Bug 1687722
Summary: | Fail to use authentication enabled iscsi on OCP 4.1 | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Liang Xia <lxia> |
Component: | RHCOS | Assignee: | Steve Milner <smilner> |
Status: | CLOSED ERRATA | QA Contact: | Liang Xia <lxia> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 4.1.0 | CC: | aos-bugs, aos-storage-staff, bbreard, dustymabe, imcleod, jligon, jsafrane, nstielau, walters, wsun |
Target Milestone: | --- | | |
Target Release: | 4.1.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-04 10:45:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1680012 | | |
Description
Liang Xia
2019-03-12 08:53:37 UTC
You are right, the operator had two issues:

* In Kubernetes 1.12, dynamic driver registration is enabled and the operator must start driver registrar with --kubelet-registration-path. This has been fixed in https://github.com/openshift/csi-operator/pull/44/files and I checked that it's available in today's OKD repository (registry.svc.ci.openshift.org/openshift/origin-v4.0:csi-operator)
* For 1.12 a new hostpath driver is required, see https://github.com/openshift/csi-operator/pull/47

Oops, wrong bug, please ignore comment #1.

I edited /etc/iscsi/initiatorname.iscsi and then did `systemctl restart iscsid` and it worked for me. @lxia, does that work? Do we need to document it on the OpenShift side, or is it more of an iSCSI-specific issue (i.e. the admin needs to set up ACLs correctly)?

In 4.0, nodes are dynamically provisioned/removed, so manual configuration on nodes is not acceptable.

The initiator name is the same for all nodes with the same OS image version, so something (an operator? the node post-provision script?) will need to generate an initiator name for every node (iscsi-iname). Then the admin will need to periodically find out what the initiator name for every node is and keep their iSCSI ACLs updated, so maybe the "operator" will need to write node:initiator name mappings to an OpenShift object for the admin to parse. Without a complex solution like this, I don't see a way to avoid manual ssh into the node (to either read or write /etc/iscsi/initiatorname.iscsi). Need some more input to figure out a solution. In 3.x, as far as I can tell, openshift-ansible installed iscsi-initiator-utils and then did nothing, which is fine since configuration is a one-time thing.

We could set the unique part of the initiator name to equal the node name maybe?

/etc/iscsi/initiatorname.iscsi is created by the iscsi-initiator-utils RPM package during %post. It is then baked into RHCOS images and every VM then has the same initiator name. That's the root cause of the bug - initiatorname.iscsi should be unique on each host. RHCOS should ship images without /etc/iscsi/initiatorname.iscsi and then generate a new one during the first boot. It's quite simple, from the iscsi-initiator-utils %post script:

```
if [ ! -f %{_sysconfdir}/iscsi/initiatorname.iscsi ]; then
    echo "InitiatorName=`/usr/sbin/iscsi-iname`" > %{_sysconfdir}/iscsi/initiatorname.iscsi
fi
```

(/usr/sbin/iscsi-iname is installed in current RHCOS8).

I'm taking a quick look at the package to see where the disconnect is.

See https://bugzilla.redhat.com/show_bug.cgi?id=1493294 which links to https://bugzilla.redhat.com/show_bug.cgi?id=1493296

Ideally we fix this upstream - a comment from the maintainer would be nice.

Checked with payload 4.1.0-0.nightly-2019-04-18-210657 (with Red Hat Enterprise Linux CoreOS 410.8.20190417.0). Verified the nodes are using different initiator names.

```
[core@ip-172-31-136-154 ~]$ cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:ecba29bf977
[core@ip-172-31-136-71 ~]$ cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:aee4174ca864
```

Also verified iSCSI volume is working fine.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758
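The thread's root cause (one initiator name baked into the image and shared by every node) can be checked for across a cluster, since target-side ACLs cannot tell two hosts apart when they present the same name. The script below is an added example, not code from this bug or from RHCOS; its input format (one `<node> InitiatorName=<iqn>` line per node, collected by the admin from each node's /etc/iscsi/initiatorname.iscsi), the function names and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example: flag initiator names (IQNs) that more than one node presents.
# Assumed input on stdin: "<node> InitiatorName=<iqn>", one line per node.

# Prints "<iqn> <node1>,<node2>,..." for every IQN used by more than one node.
find_duplicate_iqns() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = "InitiatorName="
            idx = index($0, key)
            if (idx == 0) next                   # line carries no initiator name
            iqn = substr($0, idx + length(key))
            sub(/[ \t\r]+$/, "", iqn)            # drop trailing whitespace
            if (iqn == "") next
            count[iqn]++
            nodes[iqn] = (count[iqn] > 1) ? nodes[iqn] "," $1 : $1
        }
        END {
            for (iqn in count)
                if (count[iqn] > 1) print iqn, nodes[iqn]
        }
    ' | sort
}

# Returns 0 when every node has its own initiator name, 1 otherwise.
audit_initiator_names() {
    dups=$(find_duplicate_iqns)
    if [ -n "$dups" ]; then
        printf 'initiator names shared by several nodes:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample: node-a and node-b were built from the same image and
# share a name, as described in the thread; node-c generated its own.
sample_inventory() {
    cat <<'EOF'
# constructed values, not taken from the bug report
node-a InitiatorName=iqn.1994-05.com.redhat:000000000001
node-b InitiatorName=iqn.1994-05.com.redhat:000000000001
node-c InitiatorName=iqn.1994-05.com.redhat:000000000002
EOF
}

sample_inventory | audit_initiator_names || echo "audit failed on the constructed sample, as intended"
```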