"nova.exception.PortBindingFailed: Binding failed" for OpenStack Zed in Juju deployment

Some further debugging: I entered the instance container for ovn-central/0, i.e.:
juju ssh ovn-central/0

In /etc/ovn/ovn-northd-db-params.conf, I found the TCP and SSL parameters for the OVN NB and SB databases for running check (based on https://numans.blog/2018/01/05/debugging-ovn-external-connectivity-part-1/), in my case:
sudo ovn-nbctl -c /etc/ovn/cert_host -C /etc/ovn/ovn-central.crt -p /etc/ovn/key_host --db=ssl:172.31.255.114:6641,ssl:172.31.255.115:6641,ssl:172.31.255.116:6641 show
sudo ovn-sbctl -c /etc/ovn/cert_host -C /etc/ovn/ovn-central.crt -p /etc/ovn/key_host --db=ssl:172.31.255.114:16642,ssl:172.31.255.115:16642,ssl:172.31.255.116:16642 show

Connecting to the DBs works.

SB lists all my 8 nodes, i.e.:
...
Chassis P52S11.maas
    hostname: P52S11.maas
    Encap geneve
        ip: "172.31.255.100"
        options: {csum="true"}
...
This seems to look okay.

NB seems to even list my test VM's port, i.e.:
switch b2e5de93-e19a-458d-af63-e80d44629614 (neutron-97c5c0a1-5c29-4fc4-852b-ce818c972a6d) (aka smil-network4)
    port ec87abb0-b261-49fd-8e95-9cefdf32798e (aka Port-warrnambool.fire.smil)
        addresses: ["unknown"]
...
But "addresses" only contain "unknown".

Destroying the failed instance leads to removing the port, a new trial leads to creating a new one. So, I assume that at least some communication with the OVN system is working.

It seems that something goes wrong somewhere after creating this port, but without any information in one of the log files. Is there any hint for where to look for further debugging?

Hi Thomas,

ANy luck to relsove this issue.I have also similar setup with 8 nodes, when I try to create instance on openstack I get same error message.I did all the tests which you mentioned, the issue I am having exactly same.Any advice will be appricated.Thank you

I finally gave up debugging the issue, and tried a full new deployment. Then it succeeded. So, I assume something went wrong silently in the deployment scripts during the first deployment.

I tried re-deploy twice, still stuck with same issue.I will try redeploy again.Thank you for your reply

I am following below deployment guide.Thank you

https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/install-openstack.html

> /var/snap/lxd/common/lxd/storage-pools/default/containers/juju-3083dc-2-lxd-1/rootfs/var/log/ovn/ovsdb-server-sb.log:
...
2023-04-24T08:30:50.962Z|21781|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2023-04-24T08:30:50.962Z|21782|jsonrpc|WARN|ssl:127.0.0.1:35594: receive error: Protocol error
2023-04-24T08:30:50.962Z|21783|reconnect|WARN|ssl:127.0.0.1:35594: connection dropped (Protocol error)
2023-04-24T08:35:00.857Z|21784|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2023-04-24T08:35:00.857Z|21785|jsonrpc|WARN|ssl:127.0.0.1:34324: receive error: Protocol error
2023-04-24T08:35:00.857Z|21786|reconnect|WARN|ssl:127.0.0.1:34324: connection dropped (Protocol error)

This bit looks a bit like an SSL connection attempt to a non SSL socket. i.e. the protocols aren't matching. Is the 'server' side running TLS and have valid certificates? As it's a juju model, could you provide a juju-status.txt (it shows the versions of everything), and maybe a crashdump? (https://github.com/juju/juju-crashdump).

Hi Alex, I see exactly same ssl errors on logs.I attached juju-status.txt file.I will try to get juju-crashdump

I attached ovn-central crashdump.Thank you

The only thing that catches my eye is that there is software mismatch between ovn chassis and ovn central:

(from juju status):

App Version Status Scale Charm Channel Rev Exposed Message
ovn-central 22.09.1 active 3 ovn-central 22.09/stable 75 no Unit is ready (leader: ovnsb_db northd: active)
ovn-chassis 22.03.0 active 8 ovn-chassis 22.09/stable 109 no Unit is ready

i.e. ovn-cental is running 22.09.1 and ovn-chassis is running 22.03.0.

I don't actually know if this is a problem (off the top of my head), but it would probably be good to align the versions to 22.09; note this may be a red-herring. Have you got a copy of the model (bundle) file that you used to deploy this please?

I am not using bundle.I a deploying individual packages following below documentation.

https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/install-openstack.html

juju deploy -n 3 --to lxd:0,lxd:1,lxd:2 --channel 22.09/stable ovn-central
The neutron-api application will be containerised on machine 1:

juju deploy --to lxd:1 --channel zed/stable --config neutron.yaml neutron-api
Deploy the subordinate charm applications:

juju deploy --channel zed/stable neutron-api-plugin-ovn
juju deploy --channel 22.09/stable --config neutron.yaml ovn-chassis

@Thomas

JAre you still SSL error after you redeployed ?

> /var/snap/lxd/common/lxd/storage-pools/default/containers/juju-3083dc-2-lxd-1/rootfs/var/log/ovn/ovsdb-server-sb.log:
...
2023-04-24T08:30:50.962Z|21781|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2023-04-24T08:30:50.962Z|21782|jsonrpc|WARN|ssl:127.0.0.1:35594: receive error: Protocol error
2023-04-24T08:30:50.962Z|21783|reconnect|WARN|ssl:127.0.0.1:35594: connection dropped (Protocol error)
2023-04-24T08:35:00.857Z|21784|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
2023-04-24T08:35:00.857Z|21785|jsonrpc|WARN|ssl:127.0.0.1:34324: receive error: Protocol error
2023-04-24T08:35:00.857Z|21786|reconnect|WARN|ssl:127.0.0.1:34324: connection dropped (Protocol error)

@linux4376fan At the risk of doing "have you tried turning it off and on again" ... please could you try restarting the ovn-central services (ovn-central) on each of the 3 ovn-central units.

