Bug 2095323

Summary: OpenShift on OpenStack does not honor machineNetwork setting with multiple networks
Product: OpenShift Container Platform
Reporter: Martin André <m.andre>
Component: Installer
Assignee: Martin André <m.andre>
Installer sub component: OpenShift on OpenStack
QA Contact: rlobillo
Status: CLOSED ERRATA
Docs Contact:
Severity: low
Priority: medium
CC: bscott, pprinett
Version: 4.11
Keywords: Triaged
Target Milestone: ---
Target Release: 4.12.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, when installing a cluster on :rh-openstack-first: with multiple networks defined in the `machineNetwork` parameter, the installation program only created security group rules for the first network. With this update, the installation program creates security group rules for all networks defined in the `machineNetwork` so that users no longer need to manually edit security group rules after installation. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2095323[*BZ#2095323*])
Last Closed: 2023-01-17 19:49:58 UTC
Type: Bug

Description Martin André 2022-06-09 14:25:07 UTC
The `install-config.yaml` file defines the machineNetwork as a slice. The installer does not respect this field when defining multiple entries in machineNetwork and only picks up the first one. This is not a huge deal for now as we don't expect this to be a common scenario (in fact, this has been broken forever on OpenStack platforms and we have not seen a bug report); however, this will become problematic when we start supporting dual-stack deployments.

Comment 2 ShiftStack Bugwatcher 2022-06-10 07:04:36 UTC
Removing the Triaged keyword because:
* the priority assessment is missing
* the QE automation assessment (flag qe_test_coverage) is missing

Comment 3 Pierre Prinetti 2022-06-10 07:35:59 UTC
Setting a low severity because there are no user reports on this particular lack of functionality so far on OpenStack.
Medium priority because we consider this to be on our path to supporting dual stack IPv6.

Comment 8 rlobillo 2022-08-22 08:14:02 UTC
Verified on 4.12.0-0.nightly-2022-08-21-205113

Modifying install-config to include two machine CIDRs: 
  machineNetwork:
    - cidr: "10.196.0.0/28"
    - cidr: "10.196.0.16/28"

but the installer only takes the first one:
$ o subnet list
+--------------------------------------+--------------------+--------------------------------------+---------------+
| ID                                   | Name               | Network                              | Subnet        |
+--------------------------------------+--------------------+--------------------------------------+---------------+
| 7fc4a140-a6d8-4852-9f8f-3c3df7254d2e | ostest-tw2pb-nodes | fa163127-eb44-40fa-b64e-884949f51356 | 10.196.0.0/28 |
+--------------------------------------+--------------------+--------------------------------------+---------------+

The SG rules are created considering both CIDRs:

$ openstack security group show ostest-tw2pb-master -c rules -f json | jq '.rules[] | select(.port_range_min==22) | .remote_ip_prefix'
"10.196.0.0/28"
"10.196.0.16/28"
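
An added example, not part of the bug report, its comments or the installer's code: a Python check that generalizes the `jq` query in Comment 8 by listing every `machineNetwork` CIDR that no ingress security group rule covers on a given port. The function and helper names, the `direction` and `port_range_max` handling, and both JSON documents are assumptions; the documents are constructed from the CIDRs shown above.

```python
import ipaddress
import json

# Constructed sample: the two machineNetwork CIDRs from the verification comment.
MACHINE_NETWORKS = ["10.196.0.0/28", "10.196.0.16/28"]

def _rules(*ssh_prefixes):
    """Build a constructed document shaped like
    `openstack security group show <group> -c rules -f json`."""
    rules = [{"direction": "ingress", "port_range_min": 22, "port_range_max": 22,
              "remote_ip_prefix": p} for p in ssh_prefixes]
    rules.append({"direction": "ingress", "port_range_min": 6443,
                  "port_range_max": 6443, "remote_ip_prefix": "0.0.0.0/0"})
    return json.dumps({"rules": rules})

RULES_BEFORE_FIX = _rules("10.196.0.0/28")                   # first network only
RULES_AFTER_FIX = _rules("10.196.0.0/28", "10.196.0.16/28")  # every network

def uncovered_cidrs(machine_networks, sg_json, port):
    """Return the machineNetwork CIDRs that no ingress rule covers on `port`.

    Like the jq filter in the comment, only rules with an explicit port range
    and a remote_ip_prefix are considered; remote-group rules are skipped.
    """
    allowed = []
    for rule in json.loads(sg_json)["rules"]:
        low, prefix = rule.get("port_range_min"), rule.get("remote_ip_prefix")
        if rule.get("direction", "ingress") != "ingress" or low is None or not prefix:
            continue
        high = rule.get("port_range_max") or low
        if low <= port <= high:
            allowed.append(ipaddress.ip_network(prefix))
    missing = []
    for cidr in machine_networks:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    for label, doc in (("before fix", RULES_BEFORE_FIX), ("after fix", RULES_AFTER_FIX)):
        print(label, "-> uncovered on port 22:", uncovered_cidrs(MACHINE_NETWORKS, doc, 22))
```

The IPv4 `0.0.0.0/0` rule never satisfies an IPv6 `machineNetwork` entry, which is the gap the description anticipates for dual-stack deployments.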

Comment 11 errata-xmlrpc 2023-01-17 19:49:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399