Description of problem:
A NodePort Service *-ssh-service is created for every VM by default. NodePort service consumes one free port on each Node per Service. This means that if I have a cluster with many nodes and create 1000 VMs, it will consume 1000 TCP ports on every node, no matter if I need SSH or not. This is very resource heavy and I think should be made into an opt-in feature.

Version-Release number of selected component (if applicable):
OCP 4.8.9
OpenShift Virtualization 4.8.1

How reproducible:
Always

Steps to Reproduce:
1. Create a basic VM (e.g. apply the default from Virtualization -> Create -> With YAML)

Actual results:
A service <vm-name>-ssh-service is created.

Expected results:
It should not consume my port pool unless it is clear I really want and need this.
Petr, thanks for noticing that. Fixing this is very easy, just making the wizard default to not creating the node port service, and opt in. But the original design was to make the ssh node port on by default. Ronen, Fabian HELP, can we change the default behavior of creating the ssh node port?
> it will consume 1000 TCP ports on every node, no matter if I need SSH or not.

Setting severity to high
In general I do not see much value in creating a Service by default, mainly because we do not know _how_ the Service (ClusterIP, NodePort, something else, nothing) needs to be created to allow a user to get inbound access to the VM. Speak a Service can be created, but the UI can not tell if the Service is also useful to the user. Thus to me, yes, it would be correct to not enable the Service creation by default.
Fabian, thanks. We will fix this issue by making the ssh service opt-in instead of opt-out.
This seems quite severe. Once fixed for 4.10, please backport to 4.9.z
Verified on master: the enable ssh checkbox is not checked by default
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056
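
An added example, not part of the bug thread or of OpenShift Virtualization's code: a small audit over `kubectl get svc -A -o json` output that counts how much of the node port pool is held by the per-VM `*-ssh-service` Services described in the report. It assumes the Kubernetes default node port range of 30000-32767; the function name and the sample data are constructed for illustration.

```python
import json

# Kubernetes' default --service-node-port-range (assumption: not overridden).
DEFAULT_RANGE = (30000, 32767)

def audit_nodeports(service_list, suffix="-ssh-service", port_range=DEFAULT_RANGE):
    """Summarise node port usage from `kubectl get svc -A -o json` output."""
    lo, hi = port_range
    capacity = hi - lo + 1
    all_ports, ssh_ports, ssh_services = set(), set(), []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        # Any Service port carrying a nodePort holds that port on every node.
        ports = {p["nodePort"] for p in svc.get("spec", {}).get("ports", [])
                 if p.get("nodePort")}
        if not ports:
            continue
        all_ports |= ports
        if meta.get("name", "").endswith(suffix):
            ssh_ports |= ports
            ssh_services.append(f'{meta.get("namespace")}/{meta.get("name")}')
    return {
        "capacity": capacity,            # size of the shared pool
        "used": len(all_ports),          # ports taken by any Service
        "ssh_used": len(ssh_ports),      # ports taken by per-VM SSH Services
        "free": capacity - len(all_ports),
        "ssh_services": sorted(ssh_services),
    }

# Constructed sample: two VM SSH Services, one other NodePort, one ClusterIP.
SAMPLE = {"items": [
    {"metadata": {"namespace": "demo", "name": "vm-a-ssh-service"},
     "spec": {"type": "NodePort", "ports": [{"port": 22, "nodePort": 31001}]}},
    {"metadata": {"namespace": "demo", "name": "vm-b-ssh-service"},
     "spec": {"type": "NodePort", "ports": [{"port": 22, "nodePort": 31002}]}},
    {"metadata": {"namespace": "demo", "name": "api"},
     "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}},
    {"metadata": {"namespace": "demo", "name": "web"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
]}

if __name__ == "__main__":
    print(json.dumps(audit_nodeports(SAMPLE), indent=2))
```

With the default range the pool holds 2768 ports, so the 1000 VMs in the report would take more than a third of it for SSH alone.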