@Alex I restarted and rebooted all 3 ovn-central units, I still see same error message.I need to check how to upgrade ovn-chassis 22.03.0 version to match ovn-central 22.09

...skipping...
● ovn-ovsdb-server-sb.service - Open vSwitch database server for OVN Southbound database
     Loaded: loaded (/lib/systemd/system/ovn-ovsdb-server-sb.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-06-11 22:29:04 UTC; 2 days ago
   Main PID: 35001 (ovsdb-server)
      Tasks: 3 (limit: 314572)
     Memory: 7.2M
        CPU: 5min 32.259s
     CGroup: /system.slice/ovn-ovsdb-server-sb.service
             └─35001 ovsdb-server -vconsole:off -vfile:info --log-file=/var/log/ovn/ovsdb-server-sb.log --remote=punix:/var/run/ovn/ovnsb_db.sock --pidfile=>

Jun 14 14:56:53 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02444|reconnect|INFO|ssl:10.69.212.15:6644: connecting...
Jun 14 14:56:54 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02445|reconnect|INFO|ssl:10.69.212.15:6644: connection attempt timed out
Jun 14 14:56:54 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02446|reconnect|INFO|ssl:10.69.212.15:6644: waiting 2 seconds before reconnect
Jun 14 14:56:55 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02447|raft|INFO|ssl:10.69.212.15:39008: learned server ID 6e42
Jun 14 14:56:55 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02448|raft|INFO|ssl:10.69.212.15:39008: learned remote address ssl:10.69.212.15:6644
Jun 14 14:56:56 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02449|reconnect|INFO|ssl:10.69.212.15:6644: connecting...
Jun 14 14:56:56 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02450|reconnect|INFO|ssl:10.69.212.15:6644: connected
Jun 14 14:57:43 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02451|stream_ssl|WARN|SSL_accept: error:0A000126:SSL routines::unexpected eof while reading
Jun 14 14:57:43 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02452|jsonrpc|WARN|ssl:127.0.0.1:46464: receive error: Protocol error
Jun 14 14:57:43 juju-24ab8f-0-lxd-1 ovsdb-server[35001]: ovs|02453|reconnect|WARN|ssl:127.0.0.1:46464: connection dropped (Protocol error)

@linux3276fan - The ovn-chassis charm is a subordinate (i.e. doesn't have it's 'own' machine) and thus the packages for ovn on the same unit as a subordinate charm come from the principle charm which should be running jammy-zed, but jammy-zed should have 22.09 for the principle charm.

e.g. rmadison for zed shows.

 ovn | 22.09.1-0ubuntu0.22.10.1~cloud0 | zed | jammy-updates | source
 ovn | 22.09.1-0ubuntu0.22.10.1~cloud0 | zed-proposed | jammy-proposed | source

So looking at the juju status for nova-compute (ovn-chassis' parent) and nova-cloud-controller:

nova-cloud-controller 26.1.1 active 1 nova-cloud-controller zed/stable 655 no Unit is ready
nova-compute 25.1.1 active 8 nova-compute zed/stable 661 no Unit is ready

i.e. nova-compute is running 25.1.1 which is yoga (https://releases.openstack.org/yoga/) whereas the controller is running zed. Somehow, nova-compute is misconfigured or has a bug. Please could you check the output of the config for nova-compute:

juju config nova-compute | less

and see what the openstack-origin is set to?

@Alex, Thanks for your reply, Openstack Nova-compute is set to zed on juju config nova-compute output.I attached output file.Thank you

openstack-origin:
    default: zed

Below is the the deployment playbook used for nova-compute

cat nova-compute.yaml
nova-compute:
  config-flags: default_ephemeral_format=ext4
  enable-live-migration: true
  enable-resize: true
  migration-auth-type: ssh
  virt-type: qemu
  openstack-origin: distro

I will delete the model and re-try full deployment see if any luck.Thank you

Okay, the issue with the software versions is in the nova-computer.yaml file; specifically, the "openstack-origin: distro" is overriding the default of "zed".

If you do a:

$ juju config nova-compute openstack-origin=zed action-managed-upgrade=false

then the nova-compute charm will upgrade the nova application to 'zed'. That will at least rule out software version incompatibility. Note the default for action-managed-upgrade is false, but this just makes sure (in case it's been changed).

@Alex Kavanagh (ajkavanagh)

I redeployed openstack succesfully and can launch VMs, I can see now both ovn-central and ovn-chassis are same versions.The ssl error messages are still there but not causing any issues.I think what had happend I had nova-computer.yaml file from last 3 months the new version zed do not have openstack-origin: distro" entry this caused issue as you pointed out.Thank you for your support and very much appricated

@linux3276fan - Good news that everything is working.

Having done some more digging, I think that the SSL errors are almost certainly related to (or due to): https://github.com/openssl/openssl/issues/18866 - as such it's annoying, but not actually causing any issues other than filling the logs with nonsense. Hopefully, this will get sorted out eventually.

As for this bug, I'm going to set to incomplete, as both you and @dreibh have resolutions - perhaps in different ways. As "incomplete", if there are no further reports the bug will expire, but still be searchable, etc. If you get the issue again, please feel free to re-open the bug.

Thanks.

@Alex Thank you