Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-8035

[IBMCloud] fail to ssh to master/bootstrap/worker nodes from the bastion inside a customer vpc.

XMLWordPrintable

    • No
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, SSH access to bootstrap and cluster nodes failed when the bastion host ran in the same VPC network as the cluster nodes. Additionally, this configuration caused SSH access from the temporary bootstrap node to the cluster nodes to fail. These issues are now fixed by updating the the IBM Cloud `SecurityGroupRules` to support SSH traffic between the temporary bootstrap node and cluster nodes, and to support SSH traffic from a bastion host to cluster nodes on the same VPC network. Log and debug information can be accuretly collected for analysis during installer-provisioned infrastructure failure.(link:https://issues.redhat.com/browse/OCPBUGS-8035[*OCPBUGS-8035*])
      Show
      * Previously, SSH access to bootstrap and cluster nodes failed when the bastion host ran in the same VPC network as the cluster nodes. Additionally, this configuration caused SSH access from the temporary bootstrap node to the cluster nodes to fail. These issues are now fixed by updating the the IBM Cloud `SecurityGroupRules` to support SSH traffic between the temporary bootstrap node and cluster nodes, and to support SSH traffic from a bastion host to cluster nodes on the same VPC network. Log and debug information can be accuretly collected for analysis during installer-provisioned infrastructure failure.(link: https://issues.redhat.com/browse/OCPBUGS-8035 [* OCPBUGS-8035 *])
    • Bug Fix
    • Done

      Description of problem:

      install discnnect private cluster, ssh to master/bootstrap nodes from the bastion on the vpc failed.

      Version-Release number of selected component (if applicable):

      Pre-merge build https://github.com/openshift/installer/pull/6836
      registry.build05.ci.openshift.org/ci-ln-5g4sj02/release:latest
      Tag: 4.13.0-0.ci.test-2023-02-27-033047-ci-ln-5g4sj02-latest

      How reproducible:

      always

      Steps to Reproduce:

      1.Create bastion instance maxu-ibmj-p1-int-svc 
      2.Create vpc on the bastion host 
      3.Install private disconnect cluster on the bastion host with mirror registry 
      4.ssh to the bastion  
      5.ssh to the master/bootstrap nodes from the bastion 

      Actual results:

      [core@maxu-ibmj-p1-int-svc ~]$ ssh -i ~/openshift-qe.pem core@10.241.0.5 -v
      OpenSSH_8.8p1, OpenSSL 3.0.5 5 Jul 2022
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
      debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
      debug1: configuration requests final Match pass
      debug1: re-parsing configuration
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
      debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
      debug1: Connecting to 10.241.0.5 [10.241.0.5] port 22.
      debug1: connect to address 10.241.0.5 port 22: Connection timed out
      ssh: connect to host 10.241.0.5 port 22: Connection timed out

      Expected results:

      ssh succeed.

      Additional info:

      $ibmcloud is sg-rules r014-5a6c16f4-8a4c-4c02-ab2d-626c14f72a77 --vpc maxu-ibmj-p1-vpc
      Listing rules of security group r014-5a6c16f4-8a4c-4c02-ab2d-626c14f72a77 under account OpenShift-QE as user ServiceId-dff277a9-b608-410a-ad24-c544e59e3778...
      ID                                          Direction   IP version   Protocol                      Remote   
      r014-6739d68f-6827-41f4-b51a-5da742c353b2   outbound    ipv4         all                           0.0.0.0/0   
      r014-06d44c15-d3fd-4a14-96c4-13e96aa6769c   inbound     ipv4         all                           shakiness-perfectly-rundown-take   r014-25b86956-5370-4925-adaf-89dfca9fb44b   inbound     ipv4         tcp Ports:Min=22,Max=22       0.0.0.0/0   
      r014-e18f0f5e-c4e5-44a5-b180-7a84aa59fa97   inbound     ipv4         tcp Ports:Min=3128,Max=3129   0.0.0.0/0   
      r014-7e79c4b7-d0bb-4fab-9f5d-d03f6b427d89   inbound     ipv4         icmp Type=8,Code=0            0.0.0.0/0   
      r014-03f23b04-c67a-463d-9754-895b8e474e75   inbound     ipv4         tcp Ports:Min=5000,Max=5000   0.0.0.0/0   
      r014-8febe8c8-c937-42b6-b352-8ae471749321   inbound     ipv4         tcp Ports:Min=6001,Max=6002   0.0.0.0/0   

            cschaefe@redhat.com Christopher Schaefer
            maxu@redhat.com May Xu
            Johnny Liu Johnny Liu
            Darragh Fitzmaurice Darragh Fitzmaurice
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: