containerized cinder pacemaker bundles are missing ssl CA certs

Bug #1747326 reported by Steve Baker
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Steve Baker

Bug Description

Pacemaker containerized cinder-volume[1] and cinder-backup[2] are missing the required CA cert mounts. This can cause the tempest VolumeBackup tests to fail when the Overcloud is using SSL, due to being unable to verify the SSL certificate.
The cause seems to be that openstack-cinder-backup-docker-0 does not have access/config to /etc/pki/ content.

Snippet of output from the failing test tempest.api.volume.admin.test_volumes_backup.VolumesBackupsAdminTest.test_volume_backup_export_import[id-a99c54a1-dd80-4724-8a13-13bf58d4068d]:
> Response - Headers: {'status': '200', u'content-length': '922', 'content-location': 'https://10.0.0.101:13776/v2/d2523afb79544a4197fa79f2c5837ce6/backups/57af9d07-80f6-4706-add7-9337270dc950',
> u'x-compute-request-id': 'req-0581536b-4bca-45d7-8d58-86c49ecbf825', u'vary': 'Accept-Encoding', u'server': 'Apache', u'connection': 'close', u'date': 'Tue, 30 Jan 2018 14:03:46 GMT',
> u'content-type': 'application/json', u'x-openstack-request-id': 'req-0581536b-4bca-45d7-8d58-86c49ecbf825'}
> Body: {"backup": {"status": "error", "object_count": 0, "container": "volumebackups",
> "name": "tempest-VolumesBackupsAdminTest-Backup-1258019896",
> "links": [{"href": "https://10.0.0.101:13776/v2/d2523afb79544a4197fa79f2c5837ce6/backups/57af9d07-80f6-4706-add7-9337270dc950", "rel": "self"},
> {"href": "https://10.0.0.101:13776/d2523afb79544a4197fa79f2c5837ce6/backups/57af9d07-80f6-4706-add7-9337270dc950", "rel": "bookmark"}],
> "availability_zone": "nova", "created_at": "2018-01-30T14:03:23.000000", "description": null,
> "updated_at": "2018-01-30T14:03:45.000000", "data_timestamp": "2018-01-30T14:03:23.000000", "has_dependent_backups": false,
> "snapshot_id": null, "volume_id": "ca53f42d-d9c8-4776-95b3-b17f58c6c899",
>
> "fail_reason": "(\"bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)\",)",
>
> "is_incremental": false, "id": "57af9d07-80f6-4706-add7-9337270dc950", "size": 1}}

It should be enough to add the 4 /etc/pki mounts as for other pcs managed containers like rabbitmq[3].

[1] http://git.openstack.org/cgit/openstack/puppet-tripleo/tree/manifests/profile/pacemaker/cinder/volume_bundle.pp#n81
[2] http://git.openstack.org/cgit/openstack/puppet-tripleo/tree/manifests/profile/pacemaker/cinder/backup_bundle.pp#n81
[3] http://git.openstack.org/cgit/openstack/puppet-tripleo/tree/manifests/profile/pacemaker/rabbitmq_bundle.pp#n136
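
A check for the condition this report describes, as an added example that is not part of the bug report or of puppet-tripleo: it reads `docker inspect` JSON and reports which CA trust paths a container lacks or has mounted writable. The four paths are assumed standard RHEL/CentOS trust-store locations (the report does not list them), and the sample inspect data and the rabbitmq container name are constructed.

```python
import json

# Assumption: standard RHEL/CentOS CA trust-store locations. The report says
# "the 4 /etc/pki mounts" without listing them.
REQUIRED_CA_PATHS = (
    "/etc/pki/ca-trust/extracted",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/pki/tls/certs/ca-bundle.trust.crt",
    "/etc/pki/tls/cert.pem",
)

def bind_mount(path, rw=False):
    """Build one entry shaped like docker inspect's .Mounts[] (constructed data)."""
    return {"Type": "bind", "Source": path, "Destination": path, "RW": rw}

def covering_mount(path, mounts):
    """Return the most specific mount whose destination is `path` or a parent of it."""
    best = None
    for m in mounts:
        dest = m["Destination"].rstrip("/")
        if path == dest or path.startswith(dest + "/"):
            if best is None or len(dest) > len(best["Destination"].rstrip("/")):
                best = m
    return best

def audit_ca_mounts(inspect_json, required=REQUIRED_CA_PATHS):
    """Map container name -> CA paths that are missing or mounted writable."""
    report = {}
    for container in json.loads(inspect_json):
        mounts = container.get("Mounts") or []
        missing, writable = [], []
        for path in required:
            m = covering_mount(path, mounts)
            if m is None:
                missing.append(path)
            elif m.get("RW", True):
                writable.append(path)  # trust store should be read-only
        report[container["Name"].lstrip("/")] = {"missing": missing, "writable": writable}
    return report

# Constructed sample: one container with the CA mounts, one without.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/rabbitmq-bundle-docker-0",
     "Mounts": [bind_mount(p) for p in REQUIRED_CA_PATHS]},
    {"Name": "/openstack-cinder-backup-docker-0",
     "Mounts": [bind_mount("/etc/hosts"), bind_mount("/var/lib/cinder", rw=True)]},
])

if __name__ == "__main__":
    print(json.dumps(audit_ca_mounts(SAMPLE_INSPECT), indent=2))
```

On a real node, pass the output of `docker inspect <container>` to `audit_ca_mounts` in place of the sample.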

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/540693

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/541448

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/540693
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=82892046f05edcc1f3ad275a6cbe778004f8675a
Submitter: Zuul
Branch: master

commit 82892046f05edcc1f3ad275a6cbe778004f8675a
Author: Steve Baker <email address hidden>
Date: Mon Feb 5 14:54:23 2018 +1300

    Add missing pacemaker cinder CA cert mounts

    This adds the same CA cert mounts which other pacemaker managed
    containers like rabbitmq, redis, and haproxy have.

    With this change, cinder-backup should work correctly when running SSL
    enabled.

    Change-Id: I199c03ba36a24e6b1caf535ed285047952ac9eb0
    Closes-Bug: #1747326

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/541448
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=fecece15053e4d6857647520bf9e9b28ccd6d8d6
Submitter: Zuul
Branch: stable/pike

commit fecece15053e4d6857647520bf9e9b28ccd6d8d6
Author: Steve Baker <email address hidden>
Date: Mon Feb 5 14:54:23 2018 +1300

    Add missing pacemaker cinder CA cert mounts

    This adds the same CA cert mounts which other pacemaker managed
    containers like rabbitmq, redis, and haproxy have.
    With this change, cinder-backup should work correctly when running SSL
    enabled.

    Depends-On: I2bd45ab879307976b3d74d627e396ba8ad22625f
    Change-Id: I199c03ba36a24e6b1caf535ed285047952ac9eb0
    Closes-Bug: #1747326
    (cherry picked from commit 82892046f05edcc1f3ad275a6cbe778004f8675a)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 7.4.9

This issue was fixed in the openstack/puppet-tripleo 7.4.9 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.0

This issue was fixed in the openstack/puppet-tripleo 8.3.0 release.
