TLS everywhere timeouts on getcert resubmit
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Medium | Grzegorz Grasza |
Bug Description
Description
===========
TLS everywhere brownfield deployment randomly times out on deploying the overcloud. On deeper inspection, there is an issue with the getcert resubmit command, which is run with the '-w' option, waiting on certmonger without a timeout.
/usr/bin/getcert resubmit -i libvirt-
There is a repeated message in the logs from certmonger:
Certificate in file "/etc/pki/
It turns out that /etc/pki/
Steps to reproduce
==================
This can happen with different cert files, also mentioned in https:/
In my case, the first overcloud deployment finished with an error:
Error response from daemon: error while creating mount source path '/etc/pki/
And with an Ansible timeout the second time.
The underlying issue
====================
Digging further in, I found out there is an issue with docker volumes that results in the docker daemon creating the directory in place of a path that doesn't exist https:/
This happens when new containers are started with new configuration, before certificates are generated and placed in the appropriate paths.
To resolve the issue, we should only mount directories with certificates, or make sure the files mentioned in the volumes configuration are created beforehand.
Using podman wouldn't exhibit this timeout issue - podman returns with an error if the file doesn't exist.
Hotfix
======
Remove the directories before Ansible times out, restart docker containers.
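
A pre-flight check for the condition described in this report, as an added example that is not part of the original bug report or of the TripleO fix: it classifies the paths a container expects to bind-mount as certificate or key files, and removes only empty directories found in their place. The function names, and passing the expected file paths as arguments, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Paths are passed as arguments (assumption: the operator
# takes them from the containers' volumes configuration).

# Prints "<state> <path>" per argument; returns 1 if any path is not a file.
#   OK       regular file, certmonger can (re)write it
#   DIR      directory sitting where a file is expected
#   MISSING  nothing there yet; docker would create a directory on start
check_cert_mount_sources() {
    rc=0
    for p in "$@"; do
        if [ -f "$p" ]; then
            echo "OK $p"
        elif [ -d "$p" ]; then
            echo "DIR $p"; rc=1
        else
            echo "MISSING $p"; rc=1
        fi
    done
    return $rc
}

# Removes directories found in place of files, but only when they are empty
# (rmdir refuses otherwise), so a real directory with content is never lost.
# Prints each removed path; returns 1 if any directory could not be removed.
remove_placeholder_dirs() {
    rc=0
    for p in "$@"; do
        [ -d "$p" ] || continue
        if rmdir "$p" 2>/dev/null; then
            echo "removed $p"
        else
            echo "kept (not empty) $p" >&2; rc=1
        fi
    done
    return $rc
}
```

Running the check before containers are started with new configuration surfaces MISSING paths early; running it after a failed deployment identifies the DIR entries to clear before resubmitting the certificate request.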
Changed in tripleo: | |
status: | New → Triaged |
importance: | Undecided → Medium |
milestone: | none → train-1 |
Changed in tripleo: | |
milestone: | train-1 → train-2 |
Changed in tripleo: | |
milestone: | train-2 → train-3 |
Changed in tripleo: | |
status: | Triaged → Fix Committed |
assignee: | nobody → Grzegorz Grasza (xek) |
Changed in tripleo: | |
status: | Fix Committed → Fix Released |
Related fix proposed to branch: master
Review: https://review.opendev.org/672239