Juniper Openstack

Provision fails when adding SSL support for Keystone, API-Server & Neutron in existing Contrail 3.1 setup with Ceilometer

Bug #1618657 reported by Savithru Lokanath on 2016-08-30

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	Undecided	Ignatious Johnson Christopher	Juniper Openstack r3.0.3.0
R3.1	Fix Committed	Undecided	Ignatious Johnson Christopher	Juniper Openstack r3.1.1.0
Trunk	Fix Committed	Undecided	Ignatious Johnson Christopher	Juniper Openstack r3.2.0.0-fcs "r3.2.0.0"

Bug Description

Provision (fab setup_all) fails with the below error, when trying to add SSL support in an existing Contrail 3.1 setup with OpenStack Ceilometer.

Changes made in testbed.py:

env.keystone = {
'auth_protocol' : 'https'
}

env.cfgm = {
'auth_protocol' : 'https'
}

The error message seen during fab setup_all:

2016-08-30 16:10:56:201363: 2016-08-30 16:10:56:201229: [root@10.84.18.1] sudo: source /etc/contrail/openstackrc;keystone --insecure user-create --name=ceilometer --pass=CEILOMETER_PASS --tenant=service --<email address hidden>
2016-08-30 16:10:56:201508: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
2016-08-30 16:10:58:010172: [root@10.84.18.1] out: 'python-keystoneclient.', DeprecationWarning)
2016-08-30 16:10:58:010249: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/v2_0/client.py:145: DeprecationWarning: Constructing an instance of the keystoneclient.v2_0.client.Client class without a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
2016-08-30 16:10:58:027243: [root@10.84.18.1] out: 'the 2.0.0 release.', DeprecationWarning)
2016-08-30 16:10:58:027385: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/v2_0/client.py:147: DeprecationWarning: Using the 'tenant_name' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_name' argument instead
2016-08-30 16:10:58:027451: [root@10.84.18.1] out: super(Client, self).__init__(**kwargs)
2016-08-30 16:10:58:027557: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/debtcollector/renames.py:45: DeprecationWarning: Using the 'tenant_id' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_id' argument instead
2016-08-30 16:10:58:027619: [root@10.84.18.1] out: return f(*args, **kwargs)
2016-08-30 16:10:58:027682: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/httpclient.py:371: DeprecationWarning: Constructing an HTTPClient instance without using a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
2016-08-30 16:10:58:027744: [root@10.84.18.1] out: 'the 2.0.0 release.', DeprecationWarning)
2016-08-30 16:10:58:027806: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/session.py:140: DeprecationWarning: keystoneclient.session.Session is deprecated as of the 2.1.0 release in favor of keystoneauth1.session.Session. It will be removed in future releases.
2016-08-30 16:10:58:027867: [root@10.84.18.1] out: DeprecationWarning)
2016-08-30 16:10:58:027929: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/keystoneclient/auth/identity/base.py:56: DeprecationWarning: keystoneclient auth plugins are deprecated as of the 2.1.0 release in favor of keystoneauth1 plugins. They will be removed in future releases.
2016-08-30 16:10:58:030676: [root@10.84.18.1] out: 'in future releases.', DeprecationWarning)
2016-08-30 16:10:58:030814: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
2016-08-30 16:10:58:039653: [root@10.84.18.1] out: SNIMissingWarning
2016-08-30 16:10:58:039805: [root@10.84.18.1] out: /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
2016-08-30 16:10:58:039883: [root@10.84.18.1] out: InsecurePlatformWarning
2016-08-30 16:10:58:039952: [root@10.84.18.1] out: Authorization Failed: SSL exception connecting to https://10.84.18.1:5000/v2.0/tokens: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2016-08-30 16:10:58:040016: [root@10.84.18.1] out:
2016-08-30 16:10:58:072897:

2016-08-30 16:10:58:082204: Fatal error: sudo() received nonzero return code 1 while executing!
2016-08-30 16:10:58:082204:
2016-08-30 16:10:58:082204: Requested: source /etc/contrail/openstackrc;keystone --insecure user-create --name=ceilometer --pass=CEILOMETER_PASS --tenant=service --<email address hidden>
2016-08-30 16:10:58:082204: Executed: sudo -S -p 'sudo password:' /bin/bash -l -c "source /etc/contrail/openstackrc;keystone --insecure user-create --name=ceilometer --pass=CEILOMETER_PASS --tenant=service --<email address hidden>"
2016-08-30 16:10:58:082204:
2016-08-30 16:10:58:082233: Aborting.