Bug 1726679

Summary: [backport 4.1] Network mode Multitenant - apiserver can not connect to etcd because of netnamespaces
Product: OpenShift Container Platform Reporter: Ricardo Carrillo Cruz <ricarril>
Component: Networking Assignee: Ricardo Carrillo Cruz <ricarril>
Status: CLOSED ERRATA QA Contact: zhaozhanqi <zzhao>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.1.0 CC: aos-bugs, bbennett, sponnaga
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: 4.1.7
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-25 05:32:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1719653    
Bug Blocks:    

Description Ricardo Carrillo Cruz 2019-07-03 12:12:37 UTC
This bug was initially created as a copy of Bug #1719653

I am copying this bug because: 

Description of problem:

If I follow the documentation [1] to install an OpenShift 4 cluster with network mode Multitenant, the installation fails because the API server cannot connect to etcd. My cluster-network-03-config.yml is attached.

[1] https://docs.openshift.com/container-platform/4.1/installing/installing_aws/installing-aws-network-customizations.html#modifying-nwoperator-config-startup_installing-aws-network-customizations

Version-Release number of selected component (if applicable):

$ openshift-install version
openshift-install v4.1.0-201905212232-dirty
built from commit 71d8978039726046929729ad15302973e3da18ce
release image quay.io/openshift-release-dev/ocp-release@sha256:b8307ac0f3ec4ac86c3f3b52846425205022da52c16f56ec31cbe428501001d6

How reproducible:

Install OCP 4 with cluster-network-03-config.yml, following the documentation [1].

Steps to Reproduce:

Actual results:

Installation fails.

API Server can not connect to etcd server:
$ oc debug apiserver-p48hk
$ curl -k -I --connect-timeout 1 https://etcd.openshift-etcd.svc:2379/
curl: (28) Resolving timed out after 1510 milliseconds

Expected results:

Installation passes.

API Server can connect to etcd server:
$ oc rsh apiserver-nf7hx
$ curl -k -I --connect-timeout 1 https://etcd.openshift-etcd.svc:2379/
curl: (58) NSS: client certificate not found (nickname not specified)

Additional info:

oc get netnamespaces | grep -E '(openshift-apiserver|openshift-etcd) '
openshift-apiserver                                     1
openshift-etcd                                          3025533

It looks like openshift-etcd should use the netid 1.

Comment 1 Ricardo Carrillo Cruz 2019-07-04 09:40:58 UTC

Comment 3 zhaozhanqi 2019-07-18 05:12:30 UTC
Verified this bug on 4.1.0-0.nightly-2019-07-18-023612

Using 'multitenant' mode to set up the env, the cluster works well.

[root@preserve-zzhao 0718]# oc get clusternetwork
default     redhat/openshift-ovs-multitenant
[root@preserve-zzhao 0718]# oc get netnamespaces | grep etcd
openshift-etcd                                          1
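
The NETID comparison made by hand in the description and in the verification above can be scripted. This is an added example, not part of the bug report or of OpenShift's own tooling. The function names and the sample listings (including the header row and the `default` entry) are constructed for illustration, and the treatment of NETID 0 as the global VNID is an assumption based on openshift-sdn multitenant behaviour, not on this page.

```shell
#!/bin/sh
# Added example: compare the NETIDs of two namespaces in `oc get netnamespaces` output.

# Constructed sample listings built from the NETID values quoted in this bug.
BROKEN_LISTING='NAME                  NETID     EGRESS IPS
default               0
openshift-apiserver   1
openshift-etcd        3025533'

FIXED_LISTING='NAME                  NETID     EGRESS IPS
default               0
openshift-apiserver   1
openshift-etcd        1'

# netid_of LISTING NAMESPACE: print the NETID for an exact namespace match.
# Exact matching avoids also hitting names such as openshift-apiserver-operator.
netid_of() {
    printf '%s\n' "$1" | awk -v ns="$2" '$1 == ns { print $2; found = 1 } END { exit !found }'
}

# same_vnid LISTING NS_A NS_B: return 0 when the two namespaces are not isolated
# from each other, 1 when they are, 2 when either namespace is missing.
same_vnid() {
    a=$(netid_of "$1" "$2") || { echo "missing netnamespace: $2" >&2; return 2; }
    b=$(netid_of "$1" "$3") || { echo "missing netnamespace: $3" >&2; return 2; }
    # Assumption: NETID 0 is the global VNID in openshift-sdn multitenant mode.
    if [ "$a" = "$b" ] || [ "$a" = 0 ] || [ "$b" = 0 ]; then
        echo "ok: $2 (NETID $a) and $3 (NETID $b) are not isolated"
        return 0
    fi
    echo "isolated: $2 has NETID $a but $3 has NETID $b"
    return 1
}

# On a live cluster:
#   same_vnid "$(oc get netnamespaces)" openshift-apiserver openshift-etcd
same_vnid "$BROKEN_LISTING" openshift-apiserver openshift-etcd || true
same_vnid "$FIXED_LISTING" openshift-apiserver openshift-etcd
```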

Comment 5 errata-xmlrpc 2019-07-25 05:32:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.