Does not support rabbitmq-server with ssl=only

Bug #1807233 reported by Vern Hart on 2018-12-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Base Layer
Critical
David Ames
charm-neutron-dynamic-routing
Critical
David Ames
charms.openstack
Critical
David Ames

Bug Description

I configured rabbitmq-server charm with ssl=only and, though there are no errors in the logs, bgp stopped working.

After turning debug on for neutron-dynamic-routing, I see in the logs:

    2018-12-06 15:45:41.510 114081 DEBUG oslo_service.service [req-817d7f76-4a50-4dbb-941a-e47f1b91b575 - - - - -] oslo_messaging_rabbit.ssl = False log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2898
    2018-12-06 15:45:41.510 114081 DEBUG oslo_service.service [req-817d7f76-4a50-4dbb-941a-e47f1b91b575 - - - - -] oslo_messaging_rabbit.ssl_ca_file = log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2898
    2018-12-06 15:45:41.511 114081 DEBUG oslo_service.service [req-817d7f76-4a50-4dbb-941a-e47f1b91b575 - - - - -] oslo_messaging_rabbit.ssl_cert_file = log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2898
    2018-12-06 15:45:41.511 114081 DEBUG oslo_service.service [req-817d7f76-4a50-4dbb-941a-e47f1b91b575 - - - - -] oslo_messaging_rabbit.ssl_key_file = log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2898
    2018-12-06 15:45:41.511 114081 DEBUG oslo_service.service [req-817d7f76-4a50-4dbb-941a-e47f1b91b575 - - - - -] oslo_messaging_rabbit.ssl_version = log_opt_values /usr/lib/python2.7/dist-packages/oslo_config/cfg.py:2898

This is consistent with the fact that there is no [oslo_messaging_rabbit] section in the /etc/neutron/neutron.conf on the neutron-dynamic-routing units.

Comparing the neutron.conf template on neutron-api with the template on neutron-dynamic-routing, the neutron-api template has:

    {% include "section-rabbitmq-oslo" %}

    {% include "section-oslo-notifications" %}

Whereas the neutron-dynamic-routing neutron.conf template only has:

    {% if amqp.transport_url -%}
    transport_url = {{ amqp.transport_url }}
    {% endif -%}

Which, incidentally, appears to be in the wrong section since it's in [DEFAULT] instead of [oslo_messaging_notifications].

David Ames (thedac) on 2018-12-06
Changed in charm-neutron-dynamic-routing:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → David Ames (thedac)
milestone: none → 19.04
Vern Hart (vhart) wrote :

I copied the [oslo_messaging_rabbit] section from the neutron-api unit's neutron.conf to neutron.conf on the neutron-dynamic-routing unit and copied /etc/neutron/rabbit-client-ca.pem as well.

After restarting neutron-bgp-dragent service, the service is marked Alive in openstack network agent list.

David Ames (thedac) on 2018-12-06
Changed in charms.openstack:
status: New → Triaged
Changed in layer-openstack:
status: New → Triaged
importance: Undecided → Critical
Changed in charms.openstack:
importance: Undecided → Critical
Changed in layer-openstack:
assignee: nobody → David Ames (thedac)
Changed in charms.openstack:
assignee: nobody → David Ames (thedac)
Changed in layer-openstack:
milestone: none → 19.04
David Ames (thedac) wrote :

Three things to fix:

The ssl = True and ssl_ca_file = $PATH_TO_CERT settings were not being rendered in [oslo_messaging_rabbit]. This will be fixed in charm-layer-openstack.

NOTE: transport_rul MUST be in the [DEFAULT] section. That is still correct.

And the certificate was not being created from the rabbitmq interface. This will be fixed in charm-neutron-dyanmic-routing with a call to configure_ssl().

However, all the SSL configuration happens in the charms.openstack HAOpenStackCharm class but neutron-dynamic-routing is simply a principle charm (Non-HA-API) and uses the OpenStackCharm class. The ssl configuration methods need to be moved into the OpenStackCharm class in charms.openstack.

These are in progress being tested now.

Fix proposed to branch: master
Review: https://review.openstack.org/623295

Changed in charms.openstack:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/623297

Changed in charm-neutron-dynamic-routing:
status: Confirmed → In Progress
David Ames (thedac) wrote :

Although I would not recommend this in a production cloud, for testing purposes while we wait for reviews the built charm with the above fixes can be found here:

cs:~thedac/neutron-dynamic-routing-5

Changed in layer-openstack:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/623295
Committed: https://git.openstack.org/cgit/openstack/charms.openstack/commit/?id=bba344aa6c4b2403f2eb771897443684eb8993d2
Submitter: Zuul
Branch: master

commit bba344aa6c4b2403f2eb771897443684eb8993d2
Author: David Ames <email address hidden>
Date: Thu Dec 6 10:46:15 2018 -0800

    Move configure_ssl to OpenStackCharm class

    OpenStack principle charms (non-HA-API charms) may still require SSL
    configuration to communicate with the rest of the cloud.

    Move the pertinent methods from the HAOpenStackCharm class to the
    OpenStackCharm class. Leave the API specific methods where they are.

    Change-Id: Ie17b481bce3e3bfdf71b15ca7667f8688739d608
    Partial-Bug: #1807233

Reviewed: https://review.openstack.org/623297
Committed: https://git.openstack.org/cgit/openstack/charm-neutron-dynamic-routing/commit/?id=f17e32ea25e54d28c01e5a924c138dd9a9e40063
Submitter: Zuul
Branch: master

commit f17e32ea25e54d28c01e5a924c138dd9a9e40063
Author: David Ames <email address hidden>
Date: Thu Dec 6 11:36:09 2018 -0800

    Neutron-dynamic-routing support for SSL rabbitmq

    The charm was failing to setup enough SSL configuration to communicate
    with rabbitmq when rabbitmq uses SSL. This led to Bug:#1807233.

    The change and its dependencies guarantees the charm will setup all the
    configuration and certificates required for communication with rabbitmq
    and SSL.

    Depends-On: I6bb56a59cd65310d644aa25ae203996b22ec4b4e
    Change-Id: Id78aba7766e045003ad5661ca31d6a6de57d704a
    Closes-Bug: #1807233

Changed in charm-neutron-dynamic-routing:
status: In Progress → Fix Committed
David Ames (thedac) on 2018-12-07
Changed in layer-openstack:
status: In Progress → Fix Committed
Changed in charms.openstack:
status: In Progress → Fix Committed
David Ames (thedac) on 2019-04-17
Changed in charm-neutron-dynamic-routing:
status: Fix Committed → Fix Released
Changed in layer-openstack:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers