Troubleshooting

    Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Fedora CoreOS (FCOS) images are inaccessible. Troubleshooting suggestions can be found at .

    Flow-Diagram-2

    Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, , and inspecting logs. When installing an OKD cluster without the provisioning network, this workflow does not apply.

    Workflow 3 of 4 illustrates a troubleshooting workflow for . If installing using RedFish Virtual Media, each node must meet minimum firmware requirements for the installer to deploy the node. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details.

    Flow-Diagram-4

    Workflow 4 of 4 illustrates a troubleshooting workflow from a non-accessible API to a .

    Troubleshooting install-config.yaml

    The install-config.yaml configuration file represents all of the nodes that are part of the OKD cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources and virtual IP addresses. If errors occur early in the deployment of the OKD cluster, the errors are likely in the install-config.yaml configuration file.

    Procedure

    1. Use the guidelines in .

    2. Verify the YAML syntax is correct using syntax-check.

    3. Verify the Fedora CoreOS (FCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

      If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    Bootstrap VM issues

    The OKD installation program spawns a bootstrap node virtual machine, which handles provisioning the OKD cluster nodes.

    Procedure

    1. About 10 to 15 minutes after triggering the installation program, check to ensure the bootstrap VM is operational using the virsh command:

      1. $ sudo virsh list
      1. Id Name State
      2. --------------------------------------------
      3. 12 openshift-xf6fq-bootstrap running

      If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    2. Verify libvirtd is running on the system:

      1. $ systemctl status libvirtd
      1. libvirtd.service - Virtualization daemon
      2. Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
      3. Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
      4. Docs: man:libvirtd(8)
      5. https://libvirt.org
      6. Main PID: 9850 (libvirtd)
      7. Tasks: 20 (limit: 32768)
      8. Memory: 74.8M
      9. CGroup: /system.slice/libvirtd.service
      10. ├─ 9850 /usr/sbin/libvirtd

      If the bootstrap VM is operational, log in to it.

    3. Use the virsh console command to find the IP address of the bootstrap VM:

      1. $ sudo virsh console example.com
      1. Connected to domain example.com
      2. Escape character is ^]
      3. Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
      4. SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
      5. SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
      6. SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
      7. ens3: fd35:919d:4042:2:c7ed:9a9f:a9ec:7
      8. ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
      9. localhost login:

      When deploying an OKD cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    4. After you obtain the IP address, log in to the bootstrap VM using the ssh command:

      1. $ ssh core@172.22.0.2

    If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

    • You cannot reach the 172.22.0.0/24 network. Verify the network connectivity between the provisioner and the provisioning network bridge. This issue might occur if you are using a provisioning network. `

    • You cannot reach the bootstrap VM through the public network. When attempting to SSH via baremetal network, verify connectivity on the provisioner host specifically around the baremetal network bridge.

    • You encountered Permission denied (publickey,password,keyboard-interactive). When attempting to access the bootstrap VM, a Permission denied error might occur. Verify that the SSH key for the user attempting to log in to the VM is set within the install-config.yaml file.

    During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the FCOS image. This scenario can arise due to:

    • A problem with the install-config.yaml file.

    • Issues with out-of-band network access when using the baremetal network.

    To verify the issue, there are three containers related to ironic:

    • ironic

    • ironic-inspector

    Procedure

    1. Log in to the bootstrap VM:

      1. $ ssh core@172.22.0.2
    2. To check the container logs, execute the following:

      1. [core@localhost ~]$ sudo podman logs -f <container_name>

      Replace <container_name> with one of ironic or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up from PXE, check the ironic pod. The ironic pod contains information about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    Potential reason

    The cluster nodes might be in the ON state when deployment started.

    Solution

    Power off the OKD cluster nodes before you begin the installation over IPMI:

    1. $ ipmitool -I lanplus -U root -P <password> -H <out_of_band_ip> power off

    Inspecting logs

    When experiencing issues downloading or accessing the FCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

    Example of internal webserver hosting FCOS images

    1. bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.<architecture>.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
    2. clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.<architecture>.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0

    The coreos-downloader container downloads resources from a webserver or from the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify that the coreos-downloader container is up and running and inspect its logs as needed.

    Procedure

      1. $ ssh core@172.22.0.2
    1. Check the status of the coreos-downloader container within the bootstrap VM by running the following command:

      1. [core@localhost ~]$ sudo podman logs -f coreos-downloader

      If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    2. To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

      1. [core@localhost ~]$ journalctl -xe
      1. [core@localhost ~]$ journalctl -b -f -u bootkube.service
    3. Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

      1. [core@localhost ~]$ sudo podman ps
    4. If there are issues with the pods, check the logs of the containers with issues. To check the logs of the ironic service, run the following command:

      1. [core@localhost ~]$ sudo podman logs ironic

    When OKD cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing an OKD cluster without the provisioning network.

    Procedure

    1. Check the network connectivity to the provisioning network.

    2. Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    3. Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

      control plane node settings

      1. bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
      2. hardwareProfile: default #control plane node settings

      Worker node settings

      1. bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
      2. hardwareProfile: unknown #worker node settings

    Unable to discover new bare metal hosts using the BMC

    In some cases, the installation program will not be able to discover the new bare metal hosts and issue an error, because it cannot mount the remote virtual media share.

    For example:

    1. ProvisioningError 51s metal3-baremetal-controller Image provisioning failed: Deploy step deploy.deploy failed with BadRequestError: HTTP POST
    2. https://<bmc_address>/redfish/v1/Managers/iDRAC.Embedded.1/VirtualMedia/CD/Actions/VirtualMedia.InsertMedia
    3. returned code 400.
    4. Base.1.8.GeneralError: A general error has occurred. See ExtendedInfo for more information
    5. Extended information: [
    6. {
    7. "Message": "Unable to mount remote share https://<ironic_address>/redfish/boot-<uuid>.iso.",
    8. "MessageArgs": [
    9. "https://<ironic_address>/redfish/boot-<uuid>.iso"
    10. ],
    11. "MessageArgs@odata.count": 1,
    12. "MessageId": "IDRAC.2.5.RAC0720",
    13. "RelatedProperties": [
    14. "#/Image"
    15. "RelatedProperties@odata.count": 1,
    16. "Resolution": "Retry the operation.",
    17. "Severity": "Informational"
    18. ].

    In this situation, if you are using virtual media with an unknown certificate authority, you can configure your baseboard management controller (BMC) remote file share settings to trust an unknown certificate authority to avoid this error.

    This resolution was tested on OKD 4.11 with Dell iDRAC 9 and firmware version 5.10.50.

    The API is not accessible

    When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

    Procedure

    1. Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

      1. $ hostname

      If a hostname is not set, set the correct hostname. For example:

      1. $ hostnamectl set-hostname <hostname>
    2. Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

      1. $ dig api.<cluster_name>.example.com
      1. ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster_name>.example.com
      2. ;; global options: +cmd
      3. ;; Got answer:
      4. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
      5. ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
      6. ;; OPT PSEUDOSECTION:
      7. ; EDNS: version: 0, flags:; udp: 4096
      8. ; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
      9. ;; QUESTION SECTION:
      10. ;api.<cluster_name>.example.com. IN A
      11. ;; ANSWER SECTION:
      12. api.<cluster_name>.example.com. 10800 IN A 10.19.13.86
      13. ;; AUTHORITY SECTION:
      14. <cluster_name>.example.com. 10800 IN NS <cluster_name>.example.com.
      15. ;; ADDITIONAL SECTION:
      16. <cluster_name>.example.com. 10800 IN A 10.19.14.247
      17. ;; Query time: 0 msec
      18. ;; SERVER: 10.19.14.247#53(10.19.14.247)
      19. ;; WHEN: Tue May 19 20:30:59 UTC 2020
      20. ;; MSG SIZE rcvd: 140

      The output in the foregoing example indicates that the appropriate IP address for the api.<cluster_name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OKD again.

