The following patch:
~~~~
Per-Role krb-service-principal for CompactServices
Filter krb-service-principals for the CompactServices
based on the networks associated with the role.
Filtering for the IndividualServices was added in previous
fix https://review.openstack.org/646005, which didn't
fully fix the bug.
Closes-Bug: #1821377
Change-Id: Id54477ca5581e1f5fe8a09c3bc60a238d114dbb2
(cherry picked from commit 578bcb2ffa)
tags/10.6.1
~~~~
LINK: https://opendev.org/openstack/tripleo-heat-templates/commit/223ddba9137a3c9129fc33593db086518bf75a78?lang=en-US
Contains additional filtering (as a means to work around the nova metadata field size limit: each field cannot exceed 256 bytes).
However, the filtering might be a little too aggressive:
l63: {%- for network in networks if network.vip|default(false) and network.name in role.networks %}
^^^^^^^^^^^^^^^^^^^^^^^^^^
$ cat network_data.yaml
- name: SomeNetwork
name_lower: somenet
vip: false <<<<<<<<<<<<<<<<<
ip_subnet: xxx.xxx.xxx.0/xx
allocation_pools: [{'start': 'xxx.xxx.xxx.xxx', 'end': 'xxx.xxx.xxx.xxx'}]
vlan: xxxxxxxx
< snip >
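To make the effect of that filter concrete, here is an added example (plain Python, not tripleo-heat-templates code) that reimplements the quoted Jinja2 condition and then checks which SAN FQDNs of a certificate request would have no matching service principal. The network list and role are constructed sample input modelled on the snippet above; the hostname-to-SAN naming (`<host>.<name_lower>.<domain>`) is an assumption taken from the `-D ctl1.somenet.example.com` entries in the logs.

```python
"""Reimplementation of the template condition

    {%- for network in networks if network.vip|default(false)
                                    and network.name in role.networks %}

plus a mismatch check between certificate SANs and requested principals.
Everything below is constructed sample data, not deployment output.
"""

# Constructed network_data: mirrors the report's network (vip: false) and adds
# one vip network and one network with no vip key for contrast.
NETWORKS = [
    {"name": "SomeNetwork", "name_lower": "somenet", "vip": False},
    {"name": "InternalApi", "name_lower": "internal_api", "vip": True},
    {"name": "Storage", "name_lower": "storage"},  # no vip key -> default(false)
]

# Constructed role that is attached to all three networks.
ROLE = {"name": "Controller", "networks": ["SomeNetwork", "InternalApi", "Storage"]}


def networks_with_principals(networks, role):
    """Network names that survive the template's filter.

    Jinja's ``vip|default(false)`` means a missing key counts as false, so a
    network is kept only when vip is truthy AND it is in the role's networks.
    """
    return [
        n["name"]
        for n in networks
        if n.get("vip", False) and n["name"] in role["networks"]
    ]


def _fqdn(hostname, network, domain):
    # Assumed naming: <host>.<name_lower>.<domain>, as in ctl1.somenet.example.com
    return f"{hostname}.{network['name_lower']}.{domain}"


def san_fqdns(hostname, networks, role, domain):
    """SANs the certificate request would carry: one per network the role is on
    (the role membership is not filtered by vip)."""
    by_name = {n["name"]: n for n in networks}
    return [_fqdn(hostname, by_name[name], domain) for name in role["networks"]]


def principal_fqdns(hostname, networks, role, domain):
    """FQDNs for which a krb service principal would be requested, i.e. only
    the networks that pass the vip/role filter."""
    by_name = {n["name"]: n for n in networks}
    return [
        _fqdn(hostname, by_name[name], domain)
        for name in networks_with_principals(networks, role)
    ]


def sans_without_principal(hostname, networks, role, domain):
    """SANs with no corresponding service principal.

    Each entry is a SAN that IPA would reject with the 4001
    'service principal ... does not exist' error seen in the report.
    """
    have = set(principal_fqdns(hostname, networks, role, domain))
    return [fqdn for fqdn in san_fqdns(hostname, networks, role, domain) if fqdn not in have]


if __name__ == "__main__":
    print("kept by filter:", networks_with_principals(NETWORKS, ROLE))
    print("SANs lacking a principal:",
          sans_without_principal("ctl1", NETWORKS, ROLE, "example.com"))
```

Running it shows that only the vip network is kept, so two of the three SANs the request would contain have no principal behind them; that is the same mismatch the `getcert` errors above report for `ctl1.somenet.example.com`.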
os-collect-config logs:
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I contrail -f /etc/contrail/ssl/certs/server.pem -c IPA -N CN=ctrl1.example.com -K contrail/ctrl1.example.com -D ctl1.ctlplane.example.com -D ctl1.somenet.example.com-D < snip > -D -D -D -D -D -C sudo docker ps -q --filter=name=\"contrail*\" | xargs -i sudo docker restart {} -w -k /etc/contrail/ssl/private/server-privkey.pem' returned 3: New signing request \"contrail\" added.",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Error: /Stage[main]/Tripleo::Certmonger::Contrail/Certmonger_certificate[contrail]: Could not evaluate: Could not get certificate: Server at https://idm.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. The service principal for subject alt name ctl1.somenet.example.com in certificate request does not exist).",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I httpd-somenet -f /etc/pki/tls/certs/httpd/httpd-somenet.crt -c IPA -N CN=ctl1.somenet.example.com -K HTTP/ctl1.somenet.xxxxxxxxxxxxxxxx -D ctl1.somenetxxxxxxxxxxxxxxxxx -C pkill -USR1 httpd -w -k /etc/pki/tls/private/httpd/httpd-somenet.key' returned 3: New signing request \"httpd-somenet\" added.",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-somenet]/Certmonger_certificate[httpd-somenet]: Could not evaluate: Could not get certificate: Server at https://idm.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'ctl1.somenet.example.com' does not exist to add a service to.).",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Exec[tripleo-ca-crl]: Skipping because of failed dependencies",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/File[tripleo-ca-crl-file]: Skipping because of failed dependencies",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Exec[tripleo-ca-crl-process-command]: Skipping because of failed dependencies",
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: "Warning: /Stage[main]/Tripleo::Certmonger::Ca::Crl/Cron[tripleo-refresh-crl-file]: Skipping because of failed dependencies"
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: ]
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: }
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: to retry, use: --limit @/var/lib/heat-config/heat-config-ansible/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_playbook.retry
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: PLAY RECAP *********************************************************************
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: localhost : ok=26 changed=13 unreachable=0 failed=1
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: [2019-11-22 15:00:22,217] (heat-config) [ERROR] Error running /var/lib/heat-config/heat-config-ansible/_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxplaybook.yaml. [2]
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: [2019-11-22 15:00:22,223] (heat-config) [INFO] Completed /usr/libexec/heat-config/hooks/ansible
Nov 22 15:00:22 ctrl1.example.com os-collect-config[12345]: [2019-11-22 15:00:22,224] (heat-config) [DEBUG] Running heat-config-notify /var/lib/heat-config/deployed/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.json < /var/lib/heat-config/deployed/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.notify.json
I have reproduced this issue with just the default management network enabled:
Dec 05 13:04:57 overcloud-controller-0.lab.example.com os-collect-config[9657]: "Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Httpd[httpd-management]/Certmonger_certificate[httpd-management]: Could not evaluate: Could not get certificate: Server at https://idm.lab.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. The host 'overcloud-controller-0.management.lab.example.com' does not exist to add a service to.).",