tripleo

Deployment fails when enabling TLS when with 3 controllers in 3 profiles

Bug #1822327 reported by Emilien Macchi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Emilien Macchi
tripleo ussuri-3 "tripleo ussuri-3"

Bug Description

Source: https://bugzilla.redhat.com/show_bug.cgi?id=1690558

Description of problem:
When deploying with controllers split into 3 profiles. haproxy fails to build configuration when trying to enable TLS.

Version-Release number of selected component (if applicable): OSP13

How reproducible: Always

Steps to Reproduce:
Deploy overcloud with TLS
~~~
openstack overcloud deploy --templates --stack xxxx -e templates/cli-replacement.yaml -e templates/glance_swift_config.yaml -e templates/network-environment.yaml -e templates/storage-environment.yaml -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml -e templates/logging-environment.yaml -e templates/cloudname.yaml -e templates/overcloud_images.yaml -e templates/ldap-environment.yaml -e templates/mount_nfs.yaml -e templates/cinder-backends01.yaml -e templates/cinder-backends02.yaml -e templates/cinder-backends03.yaml -e templates/enable-tls.yaml -r templates/roles_data.yaml --debug
~~~

Actual results:

Error from stack:
    ~~~
    2019-02-2X 19:34:04Z [xxxx.AllNodesDeploySteps]: CREATE_FAILED Resource CREATE failed: Error: resources.Controller02Deployment_Step1.resources[0]: Deployment to server failed: deploy_status_code: Deployment exited with non-zero status code: 2

     Stack xxxx CREATE_FAILED

    xxxx.AllNodesDeploySteps.Controller02Deployment_Step1.0:
      resource_type: OS::Heat::StructuredDeployment
      physical_resource_id: xxxxxxxxxxxxxxxxxxxxxxxxxxx
      status: CREATE_FAILED
      status_reason: |
        Error: resources[0]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
      deploy_stdout: |
        ...
                "2019-02-2x 19:34:00,928 INFO: xxxx -- Removing container: docker-puppet-heat_api_cfn",
                "2019-02-2x 19:34:00,960 INFO: xxxx -- Finished processing puppet configs for heat_api_cfn",
                "2019-02-2x 19:34:00,960 ERROR: xxxx -- ERROR configuring haproxy"
            ]
        }
            to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/xxxxxxxxxxxxxxxxxx_playbook.retry

        PLAY RECAP *********************************************************************
        localhost : ok=24 changed=12 unreachable=0 failed=1

        (truncated, view all with --long)
      deploy_stderr: |

    xxx.AllNodesDeploySteps.Controller03Deployment_Step1.0:
      resource_type: OS::Heat::StructuredDeployment
      physical_resource_id: xxxxxxxxxxxxxxxxxxxxx
      status: CREATE_FAILED
      status_reason: |
        Error: resources[0]: Deployment to server failed: deploy_status_code : Deployment exited with non-zero status code: 2
      deploy_stdout: |
        ...
                "2019-02-2X 19:34:00,272 INFO: xxxx -- Removing container: docker-puppet-heat_api_cfn",
                "2019-02-2X 19:34:00,313 INFO: xxxx -- Finished processing puppet configs for heat_api_cfn",
                "2019-02-2X 19:34:00,313 ERROR: xxxxx -- ERROR configuring haproxy"
            ]
        }
            to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/xxxxxxxxxxxxxxxxxxxxxx_playbook.retry

        PLAY RECAP *********************************************************************
        localhost : ok=24 changed=12 unreachable=0 failed=1

Expected results: Overcloud deployed with TLS

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/648692

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/648692
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f6c4f652c774ed2ef0a6e4307be7096e41dc02f3
Submitter: Zuul
Branch: stable/queens

commit f6c4f652c774ed2ef0a6e4307be7096e41dc02f3
Author: Emilien Macchi <email address hidden>
Date: Fri Mar 29 09:49:01 2019 -0400

    [queens-only] Remove primary role constraint to deploy NodeTLSData

    NodeTLSData is needed everywhere HAproxy is deployed.
    Therefore, if multiple roles have HAproxy, we need to remove the primary
    role constraint on this resource otherwise it's only deployed on the
    node tagged controller & primary.
    With this patch, we'll deploy NodeTLSData on roles tagged "controller".

    Change-Id: I670d292f6051a373298e4ff0cc59f763aa3eee63
    Closes-Bug: 1822327

tags: added: in-stable-queens
Alex Schultz (alex-schultz)
Changed in tripleo:
milestone: stein-rc1 → train-1
Alex Schultz (alex-schultz)
Changed in tripleo:
milestone: train-1 → train-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/666658

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.opendev.org/666658
Reason: this was fixed in https://review.opendev.org/#/c/605728/ and not backported to Queens.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.0

This issue was fixed in the openstack/tripleo-heat-templates 8.4.0 release.

Alex Schultz (alex-schultz)
Changed in tripleo:
milestone: train-2 → train-3
Alex Schultz (alex-schultz)
Changed in tripleo:
milestone: train-3 → ussuri-1
Emilien Macchi (emilienm)
Changed in tripleo:
milestone: ussuri-1 → ussuri-2
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-2 → ussuri-3
Emilien Macchi (emilienm)
Changed in tripleo:
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.