Race: apache fails to start with missing SSL certificates

Bug #1709356 reported by David Ames
Affects: OpenStack Keystone Charm
Status: Fix Released
Importance: Critical
Assigned to: David Ames

Bug Description

There is a race condition where SSL certificates for the local unit have not been generated before apache attempts to start. Apache then fails to start. When shared-db-relation-changed runs on the leader unit it cannot authenticate with itself leading to:

Traceback (most recent call last):
  File "hooks/shared-db-relation-changed", line 852, in <module>
    main()
  File "hooks/shared-db-relation-changed", line 845, in main
    hooks.execute(sys.argv)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/core/hookenv.py", line 731, in execute
    self._hooks[hook_name]()
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/contrib/openstack/utils.py", line 1931, in wrapped_f
    restart_functions)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/core/host.py", line 659, in restart_on_change_helper
    r = lambda_f()
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/contrib/openstack/utils.py", line 1930, in <lambda>
    (lambda: f(*args, **kwargs)), restart_map, stopstart,
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/keystone_utils.py", line 1624, in inner_synchronize_ca_if_changed2
    return f(*args, **kwargs)
  File "hooks/shared-db-relation-changed", line 408, in db_changed
    leader_init_db_if_ready(use_current_context=True)
  File "hooks/shared-db-relation-changed", line 382, in leader_init_db_if_ready
    update_all_identity_relation_units(check_db_ready=False)
  File "hooks/shared-db-relation-changed", line 344, in update_all_identity_relation_units
    ensure_initial_admin(config)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/keystone_utils.py", line 1094, in ensure_initial_admin
    return _ensure_initial_admin(config)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/core/decorators.py", line 40, in _retry_on_exception_inner_2
    return f(*args, **kwargs)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/keystone_utils.py", line 1049, in _ensure_initial_admin
    create_tenant("admin", DEFAULT_DOMAIN)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/keystone_utils.py", line 802, in create_tenant
    manager = get_manager()
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/keystone_utils.py", line 890, in get_manager
    api_version)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/charmhelpers/core/decorators.py", line 40, in _retry_on_exception_inner_2
    return f(*args, **kwargs)
  File "/var/lib/juju/agents/unit-keystone-0/charm/hooks/manager.py", line 75, in get_keystone_manager
    for svc in manager.api.services.list():
  File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/services.py", line 32, in list
    return self._list("/OS-KSADM/services", "OS-KSADM:services")
  File "/usr/lib/python2.7/dist-packages/keystoneclient/base.py", line 124, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 173, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 331, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 98, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner
    return func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 405, in request
    resp = send(**kwargs)
  File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 449, in _send_request
    raise exceptions.ConnectionRefused(msg)
keystoneauth1.exceptions.connection.ConnectFailure: Unable to establish connection to http://localhost:35337/v2.0/OS-KSADM/services

The condition occurs when the juju leader is not the elected ssl-cert-master. This may be where the fix needs to occur.

David Ames (thedac)
Changed in charm-keystone:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → David Ames (thedac)
milestone: none → 17.08
Revision history for this message
David Ames (thedac) wrote :

Ignore the bit about the leader disparity.

Between stable and current master this broke. I am focused on
https://github.com/openstack/charm-keystone/commit/7188af87314f89e80d12bfa21447d2100623abfe

And specifically, the gate for send_ssl_sync_request()
https://github.com/openstack/charm-keystone/blob/master/hooks/keystone_hooks.py#L573

Removing the gate seems to fix things but I would like to get Ed Hope-Morley's input as this was his code.

Revision history for this message
David Ames (thedac) wrote :

Removing the gate alone actually does not fix it. But not calling cluster_joined() in config_changed() does.

Needs more info.

Revision history for this message
David Ames (thedac) wrote :

Steps to re-create:

Juju deploy the following:

series: xenial
services:
  mysql:
    num_units: 1
    charm: cs:~openstack-charmers-next/percona-cluster
    constraints: mem=3G
    options:
        innodb-buffer-pool-size: 256M
  keystone:
    charm: cs:~openstack-charmers-next/keystone
    num_units: 3
    options:
        vip: $VIP_ADDRESS
        ha-bindiface: ens3
        https-service-endpoints: "true"
        use-https: "yes"
  hacluster:
    charm: cs:~openstack-charmers-next/hacluster
    options:
      corosync_bindiface: ens3
      cluster_count: 3

relations:
  - [ hacluster, keystone ]
  - [ keystone, mysql ]

On leader node:

systemctl status apache2

● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2; bad; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: failed (Result: exit-code) since Tue 2017-08-08 23:25:37 UTC; 2min 37s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 15768 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: * The apache2 configtest failed.
Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: Output of config test was:
Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: AH00526: Syntax error on line 8 of /etc/apache2/sites-enabled/openstack_https_frontend.conf:
Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: SSLCertificateFile: file '/etc/apache2/ssl/keystone/cert_$UNIT_IP' does not exist or is empt
Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: Action 'configtest' failed.
Aug 08 23:25:37 juju-df7973-amulet-1 apache2[15768]: The Apache error log may have more information.
Aug 08 23:25:37 juju-df7973-amulet-1 systemd[1]: apache2.service: Control process exited, code=exited status=1
Aug 08 23:25:37 juju-df7973-amulet-1 systemd[1]: Failed to start LSB: Apache2 web server.
Aug 08 23:25:37 juju-df7973-amulet-1 systemd[1]: apache2.service: Unit entered failed state.
Aug 08 23:25:37 juju-df7973-amulet-1 systemd[1]: apache2.service: Failed with result 'exit-code'.
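The configtest failure above (and the race described in the bug description) is an ordering problem: apache is (re)started before the per-unit certificate the vhost references has been written. The following is an added example, not code from charm-keystone or charm-helpers, of the pre-start gate a charm or operator can put in front of the service restart: it parses the vhost config for the SSL file directives, verifies each referenced file exists, is non-empty and is PEM-framed, and refuses the start until all of them pass. The directive list, the constructed vhost config and file paths, and the private-key permission check are this example's own assumptions; the demo reproduces the bug's condition (a missing `cert_<ip>` file) in a temporary directory.

```python
"""Pre-start check for an Apache HTTPS frontend: refuse to (re)start apache
until every certificate/key file referenced by the vhost config is present,
non-empty and PEM-framed.  Added example, not charm-keystone code."""
import os
import re
import shlex
import tempfile

# Apache directives whose argument is a PEM file that must exist before start.
# Constructed list for this example; the bug report only shows SSLCertificateFile.
PEM_DIRECTIVES = {
    "SSLCertificateFile": "CERTIFICATE",
    "SSLCertificateKeyFile": "PRIVATE KEY",
    "SSLCertificateChainFile": "CERTIFICATE",
    "SSLCACertificateFile": "CERTIFICATE",
}

_DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*)$")


def referenced_pem_files(config_text):
    """Return [(line_no, directive, path)] for every PEM-file directive.
    Apache treats only lines starting with '#' as comments, so that is all
    we skip; quoted paths are handled by shlex."""
    found = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE_RE.match(raw.strip())
        if not m or m.group(1) not in PEM_DIRECTIVES:
            continue
        args = shlex.split(m.group(2))
        if args:
            found.append((line_no, m.group(1), args[0]))
    return found


def pem_problem(path, kind):
    """Return a problem description, or None if the file looks usable.
    The first two checks mirror apache's own 'does not exist or is empty'."""
    if not os.path.isfile(path):
        return "does not exist"
    if os.path.getsize(path) == 0:
        return "is empty"
    with open(path, "rb") as fh:
        data = fh.read()
    if b"-----BEGIN " not in data or b"-----END " not in data:
        return "is not PEM framed"
    if kind == "PRIVATE KEY":
        if b"PRIVATE KEY-----" not in data:
            return "does not contain a private key"
        # Extra hygiene check (assumption): a key readable by group/other is
        # as much of a deployment fault as a missing one.
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:
            return "private key is readable by group/other (mode %o)" % mode
    elif b"CERTIFICATE-----" not in data:
        return "does not contain a certificate"
    return None


def check_ssl_frontend(config_path):
    """Return a list of 'line N: Directive path problem' strings (empty = OK)."""
    with open(config_path) as fh:
        text = fh.read()
    problems = []
    for line_no, directive, path in referenced_pem_files(text):
        problem = pem_problem(path, PEM_DIRECTIVES[directive])
        if problem:
            problems.append("line %d: %s '%s' %s" % (line_no, directive, path, problem))
    return problems


def safe_to_start_apache(config_path):
    """Gate to place where a hook would otherwise call the service restart:
    True only when every referenced cert/key is present and well-formed."""
    return not check_ssl_frontend(config_path)


def demo():
    """Build a vhost config that references a missing cert (the bug's
    condition) and a dummy key in a temp dir, then run the check.
    All paths and contents are constructed for this example."""
    d = tempfile.mkdtemp()
    key = os.path.join(d, "key_10.0.0.5")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nMIIB...dummy\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    conf = os.path.join(d, "openstack_https_frontend.conf")
    with open(conf, "w") as fh:
        fh.write(
            "<VirtualHost *:35357>\n"
            "    SSLEngine on\n"
            "    SSLCertificateFile \"%s/cert_10.0.0.5\"\n"
            "    SSLCertificateKeyFile \"%s\"\n"
            "</VirtualHost>\n" % (d, key)
        )
    return check_ssl_frontend(conf)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Run as a script it reports the missing `cert_10.0.0.5` on line 3 of the constructed vhost; `safe_to_start_apache()` is the boolean a restart helper would consult before invoking `service apache2 restart`, so that a unit whose certificates have not yet arrived from the ssl-cert-master defers the restart instead of leaving apache in the failed state shown above.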

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/487623
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=1328ce58807d0a8c12d60053bf14933c25d44879
Submitter: Jenkins
Branch: master

commit 1328ce58807d0a8c12d60053bf14933c25d44879
Author: David Ames <email address hidden>
Date: Wed Jul 26 23:44:50 2017 +0000

    Dual Stack VIPs

    Enable dual stack IPv4 and IPv6 VIPs on the same interface.
    HAProxy always listens on both IPv4 and IPv6 allowing connectivity
    on either protocol.

    Update edge cases for is_ssl_cert_master for Bug #1709356.

    Update amulet tests for keystoneauth1 tests.

    charm-helpers sync for HAProxy template changes.

    Closes-Bug: #1709356

    Change-Id: I401071fcdd66252f389475d45e8136fc68c474f1

Changed in charm-keystone:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-keystone:
status: Fix Committed → Fix Released