Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-6950

InstanceHA documentation does not mention about compute nodes with vTPM-enabled VM instances

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • rhos-17.1.3
    • rhos-17.1.0
    • documentation
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • Moderate

      Q. Description of problem:

      Ans:

      While testing the Compute InstanceHA feature using the guide [0], we encounter a problem with the unfencing of the InstanceHA node.

      ~~~
      $ sudo pcs status --full
      ...
      Failed Fencing Actions:

      • unfencing of compute04 by control02 for pacemaker-controld.35549@control01 last failed (Fence agent did not complete within 60s) at ...
        ...
        ~~~

      Upon investigating we found that the "evacuate" property for the InstanceHA node `compute04` (crashed for testing) is not automatically resetting to 'no'. So, we manually set it to 'no', and the "unfencing" failed action got cleaned up returning successful unfencing of the node.

      ~~~
      $ sudo attrd_updater --query --all --name=evacuate
      name="evacuate" host="compute04.redhat.local" value="yes"

      $ attrd_updater -p -n evacuate -N compute04.redhat.local -U no'

      $ sudo attrd_updater --query --all --name=evacuate
      name="evacuate" host="compute04.redhat.local" value="no"
      ~~~

      Upon further investigation, we found that the InstanceHA node `compute04` has vTPM-enabled VM instances. Reference doc [2].

      And, considering the limitation [1] stated in the official documentation [2], the unfencing of the Compute InstanceHA node will fail if there are vTPM-enabled instances residing on the Compute InstanceHA node being fenced because the vTPM-enabled instances cannot be evacuated.

      In the Compute InstanceHA documentation [3], it is not explicitly mentioned (as a note) that the unfencing will fail for the Compute InstanceHA node that has vTPM-enabled instances.

      Q. How reproducible:

      Ans: Always.

      Q. Steps to Reproduce:

      Ans:
      1. Deploy Compute InstanceHA node [3].
      2. Create vTPM-enabled instances [2].
      3. Test the InstanceHA feature [0].

      Q. Actual results:

      Ans: In the Compute InstanceHA documentation [3], it is not explicitly mentioned (as a note) that the unfencing will fail for the Compute InstanceHA node that has vTPM-enabled instances.

      Q. Expected results:

      Ans: In the Compute InstanceHA documentation [3], there should be a note mentioning that the unfencing will fail for the Compute InstanceHA node that has vTPM-enabled instances.

      [0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html-single/configuring_high_availability_for_instances/index#proc_testing-instanceha-evacuation_instanceha-install-config

      [1]

      ~~~
      *Limitations of instances with vTPM devices*

      • You cannot live migrate or evacuate instances that have vTPM devices. <<<<
      • You cannot rescue or shelve instances that have vTPM devices.
      • The instance must have the Q35 machine type.
        ~~~

      [2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html/configuring_the_compute_service_for_instance_creation/assembly_configuring-instance-security_vgpu

      [3] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html-single/configuring_high_availability_for_instances/index

              rhn-support-gbrinn Gareth Brinn
              rhn-support-sapaul Saumik Paul
              rhos-dfg-pidone
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: