Skip to content

OCPBUGS-34950: Fix OpenStack infrastructure bootstrap issues #10148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 2 commits into from
Dec 10, 2025
Merged

OCPBUGS-34950: Fix OpenStack infrastructure bootstrap issues #10148

openshift-merge-bot merged 2 commits into from
Dec 10, 2025
+220 −9

Conversation

@eshulman2
Copy link
Contributor

@eshulman2 eshulman2 commented Dec 4, 2025

This commit addresses two related issues in OpenStack IPI installations:

  1. Bootstrap security group for SSH access to enable log collection
  2. Proper cleanup of installer-created bootstrap resources

Problem 1: Bootstrap Log Collection

Bootstrap machine logs cannot be collected when installation fails because
the bootstrap VM uses the master security group, which doesn't allow SSH
access from the installation source address. This prevents gathering
diagnostic information needed to troubleshoot failed installations.

Problem 2: Orphaned Bootstrap Resources

During investigation of bootstrap resource lifecycle, discovered that CAPO
deletes floating IPs instead of disassociating them when removing control
plane machines. This contradicts the maintainer's design intent (see comment
at openstackmachine_controller.go:291) and causes issues for installer-managed
floating IPs.

Solution

1. Bootstrap Security Group

  • Created dedicated bootstrap security group with SSH access from anywhere
  • Tagged with openshiftRole=bootstrap for lifecycle management
  • Enables SSH access to bootstrap VM for log collection on failure

2. PostDestroyer Implementation

  • Implemented PostDestroyer interface for OpenStack provider
  • Runs after CAPO deletes bootstrap machine, ensuring resources are detached
  • Cleans up bootstrap floating IP (disassociated by CAPO)
  • Cleans up bootstrap security group (no longer attached to deleted VM)
  • Uses tag-based identification: both resources tagged with
    openshiftClusterID={infraID} AND openshiftRole=bootstrap

@openshift-ci openshift-ci bot requested review from gryf and stephenfin December 4, 2025 17:39
@stephenfin
Copy link
Contributor

stephenfin commented Dec 5, 2025

/assign @stephenfin

Looks like there are some linter issues to address here?

@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 7, 2025

/retest

1 similar comment
@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 8, 2025

/retest

stephenfin
stephenfin suggested changes Dec 8, 2025
View reviewed changes
Copy link
Contributor

@stephenfin stephenfin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great. I have left a lot of comments but most of them are nits: feel free to ignore if you disagree. I think the main meaningful changes are the use of net/http consts and handling deletion of FIPs/SGs when there are more than one and you get errors.

@stephenfin
Copy link
Contributor

stephenfin commented Dec 8, 2025

/retitle OCPBUGS-34950: Fix OpenStack infrastructure bootstrap issues

@openshift-ci openshift-ci bot changed the title Fix OpenStack infrastructure bootstrap issues OCPBUGS-34950: Fix OpenStack infrastructure bootstrap issues Dec 8, 2025
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 8, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 8, 2025

@eshulman2: This pull request references Jira Issue OCPBUGS-34950, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This commit addresses two related issues in OpenStack IPI installations:

  1. Bootstrap security group for SSH access to enable log collection
  2. Proper cleanup of installer-created bootstrap resources

Problem 1: Bootstrap Log Collection

Bootstrap machine logs cannot be collected when installation fails because
the bootstrap VM uses the master security group, which doesn't allow SSH
access from the installation source address. This prevents gathering
diagnostic information needed to troubleshoot failed installations.

Problem 2: Orphaned Bootstrap Resources

During investigation of bootstrap resource lifecycle, discovered that CAPO
deletes floating IPs instead of disassociating them when removing control
plane machines. This contradicts the maintainer's design intent (see comment
at openstackmachine_controller.go:291) and causes issues for installer-managed
floating IPs.

Solution

1. Bootstrap Security Group

  • Created dedicated bootstrap security group with SSH access from anywhere
  • Tagged with openshiftRole=bootstrap for lifecycle management
  • Enables SSH access to bootstrap VM for log collection on failure

2. PostDestroyer Implementation

  • Implemented PostDestroyer interface for OpenStack provider
  • Runs after CAPO deletes bootstrap machine, ensuring resources are detached
  • Cleans up bootstrap floating IP (disassociated by CAPO)
  • Cleans up bootstrap security group (no longer attached to deleted VM)
  • Uses tag-based identification: both resources tagged with
    openshiftClusterID={infraID} AND openshiftRole=bootstrap

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eshulman2 eshulman2 requested a review from stephenfin December 8, 2025 20:08
@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 8, 2025

I believe I addressed all concerns and comments and also improved the error handling and logging :)

@eshulman2 eshulman2 force-pushed the main branch 2 times, most recently from c9ee29b to 7b9ece6 Compare December 9, 2025 07:35
@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 9, 2025

