Bug 1947080
| Summary: | SNO IPv6 with 'temporary 60-day domain' option fails with IPv4 exception | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Constantin Vultur <cvultur> |
| Component: | assisted-installer | Assignee: | vemporop |
| assisted-installer sub component: | assisted-service | QA Contact: | Yuri Obshansky <yobshans> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | alazar, aos-bugs, atraeger, derez, itsoiref, sasha, vemporop |
| Version: | 4.8 | Flags: | alazar: needinfo- |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | AI-Team-Core | | |
| Fixed In Version: | OCP-Metal-v1.0.20.1 | Doc Type: | Bug Fix |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-27 22:57:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Doc Text:
Cause:
When a user opts for a temporary 60-day domain, Assisted Service creates a DNS record in AWS Route53. Before the introduction of IPv6, it was assumed that all IP addresses were IPv4, therefore Assisted Service always created a DNS record of type A, which does not work for IPv6.
Consequence:
When using IPv6 addresses, an attempt to create a temporary DNS record would cause the installation to fail with error message "Invalid Resource Record: 'FATAL problem: ARRDATAIllegalIPv4Address (Value is not a valid IPv4 address)".
Fix:
When creating a DNS record for an IPv6 address, Assisted Installer will use record type AAAA suitable for IPv6.
Result:
Cluster can be successfully installed when opting for a temporary 60-day domain. After the installation, there will be DNS records mapping the cluster known FQDNs to its IPv6 VIPs.

Description
Constantin Vultur
2021-04-07 15:59:41 UTC
Created attachment 1769972: ipv6 registration error

@eran cohen since we do not support IPv6 from the cloud I don't think we should support route53 updates. What do you think? Maybe we just need to block this option from the API?

If we do want to support IPv6, we should just create an AAAA dns record (instead of A record for IPv4). Otherwise, I guess we can indeed just block it when IPv6Support is enabled, in: https://github.com/openshift/assisted-service/blob/834faecd31fbccaa9716ca020da405a2d13296f8/internal/bminventory/inventory.go#L3960

It should be possible to deploy SNO using an on-prem assisted service, and it's up to the customer to deploy IPv6 clusters in this case. Therefore, we must be able to create an AAAA type DNS record in route53 for IPv6, even if we don't support IPv6 in the cloud. As for IPv6 in the cloud, it's already blocked (IPv6 values are rejected for machine CIDR etc.), so this discussion seems irrelevant for cloud deployments.

@vemporop The route53 feature is not supported in our kubeapi deployments so I think it is relevant only for cloud. @atraeger what do you think?

AFAIK this happened in a non-cloud deployment. I also spoke with @itsoiref and he thinks we should support route53 for IPv6.

Route53 is for SaaS only, and even there it's not production or in the UI. We should add IPv6 support as very low priority.

Validated with
Assisted Installer quay.io/ocpmetal/assisted-installer:c5c58c594badd91811edb7cd00c0de1b9e3a7ca9
Assisted Installer Agent quay.io/ocpmetal/assisted-installer-agent:72b14c873597f3883eab9af308fb803b344af2d0
Assisted Installer Controller quay.io/ocpmetal/assisted-installer-controller:c5c58c594badd91811edb7cd00c0de1b9e3a7ca9
Assisted Installer Service quay.io/ocpmetal/assisted-service:1e9a56ba4c76a165ec8925b2673b65f7be264802
and with route53 configured:

```
$ dig -t aaaa api.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com
...
;; QUESTION SECTION:
;api.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com. IN AAAA

;; ANSWER SECTION:
api.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com. 60 IN AAAA fd2e:6f44:5dd8::65

$ dig -t aaaa tesging.apps.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com
;; QUESTION SECTION:
;tesging.apps.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com. IN AAAA

;; ANSWER SECTION:
tesging.apps.ocp-edge-cdv-sno-0.assistedinstaller.sysdeseng.com. 60 IN AAAA fd2e:6f44:5dd8::65
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438
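
The record-type selection described in the Doc Text, as an added Go example that is not the assisted-service code: the record type is derived from the address family rather than assumed to be A, and malformed or zone-scoped values are rejected before any DNS API call. The `dnsRecord` type, the function names, the wildcard ingress name and the 60-second TTL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// dnsRecord is a hypothetical stand-in for the fields of a Route53 record set.
type dnsRecord struct {
	Name, Type, Value string
	TTL               int64
}

// recordFor picks the record type from the address family instead of
// assuming IPv4, and returns the canonical text form of the address.
func recordFor(ip string) (rrType, value string, err error) {
	parsed := net.ParseIP(ip) // returns nil for zones such as fe80::1%eth0
	if parsed == nil {
		return "", "", fmt.Errorf("not an IP address: %q", ip)
	}
	if v4 := parsed.To4(); v4 != nil {
		// Also covers IPv4-mapped IPv6 (::ffff:a.b.c.d), which is an
		// IPv4 address and belongs in an A record.
		return "A", v4.String(), nil
	}
	return "AAAA", parsed.String(), nil
}

// buildRecords returns the API and ingress records for a cluster.
// The wildcard ingress name and the 60 s TTL are assumptions.
func buildRecords(cluster, baseDomain, apiVIP, ingressVIP string) ([]dnsRecord, error) {
	suffix := cluster + "." + baseDomain
	names := []string{"api." + suffix, "*.apps." + suffix}
	var out []dnsRecord
	for i, vip := range []string{apiVIP, ingressVIP} {
		t, v, err := recordFor(vip)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", names[i], err)
		}
		out = append(out, dnsRecord{Name: names[i], Type: t, Value: v, TTL: 60})
	}
	return out, nil
}

func main() {
	// Cluster name, domain and VIP are the values shown in the dig output above.
	recs, err := buildRecords("ocp-edge-cdv-sno-0", "assistedinstaller.sysdeseng.com",
		"fd2e:6f44:5dd8::65", "fd2e:6f44:5dd8::65")
	fmt.Println(recs, err)
}
```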