OpenStack known issues and limitations¶
[9809] The default max_pods setting does not allow upgrading a cluster
[6912] Octavia load balancers may not work properly with DVR
[8573] External authentication to Horizon fails to log in a different user
Limitations¶
Due to limitations in the Octavia and MOS integration, the clusters where Neutron is deployed in the Distributed Virtual Router (DVR) mode are not stable. Therefore, Mirantis does not recommend such configuration for production deployments.
[9809] The default max_pods setting does not allow upgrading a cluster¶
Fixed in MOS 21.1
During update of a MOS cluster, the pods may get
stuck in the Pending
state with the following example warning:
Warning FailedScheduling <unknown> default-scheduler 0/9 nodes are available:
1 node(s) were unschedulable, 2 Too many pods, 6 node(s) didn't match node selector.
Workaround
Before you update the managed cluster:
Set
kubelet_max_pods
to250
:UCP_HOST=$(kubectl -n <child name space> get clusters <child name> -o jsonpath='{.status.providerStatus.ucpDashboard}') AUTHTOKEN=$(curl --silent --insecure --data '{"username":"admin","password":"<PASWORD>"}' $UCP_HOST/auth/login | jq --raw-output .auth_token) curl --insecure -X GET "$UCP_HOST/api/ucp/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > ucp-config.toml sed -i 's/kubelet_max_pods = 110/kubelet_max_pods = 250/g' ucp-config.toml curl --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'ucp-config.toml' -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" $UCP_HOST/api/ucp/config-toml curl -k -X PUT "$UCP_HOST/api/ucp/config/tuning" -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" -H "Authorization: Bearer $AUTHTOKEN" --data '{"kaasManagedCluster":true}'
Verify that the changes have been applied:
kubectl get nodes -o jsonpath='{.items[*].status.capacity.pods}'
Example of a positive system response:
250 250 250 250 250 250 250 250 250
After you update the managed cluster, set
kubelet_max_pods
to the default110
value:UCP_HOST=$(kubectl -n <child name space> get clusters <child name> -o jsonpath='{.status.providerStatus.ucpDashboard}') AUTHTOKEN=$(curl --silent --insecure --data '{"username":"admin","password":"<PASWORD>"}' $UCP_HOST/auth/login | jq --raw-output .auth_token) curl --insecure -X GET "$UCP_HOST/api/ucp/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > ucp-config.toml sed -i 's/kubelet_max_pods = 250/kubelet_max_pods = 110/g' ucp-config.toml curl --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'ucp-config.toml' -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" $UCP_HOST/api/ucp/config-toml curl -k -X PUT "$UCP_HOST/api/ucp/config/tuning" -H "X-Ucp-Allow-Restricted-Api: i-solemnly-swear-i-am-up-to-no-good" -H "Authorization: Bearer $AUTHTOKEN" --data '{"kaasManagedCluster":true}'
[6912] Octavia load balancers may not work properly with DVR¶
Limitation
When Neutron is deployed in the DVR mode, Octavia load balancers may not work correctly. The symptoms include both failure to properly balance traffic and failure to perform an amphora failover. For details, see DVR incompatibility with ARP announcements and VRRP.
[8573] External authentication to Horizon fails to log in a different user¶
Fixed in MOS 21.1
Horizon retains the user’s credentials following their initial login using External Authentication Service, and does not allow to log in with another user credentials.
Workaround:
Clear cookies in your browser.
Select External Authentication Service on the Horizon login page.
Click Sign In. The Keycloak login page opens.
If the following error occurs, refresh the page and try again:
CSRF token missing or incorrect. Cookies may be turned off. Make sure cookies are enabled and try again.