Bug 1985717 - [OVN][Test-only] Metadata ports can no longer talk to SR-IOV ports
Summary: [OVN][Test-only] Metadata ports can no longer talk to SR-IOV ports
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-networking-ovn
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 16.2 (Train on RHEL 8.4)
Assignee: Ihar Hrachyshka
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On: 1974062
Blocks:
Reported: 2021-07-25 08:37 UTC by Roman Safronov
Modified: 2022-04-20 18:15 UTC

Fixed In Version: ovn-2021-21.06.0-17.el8fdp
Doc Type: Bug Fix
Doc Text:
This update fixes a known issue where the Open Virtual Network (OVN) Metadata service was not available to VM instances bound to an SR-IOV virtual function. The issue did not affect network function but these instances did not receive their SSH keys in the absence of a Metadata service connection. The metadata service connectivity for SR-IOV ports now functions correctly.
Clone Of: 1974062
Environment:
Last Closed: 2022-04-20 18:15:43 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-6425 0 None None None 2021-12-01 03:59:25 UTC

Description Roman Safronov 2021-07-25 08:37:50 UTC
+++ This bug was initially created as a clone of Bug #1974062 +++

This is a test-only OSP bz in order to make sure that OSP16.2 does not have the described issues after FDP OVN version that includes the fix for #1974062 is available in OSP container images. Expected release date of the FDP version is July 26, 2021


Description of problem:
Instance is not able to get metadata on creation. SSH to the instance is not working.

Version-Release number of selected component (if applicable):
RHOS-16.2-RHEL-8-20210610.n.1, and still occurs on RHOS-16.2-RHEL-8-20210722.n.0

How reproducible:
Happens very often, mainly on SR-IOV environment

Steps to Reproduce:
1. Deploy SR-IOV environment, make sure that external network exists.
2. Create a security group with allowed icmp and ssh and a keypair.
3. Create a vf sr-iov port ('direct' port) in the external network, make sure vf is using the security group that has rules allowing ssh and icmp.
4. Launch a VM connected using the vf port, created in the previous stage.
5. Try to ping the VM IP
Result: Ping works - OK
6. Try to ssh the VM
Result: Access using SSH fails - NOK (BUG)

Actual results:
Metadata service is not accessible from a VM so SSH key can not be obtained. It is not possible to connect to VM using SSH.

Expected results:
Metadata service is accessible from VM. It is possible to connect to VM using SSH.

Additional info:

Try running openstack console log show <VM UUID>
It can be seen that VM is not able to access metadata:
[   35.102236] cloud-init[797]: 2021-06-18 18:11:07,494 - util.py[WARNING]: No active metadata service found

Connect to the compute node where the VM is running and try to ping the VM from metadata namespace:
sudo ip net exec ovnmeta-<DATAPATH UUID> ping 192.168.2.225
Result: no replies

Comment 10 Eran Kuris 2021-08-08 06:38:18 UTC
The fix was verified on the latest official puddle:
(undercloud) [stack@undercloud-0 ~]$ cat core_puddle_version 
RHOS-16.2-RHEL-8-20210804.n.0

[root@computesriov-1 ~]# podman ps | grep ovn 
c3a3195d480b  undercloud-0.ctlplane.localdomain:8787/rh-osbs/rhosp16-openstack-ovn-controller:16.2_20210804.1              kolla_start  2 days ago  Up 2 days ago          ovn_controller
7c4c403a999b  undercloud-0.ctlplane.localdomain:8787/rh-osbs/rhosp16-openstack-neutron-metadata-agent-ovn:16.2_20210804.1  kolla_start  2 days ago  Up 2 days ago          ovn_metadata_agent
[root@computesriov-1 ~]# podman exec -it ovn_controller /bin/bash
[root@computesriov-1 /]# rpm -qa | grep ovn 
ovn-2021-21.06.0-17.el8fdp.x86_64
rhosp-ovn-2021-4.el8ost.1.noarch
ovn-2021-host-21.06.0-17.el8fdp.x86_64
rhosp-ovn-host-2021-4.el8ost.1.noarch

