If you are setting up OpenShift Virt you oftent want to confirm the customer is actually sending VLAN tags to the node before troubleshooting deeper. Here is a tcpdump that can be used.
Log into the node and run toolbox to gain access to tcpdump.
[root@rhel-node-1 ~]# tcpdump -enni eth1 ether proto 0x8100 # 802.1q
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
[root@worker-4 ~]# ovs-vsctl --columns=name,mac_in_use,mtu find interface external_ids:"k8s.ovn.org/network"="vlan-1924"
name : "81a5ebcb6fa45_3"
mac_in_use : "be:a0:20:9b:b1:de"
mtu : 1400
name : "040cd3693b52c_3"
mac_in_use : "c2:93:f7:05:0a:6e"
| coreos-installer iso ignition show agent.x86_64.iso | jq -s > /tmp/agent.json | |
| # you can read any file of course, but i wanted to verify the pull secret in this case | |
| cat /tmp/agent.json | jq -r '.[].storage.files[] | select(.path | contains("pull-secret.yaml")) | .contents.source' | awk -F, '{print $2}' | base64 -d |
| # used to lookup vcenter connection details from 1Password | |
| VAULT=development | |
| CLUSTER=vcenter | |
| export GOVC_USERNAME="$(op read op://${VAULT}/${CLUSTER}/username)" | |
| export GOVC_PASSWORD="$(op read op://${VAULT}/${CLUSTER}/password)" | |
| export GOVC_URL="$(op read op://${VAULT}/${CLUSTER}/website)" |
| # connect to OVN Northbound DB https://gist.github.com/dlbewley/b4d4c85931e7a9c03caf56db1a1a0d2e | |
| $ ovncli.sh | |
| # find local chassis id | |
| sh-5.1# CHASSIS=`ovn-sbctl --bare --columns=name find chassis other_config:is-remote="false"` | |
| sh-5.1# echo $CHASSIS | |
| f57f0c4e-5d93-4639-a016-7cea61281c04 | |
| # view bridge mappings for local chassis |
| #!/bin/bash | |
| # Connect to the OVN northbound database pod. | |
| # Optionally specify the node and or command | |
| # https://guifreelife.com/blog/2024/11/19/Open-Virtual-Network-Inspection-on-OpenShift/ | |
| node=$1; shift; cmd=$* | |
| if [[ -n "$node" ]]; then | |
| nbdbpod=$(oc get pod \ | |
| -l app=ovnkube-node \ |
| #!/bin/sh | |
| cat $KUBECONFIG \ | |
| | yq e '.clusters[0].cluster."certificate-authority-data"' \ | |
| | base64 -d > kubeconfig-ca-data.pem | |
| split -p "-----BEGIN CERTIFICATE-----" kubeconfig-ca-data.pem cert- | |
| for c in cert-??; do | |
| subject=`openssl x509 -in $c -noout -subject | sed 's/^.*CN[[:space:]]*=[[:space:]]*\(.*\)/\1/'` | |
| echo $subject |
| # split a file having multiple policies into multiple files | |
| # each file is named policy-<policy_name> and contains 1 policy | |
| yq e '.|split_doc' -s '.kind + "-" + .metadata.name | downcase' multi-policy.yaml | |
| # create manifests dir for each policy | |
| # place object definitions from each policy into corresponding manifest dir | |
| for p in policy-*; do | |
| policy_name=$(yq '.metadata.name' $p); | |
| mkdir -p "manifests-$policy_name" | |
| yq '.spec.policy-templates[].objectDefinition[].object-templates[].objectDefinition | split_doc' \ |
| # if you don't want to just use --authfile or set REGISTRY_AUTH_FILE for whatever reason | |
| # you may login to each registry in your pull secret thusly | |
| # spoiler alert, here's how to extract usernames and passwords from your pull secret | |
| PULL_SECRET_PATH=pull-secret.json | |
| for R in $(jq -r '.auths|keys[]' $PULL_SECRET_PATH ); do | |
| echo "Logging into $R" | |
| U=$(jq -r ".auths.\"$R\".auth" $PULL_SECRET_PATH | base64 -d | awk -F: '{print $1}') | |
| P=$(jq -r ".auths.\"$R\".auth" $PULL_SECRET_PATH | base64 -d | awk -F: '{print $2}') |
| #!/bin/bash | |
| ROXCTL_IMAGE="registry.redhat.io/advanced-cluster-security/rhacs-roxctl-rhel8:3.71" | |
| # Central CA cert: | |
| # oc extract secrets/service-ca -n stackrox --keys=ca.pem --to=- | |
| # read values from 1Password YMMV | |
| CLUSTER="hub-lab-bewley-net" | |
| VAULT="development" |