ERROR Error: waiting for creation of Linux Virtual Machine "master machine" Azure IPI Private Cluster
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4.6+
- Red Hat OpenShift Container Platform on Microsoft Azure
- Red Hat OpenShift Container Platform on Microsoft Azure Private IPI
Issue
- Azure IPI private cluster creation fails with the message below:
ERROR Error: waiting for creation of Linux Virtual Machine "ipiopenshift-pndjr-master-2" (Resource Group "Ipi-output"): Code="OSProvisioningTimedOut" Message="OS Provisioning for VM 'ipiopenshift-pndjr-master-2' did not finish in the allotted time. The VM may still finish provisioning successfully. Please check provisioning state later. Also, make sure the image has been properly prepared (generalized).\r\n * Instructions for Windows: https://azure.microsoft.com/documentation/articles/virtual-machines-windows-upload-image/ \r\n * Instructions for Linux: https://azure.microsoft.com/documentation/articles/virtual-machines-linux-capture-image/ \r\n * If you are deploying more than 20 Virtual Machines concurrently, consider moving your custom image to shared image gallery. Please refer to https://aka.ms/movetosig for the same."
ERROR
Resolution
- This error message is vague, and several different problems can cause it during a failed installation.
- First, check the Contributor and User Access Administrator permissions on the service principal.
- Check the Azure Active Directory Graph API permissions on the service principal.
- In a private IPI installation, the bootstrap node sometimes fails to connect to quay.io and therefore cannot download the release image on the bootstrap node or on other master/worker nodes.
- If this is the case, check whether a NAT Gateway is attached to the master/worker subnets.
- If it is not attached, create a NAT Gateway, attach a public IP to the NAT Gateway, and attach the gateway to the master/worker subnets.
Root Cause
- API permissions were not granted on the service principal.
- A NAT Gateway was not attached to the master/worker subnets.
Diagnostic Steps
- Check the Azure Active Directory Graph permissions using the command below:
az ad app permission list --id <app-id>
- Check the User Access Administrator permissions using the command below:
az role assignment list --role "User Access Administrator" --subscription <subscription-name>
- Check the Contributor permissions using the command below:
az role assignment list --role "Contributor" --subscription <subscription-name>
- Check whether a NAT Gateway is attached to the master/worker subnets.
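The role and NAT Gateway checks above can be combined into one preflight run before retrying the installer. This is an added example, not part of the original solution or of Red Hat's tooling; the function names are hypothetical, all argument values are placeholders you supply, and the `--assignee` filter is an addition that narrows the role listing to the installer's service principal.

```shell
#!/usr/bin/env bash
# Added example: preflight for the diagnostic steps above.
# Assumes the az CLI is installed and already logged in.

# sp_has_role <app-id> <subscription> <role-name>
# Returns 0 if the service principal holds the role, 1 if not, 2 if az failed.
sp_has_role() {
  local out
  out=$(az role assignment list --assignee "$1" --subscription "$2" \
        --role "$3" --query "[].roleDefinitionName" -o tsv) || return 2
  [ -n "$out" ]
}

# subnet_has_nat <resource-group> <vnet> <subnet>
# Returns 0 if the subnet references a NAT Gateway, 1 if not, 2 if az failed.
subnet_has_nat() {
  local id
  id=$(az network vnet subnet show -g "$1" --vnet-name "$2" -n "$3" \
       --query "natGateway.id" -o tsv) || return 2
  [ -n "$id" ]
}

# preflight <app-id> <subscription> <resource-group> <vnet> <subnet>...
# Prints one line per check and returns non-zero if any check fails.
preflight() {
  local app sub rg vnet rc role s
  app=$1; sub=$2; rg=$3; vnet=$4; rc=0
  shift 4
  for role in "Contributor" "User Access Administrator"; do
    if sp_has_role "$app" "$sub" "$role"; then echo "OK   role: $role"
    else echo "FAIL role not found: $role"; rc=1; fi
  done
  for s in "$@"; do
    if subnet_has_nat "$rg" "$vnet" "$s"; then echo "OK   NAT Gateway on $s"
    else echo "FAIL no NAT Gateway on $s"; rc=1; fi
  done
  return $rc
}

# Run only when called with the full argument list.
if [ "$#" -ge 5 ]; then preflight "$@"; fi
```

A FAIL line is also printed when the `az` call itself errors (for example, an expired login), so rerun the underlying command by hand before changing role assignments.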
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.