Bug 1850505 - SR-IOV webhook fails with "no matched NIC is selected by the nicSelector"
Summary: SR-IOV webhook fails with "no matched NIC is selected by the nicSelector"
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.6.0
Assignee: Peng Liu
QA Contact: zhaozhanqi
Depends On:
TreeView+ depends on / blocked
Reported: 2020-06-24 12:18 UTC by Petr Horáček
Modified: 2020-10-27 16:09 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 16:09:32 UTC
Target Upstream Version:
pliu: needinfo-

Attachments (Terms of Use)
sriov-webhook.log (6.05 KB, text/plain)
2020-06-24 12:23 UTC, Petr Horáček
no flags Details

System ID Private Priority Status Summary Last Updated
Github openshift sriov-network-operator pull 279 0 None closed Bug 1850505: Make the webhook error message more accurate 2020-12-31 15:55:31 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 16:09:33 UTC

Description Petr Horáček 2020-06-24 12:18:07 UTC
Description of problem:
The webhook rejects a new Policy claiming it does not match any available NIC despite there are available matching NICs and it worked with 4.4 SR-IOV operator.

Version-Release number of selected component (if applicable):
OCP 4.5.0-rc.2
SR-IOV operator 4.5 rh-verified-operators

How reproducible:

Steps to Reproduce:
1. Check available NICs
    - deviceID: "1572"
      driver: i40e
      mtu: 1500
      name: ens2f1
      pciAddress: 0000:3b:00.1
      totalvfs: 64
      vendor: "8086"
2. Create a policy:
cat <<EOF | oc create -f -
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
  name: policy-ens2f1
  namespace: openshift-sriov-network-operator
  deviceType: vfio-pci
    - 0000:3b:00.1
    vendor: "8086"
    - ens2f1
    feature.node.kubernetes.io/network-sriov.capable: "true"
  numVfs: 5
  resourceName: sriov_net

Actual results:
It fails with:
Error from server (no matched NIC is selected by the nicSelector in CR policy-ens2f1): error when creating "STDIN": admission webhook "operator-webhook.sriovnetwork.openshift.io" denied the request: no matched NIC is selected by the nicSelector in CR policy-ens2f1

Expected results:
Should configure the Policy.

Comment 1 Petr Horáček 2020-06-24 12:23:58 UTC
Created attachment 1698586 [details]

Comment 2 Peng Liu 2020-06-29 13:28:39 UTC
Hi Petr,

Could you share the output of 'oc get node -o yaml' and 'oc get sriovnetworknodestate -o yaml' for node cnvqe-10.lab.eng.tlv2.redhat.com and cnvqe-11.lab.eng.tlv2.redhat.com?

Comment 4 Peng Liu 2020-06-29 14:04:52 UTC
Hi Geetika,

I cannot reproduce this issue in my environment. Does it always happen in yours?
From the node state manifests you attached, it looks the policy has been applied. Did you turn off the operator webhook to make it happen?

Comment 5 Petr Horáček 2020-06-29 14:17:02 UTC
Yes, we disabled the webhook to get over this issue. It happened always on our 4.5 environment.

Comment 7 Peng Liu 2020-06-29 15:19:16 UTC
The device which you want to select is not in the supported NIC list. It has been blocked by https://github.com/openshift/sriov-network-operator/pull/204. So it is expected behavior. So when you want to configure an unsupported NIC model, you shall disable the operator webhook.

Comment 8 Petr Horáček 2020-06-29 15:43:47 UTC
Makes sense. So all that needs to be done here is to fix the error message from "no matched NIC is selected by the nicSelector" to something more appropriate?

Comment 9 Peng Liu 2020-06-30 02:52:25 UTC
How about change to "no supported NIC is selected by the nicSelector"?

Comment 10 Petr Horáček 2020-06-30 07:36:20 UTC
That sounds ok.

I have some second thoughts, I get that Red Hat can't officially support models it does not test. However, the operator is known to work with other similar models too and it seems to me wasteful to hard-limit ourselves with a subset of them. Can we have a configuration option to disable the model check instead of disabling of the whole webhook? It would have the same effect, it would be 100% explicit and we would be able to utilize other features of the webhook.

It would help the upstream community, including myself who has X710 (not the supported XXV710).

Comment 11 Peng Liu 2020-07-01 13:19:23 UTC
Hi Petr,
I agree that we shall a way to allow users to try the unsupported NIC models. We're planning to have a proper systematic solution for that. It is on our to-do list.
For this BZ, can we close it with the error message change?

Comment 12 Petr Horáček 2020-07-01 13:22:30 UTC
I can hardly complain about something which is unsupported, the message change would be great :)

For the solution you mention, could I track it anywhere? On Jira maybe?

Comment 13 Peng Liu 2020-07-01 13:49:25 UTC
It hasn't started yet. I'll keep you posted.

Comment 16 zhaozhanqi 2020-07-07 03:11:26 UTC
Verified this bug

Comment 18 errata-xmlrpc 2020-10-27 16:09:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.