R5.0-micro-services provision - metadata ssl support for vrouter.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R5.0 | Invalid | Critical | alexey-mr | |
| Trunk | Incomplete | Critical | alexey-mr | |
Bug Description
To enable ssl for the openstack metadata service, the following needs to be updated in the default section of nova.conf on the openstack node:
• enabled_ssl_apis = metadata
• nova_metadata_
• nova_metadata_
• ssl_cert_file = /etc/contrail/
• ssl_key_file = /etc/contrail/
• ssl_ca_file = /etc/contrail/
On the vrouter config side ssl fields need to be updated too. The feature description is as below.
https:/
tags: | added: sanityblocker |
Abhay Joshi (abhayj) wrote : | #1 |
Ramprakash R (ramprakash) wrote : | #2 |
All the parameters that used to be in kolla/globals.yml could be given in instances.yaml as below:
...
...
kolla_config:
kolla_globals:
metadata_
This should populate the nova.conf with below configs:
enabled_ssl_apis= metadata
nova_metadata_
nova_metadata_
ssl_cert_file= /etc/nova/
ssl_key_file= /etc/nova/
ssl_ca_file= /etc/nova/
Note that pem files might have to be generated and placed in this directory in the relevant compute hosts. That will not happen automatically during provision in 5.0.
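Since 5.0 does not generate or place the PEM files, a pre-flight check before provisioning catches the failure described in this thread early. This is an added example, not code from the bug or from contrail-kolla-ansible; the cert paths in the sample are constructed placeholders.

```python
import configparser
import os
from typing import Callable, List

# Constructed sample of the nova.conf [DEFAULT] settings this bug describes.
# The paths are placeholders, not the paths of any real deployment.
SAMPLE_NOVA_CONF = """
[DEFAULT]
enabled_ssl_apis = metadata
ssl_cert_file = /etc/nova/certs/server.pem
ssl_key_file = /etc/nova/certs/server-privkey.pem
ssl_ca_file = /etc/nova/certs/ca-cert.pem
"""


def check_metadata_ssl(conf_text: str, readable: Callable[[str], bool]) -> List[str]:
    """Return the problems that would make SSL for the metadata API fail.

    `readable(path)` is injected so the same check runs against a real
    compute host (os.path.isfile) or an in-memory fixture.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default = cp["DEFAULT"]
    problems: List[str] = []

    apis = [a.strip() for a in default.get("enabled_ssl_apis", "").split(",") if a.strip()]
    if "metadata" not in apis:
        problems.append("enabled_ssl_apis does not include 'metadata'")
        return problems  # SSL not requested for metadata; file checks are moot

    # Every file nova will open at startup must already be on the host.
    for key in ("ssl_cert_file", "ssl_key_file", "ssl_ca_file"):
        path = default.get(key, "").strip()
        if not path:
            problems.append(f"{key} is not set")
        elif not readable(path):
            problems.append(f"{key}: {path} is missing (generate and copy it before provisioning)")
    return problems


if __name__ == "__main__":
    # Against the real filesystem the sample paths will normally be reported missing.
    for line in check_metadata_ssl(SAMPLE_NOVA_CONF, os.path.isfile):
        print(line)
```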
vageesan (vageesant) wrote : mariadb docker is restarting | #3 |
Hi Ramprakash,
Provision is failing in my setup with the following log. I see the mariadb docker is restarting frequently. Please check into the setup.
SM lite node: 10.204.216.8
Build: 4.1.0-8, Ocata – 16.04.2-minimal.
Config file: /root/vageesan/
Thanks
Vageesan.
"2018-03-31 02:35:02,
"2018-03-31 02:40:59,
"2018-03-31 02:41:00,
"2018-03-31 02:41:00,
"2018-03-31 02:41:00,
Sudheendra Rao (sudheendra-k) wrote : | #4 |
+Ritam, please check.
Thanks,
Sudhee.
Sent from my iPhone
> On 31-Mar-2018, at 6:18 AM, Vageesan Thanikachalam <email address hidden> wrote:
>
> Hi Ramprakash,
>
> Provision is failing in my setup with the following log. I see the mariadb docker is restarting frequently. Please check into the setup.
>
>
> SM lite node: 10.204.216.8
> Build: 4.1.0-8, Ocata – 16.04.2-minimal.
> Config file: /root/vageesan/
>
> Thanks
> Vageesan.
>
> "2018-03-31 02:35:02,
> "2018-03-31 02:40:59,
> "2018-03-31 02:41:00,
> "2018-03-31 02:41:00,
> "2018-03-31 02:41:00,
Abhay Joshi (abhayj) wrote : | #5 |
Comment #3 is NOT APPLICABLE to bug described in this report. The bug is invalid as stated in comments #1 and #2. #3 was something tried on 4.1, person finding it concluded it is this bug and reopened!!
Ritam Gangopadhyay (ritam) wrote : | #6 |
As expected, metadata_ssl_enable set to true doesn't enable the metadata service; instead it fails in the ssl cert copy.
Moreover it is not clear how setting metadata_ssl_enable under kolla configs will successfully configure the vrouter conf file.
Here is the task that fails and the error:-
TASK ---- Copy ssl certs for metadata if required
2018-04-13 09:24:25,408 p=24825 u=root | TASK [nova : Copy ssl certs for metadata if required] *******
2018-04-13 09:24:25,792 p=24825 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-13 09:24:25,794 p=24825 u=root | failed: [10.204.216.103] (item={u'src': u'/etc/
Ramprakash R (ramprakash) wrote : | #7 |
As mentioned in comment #2, for 5.0, the ssl cert files will not be generated automatically. It needs to be generated manually and placed wherever "local_
Nitish Krishna Kaveri (nitishk) wrote : | #8 |
When SSL_ENABLE is set to True in contrail_
I am following the default paths mentioned here:
https:/
The check-ins to do this creation/mounting are already merged.
Please set SSL_ENABLE to True and try the above paths
Abhay Joshi (abhayj) wrote : | #9 |
Ritam,
Please try #8 above and reopen if still broken.
Ritam Gangopadhyay (ritam) wrote : | #10 |
Will try it but still not sure how that solves configuring nova.conf and vrouter.conf with metadata ssl parameters.
Ritam Gangopadhyay (ritam) wrote : | #11 |
Enabled the below flags:-
[root@nodec28 ~]# cat contrail-
SSL_ENABLE: True
[root@nodec28 ~]# cat contrail-
metadata_
[root@nodec28 ~]#
Provisioning failed while searching for cert/key files under contrail_smgr directory.
1. Looks like the path needs to be changed in the task.
2. Cert/Key file copy should happen before openstack provisioning is done because copy code is part of contrail provisioning right now which happens after openstack provisioning.
3. I am not sure who needs to look into it, whether from the contrail side or the openstack side, so moving it back to triage.
Here is the ansible task failure seen on my setup, setup is nodec28 and available.
2018-04-15 10:15:14,534 p=26013 u=root | TASK [nova : Copy ssl certs for metadata if required] *******
2018-04-15 10:15:14,679 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-15 10:15:14,679 p=26013 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/
2018-04-15 10:15:14,746 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-15 10:15:14,747 p=26013 u=root | failed: [10.204.217.77] (item={u'src': u'/etc/
2018-04-15 10:15:14,748 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-15 10:15:14,748 p=26013 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/
2018-04-15 10:15:14,749 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
Abhay Joshi (abhayj) wrote : | #12 |
Hi Alexey,
Can you please confirm if your change for SSL certs in control, also takes care of vrouter? If not, please add that too.
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #13 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #15 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #17 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #19 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #21 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #23 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
alexey-mr (alexey-morlang) wrote : | #25 |
To populate the vrouter agent config with ssl settings for metadata it is needed to provide variables:
METADATA_
# parameters below are optional (if they are kept empty, insecure ssl will be used (w/o strict cert checking); if some orchestrator layer supports cert/key generation the exact files could be passed via:
METADATA_
METADATA_
METADATA_
(If the provided certs are not in PEM format, the format should be specified in METADATA_
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #26 |
Reviewed: https:/
Committed: http://
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0
commit 0f57372a4e9900e
Author: alexey-mr <email address hidden>
Date: Thu Apr 19 18:41:55 2018 +0300
Provision metadata ssl options for agent config
Change-Id: I1bce4f06b0fced
Closes-Bug: #1759576
OpenContrail Admin (ci-admin-f) wrote : | #27 |
Reviewed: https:/
Committed: http://
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master
commit fe74357a68453b4
Author: alexey-mr <email address hidden>
Date: Thu Apr 19 18:41:55 2018 +0300
Provision metadata ssl options for agent config
Change-Id: I1bce4f06b0fced
Closes-Bug: #1759576
Ritam Gangopadhyay (ritam) wrote : | #28 |
Provisioning fails to find certs while bringing up nova with the following error:-
2018-04-24 10:25:12,661 p=1887 u=root | TASK [nova : Copy ssl certs for metadata if required] *******
2018-04-24 10:25:12,964 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-24 10:25:12,964 p=1887 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/
2018-04-24 10:25:12,965 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-24 10:25:12,965 p=1887 u=root | failed: [10.204.217.77] (item={u'src': u'/etc/
2018-04-24 10:25:12,966 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-24 10:25:12,966 p=1887 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/
2018-04-24 10:25:12,967 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-24 10:25:12,967 p=1887 u=root | failed: [10.204.217.168] (item={u'src': u'/etc/
2018-04-24 10:25:12,968 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotF
2018-04-24 10:25:12,968 p=1887 u=root | failed: [10.204.217.132] (item={u'src': u'/etc/
2018-04-24 10:25:12,978 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The e...
alexey-mr (alexey-morlang) wrote : | #29 |
There is no need to use certs for nova provisioning.
Instead it is needed to configure openstack to enable SSL on VIPs (for haproxy) only; metadata is to be accessed via the VIP from compute nodes. And it is to be done by kolla, not by contrail-
Nitish Krishna Kaveri (nitishk) wrote : | #30 |
I think I know what the issue is. Let me debug and close
OpenContrail Admin (ci-admin-f) wrote : [Review update] contrail/ocata | #31 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #33 |
Review in progress for https:/
Submitter: Nitish Krishna Kaveri (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #34 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
Ritam Gangopadhyay (ritam) wrote : | #36 |
With review 42476 patched and the below knobs in instances.yml
contrail_
METADATA_
kolla_config:
kolla_globals:
metadata_
tls_
I am hitting haproxy bring up error
TASK [haproxy : Copying over haproxy.cfg] *******
failed: [10.204.217.131] (item=/
Ritam Gangopadhyay (ritam) wrote : | #38 |
These are just a few lines of the error; full logs can be found at /var/log/
OpenContrail Admin (ci-admin-f) wrote : | #39 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #40 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #41 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #42 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #43 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #44 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #46 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #47 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #48 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] contrail/ocata | #49 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #50 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #51 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #52 |
Review in progress for https:/
Submitter: alexey-mr (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #53 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R5.0 | #54 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] contrail/ocata | #55 |
Review in progress for https:/
Submitter: Andrey Pavlov (<email address hidden>)
tags: | added: releasenote |
tags: | added: sanity removed: sanityblocker |
alexey-mr (alexey-morlang) wrote : | #56 |
We've discussed it yesterday and Michael's position is to wait for RHOSP13 where this feature is supported. Kolla and Helm don't support this feature for the internal api, so we will not support it either in Kolla/Helm deployments. We agree with Michael.
Rudra, please deal with this bug as you see fit.
Sivakumar Ganapathy (hotlava51) wrote : | #57 |
Removed vrouter tag as it is not a vrouter bug.
tags: | removed: vrouter |
Ritam Gangopadhyay (ritam) wrote : | #58 |
As per comment #56 the metadata ssl feature is no longer supported from R5.0, so moving this bug to invalid.
Ritam,
Metadata support is already there in 5.0-micro-services. You can enable it with the following setting:
# contrail_additions : metadata_ssl_enable is set to "yes" to support the SSL
# encryption feature for vrouter when proxying.
metadata_ssl_enable: "no"
in the contrail-kolla-ansible/all.yml file. Please see https://github.com/Juniper/contrail-ansible-deployer/wiki/Contrail-with-Kolla-Ocata and https://github.com/Juniper/contrail-kolla-ansible/blob/contrail/ocata/ansible/group_vars/all.yml.