Bug 2081182
| Summary: | VM SSH command generated by UI points at api VIP | |||
|---|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Chandler Wilkerson <cwilkers> | |
| Component: | User Experience | Assignee: | Aviv Turgeman <aturgema> | |
| Status: | CLOSED ERRATA | QA Contact: | Guohua Ouyang <gouyang> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 4.10.0 | CC: | cnv-qe-bugs, flozano, gouyang, ycui, yzamir | |
| Target Milestone: | --- | |||
| Target Release: | 4.11.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2090178 2111378 (view as bug list) | Environment: | ||
| Last Closed: | 2022-09-14 19:31:44 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2090178 | |||
|
Description
Chandler Wilkerson
2022-05-02 22:52:59 UTC
moving back to 'ASSIGNED' as fix is not good verified on OCP-v4.11.0-47 The ssh command looks like: ssh test.uit-411-dev.cnv-qe.rhcloud.com -p 31837 and the ssh connection works from command line The default behavior of exposing SSH access to VMs using NodePort services is just not guaranteed to work. Switching from the API address/hostname to any other node might be a workaround for some customers and not work at all for others. Many customers all block ports other than the API and Ingress controller to all cluster nodes and that makes any NodePort service inaccessible. This is not an issue created by OpenShift Virtualization and IMHO it is very misleading that the product UI offers that alternative. It creates an expectation that it "should work" when it should not, at least in environments configured according to hardneded security. We should educate our users better about the caveats of that setting and offer alternatives not only in product docs but also int the product's UI. Unfortunately there's no alternative that guaranteed to work everywhere, at least not with the current supported OpenShift 4.10 product and I guess not even with the next EUS release 4.12. Which makes it even more important to provide caveats and alternatives in the product's UI and docs. (In reply to Fernando Lozano from comment #4) > The default behavior of exposing SSH access to VMs using NodePort services > is just not guaranteed to work. Yes, my concern is that we do want to give this functionality * if it's set up on user cluster * IMHO best we can do is notify users that this "REQUIRES CLUSTER NETWORK SETUP" to support this feature, and link to documentation. > Switching from the API address/hostname to > any other node might be a workaround for some customers and not work at all > for others. Yes, IMHO prominent help text, saying this requires specific network setting to work will help here. > This is not an issue created by OpenShift Virtualization and IMHO it is very > misleading that the product UI offers that alternative. It creates an > expectation that it "should work" when it should not Documentation and in-the-UI help text that explains things can help > Unfortunately there's no alternative that guaranteed to work everywhere, at > least not with the current supported OpenShift 4.10 product and I guess not > even with the next EUS release 4.12. Which makes it even more important to > provide caveats and alternatives in the product's UI and docs. Guohua hi, we currently inform users that accessing SSH using "node port" require specific network/firewall settings, when they enable the service. does it makes sense to add help notification + docs link near the "copy ssh command" as well? cc:// Fernando (In reply to Yaacov Zamir from comment #5) > (In reply to Fernando Lozano from comment #4) > > The default behavior of exposing SSH access to VMs using NodePort services > > is just not guaranteed to work. > > Yes, my concern is that we do want to give this functionality * if it's set > up on user cluster * > IMHO best we can do is notify users that this "REQUIRES CLUSTER NETWORK > SETUP" to support this feature, and link to documentation. > > > Switching from the API address/hostname to > > any other node might be a workaround for some customers and not work at all > > for others. > > Yes, IMHO prominent help text, saying this requires specific network setting > to work will help here. > > > This is not an issue created by OpenShift Virtualization and IMHO it is very > > misleading that the product UI offers that alternative. It creates an > > expectation that it "should work" when it should not > > Documentation and in-the-UI help text that explains things can help > > > Unfortunately there's no alternative that guaranteed to work everywhere, at > > least not with the current supported OpenShift 4.10 product and I guess not > > even with the next EUS release 4.12. Which makes it even more important to > > provide caveats and alternatives in the product's UI and docs. > > Guohua hi, > > we currently inform users that accessing SSH using "node port" require > specific network/firewall settings, when they enable the service. > does it makes sense to add help notification + docs link near the "copy ssh > command" as well? Any improvement here works for me, let me clone the bug to 4.12 for further investigation or discussion > cc:// Fernando +1 to documentation links. The wildcard VIP does work better in my context than the API VIP Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.11.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:6526 |