Bug 2029867 - [4.9] Missing netFilter to the list of parameters when platform is OpenStack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.9
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.9.z
Assignee: Emilien Macchi
QA Contact: Ziv Greenberg
URL:
Whiteboard:
Depends On: 2028531
Blocks: 2049789
Reported: 2021-12-07 13:53 UTC by Emilien Macchi
Modified: 2022-02-23 20:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2028531
Environment:
Last Closed: 2022-02-23 20:02:50 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift sriov-network-operator pull 600 | 0 | None | open | Bug 2029867: backport for allowing netFilter to be set alone in NicSelector | 2021-12-28 10:27:37 UTC
Red Hat Product Errata | RHSA-2022:0561 | 0 | None | None | None | 2022-02-23 20:03:43 UTC

Description Emilien Macchi 2021-12-07 13:53:31 UTC
+++ This bug was initially created as a clone of Bug #2028531 +++

Description of problem:
When deploying OpenShift on OpenStack, we only need to provide the netFilter to the nicSelector in the SriovNetworkNodePolicy.

Until now, we were working around this by disabling the webhook, but this isn't clean, as the webhook could really be helpful to us as well.


Version-Release number of selected component (if applicable):
4.10

How reproducible:
Create a policy like this:

apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  name: sriov1
  namespace: openshift-sriov-network-operator
spec:
  deviceType: vfio-pci
  nicSelector:
    netFilter: openstack/NetworkID:OPENSTACK_SRIOV_NET_UUID
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: 'true'
  numVfs: 1
  priority: 99
  resourceName: sriov1


Actual results:
The webhook will fail with message "at least one of these parameters (vendor, deviceID, pfNames or rootDevices) has to be defined in nicSelector".

Expected results:
The webhook should accept netFilter to be enough when the platform is OpenStack.
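
Added example (not part of the original report and not the operator's code): a Go model of the relaxed admission check, which accepts netFilter alone only on OpenStack and only in the prefix-plus-UUID form shown in the policy, so the webhook can stay enabled. The function name, the platform strings and the UUID check are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// NicSelector carries only the nicSelector fields named in this bug.
type NicSelector struct {
	Vendor, DeviceID, NetFilter string
	PfNames, RootDevices        []string
}

const netIDPrefix = "openstack/NetworkID:" // prefix as shown in the policy above

// Assumption: the network ID is a canonical UUID, as in the sample policy.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// validateNicSelector is a hypothetical model of the admission check, not the
// operator's function. The platform values ("openstack", ...) are constructed.
func validateNicSelector(s NicSelector, platform string) error {
	// Unchanged rule: any hardware selector is enough on every platform.
	if s.Vendor != "" || s.DeviceID != "" || len(s.PfNames) > 0 || len(s.RootDevices) > 0 {
		return nil
	}
	if s.NetFilter == "" {
		return errors.New("nicSelector is empty: set vendor, deviceID, pfNames, rootDevices or netFilter")
	}
	// Relaxed rule: netFilter alone is accepted, but only on OpenStack.
	if platform != "openstack" {
		return fmt.Errorf("netFilter alone is not sufficient on platform %q", platform)
	}
	// Keep the relaxation narrow: reject anything that is not prefix + UUID.
	id := strings.TrimPrefix(s.NetFilter, netIDPrefix)
	if !strings.HasPrefix(s.NetFilter, netIDPrefix) || !uuidRe.MatchString(id) {
		return fmt.Errorf("netFilter %q is not %s<uuid>", s.NetFilter, netIDPrefix)
	}
	return nil
}

func main() {
	sel := NicSelector{NetFilter: netIDPrefix + "e8247778-7691-460e-82dd-9cf280f62831"}
	fmt.Println("openstack:", validateNicSelector(sel, "openstack"))
	fmt.Println("baremetal:", validateNicSelector(sel, "baremetal"))
}
```

With this check the unsubstituted placeholder OPENSTACK_SRIOV_NET_UUID from the reproduction policy is rejected, which catches a template that was applied without filling in the network ID.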

Comment 6 Ziv Greenberg 2022-02-14 08:40:41 UTC
Hello,

I was able to verify it and also created a dedicated DUT pod with attached Intel X710 SR-IOV VFs:

(shiftstack) [cloud-user@installer-host ~]$ oc get clusterversions.config.openshift.io
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2022-02-07-031906   True        False         5d13h   Cluster version is 4.9.0-0.nightly-2022-02-07-031906
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$ oc get csv -n openshift-sriov-network-operator
NAME                                        DISPLAY                      VERSION              REPLACES                            PHASE
performance-addon-operator.v4.9.5           Performance Addon Operator   4.9.5                performance-addon-operator.v4.9.4   Succeeded
sriov-network-operator.4.9.0-202202120107   SR-IOV Network Operator      4.9.0-202202120107                                       Succeeded
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$ oc get all -n openshift-sriov-network-operator
NAME                                          READY   STATUS    RESTARTS   AGE
pod/network-resources-injector-jrrqq          1/1     Running   0          6m27s
pod/network-resources-injector-pt5w5          1/1     Running   0          6m27s
pod/network-resources-injector-tqxbk          1/1     Running   0          6m27s
pod/operator-webhook-85nvr                    1/1     Running   0          6m27s
pod/operator-webhook-zkdkl                    1/1     Running   0          6m27s
pod/operator-webhook-ztlrk                    1/1     Running   0          6m27s
pod/sriov-device-plugin-b7gn8                 1/1     Running   0          85s
pod/sriov-network-config-daemon-98f95         3/3     Running   0          6m27s
pod/sriov-network-config-daemon-gx4z5         3/3     Running   0          6m27s
pod/sriov-network-operator-7b77bc6678-tt789   1/1     Running   0          6m48s

NAME                                         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/network-resources-injector-service   ClusterIP   172.30.228.239   <none>        443/TCP   6m27s
service/operator-webhook-service             ClusterIP   172.30.229.65    <none>        443/TCP   6m27s

NAME                                         DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                                                 AGE
daemonset.apps/network-resources-injector    3         3         3       3            3           beta.kubernetes.io/os=linux                                   6m27s
daemonset.apps/operator-webhook              3         3         3       3            3           beta.kubernetes.io/os=linux                                   6m27s
daemonset.apps/sriov-device-plugin           1         1         1       1            1           beta.kubernetes.io/os=linux,node-role.kubernetes.io/worker=   4m44s
daemonset.apps/sriov-network-config-daemon   2         2         2       2            2           beta.kubernetes.io/os=linux,node-role.kubernetes.io/worker=   6m27s

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/sriov-network-operator   1/1     1            1           6m48s

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/sriov-network-operator-7b77bc6678   1         1         1       6m48s
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$ oc get SriovNetworkNodePolicy -n openshift-sriov-network-operator sriov10 -o yaml
apiVersion: sriovnetwork.openshift.io/v1
kind: SriovNetworkNodePolicy
metadata:
  creationTimestamp: "2022-02-14T08:24:00Z"
  generation: 1
  name: sriov10
  namespace: openshift-sriov-network-operator
  resourceVersion: "2796346"
  uid: ce519c3c-1774-411d-ab79-67ebc9e590b0
spec:
  deviceType: vfio-pci
  isRdma: false
  nicSelector:
    netFilter: openstack/NetworkID:e8247778-7691-460e-82dd-9cf280f62831
  nodeSelector:
    feature.node.kubernetes.io/network-sriov.capable: "true"
  numVfs: 1
  priority: 99
  resourceName: sriov10
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$ oc get pods
NAME           READY   STATUS    RESTARTS   AGE
dpdk-testpmd   1/1     Running   0          2m29s
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$
(shiftstack) [cloud-user@installer-host ~]$ oc logs dpdk-testpmd | grep 'Virtual Function'
0000:00:05.0 'Ethernet Virtual Function 700 Series 154c' drv=vfio-pci unused=
0000:00:06.0 'Ethernet Virtual Function 700 Series 154c' if= drv=iavf unused=vfio-pci
0000:00:05.0 'Ethernet Virtual Function 700 Series 154c' drv=vfio-pci unused=
0000:00:06.0 'Ethernet Virtual Function 700 Series 154c' if= drv=iavf unused=vfio-pci

Please note, the image source that was used for pulling the sriov-network-operator is the "qe-optional-operators" in the marketplace.

Thanks,
Ziv

Comment 9 errata-xmlrpc 2022-02-23 20:02:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.22 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0561

