[centos64_build_1804] Broken Contrail Command install
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R5.0 | Invalid | Critical | Leela Bharath Kumar Kassetti | |
| Trunk | Invalid | Critical | Leela Bharath Kumar Kassetti | |
Bug Description
DESCRIPTION
-------------
I'm following the official install guide for Contrail Command using a CentOS 7.5 ISO image (build 1804) and the install fails at step 4 while trying to download some Python dependencies from this site that uses TLS1.2 -> https:/
Unfortunately, CentOS 7 has deprecated the use of legacy SSL/TLS crypto, hence the install fails because it cannot check the site's certificate.
The OpenSSL version used by CentOS7.5 is 1.0.2k and CentOS doesn't provide RPMs with newer OpenSSL versions. The only fix I could find is to download the latest OpenSSL source (1.1.1 as of writing this), then recompile it and link it instead of the old 1.0.2k version.
REPRO STEPS
-------------
1. Download a minimal CentOS7.5 ISO and install it on your VM/BMS.
I have used:
ISO image: CentOS-
MD5: fabdc67ff3a1674
VM: VMware ESXi / 2.3Ghz quad-core / 16GB RAM / 50GB HDD
2. Follow the install steps in the official Contrail Command guide to the letter:
https:/
3. When reaching step #4 in that guide you will hit the problem while the Ansible playbook tries to pull some dependencies from pypi.python.org:
[root@contrail-
[root@contrail-
[...]
TASK [install_packages : install docker-py] *******
fatal: [172.27.0.2]: FAILED! => {"changed": false, "cmd": "/usr/bin/pip2 install docker-py==1.10.6", "msg": "stdout: Collecting docker-py==1.10.6\n Could not fetch URL https:/
to retry, use: --limit @/var/tmp/
PLAY RECAP *******
172.27.0.2 : ok=13 changed=6 unreachable=0 failed=1
localhost : ok=4 changed=2 unreachable=0 failed=0
WORKAROUND - REINSTALL OPENSSL FROM SOURCE
-------
[root@contrail-
OpenSSL 1.0.2k-fips 26 Jan 2017
Before you proceed you must make sure the time is synchronized via NTP.
[root@contrail-
[root@contrail-
[root@contrail-
Download the latest OpenSSL, unpack it and install from source - https:/
[root@contrail-
[root@contrail-
[root@contrail-
[root@contrail-
[root@contrail-
[root@contrail-
Now statically link the new OpenSSL version (1.1.1) instead of the official CentOS one (1.0.2 at the time of writing this).
Create the following file:
[root@contrail-
And paste in the following content in that file:
pathmunge /usr/local/
Next create this ldconfig file to define the new path:
[root@contrail-
And paste in the following content in that file:
/usr/local/
Relink all libraries:
[root@contrail-
Now confirm that OpenSSL is using the new version:
[root@contrail-
OpenSSL 1.1.1 11 Sep 2018
Now back to installing Contrail Command: make sure that docker is running, delete all previous incomplete containers and rebuild them:
[root@contrail-
[root@contrail-
[root@contrail-
[root@contrail-
[root@contrail-
Follow the progress by monitoring the Docker logs:
[root@contrail-
DONE. Move on to Step 6 from the install guide.
information type: | Proprietary → Public |
tags: | added: contrail-command provisioning |
Are you seeing this error, "There was a problem confirming the ssl certificate: [SSL: CERTIFICATE_VERIFY_FAILED]", if you try to manually install any pip package, or is this specific to the docker-py installation?
P.S:
We are no longer installing docker-py as part of contrail-command installation.
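
A triage sketch for the failure discussed in this report, added here as an example and not part of the original report or of the Contrail installer. It separates a certificate verification failure from a TLS protocol-version failure, reports the OpenSSL build that the Python interpreter running pip is linked against (which can differ from what the `openssl` command prints), and checks the clock against a certificate validity window. The function names and the sample dates are assumptions constructed for illustration.

```python
import os
import ssl
import time

# Reason codes that OpenSSL reports for protocol or version negotiation problems.
PROTOCOL_REASONS = ("TLSV1_ALERT_PROTOCOL_VERSION", "UNSUPPORTED_PROTOCOL",
                    "WRONG_VERSION_NUMBER")

def classify_tls_error(message):
    """Sort a pip/OpenSSL error string into a failure class."""
    if "CERTIFICATE_VERIFY_FAILED" in message:
        return "cert-verify"   # trust store, clock or chain problem
    if any(reason in message for reason in PROTOCOL_REASONS):
        return "protocol"      # protocol or version negotiation problem
    return "other"

def runtime_tls_report():
    """Describe the TLS stack of the interpreter that runs pip."""
    paths = ssl.get_default_verify_paths()
    stores = [p for p in (paths.cafile, paths.capath) if p]
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # TLS 1.2 support arrived in OpenSSL 1.0.1
        "tls1_2": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "ca_store_found": any(os.path.exists(p) for p in stores),
    }

def clock_vs_validity(not_before, not_after, now=None):
    """Compare the local clock with a certificate's validity window."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(not_before):
        return "clock-behind-or-cert-not-yet-valid"
    if now > ssl.cert_time_to_seconds(not_after):
        return "clock-ahead-or-cert-expired"
    return "within-validity"

if __name__ == "__main__":
    # Error text as quoted in the comment above; the dates are constructed.
    err = ("There was a problem confirming the ssl certificate: "
           "[SSL: CERTIFICATE_VERIFY_FAILED]")
    print(classify_tls_error(err))
    print(runtime_tls_report())
    print(clock_vs_validity("Sep 11 00:00:00 2018 GMT",
                            "Sep 11 00:00:00 2019 GMT"))
```

Run it with the same interpreter that pip uses (for example `/usr/bin/python2` on the affected host), since that interpreter's linked OpenSSL is what performs the verification.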