Contrail :: 16.04 37 Ocata :: metadata ssl configuration fails in nova side.

Bug #1730631 reported by Ritam Gangopadhyay
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R4.1 | Fix Committed | Critical | Ramprakash R |
Trunk | Fix Committed | Critical | Ramprakash R |

Bug Description

root@nodei19:~# docker exec -it nova_api bash
(nova-api)[nova@nodei19 /]$ grep metadata /etc/nova/nova.conf
metadata_workers = 5
metadata_listen = 192.168.100.15
metadata_listen_port = 8775
metadata_proxy_shared_secret = D282E3EF77FE
service_metadata_proxy = true
(nova-api)[nova@nodei19 /]$ grep nova_metadata /etc/nova/nova.conf
(nova-api)[nova@nodei19 /]$ grep ssl /etc/nova/nova.conf

Setup:-

SMLite on node - nodec28 - 10.204.217.13

Abhay Joshi (abhayj) wrote :

Ritam,

It's good that you have narrowed down what is missing, but that is more like a cause. It is important to note in the bug what is the impact/symptom. That is missing. Without that, it is hard for someone to figure out if what you are stating above is the correct cause or not.

Can you please provide those details?

Thanks,

Abhay

Changed in juniperopenstack:
status: New → Incomplete
assignee: Abhay Joshi (abhayj) → Ritam Gangopadhyay (ritam)
Changed in juniperopenstack:
status: Incomplete → New
Ritam Gangopadhyay (ritam) wrote :

The impact is that the metadata ssl encryption feature "vRouter support for SSL meta-data service when proxying" won't work without the server side config in nova.conf.

Expectation is when:-

    "contrail_4": {
         "metadata_ssl_enable": true,

is set to true, nova side config should be updated with below parameters

enabled_ssl_apis= metadata
nova_metadata_protocol= https
nova_metadata_insecure= False
ssl_cert_file= /etc/nova/ssl/certs/nova.pem
ssl_key_file= /etc/nova/ssl/private/novakey.pem
ssl_ca_file= /etc/nova/ssl/certs/ca.pem

All the changes to support this to date have gone into the puppet side to configure openstack, and here are a few bugs that were filed related to that:-
https://bugs.launchpad.net/juniperopenstack/+bug/1711049
https://bugs.launchpad.net/juniperopenstack/+bug/1721834
https://bugs.launchpad.net/juniperopenstack/+bug/1724468

Similarly, this needs to be taken care of for Ocata, where nova is being provisioned using kolla.

Changed in juniperopenstack:
assignee: Ritam Gangopadhyay (ritam) → Abhay Joshi (abhayj)
Abhay Joshi (abhayj) wrote :

Thanks for sharing the details.

Changed in juniperopenstack:
assignee: Abhay Joshi (abhayj) → Ramprakash R (ramprakash)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37340
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/37341
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37342
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/37343
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37340
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37342
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37343
Committed: http://github.com/Juniper/contrail-ansible/commit/978a5bb448cfe136a83e8e80d0841a1a69237c95
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 978a5bb448cfe136a83e8e80d0841a1a69237c95
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:43:07 2017 -0800

metadata ssl configuration support for Ocata

When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
enabled_ssl_apis= metadata
nova_metadata_protocol = https
nova_metadata_insecure = True
ssl_cert_file = /etc/nova/ssl/certs/nova.pem
ssl_key_file = /etc/nova/ssl/private/novakey.pem
ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
/etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I45e7448a97dc129d17a5248d7290827b57a95423
Partial-bug: #1730631

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37341
Committed: http://github.com/Juniper/contrail-ansible/commit/759643300f7c94ca18bf47ce59a124384baed4d0
Submitter: Zuul (<email address hidden>)
Branch: master

commit 759643300f7c94ca18bf47ce59a124384baed4d0
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:43:07 2017 -0800

metadata ssl configuration support for Ocata

When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
enabled_ssl_apis= metadata
nova_metadata_protocol = https
nova_metadata_insecure = True
ssl_cert_file = /etc/nova/ssl/certs/nova.pem
ssl_key_file = /etc/nova/ssl/private/novakey.pem
ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
/etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I45e7448a97dc129d17a5248d7290827b57a95423
Partial-bug: #1730631

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37340
Committed: http://github.com/Juniper/contrail-server-manager/commit/a321ca36bc0ce9220e0697a33628e7b211abe0f3
Submitter: Zuul (<email address hidden>)
Branch: master

commit a321ca36bc0ce9220e0697a33628e7b211abe0f3
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:55:01 2017 -0800

Derive metadata_ssl_enable from contrail_4 to kolla_globals

Change-Id: I27ef7b9f36b0de1c044615d896f9174ded69ef3a
Closes-bug: #1730631

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37342
Committed: http://github.com/Juniper/contrail-server-manager/commit/d61702072b10bac33d9b3af82320a5c5f255a287
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit d61702072b10bac33d9b3af82320a5c5f255a287
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:55:01 2017 -0800

Derive metadata_ssl_enable from contrail_4 to kolla_globals

Change-Id: I27ef7b9f36b0de1c044615d896f9174ded69ef3a
Closes-bug: #1730631

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37913
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37914
Submitter: Ramprakash R (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37914
Committed: http://github.com/Juniper/contrail-ansible/commit/85369ae5cf13ce2c98967af155d993d67ba317d3
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 85369ae5cf13ce2c98967af155d993d67ba317d3
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:43:07 2017 -0800

metadata ssl configuration support for Ocata

When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
enabled_ssl_apis= metadata
nova_metadata_protocol = https
nova_metadata_insecure = False
ssl_cert_file = /etc/nova/ssl/certs/nova.pem
ssl_key_file = /etc/nova/ssl/private/novakey.pem
ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
/etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I7eaeff8938231405c002808f310cff8820097ede
Closes-bug: #1730631

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37913
Committed: http://github.com/Juniper/contrail-ansible/commit/98fa89bf42149ef455851086d87aec6b6ca5eb35
Submitter: Zuul (<email address hidden>)
Branch: master

commit 98fa89bf42149ef455851086d87aec6b6ca5eb35
Author: Ramprakash Ram Mohan <email address hidden>
Date: Wed Nov 8 21:43:07 2017 -0800

metadata ssl configuration support for Ocata

When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
enabled_ssl_apis= metadata
nova_metadata_protocol = https
nova_metadata_insecure = False
ssl_cert_file = /etc/nova/ssl/certs/nova.pem
ssl_key_file = /etc/nova/ssl/private/novakey.pem
ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
/etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I7eaeff8938231405c002808f310cff8820097ede
Closes-bug: #1730631
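
The nova.conf settings listed in the reporter's comment and in the commit messages above can be checked mechanically, including the nova_metadata_insecure value that differs between the first and the final commits. The following is an added example, not code from contrail-ansible or from anyone in this thread; the function name audit_metadata_ssl, the sample file bodies and their [DEFAULT] header are assumptions made for illustration.

```python
import configparser

# Values the reporter expects and the final commit messages list.
EXPECTED = {
    "enabled_ssl_apis": "metadata",
    "nova_metadata_protocol": "https",
    "nova_metadata_insecure": "false",
    "ssl_cert_file": "/etc/nova/ssl/certs/nova.pem",
    "ssl_key_file": "/etc/nova/ssl/private/novakey.pem",
    "ssl_ca_file": "/etc/nova/ssl/certs/ca.pem",
}
FALSE_WORDS = {"false", "0", "no", "off"}

def audit_metadata_ssl(conf_text):
    """Return findings for a nova.conf body; an empty list means it matches."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Assumption: the page does not name the section for each option,
    # so look in [DEFAULT] and in every other section.
    found = dict(cp.defaults())
    for section in cp.sections():
        found.update(cp.items(section))
    findings = []
    for key, want in EXPECTED.items():
        have = found.get(key)
        if have is None:
            findings.append(f"{key}: missing")
        elif key == "enabled_ssl_apis":
            if want not in [v.strip() for v in have.split(",")]:
                findings.append(f"{key}: '{want}' not listed ({have})")
        elif key == "nova_metadata_insecure":
            if have.strip().lower() not in FALSE_WORDS:
                findings.append(f"{key}: {have} (peer certificate not verified)")
        elif have.strip() != want:
            findings.append(f"{key}: expected {want}, found {have}")
    return findings

# Constructed samples: the state in the bug description, then the two fixes.
AS_REPORTED = "[DEFAULT]\nmetadata_listen_port = 8775\nservice_metadata_proxy = true\n"
SSL_BLOCK = ("enabled_ssl_apis = metadata\nnova_metadata_protocol = https\n"
             "nova_metadata_insecure = {insecure}\n"
             "ssl_cert_file = /etc/nova/ssl/certs/nova.pem\n"
             "ssl_key_file = /etc/nova/ssl/private/novakey.pem\n"
             "ssl_ca_file = /etc/nova/ssl/certs/ca.pem\n")
FIRST_FIX = AS_REPORTED + SSL_BLOCK.format(insecure="True")
FINAL_FIX = AS_REPORTED + SSL_BLOCK.format(insecure="False")

if __name__ == "__main__":
    for name, text in [("reported", AS_REPORTED), ("first", FIRST_FIX), ("final", FINAL_FIX)]:
        print(name, audit_metadata_ssl(text) or "OK")
```

Run against the nova.conf inside the nova_api container, an empty result corresponds to the configuration the final commits describe.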
