x509 Certificate Validation For LXD Clouds and Credentials
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Canonical Juju |
Fix Released
|
High
|
Thomas Miller | ||
Bug Description
I have been working with Erik over on discourse about an error he is seeing with some of he's LXD clouds and Juju controller. See https:/
I've met with Eric to look over the effected controller and clouds. From my initial look I can see that both the server certificate and client certificate provided to Juju are correct and match what is on the LXD host and the clients machine.
The error message:
2023-01-13 12:55:21 INFO juju.worker.
2023-01-13 12:55:21 WARNING juju.worker.
2023-01-13 12:55:21 WARNING juju.worker.
2023-01-13 12:55:31 INFO juju.worker.
2023-01-13 12:55:31 WARNING juju.worker.
2023-01-13 12:55:31 WARNING juju.worker.
Comes from the Go standard library where it is trying to validate the TLS connection with LXD host.
LXD signs all server certs with just loop back addresses and from my reading of the lxd client code this check should usually be skipped. The current task is to establish under what circumstances are the ip addresses on the certificates not skipped and figure out how this Juju deployment is getting into this state.
As of now we have no reproducible case for this bug and it appears to only be affecting 1 Juju controller.
Current Juju controller version is 2.9.37.
| Changed in juju: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| assignee: | nobody → Thomas Miller (tlmiller) |
| Erik Lönroth (erik-lonroth) wrote | #1 |
| Erik Lönroth (erik-lonroth) wrote | #2 |
| Thomas Miller (tlmiller) wrote | #3 |
| Changed in juju: | |
| milestone: | none → 2.9.43 |
| Changed in juju: | |
| status: | Triaged → Fix Committed |
| Changed in juju: | |
| status: | Fix Committed → Fix Released |
More input.
I today upgraded the controller from 2.9.37 -> 2.9.38
juju upgrade-controller
That worked.
From there, I normally upgrade all models with this command:
for m in $(juju models --all --format json | jq -r '.models[
It basically loops over all models in the controller and tries to upgrade them.
This works - partially and the output looks like this the first round.
e444c390-
best version:
2.9.38
started upgrade to 2.9.38
e444c390-
best version:
2.9.38
started upgrade to 2.9.38
2c7a52c8-
no upgrades available
997bd7de-
best version:
2.9.38
started upgrade to 2.9.38
ERROR cannot find tool version from simple streams: creating environ for model "controller" (2eb4342a-
ERROR some agents have not upgraded to the current model version 2.9.37: machine-0, machine-3, unit-besu-0, unit-prysm-beacon-1
cdccba01-
best version:
2.9.38
started upgrade to 2.9.38
a68e2aae-
best version:
2.9.38
started upgrade to 2.9.38
... and so on, mixed OK, with ERRORS.
So, I continue to run this command, over and over, until most models are upgraded.
The "certificate errors" goes away in the upgrade (after multiple runs) but eventually, all models are upgraded.
===== Unrelated =====
At this point, only one model remains which gives an error like this:
juju upgrade-model -m d84f172a-
ERROR some agents have not upgraded to the current model version 2.9.37: machine-0, machine-3, unit-besu-0, unit-prysm-beacon-1
So, I introspect the model and see that some agents has lost communications with the controller (See the attached Screenshot):
This is all fine, since the machines in that model are turned off, but I think the "ERROR" should be reduced to WARNING