overlay: disable iscsi.service by default

[jlebon]

iscsi.service has Before=remote-fs-pre.target and After=network-online.target. This forces remote-fs-pre.target to block on network-online.target and hence in OCP, on ovs-configuration.service (which has Before=network-online.target).

So this transitively makes systemd-user-sessions.service block on network-online.target.

This was an issue in Fedora as well and was discussed in a devel thread[1]. iscsi.service was subsequently reworked[2][3] so that it was only activated if iSCSI was actually used by the system.

On RHEL 8, iscsi.service and co. were directly enabled by RPM scriptlets rather than using presets. In RHCOS, we explicitly make presets canonical[4] so we shipped with iscsi.service disabled by default. On RHEL 9, the units were fixed to use presets[5]. This is why we started seeing this issue after moving to RHEL 9.

So all we need in theory is to have the Fedora patch backported to RHEL
9. However, since we don't really need the functionality from iscsi.service by default in RHCOS, we can fast-track its (re-)disablement and not wait for the iscsi-starter.service workaround.

Note that iscsi.service is only used to bring up iSCSI sessions marked for autostart in /var/lib/iscsi/nodes and is separate from iscsid.service, which is what actually manages the iSCSI connections. In OpenShift, we rely on the latter only (e.g. configured iSCSI PVCs are done by the kubelet directly calling out to iscsiadm). It's also separate from iSCSI devices that use host bus adapters, which are transparent to RHCOS/OCP.

Fixes: https://issues.redhat.com/browse/OCPBUGS-11124

[jlebon]

@mkowalski Can you verify that the real life situation in OCPBUGS-11124 is indeed fixed if you also add a MachineConfig/Ignition fragment to disable iscsi.service?

{
  "ignition": {
    "version": "3.3.0"
  },
  "systemd": {
    "units": [
      {
        "enabled": false,
        "name": "iscsi.service"
      }
    ]
  }
}

[jlebon]

Aside: this came in via 929ac48 (in #905) which doesn't have any context on what exactly this fixes, which isn't great. @travier, do you know why we needed this? I'd like to add a comment there (and otherwise just drop it).

[travier]

Arg sorry, it was meant as a workaround to be investigated later and then I forgot.

[travier]

I think I disabled it as it was an additionally enabled unit and that made our kola test fail.

[jlebon]

Ack. I'll remove it in a follow-up PR and if anything breaks, at least we'll be able to add some context to it. :)

[jlebon]

Sorry, I hadn't seen your second comment here. If that's the case, I think that was fixed by coreos/coreos-assembler#3275.

[travier]

My bad, we disable the iscsi.service service here, not the d one.

[travier]

We can drop this here or in another PR. Up to you.

[travier]

#1016

[jlebon]

Yeah, I'll drop it in a follow-up.

[jlebon]

Opened follow-up in #1298.

[jlebon]

It's possible (though IMO unlikely) some customers are configuring host-level OS-initiated iSCSI mounts and relying on iscsi.service to autostart sessions. Before 4.13, they would have had to enable it themselves. If they upgraded from 4.12, the e.g. MachineConfig to enable it would still be hanging around there. If they started at 4.13, they didn't technically have to enable it, but with this patch, they would have to (until the Fedora patch is backported).

[cgwalters]

Nice investigation! That makes total sense.
/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD b3adeb1 and 2 for PR HEAD a6c9055 in total

[mkowalski]

Can you verify that the real life situation in OCPBUGS-11124 is indeed fixed if you also add a MachineConfig/Ignition fragment to disable iscsi.service?

I can confirm that disabling iscsi.service is solving the issue completely, i.e. hanging nodeip-configuration.service does not anymore block access to the system. Thanks a lot for finding this out!

[mike-nguyen]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 425197c and 1 for PR HEAD a6c9055 in total

[travier]

/lgtm

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 2f1c135 and 0 for PR HEAD a6c9055 in total

[openshift-ci-robot]

/hold

Revision a6c9055 was retested 3 times: holding

[jlebon]

/retest

[jlebon]

The test added in this PR is being upstreamed in coreos/fedora-coreos-config#2437. Once the FCOS submodule is updated to include it, we can remove our copy here.

[jlebon]

This requires coreos/coreos-assembler#3487.

[openshift-ci]

@jlebon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[jlebon]

This one just needs another /lgtm now! (No changes, just restamped to tickle a full CI rerun after coreos/coreos-assembler#3487.)

[c4rt0]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: c4rt0, cgwalters, jlebon, travier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [c4rt0,cgwalters,jlebon,travier]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mkowalski]

/cherry-pick release-4.13

[openshift-cherrypick-robot]

@mkowalski: new pull request created: #1301

Details

In response to this:

/cherry-pick release-4.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mkowalski]

Thanks for this a lot, @jlebon! Given that we need backport to 4.13, should coreos/coreos-assembler#3487 get backport to rhcos-4.13 too?

[travier]

It will need an f-c-c backport and bump as well