failure creating openstack LoadBalancer when workers include a provider Network secondary interface

      Previously, `LoadBalancer` services were not created for a deployment when a node contained additional ports that each had the `enable_port_security` parameter set to `false`. Now, `LoadBalancer` services are created for a deployment that contains additional ports with this setting. (link:https://issues.redhat.com/browse/OCPBUGS-22974[*OCPBUGS-22974*])
    • Bug Fix
    • Done

      Description of problem:

      While creating a service with type:LoadBalancer and the workers include provider network secondary interfaces, CCM is complaining:

      2023-10-21T04:16:47.399130931Z E1021 04:16:47.398913       1 controller.go:291] error processing service lb-tcp-verification-ns/lb-tcp-verification-svc (will retry): failed to ensure load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {"NeutronError": {"type": "PortSecurityAndIPRequiredForSecurityGroups", "message": "Port security must be enabled and port must have an IP address in order to use security groups.", "detail": ""}}
      2023-10-21T04:16:47.399130931Z I1021 04:16:47.399031       1 event.go:307] "Event occurred" object="lb-tcp-verification-ns/lb-tcp-verification-svc" fieldPath="" kind="Service" apiVersion="v1" type="Warning" reason="SyncLoadBalancerFailed" message="Error syncing load balancer: failed to ensure load balancer: failed when reconciling security groups for LB service lb-tcp-verification-ns/lb-tcp-verification-svc: failed to update security group for port 6d2389f1-5f47-4130-bb00-2dc61a6af1e4: Bad request with: [PUT https://overcloud.redhat.local:13696/v2.0/ports/6d2389f1-5f47-4130-bb00-2dc61a6af1e4], error message: {\"NeutronError\": {\"type\": \"PortSecurityAndIPRequiredForSecurityGroups\", \"message\": \"Port security must be enabled and port must have an IP address in order to use security groups.\", \"detail\": \"\"}}

      Version-Release number of selected component (if applicable): 4.14 with OVN-K and OpenShiftSDN NetworkType. Issue is observed in 17.1 and 16.2 latest delivered puddles. This issue is a regression: it is not observed in <=4.13.
      How reproducible: Always
      Steps to Reproduce: Deploy cluster with provider network secondary interfaces and create a service with type:LoadBalancer.
      Actual results: The service never becomes ready.
      Expected results: The service is working as expected.
      Additional info: Must-gather provided on private comment.
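
A triage helper for the failure quoted above, as an added example that is not part of the original report or of the cloud provider's code: it scans CCM log lines for the `PortSecurityAndIPRequiredForSecurityGroups` rejection and lists which Neutron ports blocked which services. The function names and the sample lines (shortened from the two log shapes in the report) are constructed for illustration.

```python
import json
import re
from collections import defaultdict

NEUTRON_ERR = "PortSecurityAndIPRequiredForSecurityGroups"
MARK = "error message: "
PORT_RE = re.compile(r"LB service (?P<svc>\S+): failed to update security group "
                     r"for port (?P<port>[0-9a-f-]{36})")

# Constructed sample lines, shortened from the two shapes quoted in the report:
# controller.go carries raw JSON, event.go carries the same JSON escaped.
SVC = "lb-tcp-verification-ns/lb-tcp-verification-svc"
PORT = "6d2389f1-5f47-4130-bb00-2dc61a6af1e4"
JSON_BODY = '{"NeutronError": {"type": "%s", "detail": ""}}' % NEUTRON_ERR
TAIL = (f"for LB service {SVC}: failed to update security group "
        f"for port {PORT}: error message: ")
SAMPLE = [
    "E1021 04:16:47.398913 1 controller.go:291] ... " + TAIL + JSON_BODY,
    'I1021 04:16:47.399031 1 event.go:307] message="... ' + TAIL
    + JSON_BODY.replace('"', '\\"') + '"',
    "I1021 04:16:48.000000 1 controller.go:100] unrelated line",
]

def parse_line(line):
    """Return (service, port_id, neutron_error_type), or None if no match."""
    m = PORT_RE.search(line)
    idx = line.find(MARK)
    if not m or idx < 0:
        return None
    # event.go embeds the JSON inside a quoted field, so unescape it first.
    raw = line[idx + len(MARK):].replace('\\"', '"')
    try:
        body, _ = json.JSONDecoder().raw_decode(raw)  # ignores trailing text
    except json.JSONDecodeError:
        return None
    err = body.get("NeutronError") if isinstance(body, dict) else None
    return m["svc"], m["port"], err.get("type") if isinstance(err, dict) else None

def affected_ports(lines):
    """Map each rejected port ID to the sorted list of services it blocked."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == NEUTRON_ERR:
            hits[rec[1]].add(rec[0])
    return {port: sorted(svcs) for port, svcs in hits.items()}

if __name__ == "__main__":
    for port, svcs in affected_ports(SAMPLE).items():
        print(port, "->", ", ".join(svcs))
```

Each port ID it reports can then be looked up in Neutron to confirm whether port security is disabled on it.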

              mdulko Michał Dulko (Inactive)
              rlobillo Ramón Lobillo