/jira refresh

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 9, 2025

@eshulman2: This pull request references Jira Issue OCPBUGS-34950, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 9, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 9, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 9, 2025

@eshulman2: This pull request references Jira Issue OCPBUGS-34950, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eshulman2
Copy link
Contributor Author

eshulman2 commented Dec 9, 2025

/retest

mandre
mandre reviewed Dec 9, 2025
View reviewed changes
@eshulman2 eshulman2 requested a review from mandre December 9, 2025 14:02
@eshulman2
openstack: add ssh to bootstrap sg
27eb6bd 
Fixes the issue of bootstrap machine logs cannot be collected when installation fails because
the bootstrap VM uses the master security group, which doesn't allow SSH
access from the installation source address. This prevents gathering
diagnostic information needed to troubleshoot failed installations.

- Created dedicated bootstrap security group with SSH access from anywhere
- Tagged with `openshiftRole=bootstrap` for lifecycle management
- Enables SSH access to bootstrap VM for log collection on failure
- Implement PostDestroyer for openstack bootstrap vm
@eshulman2
openstack: Remove FIPs created by the installer
1b18638 
Added cleanup for bootstrap VM FIP in the insatller as part of the
PostDestroyer to streamline FIP creation and deletion to be done by the
installer avoiding orphan FIPs.
@stephenfin
Copy link
Contributor

stephenfin commented Dec 9, 2025

/approve
/lgtm
/hold in case @mandre wants to come back around to this

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Dec 9, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stephenfin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 9, 2025
mandre
mandre reviewed Dec 10, 2025
View reviewed changes
Copy link
Member

@mandre mandre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/label acknowledge-critical-fixes-only
/verified by CI
/hold cancel

@openshift-ci openshift-ci bot added acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Dec 10, 2025
@mandre
Copy link
Member

mandre commented Dec 10, 2025

/verified remove

@mandre
Copy link
Member

mandre commented Dec 10, 2025

/verified later

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 10, 2025

@mandre: This PR does not have verified or verified-later labels.

In response to this:

/verified remove

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 10, 2025

@mandre: /verified later <@username> requires at least one GitHub @username to be specified (it can be a comma delimited list). It indicates the engineer(s) that will be performing the verification. See https://docs.ci.openshift.org/docs/architecture/jira/#premerge-verification for more information.

In response to this:

/verified later

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@mandre
Copy link
Member

mandre commented Dec 10, 2025

/verified later @imatza-rh

@openshift-ci-robot openshift-ci-robot added verified-later verified Signifies that the PR passed pre-merge verification criteria labels Dec 10, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 10, 2025

@mandre: This PR has been marked to be verified later by @imatza-rh.

In response to this:

/verified later @imatza-rh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 10, 2025

@eshulman2: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 2ed2087 into openshift:main Dec 10, 2025
19 checks passed
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 10, 2025

@eshulman2: Jira Issue OCPBUGS-34950: All pull requests linked via external trackers have merged:

This pull request has the verified-later tag and will need to be manually moved to VERIFIED after testing. Jira Issue OCPBUGS-34950 has been moved to the MODIFIED state.

In response to this:

This commit addresses two related issues in OpenStack IPI installations:

  1. Bootstrap security group for SSH access to enable log collection
  2. Proper cleanup of installer-created bootstrap resources

Problem 1: Bootstrap Log Collection

Bootstrap machine logs cannot be collected when installation fails because
the bootstrap VM uses the master security group, which doesn't allow SSH
access from the installation source address. This prevents gathering
diagnostic information needed to troubleshoot failed installations.

Problem 2: Orphaned Bootstrap Resources

During investigation of bootstrap resource lifecycle, discovered that CAPO
deletes floating IPs instead of disassociating them when removing control
plane machines. This contradicts the maintainer's design intent (see comment
at openstackmachine_controller.go:291) and causes issues for installer-managed
floating IPs.

Solution

1. Bootstrap Security Group

  • Created dedicated bootstrap security group with SSH access from anywhere
  • Tagged with openshiftRole=bootstrap for lifecycle management
  • Enables SSH access to bootstrap VM for log collection on failure

2. PostDestroyer Implementation

  • Implemented PostDestroyer interface for OpenStack provider
  • Runs after CAPO deletes bootstrap machine, ensuring resources are detached
  • Cleans up bootstrap floating IP (disassociated by CAPO)
  • Cleans up bootstrap security group (no longer attached to deleted VM)
  • Uses tag-based identification: both resources tagged with
    openshiftClusterID={infraID} AND openshiftRole=bootstrap

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gryf gryf Awaiting requested review from gryf

@stephenfin stephenfin Awaiting requested review from stephenfin

1 more reviewer

@mandre mandre mandre left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mandre mandre

@stephenfin stephenfin

Labels

acknowledge-critical-fixes-only Indicates if the issuer of the label is OK with the policy. approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria verified-later

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@eshulman2 @stephenfin @openshift-ci-robot @mandre