    Procedure

    1. Power off all bare metal nodes prior to installing the OKD cluster:

    2. Remove all old bootstrap resources if any are left over from a previous deployment attempt:

      1. for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
      2. do
      3. sudo virsh destroy $i;
      4. sudo virsh undefine $i;
      5. sudo virsh vol-delete $i --pool $i;
      6. sudo virsh vol-delete $i.ign --pool $i;
      7. sudo virsh pool-destroy $i;
      8. sudo virsh pool-undefine $i;
      9. done
    3. Remove the following from the clusterconfigs directory to prevent Terraform from failing:

      1. $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json

    Issues with creating the registry

    When creating a disconnected registry, you might encounter a “User Not Authorized” error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

    Procedure

    1. Check to ensure authentication is successful:

      1. $ /usr/local/bin/oc adm release mirror \
      2. -a pull-secret-update.json
      3. --from=$UPSTREAM_REPO \
      4. --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
      5. --to=$LOCAL_REG/$LOCAL_REPO
    2. After mirroring the registry, confirm that you can access it in your disconnected environment:

      1. $ curl -k -u <user>:<password> https://registry.example.com:<registry_port>/v2/_catalog
      2. {"repositories":["<Repo_Name>"]}

    Miscellaneous issues

    After the deployment of a cluster you might receive the following error:

    1. `runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`

    The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

    Procedure

    1. Inspect the pods in the openshift-network-operator namespace:

      1. $ oc get all -n openshift-network-operator
      1. NAME READY STATUS RESTARTS AGE
      2. pod/network-operator-69dfd7b577-bg89v 0/1 ContainerCreating 0 149m
    2. On the provisioner node, determine that the network configuration exists:

      1. $ kubectl get network.config.openshift.io cluster -oyaml
      1. apiVersion: config.openshift.io/v1
      2. kind: Network
      3. metadata:
      4. name: cluster
      5. spec:
      6. serviceNetwork:
      7. - 172.30.0.0/16
      8. clusterNetwork:
      9. - cidr: 10.128.0.0/14
      10. hostPrefix: 23
      11. networkType: OVNKubernetes

      If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

      1. $ openshift-install create manifests
    3. Check that the network-operator is running:

      1. $ kubectl -n openshift-network-operator get pods
    4. Retrieve the logs:

      1. $ kubectl -n openshift-network-operator logs -l "name=network-operator"

      On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    Cluster nodes not getting the correct IPv6 address over DHCP

    If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

    1. Ensure the reserved IPv6 addresses reside outside the DHCP range.

    2. In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

      1. # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
      2. id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    3. Ensure that route announcements are working.

    4. Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    1. Failed Units: 2
    2. NetworkManager-wait-online.service
    3. nodeip-configuration.service

    This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

    Procedure

    1. Retrieve the hostname:

      1. [core@master-X ~]$ hostname

      If the hostname is localhost, proceed with the following steps.

      Where X is the control plane node number.

    2. Force the cluster node to renew the DHCP lease:

      1. [core@master-X ~]$ sudo nmcli con up "<bare_metal_nic>"

      Replace <bare_metal_nic> with the wired connection corresponding to the baremetal network.

    3. Check hostname again:

      1. [core@master-X ~]$ hostname
    4. If the hostname is still localhost.localdomain, restart NetworkManager:

      1. [core@master-X ~]$ sudo systemctl restart NetworkManager
    5. If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    6. Restart the nodeip-configuration service:

      This service will reconfigure the kubelet service with the correct hostname references.

    7. Reload the unit files definition since the kubelet changed in the previous step:

      1. [core@master-X ~]$ sudo systemctl daemon-reload
    8. Ensure kubelet booted with the correct hostname:

      1. [core@master-X ~]$ sudo journalctl -fu kubelet.service

    If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

    Addressing a csr

    1. Get CSRs on the cluster:

      1. $ oc get csr
    2. Verify if a pending csr contains Subject Name: localhost.localdomain:

    3. Remove any csr that contains Subject Name: localhost.localdomain:

      1. $ oc delete csr <wrong_csr>

    Routes do not reach endpoints

    During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OKD node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OKD cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

    1. Get the route:

      1. $ oc get route oauth-openshift
    2. Check the service endpoint:

      1. $ oc get svc oauth-openshift
      1. NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
      2. oauth-openshift ClusterIP 172.30.19.162 <none> 443/TCP 59m
    3. Attempt to reach the service from a control plane (master) node:

      1. [core@master0 ~]$ curl -k https://172.30.19.162
      1. {
      2. "kind": "Status",
      3. "apiVersion": "v1",
      4. "metadata": {
      5. },
      6. "status": "Failure",
      7. "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
      8. "reason": "Forbidden",
      9. "details": {
      10. },
      11. "code": 403
    4. Identify the authentication-operator errors from the provisioner node:

      1. $ oc logs deployment/authentication-operator -n openshift-authentication-operator
      1. Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"

    Solution

    1. Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    2. Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OKD cluster might never start successfully.

