OpenStack known issues

This section lists the OpenStack known issues with workarounds for the Mirantis OpenStack for Kubernetes release 21.6.

• [25594] Security groups shared through RBAC cannot be used to create instances

• [23985] Federated authorization fails after updating Keycloak URL

• [6912] Octavia load balancers may not work properly with DVR

• [16495] Failure to reschedule OpenStack deployment pods after a node recovery

• [18713] Inability to remove a Glance image after an unsuccessful instance spawn

• [19274] Horizon container missing proxy variables

• [19065] Octavia load balancers lose Amphora VMs after failover

---

[25594] Security groups shared through RBAC cannot be used to create instances

Fixed in MOSK 22.5 for Yoga

It is not possible to create an instance that uses a security group shared through role-based access control (RBAC) with only specifying the network ID when calling Nova. In such case, before creating a port in the given network, Nova verifies if the given security group exists in Neutron. However, Nova asks only for the security groups filtered by project_id. Therefore, it will not get the shared security group back from the Neutron API. For details, see the OpenStack known issue #1942615.

Workaround:

1. Create a port in Neutron:

   openstack port create --network <NET> --security-group <SG_ID> shared-sg-port
   

2. Pass the created port to Nova:

   openstack server create --image <IMAGE> --flavor <FLAVOR> --port shared-sg-port vm-with-shared-sg
   

Note

if SGs shared through RBAC is used, apply them to ports only not to instances directly.

---

[23985] Federated authorization fails after updating Keycloak URL

Fixed in MOSK 22.3

After updating the Keycloak URL in the OpenStackDeployment resource through the spec.features.keystone.keycloak.url or spec.features.keystone.keycloak.oidc.OIDCProviderMetadataURL fields, authentication to Keystone through federated OpenID Connect through Keycloak stops working returning HTTP 403 Unauthorized on authentication attempt.

The failure occurs because such change is not automatically propagated to the corresponding Keycloak identity provider, which was automatically created in Keystone during the initial deployment.

The workaround is to manually update the identity provider’s remote_ids attribute:

1. Compare the Keycloak URL set in the OpenStackDeployment resource with the one set in Keystone identity provider:

   kubectl -n openstack get osdpl -ojsonpath='{.items[].spec.features.keystone.keycloak}
   # vs
   openstack identity provider show keycloak -f value -c remote_ids
   

2. If the URLs do not coincide, update the identity provider in OpenStack with the correct URL keeping the auth/realms/iam part as shown below. Otherwise, the problem is caused by something else, and you need to proceed with the debugging.

   openstack identity provider set keycloak --remote-id <new-correct-URL>/auth/realms/iam
   

---

[6912] Octavia load balancers may not work properly with DVR

Limitation

When Neutron is deployed in the DVR mode, Octavia load balancers may not work correctly. The symptoms include both failure to properly balance traffic and failure to perform an amphora failover. For details, see DVR incompatibility with ARP announcements and VRRP.

---

[16495] Failure to reschedule OpenStack deployment pods after a node recovery

Fixed in MOS 22.1

Kubernetes does not reschedule OpenStack deployment pods after a node recovery.

As a workaround, delete all pods of the deployment:

for i in $(kubectl -n openstack get deployments |grep -v NAME | awk '{print $1}');
do
kubectl -n openstack rollout restart deployment/$i;
done

Once done, the pods will respawn automatically.

---

[18713] Inability to remove a Glance image after an unsuccessful instance spawn

Fixed in MOS 22.1

When image signature verification is enabled and the signature is incorrect on the image, it is impossible to remove a Glance image right after an unsuccessful instance spawn attempt. As a workaround, wait for at least one minute before trying to remove the image.

---

[19274] Horizon container missing proxy variables

Fixed in MOS 22.1

Horizon container is missing proxy variables. As a result, it is not possible to create a Heat stack by specifying the Heat template as a URL link. As a workaround, use a different upload method and specify the file from a local folder.

---

[19065] Octavia load balancers lose Amphora VMs after failover

Fixed in MOSK 22.3

If an Amphora VM does not respond or responds too long to heartbeat requests, the Octavia load balancer automatically initiates a failover process after 60 seconds of unsuccessful attempts. Long responses of an Amphora VM may be caused by various events, such as a high load on the OpenStack compute node that hosts the Amphora VM, network issues, system service updates, and so on. After a failover, the Amphora VMs may be missing in the completed Octavia load balancer.

Workaround:

• If your deployment is already affected, manually restore the work of the load balancer by recreating the Amphora VM:

  1. Define the load balancer ID:

     openstack loadbalancer amphora list --column loadbalancer_id --format value --status ERROR
     

  2. Start the load balancer failover:

     openstack loadbalancer failover <Load balancer ID>
     

• To avoid an automatic failover start that may cause the issue, set the heartbeat_timeout parameter in the OpenStackDeployment CR to a large value in seconds. The default is 60 seconds. For example:

  spec:
    services:
      load-balancer:
        octavia:
          values:
            conf:
              octavia:
                health_manager:
                  heartbeat_timeout: 31536000