Fuel for OpenStack

Detached keystone fails deployment with use public ssl error

Bug #1530119 reported by Alexander Kurenyshev on 2015-12-30

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Fix Released	High	Bartosz Kupidura	Fuel for OpenStack 9.0
8.0.x	Fix Released	High	Fuel Library (Deprecated)	Fuel for OpenStack 8.0
Mitaka	Fix Released	High	Bartosz Kupidura	Fuel for OpenStack 9.0

Bug Description

Found on CI job https://product-ci.infra.mirantis.net/job/8.0.system_test.ubuntu.plugins.thread_2_separate_services/91/console

Deploy failed with error:
2015-12-30 02:16:30 ERROR [804] Task '{"priority"=>4800, "type"=>"puppet", "id"=>"keystone-controller", "parameters"=>{"puppet_modules"=>"/etc/puppet/modules", "puppet_manifest"=>"keystone-controller.pp", "timeout"=>600, "cwd"=>"/etc/fuel/plugins/detach-keystone-1.0/"}, "uids"=>["1"]}' failed on node 1

At the puppet logs on node-1:

2015-12-30 02:16:28 +0000 Puppet (err): You must set up path to public ssl keypair if you want to use public ssl at /etc/puppet/modules/openstack/manifests/ha/haproxy_service.pp:103 on node node-1.test.domain.local

Fuel ISO #368

Tags:

Revision history for this message

Alexander Kurenyshev (akurenyshev) wrote on 2015-12-30:

fuel-snapshot-2015-12-30_13-07-19.tar.xz Edit (31.2 MiB, application/octet-stream)

Revision history for this message

Alexander Kurenyshev (akurenyshev) wrote on 2015-12-30:

The same situation is here https://product-ci.infra.mirantis.net/job/8.0.system_test.ubuntu.plugins.thread_keystone_separate_services/88/console

summary:

- Detached keystone fails deployment
+ Detached keystone fails deployment with use public ssl error

Revision history for this message

Alexander Kurenyshev (akurenyshev) wrote on 2015-12-30:

fuel-snapshot-2015-12-30_13-15-56.tar.xz Edit (18.7 MiB, application/octet-stream)

Aleksey Zvyagintsev (azvyagintsev) on 2015-12-31

Changed in fuel:
importance:	Undecided → Critical
status:	New → Confirmed
tags:	added: area-library ha haproxy

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-07: Fix proposed to fuel-plugin-detach-keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/264728

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Bartosz Kupidura (zynzel)
status:	Confirmed → In Progress

Alex Schultz (alex-schultz) on 2016-01-07

Changed in fuel:
importance:	Critical → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-11: Fix merged to fuel-plugin-detach-keystone (master)

Reviewed: https://review.openstack.org/264728
Committed: https://git.openstack.org/cgit/openstack/fuel-plugin-detach-keystone/commit/?id=3c1ffde9ae649bd57bf7223ce83a07699e601665
Submitter: Jenkins
Branch: master

commit 3c1ffde9ae649bd57bf7223ce83a07699e601665
Author: Bartosz Kupidura <email address hidden>
Date: Thu Jan 7 12:15:06 2016 +0100

Use SSL path when SSL enabled

Change-Id: Id292e2411902f0e4f3ea86402ee58eb7d07bfd11
Closes-Bug: #1530119

Changed in fuel:
status:	In Progress → Fix Committed

Revision history for this message

Tatyanka (tatyana-leontovich) wrote on 2016-01-11:

was merged in master and not backported into stable, so I set correct statuses

no longer affects:

fuel/future

Revision history for this message

Bartosz Kupidura (zynzel) wrote on 2016-01-12:

In detach-keystone plugin we have only master branch. So there is no need for backport.

Revision history for this message

Tatyanka (tatyana-leontovich) wrote on 2016-01-12:

looks like issue still reproduces:
plugin used in tests http://jenkins-product.srt.mirantis.net:8080/job/build-fuel-plugins/lastSuccessfulBuild/artifact/built_plugins/detach-keystone-1.0-1.0.2-1.noarch.rpm
(contains changes), but tests failed with the same error
https://product-ci.infra.mirantis.net/job/8.0.system_test.ubuntu.plugins.thread_keystone_separate_services/102/testReport/%28root%29/separate_keystone_service/
You must set up path to public ssl keypair if you want to use public ssl at /etc/puppet/modules/openstack/manifests/ha/haproxy_service.pp:103 on node node-1.test.domain.local

Revision history for this message

Tatyanka (tatyana-leontovich) wrote on 2016-01-12:

fail_error_separate_keystone_service-fuel-snapshot-2016-01-11_22-54-59.tar.xz Edit (20.9 MiB, application/octet-stream)

Revision history for this message

Tatyanka (tatyana-leontovich) wrote on 2016-01-12:

#10

detach-keystone-1.0-1.0.2-1.noarch.rpm Edit (14.5 KiB, application/x-redhat-package-manager)

Revision history for this message

Bartosz Kupidura (zynzel) wrote on 2016-01-12:

