Description of problem: On Baremetal, and specially on IPv6 deploymnets, CRI-O's default setting of stream-address="" makes it bind to whichever address. That means that it can easily end up on the provisioning network. How reproducible: Often Steps to Reproduce: 1. Trigger a baremetal deployment 2. ssh to the different nodes 3. sudo ss -lptn | grep crio Actual results: Binds to provisioning network or some address not in the control plane. Expected results: Should be bound to a non VIP address on the control plane network (non-deprecated, non-link-local IPv6 address when IPv6 deployment). Additional info: You can check if crio got a stream address specified with a short command like in this example: [core@master-0 ~]$ cat "/proc/$(pgrep crio)/cmdline" | xargs -0 echo /usr/bin/crio --stream-address=fd2e:6f44:5dd8:c956::14 --enable-metrics=true --metrics-port=9537
[core@master-1 ~]$ ip a s dev enp5s0 3: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 52:54:00:c5:e6:84 brd ff:ff:ff:ff:ff:ff inet 192.168.123.107/24 brd 192.168.123.255 scope global dynamic noprefixroute enp5s0 valid_lft 2637sec preferred_lft 2637sec inet 192.168.123.6/24 scope global secondary enp5s0 valid_lft forever preferred_lft forever inet 192.168.123.10/24 scope global secondary enp5s0 valid_lft forever preferred_lft forever inet 192.168.123.5/24 scope global secondary enp5s0 valid_lft forever preferred_lft forever inet6 fe80::5175:86f6:582e:cec9/64 scope link noprefixroute valid_lft forever preferred_lft forever [core@master-1 ~]$ ps axu | grep /usr/bin/crio root 3025 10.9 0.6 3958292 221360 ? Ssl 22:26 4:27 /usr/bin/crio --stream-address=192.168.123.107 --enable-metrics=true --metrics-port=9537
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581