Bug 2005854 - SSH NodePort service is created for each VM
Summary: SSH NodePort service is created for each VM
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Kubevirt Plugin
Version: 4.8
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.10.0
Assignee: Yaacov Zamir
QA Contact: Guohua Ouyang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-20 10:58 UTC by Petr Horáček
Modified: 2022-03-10 16:12 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:11:55 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 10180 0 None open Bug 2005854: make ssh service opt-in instead of opt-out 2021-10-05 10:27:10 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:12:12 UTC

Description Petr Horáček 2021-09-20 10:58:12 UTC
Description of problem:

A NodePort Service *-ssh-service is created for every VM by default. NodePort service consumes one free port on each Node per Service. This means that if I have a cluster with many nodes and create 1000 VMs, it will consume 1000 TCP ports on every node, no matter if I need SSH or not.

This is very resource heavy and I think should be made into an opt-in feature.


Version-Release number of selected component (if applicable):
OCP 4.8.9
OpenShift Virtualization 4.8.1


How reproducible:
Always


Steps to Reproduce:
1. Create a basic VM (e.g. apply the default from Virtualization -> Create -> With YAML)

Actual results:
A service <vm-name>-ssh-service is created.


Expected results:
It should not consume my port pool unless it is clear I really want and need this.
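
An added example, not part of the bug report or the console code: a Python audit that takes the JSON from `kubectl get services -A -o json`, lists the `*-ssh-service` NodePort services described above, and counts how much of the node-port pool is gone. It assumes the cluster uses the default Kubernetes NodePort range 30000-32767; the sample input and the function name are constructed for illustration.

```python
import json

# Kubernetes' default NodePort range (kube-apiserver --service-node-port-range).
# Assumption: the cluster has not overridden it.
NODEPORT_RANGE = range(30000, 32768)

# Constructed sample in the shape of `kubectl get services -A -o json`.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "demo", "name": "vm-a-ssh-service"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 22000, "targetPort": 22, "nodePort": 31022}]}},
    {"metadata": {"namespace": "demo", "name": "vm-b-ssh-service"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 22000, "targetPort": 22, "nodePort": 30574}]}},
    {"metadata": {"namespace": "demo", "name": "web"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 80, "targetPort": 8080, "nodePort": 30080}]}},
    {"metadata": {"namespace": "demo", "name": "db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432, "targetPort": 5432}]}},
]})


def audit_ssh_nodeports(service_list_json, suffix="-ssh-service"):
    """Report NodePort services named *<suffix> and overall node-port usage."""
    ssh_services, used = [], set()
    for svc in json.loads(service_list_json).get("items", []):
        meta, spec = svc.get("metadata", {}), svc.get("spec", {})
        # Any allocated nodePort is reserved on every node in the cluster.
        node_ports = [p["nodePort"] for p in spec.get("ports", []) if p.get("nodePort")]
        used.update(node_ports)
        if spec.get("type") == "NodePort" and meta.get("name", "").endswith(suffix):
            ssh_services.append((meta.get("namespace"), meta["name"], node_ports))
    free = len(set(NODEPORT_RANGE) - used)
    return {"ssh_services": ssh_services, "used": len(used), "free": free}


if __name__ == "__main__":
    report = audit_ssh_nodeports(SAMPLE)
    for ns, name, ports in report["ssh_services"]:
        print(f"{ns}/{name}: node ports {ports} open on every node")
    print(f"{report['used']} node ports allocated, {report['free']} left in the default range")
```

On a live cluster, pass the output of `kubectl get services -A -o json` to `audit_ssh_nodeports` in place of `SAMPLE`.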

Comment 1 Yaacov Zamir 2021-10-04 07:53:03 UTC
Petr, thanks for noticing that.

Fixing this is very easy, just making the wizard default to not creating the node port service, and opt in.
But the original design was to make the ssh node port on by default.

Ronen, Fabian HELP, can we change the default behavior of creating the ssh node port?

Comment 2 Yaacov Zamir 2021-10-04 08:56:05 UTC
> it will consume 1000 TCP ports on every node, no matter if I need SSH or not.

Setting severity to high

Comment 3 Fabian Deutsch 2021-10-04 10:16:39 UTC
In general I do not see much value in creating a Service by default, mainly because we do not know _how_ the Service (ClusterIP, NodePort, something else, nothing) needs to be created to allow a user to get inbound access to the VM. Speak a Service can be created, but the UI can not tell if the Service is also useful to the user.
Thus to me, yes, it would be correct to not enable the Service creation by default.

Comment 5 Yaacov Zamir 2021-10-04 10:44:41 UTC
Fabian thanks, we will fix this issue by making the ssh service opt-in instead of opt-out.

Comment 6 Tal Nisan 2021-10-04 11:40:09 UTC
This seems quite severe, once fixed for 4.10 please backport to 4.9.z

Comment 9 Guohua Ouyang 2021-10-21 07:29:03 UTC
verified on master, enable ssh checkbox is not checked by default

Comment 12 errata-xmlrpc 2022-03-10 16:11:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

