Bug 1931974: Prefer IPv6 hostIP on bootstrap IPv6 deployments

[celebdor]

Kubelet can end up choosing IPv4 addresses as its hostIP, which after:

https://github.com/openshift/cluster-kube-apiserver-operator/pull/1042/files

mean that the kubernetes API service ends up with an endpoint being an
IPv4 address. This breaks the kubernetes API loadbalancer in the
service network and prevent the deployment from succeeding.

[openshift-ci-robot]

@celebdor: This pull request references Bugzilla bug 1931974, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target release (4.8.0) matches configured target release for branch (4.8.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

No GitHub users were found matching the public email listed for the QA contact in Bugzilla (vvoronko@redhat.com), skipping review request.

Details

In response to this:

Bug 1931974: Prefer IPv6 hostIP on bootstrap IPv6 deployments

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[celebdor]

still need to test it out

[celebdor]

@staebler that makes it simpler, thanks, It renders well

[asegurap@edge-24 installer]$ ssh core@fd2e:6f44:5dd8:c956::2c
[core@localhost ~]$ cat /etc/systemd/system/kubelet.service 
[Unit]
Description=Kubernetes Kubelet
Wants=rpc-statd.service crio.service release-image.service
After=crio.service release-image.service

[Service]
Type=notify
ExecStartPre=/bin/mkdir --parents /etc/kubernetes/manifests
ExecStartPre=/bin/mkdir --parents /etc/kubernetes/kubelet-plugins/volume/exec
ExecStartPre=/usr/local/bin/kubelet-pause-image.sh
Environment=KUBELET_RUNTIME_REQUEST_TIMEOUT=10m
EnvironmentFile=-/etc/kubernetes/kubelet-env
EnvironmentFile=-/etc/kubernetes/kubelet-pause-image-override

ExecStart=/usr/bin/hyperkube \
  kubelet \
    --anonymous-auth=false \
    --container-runtime=remote \
    --container-runtime-endpoint=/var/run/crio/crio.sock \
    --runtime-request-timeout=${KUBELET_RUNTIME_REQUEST_TIMEOUT} \
    --node-ip=:: \
    --pod-manifest-path=/etc/kubernetes/manifests \
    --minimum-container-ttl-duration=6m0s \
    --cluster-domain=cluster.local \
    --cgroup-driver=systemd \
    --serialize-image-pulls=false \
    --v=2 \
    --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
    --pod-infra-container-image=${MACHINE_CONFIG_INFRA_IMAGE}

Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
[core@localhost ~]$ 

[celebdor]

After rebase:

[asegurap@edge-24 installer]$ ssh core@fd2e:6f44:5dd8:c956::33
[core@localhost ~]$ cat /usr/local/bin/kubelet.sh 
#!/usr/bin/env bash

# shellcheck disable=SC1091  # using path on bootstrap machine
. /usr/local/bin/bootstrap-service-record.sh

/usr/bin/hyperkube \
  kubelet \
    --anonymous-auth=false \
    --container-runtime=remote \
    --container-runtime-endpoint=/var/run/crio/crio.sock \
    --runtime-request-timeout="${KUBELET_RUNTIME_REQUEST_TIMEOUT}" \
    --node-ip=:: \
    --pod-manifest-path=/etc/kubernetes/manifests \
    --minimum-container-ttl-duration=6m0s \
    --cluster-domain=cluster.local \
    --cgroup-driver=systemd \
    --serialize-image-pulls=false \
    --v=2 \
    --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
    --pod-infra-container-image="${MACHINE_CONFIG_INFRA_IMAGE}"
[core@localhost ~]$ 

[celebdor]

Moved the kubelet.sh to only be rendered with the ipv6 check on the batemetal platform. Still rendering well:

[asegurap@edge-24 installer]$ ssh core@fd2e:6f44:5dd8:c956::1d cat /usr/local/bin/kubelet.sh
#!/usr/bin/env bash

# shellcheck disable=SC1091  # using path on bootstrap machine
. /usr/local/bin/bootstrap-service-record.sh

/usr/bin/hyperkube \
  kubelet \
    --anonymous-auth=false \
    --container-runtime=remote \
    --container-runtime-endpoint=/var/run/crio/crio.sock \
    --runtime-request-timeout="${KUBELET_RUNTIME_REQUEST_TIMEOUT}" \
    --node-ip=:: \
    --pod-manifest-path=/etc/kubernetes/manifests \
    --minimum-container-ttl-duration=6m0s \
    --cluster-domain=cluster.local \
    --cgroup-driver=systemd \
    --serialize-image-pulls=false \
    --v=2 \
    --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
    --pod-infra-container-image="${MACHINE_CONFIG_INFRA_IMAGE}"
[asegurap@edge-24 installer]$

[celebdor]

/retest

[osherdp]

/lgtm

[osherdp]

I just tested it, it seems to fix the problem
Thanks!

[celebdor]

/retest

[staebler]

Moved the kubelet.sh to only be rendered with the ipv6 check on the batemetal platform.

I don't think it is a good idea to have a completely separate kubelet.sh file for baremetal. What is the reasoning behind copying the file?

Note that the code creating the bootstrap ignition config adds both the regular kubelet.sh file and the baremetal-specific kubelet.sh file. You are getting the bootstrap-specific one only because the code happens to add that one second: That is not guaranteed.

