Undercloud vips not validated when generating service certificate

Bug #1643655 reported by Ben Nemec
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Alex Schultz

Bug Description

If a mistake is made in undercloud.conf where a vip is not in the proper cidr and generate_service_certificate is in use for ssl enablement, the vip error will not be caught by the validation code. This is because the validator only checks undercloud_service_certificate when deciding whether to check vips.

As an added bonus, there isn't unit test coverage of vip validation so even if it were completely broken we wouldn't have noticed right away.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (master)

Fix proposed to branch: master
Review: https://review.openstack.org/400364

Changed in tripleo:
status: Triaged → In Progress
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

This disallows FQDNs in the undercloud endpoints... If we are going to validate, it needs to be smarter so as to still allow FQDNs.

Changed in tripleo:
assignee: Ben Nemec (bnemec) → Alex Schultz (alex-schultz)
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/400364
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=9c6424df5d9d0cb41ec78cbdddb520f1c1ec604b
Submitter: Jenkins
Branch: master

commit 9c6424df5d9d0cb41ec78cbdddb520f1c1ec604b
Author: Ben Nemec <email address hidden>
Date: Mon Nov 21 18:53:53 2016 +0000

    Validate vips when generating certificate too

    When generate_service_certificate is True,
    undercloud_service_certificate will not necessarily be set when it
    is passed to validation. We need to check if either value is set
    when deciding whether to validate vips.

    Unit tests for this behavior were missing as well, so those have
    been added.

    Another consideration for this change is that we have started
    passing non-IP values to these vip parameters when configuring
    ssl. This is counterintuitive, but apparently works as intended
    so let's just rename the parameters and handle both IPs and DNS
    names for those values.

    Change-Id: I53151d4f555d5d161a3e53ce5f022e3bf3b2ffbd
    Closes-Bug: 1643655
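
An added illustration, not code from instack-undercloud: a minimal validator that puts the gate described in the bug beside the gate described in the fix, and accepts both IPs and DNS names. The key names undercloud_public_host, undercloud_admin_host and network_cidr, the use of the stdlib ipaddress module, and the rejection of mistyped IPs such as 192.168.24.300 are assumptions of this example.

```python
import ipaddress
import re

LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
HOST_KEYS = ("undercloud_public_host", "undercloud_admin_host")  # assumed key names

def gate_before(conf):
    # Behaviour described in the bug: only the explicit certificate path counts.
    return bool(conf.get("undercloud_service_certificate"))

def gate_after(conf):
    # Behaviour described in the fix: either SSL option triggers the check.
    return bool(conf.get("undercloud_service_certificate")
                or conf.get("generate_service_certificate"))

def is_dns_name(value):
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or not all(LABEL.match(l) for l in labels):
        return False
    # An all-numeric last label is a mistyped IP (e.g. 192.168.24.300), not a name.
    return not labels[-1].isdigit()

def validate_hosts(conf, gate=gate_after):
    """Return a list of error strings; an empty list means the hosts pass."""
    if not gate(conf):
        return []
    cidr = ipaddress.ip_network(conf["network_cidr"])
    errors = []
    for key in HOST_KEYS:
        value = conf[key]
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            if not is_dns_name(value):
                errors.append(f"{key}: {value!r} is neither an IP nor a DNS name")
            continue  # DNS names are not checked against the CIDR
        if addr not in cidr:
            errors.append(f"{key}: {addr} is outside {cidr}")
    return errors

# Constructed sample: generated certificate, public host outside the CIDR.
SAMPLE = {
    "generate_service_certificate": True,
    "undercloud_service_certificate": "",
    "network_cidr": "192.168.24.0/24",
    "undercloud_public_host": "192.168.25.2",
    "undercloud_admin_host": "192.168.24.3",
}

if __name__ == "__main__":
    print("before fix:", validate_hosts(SAMPLE, gate_before))
    print("after fix: ", validate_hosts(SAMPLE, gate_after))
```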

Changed in tripleo:
status: In Progress → Fix Released
Changed in tripleo:
milestone: none → ocata-3
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/425296

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/425296
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=2d4015019a02bc7609f359961460494fc890e049
Submitter: Jenkins
Branch: master

commit 2d4015019a02bc7609f359961460494fc890e049
Author: Martin André <email address hidden>
Date: Wed Jan 25 18:12:23 2017 +0100

    Rename controller_admin_vip to controller_admin_host

    Bring change of I53151d4f555d5d161a3e53ce5f022e3bf3b2ffbd into
    puppet-tripleo.

    Change-Id: I1227956a0389497eedc00e4ec817f52be608dc75
    Related-Bug: #1643655

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 6.0.0.0rc1

This issue was fixed in the openstack/instack-undercloud 6.0.0.0rc1 release candidate.

no longer affects: tripleo/newton