haproxy cert injection doesn't handle pacemaker container as expected

Bug #1922106 reported by Damien Ciabrini
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Damien Ciabrini

Bug Description

In Id7308f028f33716be5e3df6699c3f2c12e33e344 we special-cased the certificate injection for HAproxy when it's managed by pacemaker, to avoid temporary disruption that could cause monitoring failure and impact the cluster.

However, the new cert injection code wrongly assumes that it is being passed a container name to determine how to inject the certificate, whereas it's being given a container id, e.g.:

2021-03-26 14:13:22 | 2021-03-26 14:13:22.202524 | 52540056-0f8d-4b22-3e2d-000000000087 | ... copy certificate, chgrp, restart haproxy | ... "cmd": "set -e\npodman cp /etc/pki/tls/private/overcloud_endpoint.pem ef191ea103c5:/etc/pki/tls/private/overcloud_endpoint.pem\npodman exec --user root ef191ea103c5 chgrp haproxy /etc/pki/tls/private/overcloud_endpoint.pem\npodman kill --signal=HUP ef191ea103c5\n"

Consequently, the check is never true and the behaviour is not the expected one.
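
The mismatch described above, as an added example (not the tripleo-heat-templates code): a name-prefix test applied to a container id never matches, so the reference is resolved to a name with `podman container inspect` before the test. The `haproxy-bundle` prefix and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the tripleo-heat-templates code.
# Assumption: pacemaker-managed haproxy containers carry a name starting with
# PCMK_PREFIX; the default is a value chosen for this example.
PCMK_PREFIX="${PCMK_PREFIX:-haproxy-bundle}"

# Resolve any container reference (short id, full id or name) to its name.
# Prints nothing when the lookup fails.
container_name() {
    podman container inspect --format '{{.Name}}' "$1" 2>/dev/null | sed 's|^/||'
}

# Check as described in the report: the prefix test is applied to whatever
# reference was handed in, so a hex id such as ef191ea103c5 never matches.
is_pcmk_naive() {
    case "$1" in
        "$PCMK_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Corrected check: normalise the reference to a name before matching.
# Returns 0 = pacemaker-managed, 1 = not, 2 = reference could not be resolved.
is_pcmk_resolved() {
    name=$(container_name "$1")
    [ -n "$name" ] || return 2
    is_pcmk_naive "$name"
}

# Print the injection path to take; "unknown" lets the caller stop instead of
# silently falling back to the disruptive path.
injection_mode() {
    rc=0
    is_pcmk_resolved "$1" || rc=$?
    case "$rc" in
        0) echo pacemaker ;;
        1) echo standalone ;;
        *) echo unknown ;;
    esac
}

# Stand-alone use: sh script.sh <container-id-or-name>
if [ "$#" -gt 0 ]; then
    injection_mode "$1"
fi
```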

Changed in tripleo:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/784136
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/77358cbcce8d5b7f8a6a083444210eaaaa7646d0
Submitter: "Zuul (22348)"
Branch: master

commit 77358cbcce8d5b7f8a6a083444210eaaaa7646d0
Author: Damien Ciabrini <email address hidden>
Date: Wed Mar 31 18:47:03 2021 +0200

    HA: fix injection of certificate in haproxy container

    Injection of certificate in pacemaker-managed haproxy [1] is never
    exercised due to a bad parsing of container name vs container id.

    Closes-Bug: #1922106

    [1] Id7308f028f33716be5e3df6699c3f2c12e33e344

    Change-Id: Ic6e4264c5ad46bd2589cc907c365af2d42fde63d

Changed in tripleo:
status: Confirmed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 14.1.0

This issue was fixed in the openstack/tripleo-heat-templates 14.1.0 release.
