Fab provision fails on SSL enabled setup in R3.1

Bug #1639426 reported by musharani
This bug affects 1 person
Juniper Openstack (status tracked in Trunk)

Affects    Status         Importance  Assigned to                    Milestone
R3.0.3.x   Fix Committed  High        Ignatious Johnson Christopher
R3.1       Fix Committed  High        Ignatious Johnson Christopher
R3.1.1.x   Fix Committed  High        Ignatious Johnson Christopher
R3.2       Fix Committed  High        Ignatious Johnson Christopher
Trunk      Fix Committed  High        Ignatious Johnson Christopher

Bug Description

Freshly loaded the build R3.1-38 ubuntu kilo with SSL enabled in testbed.py. After re-imaging, provisioning failed in the step fab setup_all. It throws a connection error.

The same build loaded without any issues on a non-SSL-enabled setup.

testbed.py
==========
}
env.hostnames = {
    'all': ['nodel10']
}
env.ostypes = {
     host1: 'ubuntu'
}
env.keystone = {
    'auth_protocol' : 'https'
}
env.cfgm = {
    'auth_protocol' : 'https'
}

2016-11-05 15:07:50:137178: [root@10.204.217.247] out: [localhost] local: python /opt/contrail/utils/provision_vrouter.py --host_name nodel10 --host_ip 10.204.217.247 --api_server_ip 10.204.217.247 --oper add --admin_user admin --admin_password contrail123 --admin_tenant_name admin --openstack_ip 10.204.217.247 --api_server_use_ssl True
2016-11-05 15:07:50:152975: [root@10.204.217.247] out: Traceback (most recent call last):
2016-11-05 15:07:50:353775: [root@10.204.217.247] out: File "/opt/contrail/utils/provision_vrouter.py", line 190, in <module>
2016-11-05 15:07:50:353981: [root@10.204.217.247] out: main()
2016-11-05 15:07:50:354109: [root@10.204.217.247] out: File "/opt/contrail/utils/provision_vrouter.py", line 186, in main
2016-11-05 15:07:50:354230: [root@10.204.217.247] out: VrouterProvisioner(args_str)
2016-11-05 15:07:50:354338: [root@10.204.217.247] out: File "/opt/contrail/utils/provision_vrouter.py", line 33, in __init__
2016-11-05 15:07:50:354444: [root@10.204.217.247] out: api_server_use_ssl=self._args.api_server_use_ssl)
2016-11-05 15:07:50:354609: [root@10.204.217.247] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 355, in __init__
2016-11-05 15:07:50:354728: [root@10.204.217.247] out: retry_on_error=False)
2016-11-05 15:07:50:354835: [root@10.204.217.247] out: File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 792, in _request
2016-11-05 15:07:50:354938: [root@10.204.217.247] out: raise ConnectionError
2016-11-05 15:07:50:355075: [root@10.204.217.247] out: requests.exceptions.ConnectionError
2016-11-05 15:07:50:355186: [root@10.204.217.247] out:
2016-11-05 15:07:50:387513: [root@10.204.217.247] out: Fatal error: local() encountered an error (return code 1) while executing 'python /opt/contrail/utils/provision_vrouter.py --host_name nodel10 --host_ip 10.204.217.247 --api_server_ip 10.204.217.247 --oper add --admin_user admin --admin_password contrail123 --admin_tenant_name admin --openstack_ip 10.204.217.247 --api_server_use_ssl True'
2016-11-05 15:07:50:387738: [root@10.204.217.247] out:
2016-11-05 15:07:50:387872: [root@10.204.217.247] out: Aborting.
2016-11-05 15:07:50:388003: [root@10.204.217.247] out:
2016-11-05 15:07:50:388388:
2016-11-05 15:07:50:392101: Disconnecting from 10.204.217.247... done.
2016-11-05 15:07:50:507272:

musharani (musharani)
tags: added: blocker
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/26345
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/26346
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/26347
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/26348
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/26349
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/26350
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/26350
Committed: http://github.org/Juniper/contrail-neutron-plugin/commit/61257dbdf6f2a11775bf2db605adc4dcc6f45068
Submitter: Zuul
Branch: master

commit 61257dbdf6f2a11775bf2db605adc4dcc6f45068
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:50:03 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5
Closes-Bug: 1639426

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/26349
Committed: http://github.org/Juniper/contrail-neutron-plugin/commit/68b00adb10af91217a6b64f7d889f3889186fb49
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 68b00adb10af91217a6b64f7d889f3889186fb49
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:50:03 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I9cc8a0aaf1468b77a856e5624ed2d7f7fa34ed03
Closes-Bug: 1639426

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/26348
Committed: http://github.org/Juniper/contrail-neutron-plugin/commit/b41d600c1d2e308fe46b4ba63e735af2b63d4282
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit b41d600c1d2e308fe46b4ba63e735af2b63d4282
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:50:03 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5
Closes-Bug: 1639426

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/26347
Committed: http://github.org/Juniper/contrail-controller/commit/df192ce6f9623c628dee975754027f827dbc28d9
Submitter: Zuul (<email address hidden>)
Branch: master

commit df192ce6f9623c628dee975754027f827dbc28d9
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Conflicts:
 src/api-lib/vnc_api.py

Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/26346
Committed: http://github.org/Juniper/contrail-controller/commit/60192ce6c5ca663c4faf8b0f1641a0661d96a6e9
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 60192ce6c5ca663c4faf8b0f1641a0661d96a6e9
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Conflicts:
 src/api-lib/vnc_api.py

Change-Id: I599389972824c1cad37962306fac023bf16ce91c

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/26345
Committed: http://github.org/Juniper/contrail-controller/commit/8d5be39d807df9993e84279fe9bf9c409a2dda20
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 8d5be39d807df9993e84279fe9bf9c409a2dda20
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Change-Id: Ic4e6da9dbbb2118b840ba7d693bf5ee6803f6b01
Closes-Bug: 1639426
Closes-Bug: 1630513

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0.3.x

Review in progress for https://review.opencontrail.org/27292
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/27293
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27292
Committed: http://github.org/Juniper/contrail-controller/commit/18a920da6f4ce95a66565a5e61ed9b5d6af39d4f
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit 18a920da6f4ce95a66565a5e61ed9b5d6af39d4f
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Getting certs as argument to the VncApi class and creating
unique certbundle for request to different api-servers.
Closes-Bug: 1644713
Closes-Bug: 1644707

Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae
(cherry picked from commit df192ce6f9623c628dee975754027f827dbc28d9)
(cherry picked from commit d49aec87815d0b881aaec405832c5ac581e29c3d)
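
The bundling rule in the commit message above (certfile, keyfile and cacert in that order, certfile/keyfile optional, one bundle per API server), as an added example that is not code from contrail-controller or vnc_api. The function names, the bundle naming scheme, the 192.0.2.x addresses, port 8082 and the stand-in PEM contents are assumptions constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

def bundle_path(directory, host, port):
    """One bundle file per API server (hypothetical naming scheme), so
    clients of different servers never overwrite each other's bundle."""
    tag = hashlib.sha256(("%s:%s" % (host, port)).encode()).hexdigest()[:16]
    return os.path.join(directory, "certbundle-%s.pem" % tag)

def build_cert_bundle(path, cafile, certfile=None, keyfile=None):
    """Concatenate PEM files in the order certfile, keyfile, cacert.
    certfile and keyfile are optional; a CA-only bundle is valid."""
    parts = []
    for src in (certfile, keyfile, cafile):
        if not src:
            continue
        with open(src) as fh:
            pem = fh.read().strip()
        if not pem.startswith("-----BEGIN "):
            raise ValueError("%s does not look like PEM" % src)
        parts.append(pem + "\n")
    # The bundle may hold a private key: mkstemp creates it with mode 0600,
    # and os.replace swaps it in atomically so no reader sees a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as out:
        out.writelines(parts)
    os.replace(tmp, path)
    return path

def pem_block_types(path):
    """Return the PEM block labels in file order, to check a bundle."""
    with open(path) as fh:
        return re.findall(r"-----BEGIN ([A-Z0-9 ]+)-----", fh.read())

def demo():
    """Build two bundles from constructed stand-in PEM files (not real keys)."""
    d = tempfile.mkdtemp()
    src = {}
    for name, label in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"), ("key", "PRIVATE KEY")):
        src[name] = os.path.join(d, name + ".pem")
        with open(src[name], "w") as fh:
            fh.write("-----BEGIN %s-----\nCONSTRUCTED%s\n-----END %s-----\n"
                     % (label, name.upper(), label))
    # The addresses and port 8082 are assumed sample values.
    full = build_cert_bundle(bundle_path(d, "192.0.2.10", 8082), src["ca"], src["cert"], src["key"])
    ca_only = build_cert_bundle(bundle_path(d, "192.0.2.11", 8082), src["ca"])
    return full, ca_only
```

Running `pem_block_types` on a bundle before handing it to the HTTP client shows whether the private key sits between the client certificate and the CA certificate, which is the order the fix establishes.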

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27293
Committed: http://github.org/Juniper/contrail-neutron-plugin/commit/d298d9b8b17fd93da54aabd7e6eaff100861aeed
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit d298d9b8b17fd93da54aabd7e6eaff100861aeed
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:50:03 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5
Closes-Bug: 1639426
(cherry picked from commit 61257dbdf6f2a11775bf2db605adc4dcc6f45068)

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27357
Committed: http://github.org/Juniper/contrail-controller/commit/fa7307e874566ceaf4c083dc82508587de19ed55
Submitter: Zuul (<email address hidden>)
Branch: R3.0

commit fa7307e874566ceaf4c083dc82508587de19ed55
Author: Ignatious Johnson Christopher <email address hidden>
Date: Wed Oct 19 12:32:17 2016 -0700

Making certfile/keyfile optional, so that vnc_api can rely on CA or CA/CERT.

Change-Id: Iffb9bf9d8cf23fe3943335565bf2adaf878c5df8
Partial-Bug: 1630513
(cherry picked from commit d7407a1fbb0876f0a84a0864824b3eb3c6ef591d)

Issue:
Password is displayed in the log files of the config daemon, during
uncaught exceptions.

Fix:
cgitb sets sys.excepthook to format uncaught exceptions. Deriving the
cgitb Hook and modifying the handle method to mask password along
with formatting.

Change-Id: I5b4251f2ebe0205465b15430a9ef38ef04b3a634
Closes-Bug: 1626317
(cherry picked from commit 6dc670c851d31b12ffa0f07f418b74705e3b5902)

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Getting certs as argument to the VncApi class and creating
unique certbundle for request to different api-servers.
Closes-Bug: 1644713
Closes-Bug: 1644707

Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae
(cherry picked from commit df192ce6f9623c628dee975754027f827dbc28d9)
(cherry picked from commit d49aec87815d0b881aaec405832c5ac581e29c3d)
(cherry picked from commit 18a920da6f4ce95a66565a5e61ed9b5d6af39d4f)

Conflicts:
 src/api-lib/vnc_api.py

Adding the missing import, due to cherry-pick from
a branch which has import os earlier to commit.

Change-Id: Ibbdf7173ffd30d64526a7ecb525c109ff37098a3
Closes-Bug: 1644707
(cherry picked from commit 6223e65dd1ecda43ab6b686a924eaa5d2ff9c035)
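
The password-masking fix described under "Issue" and "Fix" in the commit message above, as an added example that is not the Contrail code. Instead of deriving from the cgitb hook (cgitb is no longer in the standard library as of Python 3.13), it formats the traceback with local variables through the `traceback` module and masks password values; the names `mask`, `format_masked`, `install` and `connect` are hypothetical, and the sample password is the value visible in the provisioning log on this page.

```python
import re
import sys
import traceback

# A name containing "password", then =, : or a space, then the value.
# Covers `admin_password = 'x'`, `'admin_password': 'x'` and `--admin_password x`.
SECRET = re.compile(r"""([\w-]*password[\w-]*['"]?\s*[=:\s]\s*)(['"]?)([^\s'",}]+)""", re.I)

def mask(text):
    """Replace every password value in text with ****, keeping the name."""
    return SECRET.sub(r"\1\2****", text)

def format_masked(exc_type, exc, tb):
    """Format a traceback with local variables (as cgitb does) and mask it."""
    te = traceback.TracebackException(exc_type, exc, tb, capture_locals=True)
    return mask("".join(te.format()))

def install(stream=None):
    """Route uncaught exceptions through format_masked."""
    def hook(exc_type, exc, tb):
        (stream or sys.stderr).write(format_masked(exc_type, exc, tb))
    sys.excepthook = hook

def connect(admin_user, admin_password):
    # Hypothetical stand-in for a client constructor that cannot reach its server.
    raise ConnectionError("API server unreachable")

def demo():
    """Return the masked report for a failing call (constructed input)."""
    args = {"admin_user": "admin", "admin_password": "contrail123"}
    try:
        connect(**args)
    except ConnectionError:
        return format_masked(*sys.exc_info())
```

The same `mask` function applies to command lines echoed into logs, such as the `--admin_password` argument in the fab output at the top of this report. It masks the word after any name containing "password", so it can over-mask ordinary prose.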

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1.1.x

Review in progress for https://review.opencontrail.org/27897
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/27898
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/27897
Committed: http://github.org/Juniper/contrail-neutron-plugin/commit/7c05eb040cfeb21641c453a4bd55f835364acd06
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit 7c05eb040cfeb21641c453a4bd55f835364acd06
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:50:03 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order

Change-Id: I726f3e3543580aac2ad1adc14aba5cc9d2ffa3b5
Closes-Bug: 1639426
(cherry picked from commit 61257dbdf6f2a11775bf2db605adc4dcc6f45068)
(cherry picked from commit d298d9b8b17fd93da54aabd7e6eaff100861aeed)

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/27898
Committed: http://github.org/Juniper/contrail-controller/commit/edeac12c6f0fb44e79039d914da28153fca10cb7
Submitter: Zuul (<email address hidden>)
Branch: R3.1.1.x

commit edeac12c6f0fb44e79039d914da28153fca10cb7
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 21 15:07:15 2016 -0800

Certificates need to be chained and bundled
in the order (certfile, keyfile and cacert).

1. Chaining in the certificate in correct order
2. Making certfile/keyfile optional

Closes-Bug: 1639426
Closes-Bug: 1630513

Getting certs as argument to the VncApi class and creating
unique certbundle for request to different api-servers.
Closes-Bug: 1644713
Closes-Bug: 1644707

Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae
(cherry picked from commit df192ce6f9623c628dee975754027f827dbc28d9)
(cherry picked from commit d49aec87815d0b881aaec405832c5ac581e29c3d)
(cherry picked from commit 18a920da6f4ce95a66565a5e61ed9b5d6af39d4f)

Conflicts:
 src/api-lib/vnc_api.py

When insecure flag is set to True in contrail-keystone-auth.conf,
contrail-api fails to start as the cafile is not initialized.
Initializing cafile to empty string, to handle insecure connections.

Change-Id: I23e4fd8ba533000e041fc892845ccc0bbd50fc48
Closes-Bug: 1650697
(cherry picked from commit 9c6d9ca425e9030fdab01db81f15eac479772854)
