OpenStack known issues and limitations


Limitations

Due to limitations in the Octavia and MOS integration, clusters where Neutron is deployed in the Distributed Virtual Router (DVR) mode are not stable. Therefore, Mirantis does not recommend such a configuration for production deployments.


[9809] The default max_pods setting does not allow upgrading a cluster

Fixed in MOS 21.1

During the update of a MOS cluster, pods may get stuck in the Pending state with a warning similar to the following example:

Warning FailedScheduling <unknown> default-scheduler 0/9 nodes are available:
1 node(s) were unschedulable, 2 Too many pods, 6 node(s) didn't match node selector.

Workaround

  1. Before you update the managed cluster:

    1. Set kubelet_max_pods to 250:

      # Resolve the UCP endpoint of the managed cluster and obtain an admin token
      UCP_HOST=$(kubectl -n <child name space> get clusters <child name> -o jsonpath='{.status.providerStatus.ucpDashboard}')
      AUTHTOKEN=$(curl --silent --insecure --data '{"username":"admin","password":"<PASSWORD>"}' "$UCP_HOST/auth/login" | jq --raw-output .auth_token)
      # Download the current configuration and raise the per-node pod limit
      curl --insecure -X GET "$UCP_HOST/api/ucp/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > ucp-config.toml
      sed -i 's/kubelet_max_pods = 110/kubelet_max_pods = 250/g' ucp-config.toml
      # Upload the edited configuration through the restricted API
      curl --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'ucp-config.toml' -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" "$UCP_HOST/api/ucp/config-toml"
      curl --insecure -X PUT "$UCP_HOST/api/ucp/config/tuning" -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" -H "Authorization: Bearer $AUTHTOKEN" --data '{"kaasManagedCluster":true}'
      
    2. Verify that the changes have been applied:

      kubectl get nodes -o jsonpath='{.items[*].status.capacity.pods}'
      

      Example of a positive system response:

      250 250 250 250 250 250 250 250 250
      
  2. After you update the managed cluster, set kubelet_max_pods back to the default value of 110:

    # Resolve the UCP endpoint of the managed cluster and obtain an admin token
    UCP_HOST=$(kubectl -n <child name space> get clusters <child name> -o jsonpath='{.status.providerStatus.ucpDashboard}')
    AUTHTOKEN=$(curl --silent --insecure --data '{"username":"admin","password":"<PASSWORD>"}' "$UCP_HOST/auth/login" | jq --raw-output .auth_token)
    # Download the current configuration and restore the default per-node pod limit
    curl --insecure -X GET "$UCP_HOST/api/ucp/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > ucp-config.toml
    sed -i 's/kubelet_max_pods = 250/kubelet_max_pods = 110/g' ucp-config.toml
    # Upload the edited configuration through the restricted API
    curl --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'ucp-config.toml' -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" "$UCP_HOST/api/ucp/config-toml"
    curl --insecure -X PUT "$UCP_HOST/api/ucp/config/tuning" -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" -H "Authorization: Bearer $AUTHTOKEN" --data '{"kaasManagedCluster":true}'
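
The sed commands in the workaround match only the exact strings "kubelet_max_pods = 110" and "kubelet_max_pods = 250", so a file that holds any other value or spacing is uploaded unchanged. The following added example (not part of the original Mirantis procedure) edits the key whatever its current value, fails if the edit did not take effect, and checks the output of the verification command. The function names, the sample TOML content, and the other_setting key are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: helper functions are hypothetical, not Mirantis tooling.

# set_kubelet_max_pods FILE VALUE
# Rewrites kubelet_max_pods in a downloaded ucp-config.toml regardless of its
# current value; fails unless exactly one such line exists and ends up as VALUE.
set_kubelet_max_pods() {
  local file=$1 value=$2 count
  case $value in ''|*[!0-9]*) echo "value must be an integer" >&2; return 2 ;; esac
  count=$(grep -Ec '^[[:space:]]*kubelet_max_pods[[:space:]]*=' "$file" || true)
  if [ "$count" -ne 1 ]; then
    echo "expected 1 kubelet_max_pods line in $file, found $count" >&2
    return 1
  fi
  sed -i -E "s/^([[:space:]]*kubelet_max_pods[[:space:]]*=[[:space:]]*)[0-9]+/\1${value}/" "$file"
  # Confirm the edit before the file is uploaded back to the cluster.
  grep -Eq "^[[:space:]]*kubelet_max_pods[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file"
}

# all_nodes_have_capacity EXPECTED "CAPACITIES"
# CAPACITIES is the space-separated output of the page's verification command:
#   kubectl get nodes -o jsonpath='{.items[*].status.capacity.pods}'
all_nodes_have_capacity() {
  local expected=$1 cap seen=0
  for cap in $2; do
    seen=$((seen + 1))
    [ "$cap" = "$expected" ] || { echo "node #$seen reports $cap, want $expected" >&2; return 1; }
  done
  [ "$seen" -gt 0 ]   # empty output means nothing was verified
}

# Constructed sample standing in for the downloaded ucp-config.toml; the value
# 180 is one the page's literal sed pattern would silently skip.
demo() {
  local tmp
  tmp=$(mktemp)
  printf '[cluster_config]\n  kubelet_max_pods = 180\n  other_setting = 110\n' > "$tmp"
  set_kubelet_max_pods "$tmp" 250 && cat "$tmp"
  all_nodes_have_capacity 250 "250 250 250" && echo "all nodes at 250"
  all_nodes_have_capacity 250 "250 110 250" || echo "update not yet applied everywhere"
  rm -f "$tmp"
}
demo
```
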
    

[6912] Octavia load balancers may not work properly with DVR

Limitation

When Neutron is deployed in the DVR mode, Octavia load balancers may not work correctly. The symptoms include both failure to properly balance traffic and failure to perform an amphora failover. For details, see DVR incompatibility with ARP announcements and VRRP.


[8573] External authentication to Horizon fails to log in a different user

Fixed in MOS 21.1

Horizon retains the user’s credentials following their initial login using External Authentication Service, and does not allow logging in with another user’s credentials.

Workaround:

  1. Clear cookies in your browser.

  2. Select External Authentication Service on the Horizon login page.

  3. Click Sign In. The Keycloak login page opens.

    If the following error occurs, refresh the page and try again:

    CSRF token missing or incorrect. Cookies may be turned off.
    Make sure cookies are enabled and try again.