    During the Firstboot, the Ignition configuration may fail.

    Procedure

    1. Connect to the node where the Ignition configuration failed:

      1. Failed Units: 1
      2. machine-config-daemon-firstboot.service
    2. Restart the machine-config-daemon-firstboot service:

      1. [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service

    NTP out of sync

    The deployment of OKD clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

    Procedure

    1. Check for differences in the AGE of the cluster nodes. For example:

      1. $ oc get nodes
      1. NAME STATUS ROLES AGE VERSION
      2. master-0.cloud.example.com Ready master 145m v1.26.0
      3. master-1.cloud.example.com Ready master 135m v1.26.0
      4. master-2.cloud.example.com Ready master 145m v1.26.0
      5. worker-2.cloud.example.com Ready worker 100m v1.26.0
    2. Check for inconsistent timing delays due to clock drift. For example:

      1. $ oc get bmh -n openshift-machine-api
      1. master-1 error registering master-1 ipmi://<out_of_band_ip>
      1. $ sudo timedatectl
      1. Local time: Tue 2020-03-10 18:20:02 UTC
      2. Universal time: Tue 2020-03-10 18:20:02 UTC
      3. RTC time: Tue 2020-03-10 18:36:53
      4. Time zone: UTC (UTC, +0000)
      5. System clock synchronized: no
      6. NTP service: active
      7. RTC in local TZ: no

    Addressing clock drift in existing clusters

    1. Create a Butane config file including the contents of the chrony.conf file to be delivered to the nodes. In the following example, create 99-master-chrony.bu to add the file to the control plane nodes. You can modify the file for worker nodes or repeat this procedure for the worker role.

      1. variant: openshift
      2. version: 4.13.0
      3. metadata:
      4. name: 99-master-chrony
      5. labels:
      6. machineconfiguration.openshift.io/role: master
      7. storage:
      8. files:
      9. - path: /etc/chrony.conf
      10. mode: 0644
      11. overwrite: true
      12. contents:
      13. inline: |
      14. server <NTP_server> iburst (1)
      15. stratumweight 0
      16. driftfile /var/lib/chrony/drift
      17. rtcsync
      18. makestep 10 3
      19. bindcmdaddress 127.0.0.1
      20. bindcmdaddress ::1
      21. keyfile /etc/chrony.keys
      22. commandkey 1
      23. generatecommandkey
      24. noclientlog
      25. logchange 0.5
      26. logdir /var/log/chrony
      1Replace <NTP_server> with the IP address of the NTP server.
    2. Use Butane to generate a MachineConfig object file, 99-master-chrony.yaml, containing the configuration to be delivered to the nodes:

      1. $ butane 99-master-chrony.bu -o 99-master-chrony.yaml
    3. Apply the MachineConfig object file:

      1. $ oc apply -f 99-master-chrony.yaml
    4. Ensure the System clock synchronized value is yes:

      1. $ sudo timedatectl
      1. Local time: Tue 2020-03-10 19:10:02 UTC
      2. Universal time: Tue 2020-03-10 19:10:02 UTC
      3. RTC time: Tue 2020-03-10 19:36:53
      4. Time zone: UTC (UTC, +0000)
      5. System clock synchronized: yes
      6. NTP service: active
      7. RTC in local TZ: no

      To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

      1. $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml

      Then, continue to create the cluster.

    After installation, ensure the installer deployed the nodes and pods successfully.

    Procedure

    1. When the OKD cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

      1. $ oc get nodes
      1. NAME STATUS ROLES AGE VERSION
      2. master-0.example.com Ready master,worker 4h v1.26.0
      3. master-1.example.com Ready master,worker 4h v1.26.0