environment/ssl/enable-internal-tls.yaml is missing notify ssl variables

Bug #1795462 reported by Michele Baldessari
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Michele Baldessari

Bug Description

https://github.com/openstack/tripleo-heat-templates/blob/master/environments/ssl/enable-internal-tls.yaml#L22 uses RPCUseSSL only and misses the NotifyUseSSL variable.

The reason this is a problem is that commands/services that will kick off a notification are likely to hang due to this.

Imagine the following scenario:
1. TLS configured everywhere
2. keystone-manage bootstrap actually hangs

The reason for this is that the messaging string in the keystone container will look like the following:
[oslo_messaging_notifications]
transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0

By gdb-ing on to the keystone-manage process (thanks Damien, for the idea) we can see that we are stuck in oslo calls connecting to rabbit without TLS.
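
A check for the mismatch described in this report, as an added example (not part of the bug report or of tripleo-heat-templates): it reads a service configuration file and lists the sections whose transport_url has TLS switched off while another section has it switched on. The host name, the credentials and the [DEFAULT] RPC URL in the sample are constructed, and treating a missing ssl parameter as "TLS off" is an assumption.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the fragment in the bug description.
# Host name and credentials are placeholders, not values from the page.
SAMPLE_CONF = """\
[DEFAULT]
transport_url=rabbit://guest:secret@controller-0.internalapi.example:5672/?ssl=1

[oslo_messaging_notifications]
driver=messagingv2
transport_url=rabbit://guest:secret@controller-0.internalapi.example:5672/?ssl=0
"""

TRUTHY = {"1", "true", "yes", "on"}


def transport_tls(conf_text):
    """Map each section that sets transport_url to True/False for TLS."""
    # default_section is renamed so [DEFAULT] is parsed as an ordinary
    # section and its transport_url is not inherited by every other one.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        url = parser.get(section, "transport_url", fallback=None)
        if url is None:
            continue
        query = parse_qs(urlsplit(url).query)
        # A missing ssl parameter is treated as "TLS off" (assumption).
        flag = query.get("ssl", ["0"])[-1].lower()
        result[section] = flag in TRUTHY
    return result


def plaintext_sections(conf_text):
    """Sections whose transport URL disables TLS while another enables it."""
    tls = transport_tls(conf_text)
    if not any(tls.values()):
        return []  # TLS is off everywhere: consistent, not this bug
    return sorted(name for name, on in tls.items() if not on)


if __name__ == "__main__":
    for name in plaintext_sections(SAMPLE_CONF):
        print(f"[{name}] transport_url connects without TLS")
```

Run against each service's rendered configuration after a deployment, a non-empty result points at a section that was left out when internal TLS was enabled.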

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/607002

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/607002
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=0acfc345e1d8d7d475d4af73f9569be7b5d73a02
Submitter: Zuul
Branch: master

commit 0acfc345e1d8d7d475d4af73f9569be7b5d73a02
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 1 18:33:33 2018 +0200

    Add UseNotifySSL to environments/ssl/enable-internal-tls.yaml

    https://github.com/openstack/tripleo-heat-templates/blob/master/environments/ssl/enable-internal-tls.yaml#L22
    uses RPCUseSSL only and misses the NotifyUseSSL variable.
    The reason this is a problem is that commands/services that will kick
    off a notification are likely to hang due to this. Imagine the
    following scenario:

    1. TLS configured everywhere
    2. keystone-manage bootstrap actually hangs

    The reason for this is that the messaging string in the keystone container will look like the following:
    [oslo_messaging_notifications]
    transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0

    By gdb-ing on to the keystone-manage process (thanks Damien, for the
    idea) we can see that we are stuck in oslo calls connecting to rabbit
    without tls

    Closes-Bug: #1795462
    Change-Id: I0d25527131fa4cd293994a0511bba1144510c4d8

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/607523

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.openstack.org/607523
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=43b27a36f3d5946c465883284d6c3dc43949f751
Submitter: Zuul
Branch: stable/rocky

commit 43b27a36f3d5946c465883284d6c3dc43949f751
Author: Michele Baldessari <email address hidden>
Date: Mon Oct 1 18:33:33 2018 +0200

    Add UseNotifySSL to environments/ssl/enable-internal-tls.yaml

    https://github.com/openstack/tripleo-heat-templates/blob/master/environments/ssl/enable-internal-tls.yaml#L22
    uses RPCUseSSL only and misses the NotifyUseSSL variable.
    The reason this is a problem is that commands/services that will kick
    off a notification are likely to hang due to this. Imagine the
    following scenario:

    1. TLS configured everywhere
    2. keystone-manage bootstrap actually hangs

    The reason for this is that the messaging string in the keystone container will look like the following:
    [oslo_messaging_notifications]
    transport_url=rabbit://guest:<email address hidden>:5672/?ssl=0

    By gdb-ing on to the keystone-manage process (thanks Damien, for the
    idea) we can see that we are stuck in oslo calls connecting to rabbit
    without tls

    Closes-Bug: #1795462
    Change-Id: I0d25527131fa4cd293994a0511bba1144510c4d8
    (cherry picked from commit 0acfc345e1d8d7d475d4af73f9569be7b5d73a02)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.0.0

This issue was fixed in the openstack/tripleo-heat-templates 10.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.1.0

This issue was fixed in the openstack/tripleo-heat-templates 9.1.0 release.
