Bug 1726679 - [backport 4.1] Network mode Multitenant - apiserver can not connect to etcd because of netnamespaces
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.1.z
Assignee: Ricardo Carrillo Cruz
QA Contact: zhaozhanqi
URL:
Whiteboard: 4.1.7
Depends On: 1719653
Blocks:
Reported: 2019-07-03 12:12 UTC by Ricardo Carrillo Cruz
Modified: 2019-07-25 05:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-25 05:32:32 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1809 None None None 2019-07-25 05:32:37 UTC
Github openshift cluster-network-operator pull 225 None None None 2019-07-04 12:39:49 UTC

Description Ricardo Carrillo Cruz 2019-07-03 12:12:37 UTC
This bug was initially created as a copy of Bug #1719653

I am copying this bug because: 



Description of problem:

If I follow the documentation [1] to install an OpenShift 4 cluster with network mode Multitenant, the installation fails because the API server cannot connect to etcd. My cluster-network-03-config.yml is attached.

[1] https://docs.openshift.com/container-platform/4.1/installing/installing_aws/installing-aws-network-customizations.html#modifying-nwoperator-config-startup_installing-aws-network-customizations

Version-Release number of selected component (if applicable):

$ openshift-install version
openshift-install v4.1.0-201905212232-dirty
built from commit 71d8978039726046929729ad15302973e3da18ce
release image quay.io/openshift-release-dev/ocp-release@sha256:b8307ac0f3ec4ac86c3f3b52846425205022da52c16f56ec31cbe428501001d6

How reproducible:

Install OCP 4 with cluster-network-03-config.yml, following the documentation [1].

Steps to Reproduce:
1.
2.
3.

Actual results:

Installation fails.

API Server can not connect to etcd server:
$ oc debug apiserver-p48hk
$ curl -k -I --connect-timeout 1 https://etcd.openshift-etcd.svc:2379/
curl: (28) Resolving timed out after 1510 milliseconds

Expected results:

Installation passes.

API Server can connect to etcd server:
$ oc rsh apiserver-nf7hx
$ curl -k -I --connect-timeout 1 https://etcd.openshift-etcd.svc:2379/
curl: (58) NSS: client certificate not found (nickname not specified)

Additional info:

oc get netnamespaces | grep -E '(openshift-apiserver|openshift-etcd) '
openshift-apiserver                                     1
openshift-etcd                                          3025533

It looks like openshift-etcd should use the netid 1.

Comment 1 Ricardo Carrillo Cruz 2019-07-04 09:40:58 UTC
https://github.com/openshift/cluster-network-operator/pull/225

Comment 3 zhaozhanqi 2019-07-18 05:12:30 UTC
Verified this bug on 4.1.0-0.nightly-2019-07-18-023612

Using 'multitenant' mode to set up the env, the cluster works well.

[root@preserve-zzhao 0718]# oc get clusternetwork
NAME      CLUSTER NETWORK   SERVICE NETWORK   PLUGIN NAME
default   10.128.0.0/14     172.30.0.0/16     redhat/openshift-ovs-multitenant
[root@preserve-zzhao 0718]# oc get netnamespaces | grep etcd
openshift-etcd                                          1
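
A check for the condition discussed in this report, as an added example that is not part of the original bug or of the cluster-network-operator fix: it reads `oc get netnamespaces` output and flags namespaces whose NETID differs from that of a reference namespace. The function name `netid_mismatches` and the sample listings are constructed; the first sample repeats the listing from the description, and the second assumes openshift-apiserver still has netid 1 after the fix.

```shell
#!/bin/sh
# Usage on a cluster:
#   oc get netnamespaces | netid_mismatches openshift-apiserver openshift-etcd
# Prints one line per namespace whose NETID differs from the reference
# namespace (first argument) or that is absent from the listing.
# Exit status: 0 all match, 1 at least one mismatch, 2 reference not listed.
# Only equality is checked, which is the condition this report is about.
netid_mismatches() {
    ref=$1; shift
    awk -v ref="$ref" -v wanted="$*" '
        BEGIN { n = split(wanted, want, " ") }
        $1 == "NAME" { next }            # skip the header row
        NF >= 2 { netid[$1] = $2 }       # columns: NAME NETID [EGRESS IPS]
        END {
            if (!(ref in netid)) { print ref ": not listed"; exit 2 }
            bad = 0
            for (i = 1; i <= n; i++) {
                ns = want[i]
                if (!(ns in netid)) { print ns ": not listed"; bad = 1 }
                else if (netid[ns] != netid[ref]) {
                    printf "%s: netid %s != %s (%s)\n", ns, netid[ns], netid[ref], ref
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: the listing quoted in the bug description.
reported_listing() {
    printf '%s\n' \
        'openshift-apiserver                                     1' \
        'openshift-etcd                                          3025533'
}

# Constructed sample: state after the fix (apiserver line is an assumption).
verified_listing() {
    printf '%s\n' \
        'NAME                  NETID   EGRESS IPS' \
        'openshift-apiserver                                     1' \
        'openshift-etcd                                          1'
}
```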

Comment 5 errata-xmlrpc 2019-07-25 05:32:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1809

