Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.20.0
Affects Version/s: 4.17
Component/s: Networking / On-Prem Load Balancer
Labels:

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.20.0
Release Blocker:
None
Sprint:
None

Customer Impact:

Customer Escalated

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Before this update, one of the `keepalived` health check scripts was failing due to missing permissions. This could cause the ingress VIP to be misplaced when shared ingress services were in use. With this release, the necessary permission was added back to the container so the health check now works correctly. (link:https://issues.redhat.com/browse/OCPBUGS-55681[OCPBUGS-55681])

Show
* Before this update, one of the `keepalived` health check scripts was failing due to missing permissions. This could cause the ingress VIP to be misplaced when shared ingress services were in use. With this release, the necessary permission was added back to the container so the health check now works correctly. (link: https://issues.redhat.com/browse/OCPBUGS-55681 [ OCPBUGS-55681 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

The chk_default_ingress script used by keepalived to determine where the ingress VIP should be located is perma-failing at least back to 4.17. In clusters with sharded ingress, this can cause the VIP to be placed on a node hosting a shard and not the default ingress, which breaks access to core ingress services.

Version-Release number of selected component (if applicable):

Initially reported against 4.17.23, but also present on 4.19.

How reproducible:

Always

Steps to Reproduce:

    1. Deploy on-prem IPI cluster
    2. Check keepalived logs on the node holding the ingress VIP
    3.

Actual results:

    chk_default_ingress check failing

Expected results:

chk_default_ingress check passing

Additional info:

    It looks like this is a permission problem. The chroot into /host is failing.

blocks

OCPBUGS-56623 chk_default_ingress perma-failing

Closed

is cloned by

OCPBUGS-56623 chk_default_ingress perma-failing

Closed

links to

KCS for this issue.

openshift/machine-config-operator#5032: OCPBUGS-55681: Give keepalived container chroot cap

Assignee:: Benjamin Nemec

Reporter:: Benjamin Nemec

Need Info From:: None

Contributors:: None

QA Contact:: Ross Brattain

Doc Contact:: None

Votes:: 2 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2025/05/02 7:39 PM

Updated:: 2025/10/14 3:56 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide