nova-compute service stops working in TLS-enabled deployment
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Nova Cloud Controller Charm | Fix Released | Critical | Frode Nordahl | |
| OpenStack Nova Compute Charm | Invalid | Undecided | Unassigned | |
Bug Description
In a TLS-enabled deployment where certificates are either provided by Vault's self-signed root CA or through the ssl_* configuration options using self-signed certificates, the nova-compute service will stop working. If the deployment has TLS enabled with certificates signed by a CA authority shipped with the Ubuntu distribution it will work fine.
Historically the nova-compute service has primarily communicated with the world around it through the message queue and as such we have to date not provided it with means to communicate with TLS-enabled services.
However, it appears something has changed which makes this a requirement. If you deploy a focal-ussuri bundle with Vault and certificate relations to all services today, the nova-compute services will start and register before TLS is enabled and look OK for a little bit. If you leave it up, the nova-compute services will eventually all stop and you will find log messages like this in its log:
2021-01-15 11:14:12.457 60502 CRITICAL nova [req-97b3da1c-
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova cnx.do_handshake()
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self._raise_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova _raise_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise exception_
2021-01-15 11:14:12.457 60502 ERROR nova OpenSSL.SSL.Error: [('SSL routines', 'tls_process_
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova During handling of the above exception, another exception occurred:
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova httplib_response = self._make_request(
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self._validate_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova conn.connect()
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self.sock = ssl_wrap_socket(
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return context.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise ssl.SSLError("bad handshake: %r" % e)
2021-01-15 11:14:12.457 60502 ERROR nova ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova During handling of the above exception, another exception occurred:
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova resp = conn.urlopen(
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova retries = retries.increment(
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise MaxRetryError(
2021-01-15 11:14:12.457 60502 ERROR nova urllib3.
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova During handling of the above exception, another exception occurred:
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova resp = self.session.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova resp = self.send(prep, **send_kwargs)
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova r = adapter.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise SSLError(e, request=request)
2021-01-15 11:14:12.457 60502 ERROR nova requests.
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova During handling of the above exception, another exception occurred:
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova disc = self.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return discover.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova disc = Discover(session, url, authenticated=
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self._data = get_version_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova resp = session.get(url, headers=headers, authenticated=
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return self.request(url, 'GET', **kwargs)
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova resp = send(**kwargs)
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise exceptions.
2021-01-15 11:14:12.457 60502 ERROR nova keystoneauth1.
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova During handling of the above exception, another exception occurred:
2021-01-15 11:14:12.457 60502 ERROR nova
2021-01-15 11:14:12.457 60502 ERROR nova Traceback (most recent call last):
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/bin/
2021-01-15 11:14:12.457 60502 ERROR nova sys.exit(main())
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova server = service.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova service_obj = cls(host, binary, topic, manager,
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self.manager = manager_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self.reportclient = report.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self._client = self._create_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova client = self._adapter or utils.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return getattr(conn, service_type)
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova endpoint = proxy_mod.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return self.session.
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova return auth.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova endpoint_data = self.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova service_catalog = self.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self.auth_ref = self.get_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova self._plugin = self._do_
2021-01-15 11:14:12.457 60502 ERROR nova File "/usr/lib/
2021-01-15 11:14:12.457 60502 ERROR nova raise exceptions.
2021-01-15 11:14:12.457 60502 ERROR nova keystoneauth1.
2021-01-15 11:14:12.457 60502 ERROR nova
And sure enough, the nova-compute charm does not have any ssl_ca configuration option nor certificates relation that would allow it to install a CA certificate Nova could use to authenticate the API endpoints it speaks to.
Changed in charm-nova-cloud-controller:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Frode Nordahl (fnordahl)
milestone: none → 21.01
Changed in charm-nova-compute:
status: In Progress → Invalid
Changed in charm-nova-compute:
importance: Critical → Undecided
assignee: Frode Nordahl (fnordahl) → nobody
milestone: 21.01 → none
Changed in charm-nova-cloud-controller:
status: In Progress → Fix Committed
Changed in charm-nova-cloud-controller:
status: Fix Committed → Fix Released
Apparently the nova-cloud-controller charm seeks to share its CA certificate with the nova-compute charms over its cloud-compute relation.
However, the code looks for /usr/local/share/ca-certificates/keystone_juju_ca_cert.crt but vault_juju_ca_cert.crt is the file on disk.
```python
import base64
import os

# Path the charm checks; in a Vault-backed deployment the CA is written
# under a different name (vault_juju_ca_cert.crt), so this is never found.
CA_CERT_PATH = '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt'


def keystone_ca_cert_b64():
    '''Returns the local Keystone-provided CA cert if it exists, or None.'''
    if not os.path.isfile(CA_CERT_PATH):
        return None
    with open(CA_CERT_PATH, 'rb') as _in:
        # Base64-encode the PEM so it can travel as a relation data value.
        return base64.b64encode(_in.read()).decode('utf-8')
```
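An added example (not the charm's own code) of how the lookup above could cover both file names the report mentions, so a compute node is not left without the CA when Vault has written it under the vault_ name. The candidate list, the PEM sanity check and the demo's certificate bytes are constructed here and assumed, not taken from the charm.

```python
import base64
import os
import tempfile

# Candidate names: the one the charm looked for and the one the report found
# on disk in a Vault-backed deployment (both names from the bug report).
CA_CERT_CANDIDATES = (
    'keystone_juju_ca_cert.crt',
    'vault_juju_ca_cert.crt',
)


def find_juju_ca_cert(ca_dir):
    """Return (path, pem_bytes) for the first candidate in ca_dir that holds
    a PEM certificate, or (None, None) when no usable file is present."""
    for name in CA_CERT_CANDIDATES:
        path = os.path.join(ca_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, 'rb') as fh:
            data = fh.read()
        # Do not share an empty or non-PEM file over the relation; compute
        # would install it as a trust anchor and still fail verification.
        if b'-----BEGIN CERTIFICATE-----' not in data:
            continue
        return path, data
    return None, None


def juju_ca_cert_b64(ca_dir):
    """Base64 form of the CA as relation data, or None when nothing usable
    exists (compute then keeps system trust only, as before TLS is enabled)."""
    _, data = find_juju_ca_cert(ca_dir)
    if data is None:
        return None
    return base64.b64encode(data).decode('utf-8')


def demo():
    """Reproduce the reported situation with a constructed CA directory."""
    with tempfile.TemporaryDirectory() as ca_dir:
        # Before TLS is enabled nothing is on disk: None, not an error.
        before = juju_ca_cert_b64(ca_dir)
        # Vault has now written its root CA under the vault_ name only.
        pem = (b'-----BEGIN CERTIFICATE-----\n'
               b'Y29uc3RydWN0ZWQgZXhhbXBsZSBvbmx5\n'   # constructed, not a real cert
               b'-----END CERTIFICATE-----\n')
        with open(os.path.join(ca_dir, 'vault_juju_ca_cert.crt'), 'wb') as fh:
            fh.write(pem)
        path, _ = find_juju_ca_cert(ca_dir)
        encoded = juju_ca_cert_b64(ca_dir)
        return before, os.path.basename(path), base64.b64decode(encoded) == pem
```

On the receiving side the compute charm would still have to write the decoded PEM into /usr/local/share/ca-certificates and refresh the system trust store before the Keystone and Placement endpoints verify.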