Bug #2064487 “manila-share service restarted when certificates-r...” : Bugs : OpenStack Manila-Ganesha Charm

Seyeong Kim (seyeongkim) on 2024-05-01

tags:

added: sts

Revision history for this message

Jorge Merlino (jorge-merlino) wrote on 2024-05-17 (last edit on 2024-05-17):

#1

I'll add more context to this bug after some investigation. Actually manila-ganesha is masking the
manila-share service every time the certificates-relation-changed hook is called. This occurs through the charms.openstack code that manages this hook that eventually ends up calling the install() method of manila ganesha which intentionally masks manila-share with this reasoning:

# Use goal-state to determine if we are expecting multiple units
# and, if so, mask the manila-share service so that it only ever
# gets run by pacemaker.

The backtrace to get to the install() method call is this:

File "/var/lib/juju/agents/unit-manila-ganesha-0/charm/hooks/certificates-relation-changed", line 22, in <module>
    main()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/__init__.py", line 74, in main
    bus.dispatch(restricted=restricted_mode)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 390, in dispatch
    _invoke(other_handlers)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 359, in _invoke
    handler.invoke()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 181, in invoke
    self._action(*args)
File "/var/lib/juju/agents/unit-manila-ganesha-0/charm/reactive/layer_openstack.py", line 150, in default_configure_certificates
    instance.configure_tls(tls)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms_openstack/charm/classes.py", line 987, in configure_tls
    self.configure_apache()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms_openstack/charm/classes.py", line 774, in configure_apache
    self.install()

I think it is important to understand if manila-ganesha actually needs a relation with vault and if it does not we should not allow it to be established.

I'll add more context to this bug after some investigation. Actually manila-ganesha is masking the
manila-share service every time the certificates-relation-changed hook is called. This occurs through the charms.openstack code that manages this hook that eventually ends up calling the install() method of manila ganesha which intentionally masks manila-share with this reasoning:

# Use goal-state to determine if we are expecting multiple units        
# and, if so, mask the manila-share service so that it only ever        
# gets run by pacemaker.

The backtrace to get to the install() method call is this:

File "/var/lib/juju/agents/unit-manila-ganesha-0/charm/hooks/certificates-relation-changed", line 22, in <module>
    main()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/__init__.py", line 74, in main
    bus.dispatch(restricted=restricted_mode)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 390, in dispatch
    _invoke(other_handlers)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 359, in _invoke
    handler.invoke()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms/reactive/bus.py", line 181, in invoke
    self._action(*args)
File "/var/lib/juju/agents/unit-manila-ganesha-0/charm/reactive/layer_openstack.py", line 150, in default_configure_certificates
    instance.configure_tls(tls)
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms_openstack/charm/classes.py", line 987, in configure_tls
    self.configure_apache()
File "/var/lib/juju/agents/unit-manila-ganesha-0/.venv/lib/python3.8/site-packages/charms_openstack/charm/classes.py", line 774, in configure_apache
    self.install()

I think it is important to understand if manila-ganesha actually needs a relation with vault and if it does not we should not allow it to be established.

Revision history for this message

Alex Kavanagh (ajkavanagh) wrote on 2024-05-17:

#2

So a little more digging in the charm indicates that the payload needs keystone auth credentials and thus, in a TLS environment, does need a relation to vault in order to get the CA chain so that it can TLS auth the connection to a https endpoint for keystone.

What's wrong is that it shouldn't be trying to set up apache or anything like that, as it doesn't have an API to configure (i.e. it's a service that uses other services, but doesn't extend an API to other services to use; that's done in the manila charm).

Alex Kavanagh (ajkavanagh) on 2024-05-17

Changed in charm-manila-ganesha:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Alex Kavanagh (ajkavanagh)

Alex Kavanagh (ajkavanagh) on 2024-05-29

Changed in charm-manila-ganesha:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-06-17: Fix proposed to charm-manila-ganesha (master)

#3

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/charm-manila-ganesha/+/922087

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-07-03: Fix proposed to charm-manila-ganesha (stable/2024.1)

#4

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/charm-manila-ganesha/+/923383

OpenStack Manila-Ganesha Charm

manila-share service restarted when certificates-relation-changed(upgrading vault)

Bug Description

Other bug subscribers

Remote bug watches