Bug 1752371
| Summary: | [kuryr] etcd traffic from service subnet to master nodes blocked | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Maysa Macedo <mdemaced> |
| Component: | Networking | Assignee: | Maysa Macedo <mdemaced> |
| Networking sub component: | kuryr | QA Contact: | Jon Uriarte <juriarte> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | urgent | | |
| Priority: | unspecified | CC: | asegurap, juriarte, zzhao |
| Version: | 4.2.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-16 06:41:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Verified on 4.2.0-0.nightly-2019-10-02-150642 on top of OSP 13 2019-10-01.1 puddle.

The sg added to masters allows connections to etcd:

```
$ openstack security group rule list | grep 2379
| bd4d22cf-6289-4f1e-b5a4-d5c4ed765051 | tcp | None          | 2379:2380 | 7b03d9b9-8d98-4937-afda-c4180a9390cf | 7b03d9b9-8d98-4937-afda-c4180a9390cf |
| c1c35b66-97c8-4c38-8269-311e2b6bbed3 | tcp | None          | 2379:2379 | None                                 | e025e4d9-7c89-4c4f-be36-1c64f4dac936 |
| ee354b3d-80ed-4cb3-bf37-0b133ec57467 | tcp | 172.30.0.0/15 | 2379:2380 | None                                 | 7b03d9b9-8d98-4937-afda-c4180a9390cf |

$ openstack security group show 7b03d9b9-8d98-4937-afda-c4180a9390cf
+-----------------+-----------------
| Field           | Value
+-----------------+-----------------
| name            | ostest-mp284-master
| rules           |
...
created_at='2019-10-03T11:53:23Z', direction='ingress', ethertype='IPv4', id='ee354b3d-80ed-4cb3-bf37-0b133ec57467', port_range_max='2380', port_range_min='2379', protocol='tcp', remote_ip_prefix='172.30.0.0/15', updated_at='2019-10-03T11:53:23Z'
...
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922
Description of problem:

With a recent change on the installer that tightens the security group of the master nodes, the API server pods were failing due to:

```
"Unable to create storage backend: config (&{etcd3 openshift.io {[https://etcd.openshift-etcd.svc:2379] /var/run/secrets/etcd-client/tls.key /var/run/secrets/etcd-client/tls.crt /var/run/configmaps/etcd-serving-ca/ca-bundle.crt} false true {0xc000eaddd0 0xc000eade60} {{apps.openshift.io v1} [{apps.openshift.io } {apps.openshift.io }] false} <nil> 5m0s 1m0s}), err (context deadline exceeded)"
```

As we created a lbaas for each SVC, and consequently an amphora VM, the traffic from the SVC subnet to master should be allowed on the etcd ports (2379-2380).

Version-Release number of selected component (if applicable):

How reproducible:
Always with 4.2.0-0.nightly-2019-09-13.

Steps to Reproduce:
1. Enable Kuryr on the install-config
2.
3.

Actual results:
Installation timeout

Expected results:
Installation finished successfully

Additional info:
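The fix described above comes down to one ingress rule on the master security group: TCP 2379-2380 from the Kuryr service subnet. The following script, an added example that is not part of the bug report or of the installer, parses the `openstack security group rule list` table (the same six-column layout shown in the verification comment: ID, IP Protocol, IP Range, Port Range, Remote Security Group, Security Group), reports which rule admits a given service CIDR to every etcd port, and flags any rule that opens an etcd port to 0.0.0.0/0 instead of restricting it to that subnet. The security group id and the 172.30.0.0/15 prefix are taken from the verification output; the 0.0.0.0/0 line and the `WORLD_OPEN_LINE` name are constructed for the demonstration.

```python
"""Check a master security group for the Kuryr-to-etcd ingress rule.

Added example; parses `openstack security group rule list` text offline.
"""
import ipaddress
from typing import Dict, List, Optional

ETCD_PORTS = (2379, 2380)          # etcd client and peer ports
MASTER_SG = "7b03d9b9-8d98-4937-afda-c4180a9390cf"   # from the bug's verification output

# Sample input copied from the verification comment (three rules).  Assumed
# column order: ID | IP Protocol | IP Range | Port Range | Remote SG | SG.
SAMPLE_OUTPUT = """\
| bd4d22cf-6289-4f1e-b5a4-d5c4ed765051 | tcp | None | 2379:2380 | 7b03d9b9-8d98-4937-afda-c4180a9390cf | 7b03d9b9-8d98-4937-afda-c4180a9390cf |
| c1c35b66-97c8-4c38-8269-311e2b6bbed3 | tcp | None | 2379:2379 | None | e025e4d9-7c89-4c4f-be36-1c64f4dac936 |
| ee354b3d-80ed-4cb3-bf37-0b133ec57467 | tcp | 172.30.0.0/15 | 2379:2380 | None | 7b03d9b9-8d98-4937-afda-c4180a9390cf |
"""

# Constructed (hypothetical) rule: an etcd port exposed to the whole world.
WORLD_OPEN_LINE = "| 00000000-wide-open-rule | tcp | 0.0.0.0/0 | 2379:2379 | None | " + MASTER_SG + " |\n"


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Turn the CLI table into dicts; header and border lines are skipped."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 6:
            continue
        rule_id, proto, ip_range, port_range, remote_sg, sg = cells
        try:
            if port_range in ("None", ""):
                pmin, pmax = 1, 65535        # no port restriction
            else:
                lo, hi = port_range.split(":")
                pmin, pmax = int(lo), int(hi)
            remote_ip = None if ip_range == "None" else ipaddress.ip_network(ip_range)
        except ValueError:
            continue                         # header row or malformed line
        rules.append({
            "id": rule_id,
            "proto": "any" if proto == "None" else proto.lower(),
            "remote_ip": remote_ip,
            "pmin": pmin,
            "pmax": pmax,
            "remote_sg": None if remote_sg == "None" else remote_sg,
            "sg": sg,
        })
    return rules


def find_etcd_rule(rules, sg_id: str, service_cidr: str, ports=ETCD_PORTS) -> Optional[str]:
    """Id of a rule on sg_id that lets every host in service_cidr reach all etcd ports."""
    net = ipaddress.ip_network(service_cidr)
    for r in rules:
        if r["sg"] != sg_id or r["proto"] not in ("tcp", "any"):
            continue
        if r["remote_ip"] is None:
            continue                         # keyed on a remote SG, not on an IP prefix
        if r["remote_ip"].version != net.version or not net.subnet_of(r["remote_ip"]):
            continue
        if r["pmin"] <= min(ports) and r["pmax"] >= max(ports):
            return r["id"]
    return None


def world_open_etcd_rules(rules, sg_id: str, ports=ETCD_PORTS) -> List[str]:
    """Ids of rules on sg_id that expose an etcd port to a /0 prefix."""
    found = []
    for r in rules:
        if r["sg"] != sg_id or r["remote_ip"] is None:
            continue
        if r["remote_ip"].prefixlen == 0 and any(r["pmin"] <= p <= r["pmax"] for p in ports):
            found.append(r["id"])
    return found


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_OUTPUT)
    print("service subnet -> etcd rule:", find_etcd_rule(rules, MASTER_SG, "172.30.0.0/15"))
    print("world-open etcd rules:", world_open_etcd_rules(parse_rules(SAMPLE_OUTPUT + WORLD_OPEN_LINE), MASTER_SG))
```

On a live cluster the `SAMPLE_OUTPUT` constant would be replaced by the captured output of `openstack security group rule list`; a `None` from `find_etcd_rule` reproduces the condition in this bug (API server pods timing out against etcd), while a non-empty list from `world_open_etcd_rules` means the fix was applied with a prefix far wider than the service subnet needs.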