#11

This env was deployed with old plugin version:
root@node-1:/etc/fuel/plugins/detach-keystone-1.0# grep -c 'path to public ssl keypair' /var/log/puppet.log
6
root@node-1:/etc/fuel/plugins/detach-keystone-1.0# grep 'public_ssl' /etc/fuel/plugins/detach-keystone-1.0/keystone-controller.pp
$public_ssl_hash = hiera('public_ssl')
public_ssl => $public_ssl_hash['services'],

How this should look like:
131156:banshee.local$ grep 'public_ssl' keystone-controller.pp
$public_ssl_hash = hiera('public_ssl')
$public_ssl = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'usage', false)
$public_ssl_path = get_ssl_property($ssl_hash, $public_ssl_hash, 'keystone', 'public', 'path', [''])
public_ssl => $public_ssl,
public_ssl_path => $public_ssl_path,

Please rerun test with laster master of detach-keystone plugin

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-12:

#12

I checked the latest job logs:
https://product-ci.infra.mirantis.net/job/8.0.system_test.ubuntu.plugins.thread_2_separate_services/105/console

and looks like SWARM tests for separate keystone node deployment passed in this run.
So, bug marked as Invalid because it was the issue with incorrect version of the plugin (it is not clear why we used incorrect version of the plugin it SWARM)

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-12:

#13

the original issue not reporduced, for the latest snapshot:

xwizard@DFldslr:~/fuel-snapshot-2016-01-12_07-18-39$ egrep -e "failed on node" -r ./
xwizard@DFldslr:~/fuel-snapshot-2016-01-12_07-18-39$ egrep -e "You must set up path to public ssl" -r ./
xwizard@DFldslr:~/fuel-snapshot-2016-01-12_07-18-39$

Revision history for this message

Tatyanka (tatyana-leontovich) wrote on 2016-01-12:

#14

Timur actually job you are linked contains failed test by this reason, so move to incomplete and if you revert the env you'll see that plugin (rpm) contain the fix, so move back to incomplete

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-12:

#15

The latest diagnostic snapshot:
https://product-ci.infra.mirantis.net/job/8.0.system_test.ubuntu.plugins.thread_2_separate_services/105/artifact/logs/fail_error_separate_all_service-fuel-snapshot-2016-01-12_07-18-39.tar.xz

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-12:

#16

I reverted the latest snapshot and we can see the following on the node with separate keystone service:

root@node-3:/etc/fuel/plugins/detach-keystone-1.0# md5sum keystone-controller.pp
5035319a2ecd00d5f0aba1fafed83a8a keystone-controller.pp

and we can see that we have another version of this puppet manifest in http://jenkins-product.srt.mirantis.net:8080/job/build-fuel-plugins/lastSuccessfulBuild/artifact/built_plugins/:

xwizard@DFldslr:~/detach-keystone-1.0/deployment_scripts$ md5sum keystone-controller.pp
ee0eda41c3538e1c5e82c128b2bd1842 keystone-controller.pp

but on master node:
[root@nailgun deployment_scripts]# md5sum keystone-controller.pp
5035319a2ecd00d5f0aba1fafed83a8a keystone-controller.pp

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-12:

#17

So, the reason of the issue in the old package:
http://jenkins-product.srt.mirantis.net:8080/job/build-fuel-plugins/lastSuccessfulBuild/artifact/built_plugins/detach-keystone-1.0-1.0.2-1.noarch.rpm

we need to update this package and then tests should pass.

How to verify the fix:
md5 sum for this package should be different:
http://jenkins-product.srt.mirantis.net:8080/job/build-fuel-plugins/lastSuccessfulBuild/artifact/built_plugins/detach-keystone-1.0-1.0.2-1.noarch.rpm:

wget http://jenkins-product.srt.mirantis.net:8080/job/build-fuel-plugins/lastSuccessfulBuild/artifact/built_plugins/detach-keystone-1.0-1.0.2-1.noarch.rpm && md5sum detach-keystone-1.0-1.0.2-1.noarch.rpm

ced278983a71f6a7b4c8c5f8aae2bdc0 detach-keystone-1.0-1.0.2-1.noarch.rpm

^^ it is for old package.

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-13:

#18

from the github repository:
xwizard@DFldslr:~/detach-keystone-1.0$ md5sum keystone-controller.pp
ee0eda41c3538e1c5e82c128b2bd1842 keystone-controller.pp

from the latest jenkins job:
xwizard@DFldslr:~/fuel-plugin-detach-keystone/deployment_scripts$ md5sum keystone-controller.pp
ee0eda41c3538e1c5e82c128b2bd1842 keystone-controller.pp

it means that we have the latest version of the plugin in rpm package.

On the master node in test environment which was reverted from the latest snapshot:
[root@nailgun ~]# md5sum /var/www/nailgun/plugins/detach-keystone-1.0/deployment_scripts/keystone-controller.pp
ee0eda41c3538e1c5e82c128b2bd1842 /var/www/nailgun/plugins/detach-keystone-1.0/deployment_scripts/keystone-controller.pp

the version is the same.

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-13:

#19

but tests still fail

Revision history for this message

Timur Nurlygayanov (tnurlygayanov) wrote on 2016-01-13:

#20

Fix verified on SWARM jobs execution.

Tests still fail but because of another issue:
https://bugs.launchpad.net/fuel/+bug/1533649

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.