failure creating openstack LoadBalancer when workers include a provider Network secondary interface

    • Important
    • Yes
    • ShiftStack Sprint 243, ShiftStack Sprint 244
    • 2
    • Rejected
    • False
    • Previously, deployments on {rh-openstack} nodes with additional ports with the `enable_port_security` field set to `false` were prevented from creating LoadBalancer services. With this update, this issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-22246[*OCPBUGS-22246*])

      A bug got fixed that prevented creation of LoadBalancer Services in deployments on OSP where nodes had additional ports with enable_port_security set to false.
    • Bug Fix
    • Proposed

      Description of problem:

      While creating a service with type:LoadBalancer when the workers include provider network secondary interfaces, CCM complains:

      2023-10-21T04:16:47.399130931Z E1021 04:16:47.398913       1 controller.go:291] error processing service lb-tcp-verification-ns/lb-tcp-verification-svc (will retry): failed to ensure load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {"NeutronError": {"type": "PortSecurityAndIPRequiredForSecurityGroups", "message": "Port security must be enabled and port must have an IP address in order to use security groups.", "detail": ""}}
      2023-10-21T04:16:47.399130931Z I1021 04:16:47.399031       1 event.go:307] "Event occurred" object="lb-tcp-verification-ns/lb-tcp-verification-svc" fieldPath="" kind="Service" apiVersion="v1" type="Warning" reason="SyncLoadBalancerFailed" message="Error syncing load balancer: failed to ensure load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {\"NeutronError\": {\"type\": \"PortSecurityAndIPRequiredForSecurityGroups\", \"message\": \"Port security must be enabled and port must have an IP address in order to use security groups.\", \"detail\": \"\"}}

      Version-Release number of selected component (if applicable): 4.14 with OVN-K and OpenShiftSDN NetworkType. Issue is observed in 17.1 and 16.2 latest delivered puddles. This issue is a regression: it is not observed in <=4.13.
      How reproducible: Always
      Steps to Reproduce: Deploy cluster with provider network secondary interfaces and create a service with type:LoadBalancer.
      Actual results: The service never becomes ready.
      Expected results: The service is working as expected.
      Additional info: Must-gather provided in a private comment.

            mdulko Michał Dulko
            rlobillo Ramón Lobillo
            Ramón Lobillo Ramón Lobillo
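
A triage sketch for the CCM log lines quoted in the report, added here as an example and not part of the bug report or of the CCM code: it pulls the service, the Neutron port ID and the NeutronError type out of both the plain error line and the event line whose JSON has escaped quotes. The function names and the shortened sample lines are assumptions made for the example.

```python
import json
import re
from collections import Counter

# Constructed sample: the two CCM log lines from the report, shortened.
SAMPLE = r'''
E1021 04:16:47.398913 1 controller.go:291] error processing service lb-tcp-verification-ns/lb-tcp-verification-svc (will retry): failed to ensure load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {"NeutronError": {"type": "PortSecurityAndIPRequiredForSecurityGroups", "message": "Port security must be enabled.", "detail": ""}}
I1021 04:16:47.399031 1 event.go:307] "Event occurred" object="lb-tcp-verification-ns/lb-tcp-verification-svc" kind="Service" type="Warning" reason="SyncLoadBalancerFailed" message="Error syncing load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {\"NeutronError\": {\"type\": \"PortSecurityAndIPRequiredForSecurityGroups\", \"message\": \"Port security must be enabled.\", \"detail\": \"\"}}"
'''

# Service and port as they appear in the "reconciling security groups" message.
PORT_RE = re.compile(
    r"for LB service (?P<svc>\S+): failed to update security group "
    r"for port (?P<port>[0-9a-f-]{36}):")

def neutron_error(line):
    """Return the NeutronError dict embedded in a CCM log line, or None."""
    _, sep, tail = line.partition("error message: ")
    if not sep:
        return None
    tail = tail.strip()
    if tail.startswith('{\\"'):  # event lines carry the JSON with escaped quotes
        tail = tail.replace('\\"', '"')
    try:
        # raw_decode tolerates trailing text such as the closing quote of message="..."
        obj, _ = json.JSONDecoder().raw_decode(tail)
    except json.JSONDecodeError:
        return None  # truncated or malformed body
    return obj.get("NeutronError") if isinstance(obj, dict) else None

def summarize(log_text):
    """Count failures per (service, port ID, Neutron error type)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PORT_RE.search(line)
        err = neutron_error(line)
        if m and err:
            hits[(m["svc"], m["port"], err.get("type"))] += 1
    return hits

if __name__ == "__main__":
    for (svc, port, etype), n in summarize(SAMPLE).items():
        print(f"{n}x {svc} port={port} {etype}")
```

Each port ID in the summary can then be looked up in Neutron to confirm whether it is one of the additional ports with port security disabled that the release note describes.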