Bug 1825286
Summary: | UPI: Using security rules with remote security group may cause deployment to fail | |||
---|---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Pierre Prinetti <pprinett> | |
Component: | Installer | Assignee: | Pierre Prinetti <pprinett> | |
Installer sub component: | OpenShift on OpenStack | QA Contact: | David Sanz <dsanzmor> | |
Status: | CLOSED ERRATA | Docs Contact: | ||
Severity: | high | |||
Priority: | urgent | CC: | adduarte, dsanzmor, m.andre, pprinett | |
Version: | 4.4 | |||
Target Milestone: | --- | |||
Target Release: | 4.5.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Cause: The OpenStack UPI playbook that stands up the security groups uses `remote_group_id` to allow traffic origins.
Consequence: Using `remote_group_id` in the security rules is very inefficient, triggering a lot of computation by the OVS agent to generate the flows and possibly exceeding the time allocated for flow generation. In such cases, especially in environments already under stress, master nodes may be unable to communicate with worker nodes, leading the deployment to fail.
Fix: Use IP prefixes for whitelisting traffic origins instead of `remote_group_id`.
Result: Less load on Neutron resources should reduce the occurrence of timeouts.
|
Story Points: | --- | |
Clone Of: | 1824287 | |||
: | 1825459 (view as bug list) | Environment: | ||
Last Closed: | 2020-07-13 17:28:32 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1824287 | |||
Bug Blocks: | 1825459 |
Description
Pierre Prinetti
2020-04-17 14:54:33 UTC
This BZ refers to the UPI installation.

No failure detected on latest 4.5 nightly after patch is merged, and secgroup rules are fine. Marking as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
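The fix described in the Doc Text (IP prefixes instead of `remote_group_id`), expressed as an audit over rule objects shaped like Neutron security group rules. This is an added example, not code from the bug report or the installer playbook; the rule IDs, ports and the 10.0.0.0/16 subnet are constructed, and `audit` and `rewrite_rule` are hypothetical helper names.

```python
import ipaddress

# Constructed sample shaped like Neutron security group rule objects
# (field names follow the Neutron API; IDs, ports and CIDR are made up).
SAMPLE_RULES = [
    {"id": "rule-1", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 10250, "port_range_max": 10250,
     "remote_group_id": "sg-master", "remote_ip_prefix": None},
    {"id": "rule-2", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 6443, "port_range_max": 6443,
     "remote_group_id": None, "remote_ip_prefix": "10.0.0.0/16"},
    {"id": "rule-3", "direction": "ingress", "ethertype": "IPv6",
     "protocol": "udp", "port_range_min": 4789, "port_range_max": 4789,
     "remote_group_id": "sg-worker", "remote_ip_prefix": None},
]

ETHERTYPE_VERSION = {"IPv4": 4, "IPv6": 6}


def rewrite_rule(rule, subnet_cidr):
    """Return a copy of `rule` that filters by CIDR instead of remote group.

    Raises ValueError if the CIDR is malformed or its IP version does not
    match the rule's ethertype (an IPv4 prefix cannot match IPv6 traffic).
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != ETHERTYPE_VERSION[rule["ethertype"]]:
        raise ValueError(f"{rule['id']}: {subnet_cidr} is not {rule['ethertype']}")
    fixed = dict(rule)  # leave the input rule untouched
    fixed["remote_group_id"] = None
    fixed["remote_ip_prefix"] = str(net)
    return fixed


def audit(rules, subnet_cidr):
    """Split rules into (already CIDR-based, rewritten, needs manual review)."""
    kept, rewritten, manual = [], [], []
    for rule in rules:
        if not rule.get("remote_group_id"):
            kept.append(rule)
            continue
        try:
            rewritten.append(rewrite_rule(rule, subnet_cidr))
        except ValueError as exc:
            manual.append(str(exc))
    return kept, rewritten, manual
```

A CIDR rule admits any source address inside the prefix, not only ports that belong to the remote group, so the prefix passed in should be the narrowest one that covers the cluster nodes.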