Bug 2005854

Summary: SSH NodePort service is created for each VM
Product: OpenShift Container Platform
Reporter: Petr Horáček <phoracek>
Component: Console Kubevirt Plugin
Assignee: Yaacov Zamir <yzamir>
Status: CLOSED ERRATA
QA Contact: Guohua Ouyang <gouyang>
Severity: medium
Priority: medium
Version: 4.8
CC: aos-bugs, fdeutsch, gouyang, rsdeor, tnisan, yzamir
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2022-03-10 16:11:55 UTC
Type: Bug

Description Petr Horáček 2021-09-20 10:58:12 UTC
Description of problem:

A NodePort Service *-ssh-service is created for every VM by default. A NodePort service consumes one free port on each Node per Service. This means that if I have a cluster with many nodes and create 1000 VMs, it will consume 1000 TCP ports on every node, no matter if I need SSH or not.

This is very resource heavy and I think should be made into an opt-in feature.


Version-Release number of selected component (if applicable):
OCP 4.8.9
OpenShift Virtualization 4.8.1


How reproducible:
Always


Steps to Reproduce:
1. Create a basic VM (e.g. apply the default from Virtualization -> Create -> With YAML)

Actual results:
A service <vm-name>-ssh-service is created.


Expected results:
It should not consume my port pool unless it is clear I really want and need this.
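
The audit below is an added example, not part of the bug report or of the console plugin's code. It reads a Service list in the shape of `oc get services -A -o json`, counts how much of the node-port pool is in use, and lists the `*-ssh-service` NodePort Services the description refers to; the sample data is constructed and the 30000-32767 range is the Kubernetes default, assumed here.

```python
import json

# Kubernetes default NodePort range; an assumption, clusters can override it.
DEFAULT_RANGE = (30000, 32767)

# Constructed sample in the shape of `oc get services -A -o json` (not real data).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "vm-a-ssh-service"},
  "spec": {"type": "NodePort", "ports": [{"port": 22, "nodePort": 31001}]}},
 {"metadata": {"namespace": "default", "name": "vm-b-ssh-service"},
  "spec": {"type": "NodePort", "ports": [{"port": 22, "nodePort": 31002}]}},
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}},
 {"metadata": {"namespace": "default", "name": "db"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}}
]}
""")


def audit_ssh_nodeports(service_list, suffix="-ssh-service", port_range=DEFAULT_RANGE):
    """Summarise node-port consumption and list the per-VM SSH services."""
    lo, hi = port_range
    used, ssh_services = set(), []
    for svc in service_list.get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        for port in spec.get("ports") or []:
            node_port = port.get("nodePort")
            if node_port is None:
                continue  # ClusterIP and headless services hold no node port
            used.add(node_port)
            if spec.get("type") == "NodePort" and meta.get("name", "").endswith(suffix):
                ssh_services.append((meta.get("namespace"), meta["name"], node_port))
    pool = hi - lo + 1
    return {
        "pool_size": pool,
        "used": len(used),
        "free": pool - len(used),
        "ssh_services": sorted(ssh_services),
    }


if __name__ == "__main__":
    report = audit_ssh_nodeports(SAMPLE)
    print(f"{report['used']}/{report['pool_size']} node ports in use")
    for ns, name, node_port in report["ssh_services"]:
        print(f"SSH exposed on every node: {ns}/{name} -> :{node_port}")
```

With the default range the pool holds 2768 ports, so the 1000 VMs in the description would take more than a third of it, and each of those ports accepts SSH connections on every node.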

Comment 1 Yaacov Zamir 2021-10-04 07:53:03 UTC
Petr, thanks for noticing that.

Fixing this is very easy, just making the wizard default to not creating the node port service, and opt in.
But the original design was to make the ssh node port on by default.

Ronen, Fabian HELP, can we change the default behavior of creating the ssh node port?

Comment 2 Yaacov Zamir 2021-10-04 08:56:05 UTC
> it will consume 1000 TCP ports on every node, no matter if I need SSH or not.

Setting severity to high

Comment 3 Fabian Deutsch 2021-10-04 10:16:39 UTC
In general I do not see much value in creating a Service by default, mainly because we do not know _how_ the Service (ClusterIP, NodePort, something else, nothing) needs to be created to allow a user to get inbound access to the VM. That is, a Service can be created, but the UI cannot tell if the Service is also useful to the user.
Thus to me, yes, it would be correct to not enable the Service creation by default.

Comment 5 Yaacov Zamir 2021-10-04 10:44:41 UTC
Fabian, thanks, we will fix this issue by making the ssh service opt-in instead of opt-out.

Comment 6 Tal Nisan 2021-10-04 11:40:09 UTC
This seems quite severe; once fixed for 4.10, please backport to 4.9.z

Comment 9 Guohua Ouyang 2021-10-21 07:29:03 UTC
Verified on master; the enable ssh checkbox is not checked by default.

Comment 12 errata-xmlrpc 2022-03-10 16:11:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056