Services need restarting if certificates change

Bug #1828530 reported by Liam Young
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Glance Charm | Fix Released | Undecided | Liam Young |
OpenStack Keystone Charm | Fix Released | Undecided | Liam Young |
OpenStack Neutron API Charm | Fix Released | Undecided | Liam Young |
OpenStack Nova Cloud Controller Charm | Fix Released | Undecided | Liam Young |

Bug Description

If the certificates provided via the certificates relation change then apache2 needs restarting after they are written to disk, otherwise apache continues to use the old certificates.

This can be seen in a debug hooks session:

root@juju-a131c2-zaza-d637e467b7f0-8:/var/lib/juju/agents/unit-keystone-0/charm# md5sum /etc/apache2/ssl/keystone/*
27c112c6457cf759c204cd80150f758f /etc/apache2/ssl/keystone/cert_10.5.0.198
27c112c6457cf759c204cd80150f758f /etc/apache2/ssl/keystone/cert_juju-a131c2-zaza-d637e467b7f0-8.project.serverstack
09150397f4c8134441b51b19397a42d8 /etc/apache2/ssl/keystone/key_10.5.0.198
09150397f4c8134441b51b19397a42d8 /etc/apache2/ssl/keystone/key_juju-a131c2-zaza-d637e467b7f0-8.project.serverstack

# ./hooks/certificates-relation-changed

# md5sum /etc/apache2/ssl/keystone/*
57f3bf1204e42efae1862287c4b9624d /etc/apache2/ssl/keystone/cert_10.5.0.198
57f3bf1204e42efae1862287c4b9624d /etc/apache2/ssl/keystone/cert_juju-a131c2-zaza-d637e467b7f0-8.project.serverstack
30eea1d82ac5161256d333e7ad701ce9 /etc/apache2/ssl/keystone/key_10.5.0.198
30eea1d82ac5161256d333e7ad701ce9 /etc/apache2/ssl/keystone/key_juju-a131c2-zaza-d637e467b7f0-8.project.serverstack

# curl https://10.5.0.198:5000
curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

# systemctl restart apache2

# curl https://10.5.0.198:5000
{"versions": {"values": [{"id": "v3.11", "status": "stable", "updated": "2018-10-15T00:00:00Z", "links": [{"rel": "self", "href": "https://10.5.0.198:5000/v3/"}], "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}]}]}}root@juju-

Liam Young (gnuoy)
Changed in charm-keystone:
status: New → In Progress
assignee: nobody → Liam Young (gnuoy)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/658315

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.opendev.org/658315
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=1f5a09b55ebfed7f3a0597316cffb04f512dc443
Submitter: Zuul
Branch: master

commit 1f5a09b55ebfed7f3a0597316cffb04f512dc443
Author: Liam Young <email address hidden>
Date: Fri May 10 09:12:36 2019 +0000

    Check Apache ssl dir when determining restart map

    If the certificates that Apache is using change then Apache needs to
    be restarted. This change adds the SSL directory to the restart map
    to ensure any certificate changes trigger a restart.

    Change-Id: I1fd46865350e6a9cb35f4209fcf8dd201e6f1441
    Closes-Bug: 1828530
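
The effect of leaving the SSL directory out of a restart map, shown as an added example that is not the charm's own code: a minimal map from glob patterns to services, hashed before and after a hook runs. The names `path_hashes`, `services_to_restart` and `demo`, the temporary paths and the file contents are all constructed for illustration.

```python
import glob
import hashlib
import os
import tempfile


def path_hashes(pattern):
    """Return {path: sha256} for every file the glob pattern matches."""
    hashes = {}
    for path in sorted(glob.glob(pattern)):
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                hashes[path] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def services_to_restart(restart_map, hook):
    """Run hook() and return services whose watched files changed."""
    before = {p: path_hashes(p) for p in restart_map}
    hook()
    restart = []
    for pattern, services in restart_map.items():
        if path_hashes(pattern) != before[pattern]:
            restart.extend(s for s in services if s not in restart)
    return restart


def demo():
    """Constructed scenario: a hook rewrites a cert in a temporary ssl dir."""
    root = tempfile.mkdtemp()
    ssl_dir = os.path.join(root, "ssl", "keystone")
    os.makedirs(ssl_dir)
    conf = os.path.join(root, "keystone.conf")
    cert = os.path.join(ssl_dir, "cert_10.5.0.198")
    for path, data in ((conf, b"[DEFAULT]\n"), (cert, b"old cert\n")):
        with open(path, "wb") as fh:
            fh.write(data)

    def certificates_relation_changed():
        with open(cert, "wb") as fh:  # new certificate lands on disk
            fh.write(b"new cert\n")

    without_ssl = {conf: ["keystone", "apache2"]}
    with_ssl = {**without_ssl, os.path.join(ssl_dir, "*"): ["apache2"]}
    missed = services_to_restart(without_ssl, certificates_relation_changed)
    with open(cert, "wb") as fh:  # reset so the second run sees a change
        fh.write(b"old cert\n")
    caught = services_to_restart(with_ssl, certificates_relation_changed)
    return missed, caught
```

Because whole directory listings are compared, a certificate file that is added or removed also counts as a change, not only one that is rewritten in place.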

Changed in charm-keystone:
status: In Progress → Fix Committed
Liam Young (gnuoy)
Changed in charm-glance:
status: New → In Progress
Changed in charm-neutron-api:
status: New → In Progress
assignee: nobody → Liam Young (gnuoy)
Changed in charm-glance:
assignee: nobody → Liam Young (gnuoy)
summary: - Apache2 needs to be restarted if certificates change
+ Services need restarting if certificates change
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-glance (master)

Fix proposed to branch: master
Review: https://review.opendev.org/658350

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-neutron-api (master)

Fix proposed to branch: master
Review: https://review.opendev.org/658356

Liam Young (gnuoy)
Changed in charm-nova-cloud-controller:
status: New → In Progress
assignee: nobody → Liam Young (gnuoy)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-nova-cloud-controller (master)

Fix proposed to branch: master
Review: https://review.opendev.org/658387

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-glance (master)

Reviewed: https://review.opendev.org/658350
Committed: https://git.openstack.org/cgit/openstack/charm-glance/commit/?id=c9f44a7ceccea85693bb0afed6e721ca953fb04a
Submitter: Zuul
Branch: master

commit c9f44a7ceccea85693bb0afed6e721ca953fb04a
Author: Liam Young <email address hidden>
Date: Fri May 10 12:48:01 2019 +0000

    Check Apache ssl dir when determining restart map

    If the certificates that Apache is using change then services need
    to be restarted. This change adds the SSL directory to the restart
    map to ensure any certificate changes trigger a restart.

    Change-Id: Idbdceb5acd80c06a2bde02f9df88a9d9fd2404fb
    Closes-Bug: 1828530

Changed in charm-glance:
status: In Progress → Fix Committed
Changed in charm-neutron-api:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-neutron-api (master)

Reviewed: https://review.opendev.org/658356
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-api/commit/?id=1cdfc381ad55e7ad1e8b9579091bb16589f2c5d8
Submitter: Zuul
Branch: master

commit 1cdfc381ad55e7ad1e8b9579091bb16589f2c5d8
Author: Liam Young <email address hidden>
Date: Fri May 10 13:09:22 2019 +0000

    Check Apache ssl dir when determining restart map

    If the certificates change then services need to
    be restarted. This change adds the SSL directory to the restart map
    to ensure any certificate changes trigger a restart.

    Change-Id: I891b3104c08c6b9cde06ce30d4279a239ae329b1
    Closes-Bug: 1828530

Changed in charm-nova-cloud-controller:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-cloud-controller (master)

Reviewed: https://review.opendev.org/658387
Committed: https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=822daf2794f44f61f5336a180752ba9e5482be81
Submitter: Zuul
Branch: master

commit 822daf2794f44f61f5336a180752ba9e5482be81
Author: Liam Young <email address hidden>
Date: Fri May 10 15:01:04 2019 +0000

    Check Apache ssl dir when determining restart map

    If the certificates change then services need to be restarted. This
    change adds the SSL directory to the restart map to ensure any
    certificate changes trigger a restart.

    Also, if the certificates change we need to pass those on to
    nova-compute.

    Change-Id: I4cb2f760c26f0804d3cb7466c8aa741d5e0ec314
    Closes-Bug: 1828530

James Page (james-page)
Changed in charm-keystone:
milestone: none → 19.07
Changed in charm-glance:
milestone: none → 19.07
Changed in charm-neutron-api:
milestone: none → 19.07
Changed in charm-nova-cloud-controller:
milestone: none → 19.07
David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released
Changed in charm-glance:
status: Fix Committed → Fix Released
Changed in charm-neutron-api:
status: Fix Committed → Fix Released
Changed in charm-nova-cloud-controller:
status: Fix Committed → Fix Released