Bug 2095323 - Openshift on OpenStack does not honor machineNetwork setting with multiple networks
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Target Release: 4.12.0
Assignee: Martin André
QA Contact: rlobillo
Reported: 2022-06-09 14:25 UTC by Martin André
Modified: 2023-01-17 19:50 UTC

Doc Type: Bug Fix
Doc Text:
* Previously, when installing a cluster on :rh-openstack-first: with multiple networks defined in the `machineNetwork` parameter, the installation program only created security group rules for the first network. With this update, the installation program creates security group rules for all networks defined in the `machineNetwork` so that users no longer need to manually edit security group rules after installation. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2095323[*BZ#2095323*])
Last Closed: 2023-01-17 19:49:58 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift installer pull 6125 | 0 | None | open | Bug 2095323: Create security group rules for each MachineNetwork CIDR | 2022-07-15 04:56:50 UTC
Red Hat Product Errata | RHSA-2022:7399 | 0 | None | None | None | 2023-01-17 19:50:17 UTC

Description Martin André 2022-06-09 14:25:07 UTC
The `install-config.yaml` file defines the machineNetwork as a slice. The installer does not respect this field when defining multiple entries in machineNetwork and only picks up the first one. This is not a huge deal for now as we don't expect this to be a common scenario (in fact, this has been broken forever on OpenStack platforms and we have not seen a bug report), however this will become problematic when we start supporting dual-stack deployments.

Comment 2 ShiftStack Bugwatcher 2022-06-10 07:04:36 UTC
Removing the Triaged keyword because:
* the priority assessment is missing
* the QE automation assessment (flag qe_test_coverage) is missing

Comment 3 Pierre Prinetti 2022-06-10 07:35:59 UTC
Setting a low severity because there are no user reports on this particular lack of functionality so far on OpenStack.
Medium priority because we consider this to be on our path to supporting dual stack IPv6.

Comment 8 rlobillo 2022-08-22 08:14:02 UTC
Verified on 4.12.0-0.nightly-2022-08-21-205113

Modifying install-config to include two machine CIDRs: 
  machineNetwork:
    - cidr: "10.196.0.0/28"
    - cidr: "10.196.0.16/28"

but the installer only takes the first one:
$ o subnet list
+--------------------------------------+--------------------+--------------------------------------+---------------+
| ID                                   | Name               | Network                              | Subnet        |
+--------------------------------------+--------------------+--------------------------------------+---------------+
| 7fc4a140-a6d8-4852-9f8f-3c3df7254d2e | ostest-tw2pb-nodes | fa163127-eb44-40fa-b64e-884949f51356 | 10.196.0.0/28 |
+--------------------------------------+--------------------+--------------------------------------+---------------+

The SG rules are created considering both cidrs:

$ openstack security group show ostest-tw2pb-master -c rules -f json | jq '.rules[] | select(.port_range_min==22) | .remote_ip_prefix'
"10.196.0.0/28"
"10.196.0.16/28"
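
One way to automate the check from Comment 8 for every machineNetwork CIDR and several ports, as an added example that is not part of the bug report or the installer's code. The sample JSON, the ports other than 22, the rule fields other than `port_range_min` and `remote_ip_prefix`, and the function name are assumptions; the check also accepts a broader rule prefix that contains a CIDR.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack security group show <sg> -c rules -f json`.
# Port 22 has a rule for the first CIDR only, the gap this bug describes.
SAMPLE_SG_JSON = """
{"rules": [
 {"direction": "ingress", "protocol": "tcp", "port_range_min": 22,
  "port_range_max": 22, "remote_ip_prefix": "10.196.0.0/28"},
 {"direction": "ingress", "protocol": "tcp", "port_range_min": 6443,
  "port_range_max": 6443, "remote_ip_prefix": "10.196.0.0/27"},
 {"direction": "ingress", "protocol": "tcp", "port_range_min": 22623,
  "port_range_max": 22623, "remote_ip_prefix": "10.196.0.0/28"},
 {"direction": "ingress", "protocol": "tcp", "port_range_min": 22623,
  "port_range_max": 22623, "remote_ip_prefix": "10.196.0.16/28"}
]}
"""

def uncovered_cidrs(sg_json, machine_cidrs, port, protocol="tcp"):
    """Return the machineNetwork CIDRs that no ingress rule admits on `port`."""
    allowed = []
    for rule in json.loads(sg_json)["rules"]:
        if rule.get("direction") != "ingress" or rule.get("protocol") != protocol:
            continue
        lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
        # A rule with no port range applies to every port of the protocol.
        if lo is not None and not lo <= port <= (hi if hi is not None else lo):
            continue
        # Rules keyed on remote_group_id carry no prefix and are not counted here.
        if rule.get("remote_ip_prefix"):
            allowed.append(ipaddress.ip_network(rule["remote_ip_prefix"]))
    missing = []
    for cidr in machine_cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(cidr)
    return missing

if __name__ == "__main__":
    machine_network = ["10.196.0.0/28", "10.196.0.16/28"]  # CIDRs from Comment 8
    for port in (22, 6443, 22623):
        print(port, uncovered_cidrs(SAMPLE_SG_JSON, machine_network, port))
```

An empty list for a port means every machineNetwork CIDR is admitted on it; any CIDR returned is one that would still need a rule.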

Comment 11 errata-xmlrpc 2023-01-17 19:49:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

