decomposed neutron node does not support SSL

Bug #1665353 reported by Lukasz Pelczyk on 2017-02-16
This bug affects 1 person
Affects: Fuel for OpenStack | Importance: High | Assigned to: Vladimir Khlyunev
Nominated for Ocata by Vladimir Khlyunev
Affects: Newton | Importance: High | Assigned to: Vladimir Khlyunev

Bug Description

Detailed bug description:
Fuel deployment crashes on Neutron node on openstack-network-networks task. TLS and HTTPS with self-signed certs are used.

Steps to reproduce:
According to: https://docs.openstack.org/developer/fuel-docs/userdocs/fuel-user-guide/configure-environment/decompose-services.html
1) Redefine controller (remove neutron tag)
2) Define the neutron node from the YAML below:
[root@fuel roles_plugin]# cat roles_definition/neutron.yaml
meta:
  conflicts:
    - compute
  description: >
    Neutron node, with separated DHCP, L3, and metadata Agents.
  group: base
  has_primary: true
  limits:
    min: 1
    overrides:
      - condition: settings:neutron_advanced_configuration.neutron_l3_ha.value == true
        message: >
          Neutron L3 HA requires at least 2 Netnodes to function
          properly.
        min: 2
    recommended: 3
  name: Neutron
  public_for_dvr_required: true
  public_ip_required: true
  tags:
    - neutron
  update_required:
  - compute
  - cinder
  - controller
  - neutron
  - rabbitmq
name: neutron
volumes_roles_mapping:
  - allocate_size: min
    id: os
  - allocate_size: all
    id: logs

3) In webui enable:
TLS for OpenStack public endpoints
Enable TLS termination on HAProxy for OpenStack services
HTTPS for Horizon
Secure access to Horizon enabling HTTPS instead of HTTP
4) Start deployment

Expected results:
Successful deployment

Actual result:
Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to complete neutron request due to non-fatal error: "Execution of '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned 1: Unable to establish connection to https://public.fuel.local:9696/v2.0/networks.json". Retrying for 9 sec.

Reproducibility:
See description.

Workaround:
Check: /etc/puppet/mitaka-9.0/modules/osnailyfacter/modular/ssl/tasks.yaml
The tasks below were defined in the plugin, to be performed on neutron nodes:
ssl-keys-saving
ssl-add-trust-chain
ssl-dns-setup

Impact:
Critical - it will affect all production deployments of MOS9.2 with decomposed neutron nodes.

Description of the environment:
 System: Standard fuel 9.2 / MOS 9.2 upgraded according to https://docs.mirantis.com/openstack/fuel/fuel-9.2/release-notes/update-product.html
 Reference architecture: -
 Network model: Neutron with tunneling segmentation

tags: added: ct1 customer-found
tags: added: st1
removed: ct1
Oleksiy Molchanov (omolchanov) wrote :

Marking as Incomplete, please attach diagnostic snapshot.

Changed in fuel:
status: New → Incomplete
Stanislaw Bogatkin (sbogatkin) wrote :

The problem is that it is not enough to just include the ssl-related tasks in the plugins. All the ssl-related tasks have a running scope defined by role tags, like (excerpt from ssl-keys-saving):

tags: [primary-controller, controller, compute, compute-vmware, cinder, cinder-vmware, primary-mongo, mongo, ceph-osd, virt, primary-keystone, keystone]

So, if you have a node with a new role (like the decomposed neutron one), you need to change the ssl tasks' scope to run on that node. There is nothing to change in Fuel itself in this case, as we cannot magically predict the new role names (and we also cannot run ssl-related tasks on all nodes, like computes, because of security matters) that will be used by plugins. Therefore, the plugin maker must personally make sure that the needed tasks are changed for the sake of his plugin.

Because of the aforementioned, I am closing this bug as invalid.

Changed in fuel:
status: Incomplete → Invalid
milestone: none → 11.0
assignee: nobody → Stanislaw Bogatkin (sbogatkin)
importance: Undecided → High
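
The tag scoping described in the comment above can be checked before deployment. This is an added example, not code from Fuel or from anyone in this thread: it reads a constructed tasks.yaml excerpt and lists which of the three SSL tasks named in the report would be skipped on a node with a given tag. The sample file contents, the function names, and the rule that a task runs on a node carrying any of its tags are assumptions.

```python
import re

# Constructed excerpt in the style of the ssl tasks.yaml named in the report.
# Only the ssl-keys-saving tag list is quoted from the comment above; the
# other two tag lists are assumptions made for this example.
SAMPLE_TASKS_YAML = """\
- id: ssl-keys-saving
  type: puppet
  tags: [primary-controller, controller, compute, compute-vmware, cinder,
         cinder-vmware, primary-mongo, mongo, ceph-osd, virt,
         primary-keystone, keystone]
- id: ssl-add-trust-chain
  type: puppet
  tags: [primary-controller, controller, compute, cinder]
- id: ssl-dns-setup
  type: puppet
  tags: [primary-controller, controller]
"""

# The three tasks the reporter had to add for the neutron nodes.
REQUIRED_SSL_TASKS = ("ssl-keys-saving", "ssl-add-trust-chain", "ssl-dns-setup")


def parse_task_tags(text):
    """Map task id -> set of tags. Handles only top-level `- id:` entries
    with flow-style `tags: [...]` lists, which may wrap across lines."""
    tasks = {}
    for block in re.split(r"(?m)^- ", text):
        m_id = re.match(r"id:\s*(\S+)", block)
        if not m_id:
            continue
        m_tags = re.search(r"^\s*tags:\s*\[(.*?)\]", block, re.M | re.S)
        raw = m_tags.group(1) if m_tags else ""
        tasks[m_id.group(1)] = {t.strip() for t in raw.split(",") if t.strip()}
    return tasks


def skipped_ssl_tasks(tasks, node_tags):
    """Required SSL tasks whose scope shares no tag with the node.
    Assumption: a task runs on a node that carries any of the task's tags."""
    node_tags = set(node_tags)
    return [t for t in REQUIRED_SSL_TASKS
            if not (tasks.get(t, set()) & node_tags)]


if __name__ == "__main__":
    tasks = parse_task_tags(SAMPLE_TASKS_YAML)
    for tags in (["neutron"], ["compute"], ["controller"]):
        print(tags, "skips:", skipped_ssl_tasks(tasks, tags) or "nothing")
```

A node tagged only `neutron` is skipped by all three tasks in this sample, which matches the failure in the report: no trusted certificate chain and no DNS entry for the public endpoint on that node.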

Fix proposed to branch: master
Review: https://review.openstack.org/448422

Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Vladimir Khlyunev (vkhlyunev)
status: Invalid → In Progress

Reviewed: https://review.openstack.org/448422
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=22d5c26b3b48fd051c553b0d2b55b9d28d96e0d1
Submitter: Jenkins
Branch: master

commit 22d5c26b3b48fd051c553b0d2b55b9d28d96e0d1
Author: Vladimir Khlyunev <email address hidden>
Date: Wed Mar 22 11:23:42 2017 +0400

    Execute ssl-dns-setup task on all pre-defined tags

    As we have pre-defined tags inside fuel we should ensure
    that all of tags are able to be deployed properly.
    ssl-dns-setup task was skipped for all non-controller tags which
    leads to not configured dns server on these nodes (and as result -
    failed upload_cirros task).

    Change-Id: I045bb7e709d6e18e2beb934b42094cbb4bc61f00
    Closes-bug: 1665353

Changed in fuel:
status: In Progress → Fix Committed

Change abandoned by Fuel DevOps Robot (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/449017
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.