[staebler]

/hold for concerns over duplicate kubelet.sh file

[celebdor]

Correctly rendered with the new approach:

[asegurap@edge-24 ~]$ ssh core@fd2e:6f44:5dd8:c956::18 cat /usr/local/bin/kubelet.sh
#!/usr/bin/env bash

# shellcheck disable=SC1091  # using path on bootstrap machine
. /usr/local/bin/bootstrap-service-record.sh

/usr/bin/hyperkube \
  kubelet \
    --anonymous-auth=false \
    --container-runtime=remote \
    --container-runtime-endpoint=/var/run/crio/crio.sock \
    --runtime-request-timeout="${KUBELET_RUNTIME_REQUEST_TIMEOUT}" \
    --node-ip=:: \
    --pod-manifest-path=/etc/kubernetes/manifests \
    --minimum-container-ttl-duration=6m0s \
    --cluster-domain=cluster.local \
    --cgroup-driver=systemd \
    --serialize-image-pulls=false \
    --v=2 \
    --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
    --pod-infra-container-image="${MACHINE_CONFIG_INFRA_IMAGE}"
[asegurap@edge-24 ~]$ 

[staebler]

Keep this function in pkg/asset/ignition/bootstrap for now since that is the only place where it is used.

[staebler]

Would it make sense to make the name of this variable more specific to its use rather than specific to its source?

Suggested change

	{{- if .APIVIPIPv6 }}
	{{- if .UseIPv6ForNodeIP }}

[celebdor]

Applied the suggestions. Still renders right:

[asegurap@edge-24 ~]$ ssh core@fd2e:6f44:5dd8:c956::26 cat /usr/local/bin/kubelet.sh
#!/usr/bin/env bash

# shellcheck disable=SC1091  # using path on bootstrap machine
. /usr/local/bin/bootstrap-service-record.sh

/usr/bin/hyperkube \
  kubelet \
    --anonymous-auth=false \
    --container-runtime=remote \
    --container-runtime-endpoint=/var/run/crio/crio.sock \
    --runtime-request-timeout="${KUBELET_RUNTIME_REQUEST_TIMEOUT}" \
    --node-ip=:: \
    --pod-manifest-path=/etc/kubernetes/manifests \
    --minimum-container-ttl-duration=6m0s \
    --cluster-domain=cluster.local \
    --cgroup-driver=systemd \
    --serialize-image-pulls=false \
    --v=2 \
    --volume-plugin-dir=/etc/kubernetes/kubelet-plugins/volume/exec \
    --pod-infra-container-image="${MACHINE_CONFIG_INFRA_IMAGE}"
[asegurap@edge-24 ~]$ 

[celebdor]

/retest

[staebler]

/lgtm
/approve
/hold for e2e-metal-ipi-ovn-ipv6

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: staebler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [staebler]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[osherdp]

/retest

[osherdp]

\unhold as e2e-metal-ipi-ovn-ipv6 passes

[osherdp]

/unhold

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[osherdp]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci]

@celebdor: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-libvirt	0c45286	link	/test e2e-libvirt
ci/prow/e2e-crc	0c45286	link	/test e2e-crc

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@celebdor: All pull requests linked via external trackers have merged:

• openshift/installer#4756

Bugzilla bug 1931974 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1931974: Prefer IPv6 hostIP on bootstrap IPv6 deployments

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@sadasu: #4756 failed to apply on top of branch "release-4.7":

Applying: Prefer IPv6 hostIP on bootstrap IPv6 deployments
Using index info to reconstruct a base tree...
A	data/data/bootstrap/files/usr/local/bin/kubelet.sh
A	pkg/asset/ignition/bootstrap/common.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/asset/ignition/bootstrap/bootstrap.go
CONFLICT (content): Merge conflict in pkg/asset/ignition/bootstrap/bootstrap.go
CONFLICT (rename/delete): data/data/bootstrap/files/usr/local/bin/kubelet.sh deleted in HEAD and renamed to data/data/bootstrap/files/usr/local/bin/kubelet.sh.template in Prefer IPv6 hostIP on bootstrap IPv6 deployments. Version Prefer IPv6 hostIP on bootstrap IPv6 deployments of data/data/bootstrap/files/usr/local/bin/kubelet.sh.template left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Prefer IPv6 hostIP on bootstrap IPv6 deployments
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherry-pick release-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-cherrypick-robot]

@sadasu: #4756 failed to apply on top of branch "release-4.7":

Applying: Prefer IPv6 hostIP on bootstrap IPv6 deployments
Using index info to reconstruct a base tree...
A	data/data/bootstrap/files/usr/local/bin/kubelet.sh
A	pkg/asset/ignition/bootstrap/common.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/asset/ignition/bootstrap/bootstrap.go
CONFLICT (content): Merge conflict in pkg/asset/ignition/bootstrap/bootstrap.go
CONFLICT (rename/delete): data/data/bootstrap/files/usr/local/bin/kubelet.sh deleted in HEAD and renamed to data/data/bootstrap/files/usr/local/bin/kubelet.sh.template in Prefer IPv6 hostIP on bootstrap IPv6 deployments. Version Prefer IPv6 hostIP on bootstrap IPv6 deployments of data/data/bootstrap/files/usr/local/bin/kubelet.sh.template left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Prefer IPv6 hostIP on bootstrap IPv6 deployments
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

Details

In response to this:

/cherry-pick release-4.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.