Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-30247

Failure creating MachineSet ports when using securityGroups

XMLWordPrintable

    • -
    • Important
    • No
    • ShiftStack Sprint 250
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Deployment of an SR-IOV/DPDK MachineSet fails creating ports due to securityGroups failure. 

      The MachineSets configurations are according to the official documentation. [0]

      $ oc get events -n openshift-machine-api | grep Failed

96s         Warning   Failedcreateport                    machine/ostest-9b6s2-worker-1-4m2wr   Failed to create port ostest-9b6s2-worker-1-4m2wr-dpdk_net_nic0_9_normal_worker-1_port: Bad request with: [POST http://10.46.96.71:9696/v2.0/ports], error message: {"NeutronError": {"type": "PortSecurityAndIPRequiredForSecurityGroups", "message": "Port security must be enabled and port must have an IP address in order to use security groups.", "detail": ""}}

      Version-Release number of selected component (if applicable):

      OCP 4.15.0-0.nightly-2024-02-21-222537 on top of RHOS-17.1-RHEL-9-20240123.n.1.

IPI telco env.

      How reproducible:

      Always

      Steps to Reproduce:

          1. Install OSP for Telco env
    2. Deploy a OCP cluster with no workers using IPI method
    3. Create SR-IOV/DPDK MachineSets according to https://docs.openshift.com/container-platform/4.15/machine_management/creating_machinesets/creating-machineset-osp.html#machineset-yaml-osp-sr-iov_creating-machineset-osp     

      Actual results:

      The machine creation is stuck on "Provisioning" due to PortSecurityAndIPRequiredForSecurityGroups:
```
96s Warning Failedcreateport machine/ostest-9b6s2-worker-1-4m2wr Failed to create port ostest-9b6s2-worker-1-4m2wr-dpdk_net_nic0_9_normal_worker-1_port: Bad request with: [POST http://10.46.96.71:9696/v2.0/ports], error message: {"NeutronError": {"type": "PortSecurityAndIPRequiredForSecurityGroups", "message": "Port security must be enabled and port must have an IP address in order to use security groups.", "detail": ""}}
```

      Expected results:

      The machine and node are up after applying the MachineSet config

      Additional info:

      1. We had a similar bug with LB - https://issues.redhat.com/browse/OCPBUGS-22246

2. If we are removing the securityGroups config from the MachineSet, the failure is not reproduced, and the node comes up

       

       [0] https://docs.openshift.com/container-platform/4.15/machine_management/creating_machinesets/creating-machineset-osp.html#machineset-yaml-osp-sr-iov_creating-machineset-osp 

            pprinett@redhat.com Pierre Prinetti
            rhn-support-imatza Itay Matza
            Itshak Brown Itshak Brown
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: