[victoria][magnum][octavia]<NOSRV> in amphora
Luke Camilleri
luke.camilleri at zylacomputing.com
Tue May 25 20:11:40 UTC 2021
HI Michael and thanks for your reply. Below please find my answers:
Yes the load balancer is healthy and the health check of the member
endpoint in failing
Yes, none of the members have monitor_address or monitor_port configured
to override the health check endpoint (below details of one of the members)
| Field | Value
+---------------------+-------------------------------------------------------------------------------------------------------------------+
| address | 192.168.1.99
| admin_state_up | True
| created_at | 2021-05-24T20:07:56
| id | 8d093783-79c9-4094-b3a2-8d31b1c4567f
| name |
member_0_k8s-c1-final-yrlns2q7qo2w-node-1_kube_service_f48f5572-0011-4b66-b9ab-63190d0c00b3_default_nginx-service
| operating_status | ERROR
| project_id | 35a0fa65de1741619709485c5f6d989b
| protocol_port | 31765
| provisioning_status | ACTIVE
| subnet_id | 19d73049-4bf7-455c-b278-3cba451102fb
| updated_at | 2021-05-24T20:08:51
| weight | 1
| monitor_port | None
| monitor_address | None
| backup | False
The subnet ID shown in the above details for the member node are the
same and the subnet ID assigned to this project as shown below:
| Field | Value |
+----------------------+--------------------------------------+
| allocation_pools | 192.168.1.10-192.168.1.254
| cidr | 192.168.1.0/24
| created_at | 2021-03-24T20:14:03Z
| description |
| dns_nameservers | 8.8.4.4, 8.8.8.8
| dns_publish_fixed_ip | None
| enable_dhcp | True
| gateway_ip | 192.168.1.1
| host_routes |
| id | 19d73049-4bf7-455c-b278-3cba451102fb
| ip_version | 4
| ipv6_address_mode | None
| ipv6_ra_mode | None
| name | red-subnet-2
| network_id | 9d2e17df-a93f-4709-941d-a6e8f98f5556
| prefix_length | None
| project_id | 35a0fa65de1741619709485c5f6d989b
| revision_number | 1
| segment_id | None
| service_types |
| subnetpool_id | None
| tags
| updated_at | 2021-03-26T13:59:07Z
I can SSH on an instance unrelated to the issue and from within SSH into
all 3 members without any issues. The members are part of a Kubernetes
cluster (created using Magnum) and both subnet and network have been
specified during the cluster creation.
the issue seems to be coming from the nodeport which is created by
default and that should proxy the LoadBalancer requests to the clusterIP
as I do not get any reply when querying the port with curl and since the
health manager uses that port it is also failing
I do not believe that the issue is actually from Octavia but from Magnum
from what I can see and the nodeport functionality that gets created to
have the amphora instance reach the nodeports
Thanks in advance
On 25/05/2021 02:12, Michael Johnson wrote:
> Hi Luke,
>
> From the snippet you provided, it looks like the load balancer is
> healthy and working as expected, but the health check of the member
> endpoint is failing.
>
> I also see that the health monitor is configured for a type of TCP and
> the members are configured for port 31765. This assumes that the
> members do not have "monitor_address" or "monitor_port" configured to
> override the health check endpoint.
>
> One thing to check is the subnet_id that was configured on the members
> in Octavia. The members (192.168.1.99:31765, etc.) must be reachable
> from that subnet_id. If no subnet_id was used when creating the
> members, it will use the VIP subnet of the load balancer.
>
> Sometimes users forget to specify the subnet_id, that a member should
> be reachable from, when creating the member on the load balancer.
>
> Michael
>
> On Mon, May 24, 2021 at 1:48 PM Luke Camilleri
> <luke.camilleri at zylacomputing.com> wrote:
>> I have configured magnum with a service type of LoadBalancer and it is
>> successfully deploying an external LoadBalancer via Octavia. The problem
>> is that I cannot reach the public IP address but can see the entries in
>> the haproxy.log on the amphora instance and the log shows <NOSRV> 0 SC--
>> at the end of each entry when it is being accessed (via a browser for
>> example).
>>
>> So the Octavia part seems to be fine, the config shows the correct LB
>> --> listener --> pool --> member and the nodeports that the service
>> should be listening on (I am assuming that the same nodeports are also
>> used for the healthchecks)
>>
>> The haproxy.cfg in the amphora instance shows the below in the pool
>> members section:
>>
>> server 43834d2f-4e22-4065-b448-ddf0713f2ced 192.168.1.191:31765
>> weight 1 check inter 60s fall 3 rise 3
>> server 3a733c48-24dd-426e-8394-699a908121ee 192.168.1.36:31765
>> weight 1 check inter 60s fall 3 rise 3
>> server 8d093783-79c9-4094-b3a2-8d31b1c4567f 192.168.1.99:31765
>> weight 1 check inter 60s fall 3 rise 3
>>
>> and the status of the pool's members (# openstack loadbalancer member
>> list) is as follows:
>>
>> +------------------------------------------------------------+---------------------------+-----------------+-----------------------+---------------------------+
>> | id | provisioning_status | address | protocol_port |
>> operating_status |
>>
>> 8d093783-79c9-4094-b3a2-8d31b1c4567f ACTIVE 192.168.1.99
>> 31765 ERROR
>> 43834d2f-4e22-4065-b448-ddf0713f2ced ACTIVE 192.168.1.191
>> 31765 ERROR
>> 3a733c48-24dd-426e-8394-699a908121ee ACTIVE 192.168.1.36
>> 31765 ERROR
>>
>> From the below loadbalancer healthmonitor show command I can see that
>> the health checks are being done via TCP on the same port and can
>> confirm that the security group allows the nodeports range (ALLOW IPv4
>> 30000-32767/tcp from 0.0.0.0/0)
>>
>> +---------------------+--------------------------------------+
>> | Field | Value
>> +---------------------+--------------------------------------+
>> | provisioning_status | ACTIVE
>> | type | TCP
>> | id | 86604638-27db-47d2-ad9c-0594564a44be
>> | operating_status | ONLINE
>> +---------------------+--------------------------------------+
>>
>> $ kubectl describe service nginx-service
>> Name: nginx-service
>> Namespace: default
>> Labels: <none>
>> Annotations: <none>
>> Selector: app=nginx
>> Type: LoadBalancer
>> IP Families: <none>
>> IP: 10.254.255.232
>> IPs: <none>
>> LoadBalancer Ingress: 185.89.239.217
>> Port: <unset> 80/TCP
>> TargetPort: 8080/TCP
>> NodePort: <unset> 31765/TCP
>> Endpoints: 10.100.4.11:8080,10.100.4.12:8080,10.100.5.10:8080
>> Session Affinity: None
>> External Traffic Policy: Cluster
>> Events:
>> Type Reason Age From Message
>> ---- ------ ---- ---- -------
>> Normal EnsuringLoadBalancer 29m service-controller Ensuring load
>> balancer
>> Normal EnsuredLoadBalancer 28m service-controller Ensured load
>> balancer
>>
>> The Kubernetes deployment file:
>>
>> apiVersion: apps/v1
>> kind: Deployment
>> metadata:
>> name: nginx-deployment
>> labels:
>> app: nginx
>> spec:
>> replicas: 3
>> selector:
>> matchLabels:
>> app: nginx
>> template:
>> metadata:
>> labels:
>> app: nginx
>> spec:
>> containers:
>> - name: nginx
>> image: nginx:latest
>> ports:
>> - containerPort: 8080
>> ---
>> apiVersion: v1
>> kind: Service
>> metadata:
>> name: nginx-service
>> spec:
>> selector:
>> app: nginx
>> type: LoadBalancer
>> ports:
>> - protocol: TCP
>> port: 80
>> targetPort: 8080
>>
>> Does ayone have any pointers as to why the amphora is not able to reach
>> the nodeports of the kubernetes workers?
>>
>> Thanks in advance
>>
More information about the openstack-discuss
mailing list