RFE-5294

IPI-OpenStack installation on port_security_enabled=false network

Details

    • Feature Request
    • Resolution: Unresolved
    • Blocker
    • None
    • openshift-4.15
    • Installer

    Description

      1. Proposed title of this feature request

      Support to install OCP using IPI-OpenStack on port_security_enabled=false network

      2. What is the nature and description of the request?

      My customer created a Neutron network and disabled port security:

      openstack network set --disable-port-security <network-id>
      

      After that, the customer tried to install OCP 4.15 on the network using IPI-OpenStack, but it failed with the following error.
      When port security is enabled, allowed-address-pairs cannot be set.
      The IPI-OpenStack installer tried to set allowed-address-pairs even though port security is disabled, that's why this error occurs.

      ERROR Error: Error creating openstack_networking_port_v2: Expected HTTP response code [201 202] when accessing [POST http://openstack.example.com:9696/v2.0/ports], but got 409 instead
      ERROR {"NeutronError": {"type": "AddressPairAndPortSecurityRequired", "message": "Port Security must be enabled in order to have allowed address pairs on a port.", "detail": ""}}
      ERROR
      ERROR   with openstack_networking_port_v2.masters[0],
      ERROR   on private-network.tf line 46, in resource "openstack_networking_port_v2" "masters":
      ERROR   46: resource "openstack_networking_port_v2" "masters" 
      

      According to the following document, port security must be enabled to do IPI-OpenStack install:

      The following is the implementation where the error occurs. 
      I can see that Terraform attempts to set allowed-address-pairs regardless of the port security setting.

      If port security is not set, we don't need to set allowed-address-pairs, because all traffic is allowed by disabling port security.
      Would we be able to add some implementation not to set allowed-address-pairs when port security is disabled?
      Could we support IPI-OpenStack installation on port_security_enabled=false network?

      3. Why does the customer need this? (List the business requirements here)

      The customer disables port security and they don't want to enable port security.
      And, disabling port security is reasonable especially when we use MetalLB on Shift-on-Stack.
      IMO, it's reasonable to support IPI-OpenStack installation on port_security_enabled=false network.

      4. List any affected packages or components.

      ocp-installer
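
The behaviour requested in section 2, shown as an added example (not code from the installer or from the reporter): the Neutron port request carries allowed_address_pairs only when the target network reports port security as enabled. `BuildPortRequest`, the struct names, the network ID and the VIP addresses are hypothetical, and the network reply is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// networkResp is the part of Neutron's GET /v2.0/networks/{id} reply used here.
type networkResp struct {
	Network struct {
		ID                  string `json:"id"`
		PortSecurityEnabled *bool  `json:"port_security_enabled"` // nil = field absent
	} `json:"network"`
}

type addressPair struct {
	IPAddress string `json:"ip_address"`
}

type portBody struct {
	Name                string        `json:"name"`
	NetworkID           string        `json:"network_id"`
	AllowedAddressPairs []addressPair `json:"allowed_address_pairs,omitempty"`
}

// BuildPortRequest (hypothetical helper) returns the POST /v2.0/ports body for a
// node port. VIPs are sent as allowed_address_pairs only when port security is
// enabled; otherwise Neutron answers 409 AddressPairAndPortSecurityRequired.
func BuildPortRequest(networkJSON []byte, name string, vips []string) ([]byte, error) {
	var n networkResp
	if err := json.Unmarshal(networkJSON, &n); err != nil {
		return nil, fmt.Errorf("parse network: %w", err)
	}
	p := portBody{Name: name, NetworkID: n.Network.ID}
	// Assumption: a missing field is treated as enabled (Neutron's default).
	if n.Network.PortSecurityEnabled == nil || *n.Network.PortSecurityEnabled {
		for _, ip := range vips {
			p.AllowedAddressPairs = append(p.AllowedAddressPairs, addressPair{IPAddress: ip})
		}
	}
	return json.Marshal(map[string]portBody{"port": p})
}

func main() {
	// Constructed sample reply for a network set with --disable-port-security.
	net := []byte(`{"network":{"id":"net-1234","port_security_enabled":false}}`)
	body, err := BuildPortRequest(net, "master-0", []string{"192.0.2.5", "192.0.2.7"})
	fmt.Println(string(body), err)
}
```

With port security disabled, Neutron applies neither security groups nor anti-spoofing rules to the port, so any traffic filtering for these nodes has to be provided elsewhere.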


          People

            grosenbe-redhat.com Gil Rosenberg
            rhn-support-yatanaka Yamato Tanaka