IPA fails ironic devstack jobs when tls-proxy is enabled in devstack

Bug #1694842 reported by Clark Boylan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ironic | Fix Released | High | Ramamani Yeleswarapu |
Ironic Inspector | Invalid | High | Ramamani Yeleswarapu |

Bug Description

A little background on this: I have slowly been trying to get various jobs that use devstack to pass with tls-proxy enabled, with the eventual goal being that tls-proxy is just enabled in devstack by default.

One class of jobs that fail are those that use IPA and devstack together because the fake baremetal nodes fail to talk to the glance api when it has a cert signed by the temporary devstack CA in front of it.

There are two ways we can address this. The first is to get the image to trust the devstack CA. This is problematic because this CA is different for every job run, so we will need to modify the IPA image somehow in every test to update the trusted certs there to include the devstack CA. The second is to just not verify TLS cert authenticity. This is definitely more straightforward but likely less than ideal if anyone is using the images we run in test in production too.

For test log details you can look at the jobs run against https://review.openstack.org/#/c/372374/ which is a throwaway change that just forces TLS on to test things. You can also use that to test any changes you might make using depends on.

Revision history for this message
Dmitry Tantsur (divius) wrote :

Moved to ironic, as I think it should be fixed in the devstack plugin.

Changed in ironic-python-agent:
status: New → Triaged
importance: Undecided → High
affects: ironic-python-agent → ironic
Changed in ironic:
assignee: nobody → Dmitry Tantsur (divius)
Changed in ironic-inspector:
status: New → Triaged
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/469836

Changed in ironic:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/469837

Revision history for this message
Ramamani Yeleswarapu (ramamani-yeleswarapu) wrote :

Hi Dmitry, a fix is needed for ironic-inspector as well?

Changed in ironic-inspector:
assignee: nobody → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Changed in ironic:
assignee: Dmitry Tantsur (divius) → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Changed in ironic:
assignee: Ramamani Yeleswarapu (ramamani-yeleswarapu) → John L. Villalovos (happycamp)
Changed in ironic:
assignee: John L. Villalovos (happycamp) → Ramamani Yeleswarapu (ramamani-yeleswarapu)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic-inspector (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/489778

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/469836
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=f75ff901a9e9253e695900f5a821f39a1a5dfb67
Submitter: Jenkins
Branch: master

commit f75ff901a9e9253e695900f5a821f39a1a5dfb67
Author: Dmitry Tantsur <email address hidden>
Date: Thu Jun 1 12:35:33 2017 +0200

    [devstack] add support for running behind tls-proxy

    * pass ipa-insecure=1 to the ramdisk

      DevStack is moving to having TLS by default with self-signed certificates.
      As embedding these certificates in the image will require rebuilding it
      on every run, let's just not verify them in devstack.

    * enable running ironic-api behind tls-proxy

    Change-Id: Id1c3c44e044c2741f7f3f2ce5510a11ebb2344d9
    Closes-Bug: #1694842
    Co-Authored-By: Ramamani Yeleswarapu <email address hidden>

Changed in ironic:
status: In Progress → Fix Released
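
A check that follows from the trade-off discussed in this bug, as an added example that is not part of the bug report or of ironic's code: it scans boot configuration for entries that pass `ipa-insecure` with a true value, so the test-only setting can be caught outside devstack. The PXE-style `label`/`append` layout, the sample entries, and the set of values treated as true are assumptions of the example.

```python
import shlex

# Values treated as "true" for the flag; this set is an assumption of the example.
TRUTHY = {"1", "true", "yes", "on"}

# Constructed sample boot entries (not taken from any real deployment).
SAMPLE_PXE_CONFIG = """\
default deploy
label deploy
kernel /tftpboot/node-a/deploy_kernel
append initrd=/tftpboot/node-a/deploy_ramdisk ipa-api-url=https://192.0.2.10:6385 ipa-insecure=1 console=ttyS0
label deploy-verified
kernel /tftpboot/node-b/deploy_kernel
append initrd=/tftpboot/node-b/deploy_ramdisk ipa-api-url=https://192.0.2.10:6385 ipa-insecure=0
label deploy-default
kernel /tftpboot/node-c/deploy_kernel
append initrd=/tftpboot/node-c/deploy_ramdisk ipa-api-url=https://192.0.2.10:6385
"""


def kernel_params(cmdline):
    """Split a kernel command line into a {name: value} dict; bare flags map to ''."""
    params = {}
    for token in shlex.split(cmdline):
        name, _, value = token.partition("=")
        params[name] = value  # a later duplicate overrides an earlier one
    return params


def find_insecure_entries(config_text):
    """Return (label, line_number) for each boot entry that disables TLS verification."""
    findings = []
    label = None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        keyword, _, rest = raw.strip().partition(" ")
        if keyword.lower() == "label":
            label = rest.strip()
        elif keyword.lower() == "append":
            value = kernel_params(rest).get("ipa-insecure")
            if value is not None and value.lower() in TRUTHY:
                findings.append((label, lineno))
    return findings


if __name__ == "__main__":
    for label, lineno in find_insecure_entries(SAMPLE_PXE_CONFIG):
        print(f"line {lineno}: boot entry {label!r} disables TLS verification (ipa-insecure)")
```
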
Revision history for this message
Ramamani Yeleswarapu (ramamani-yeleswarapu) wrote :

Posted a patch to project-config to enable tls for ironic gate jobs (except the grenade jobs):

https://review.openstack.org/#/c/492231/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/492664

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ironic 9.0.0

This issue was fixed in the openstack/ironic 9.0.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/495428

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/495430

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/495432

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/499768

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (stable/newton)

Change abandoned by Dmitry Tantsur (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/495428
Reason: Hi! As stable/newton goes EOL really soon, I have to abandon this change.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (stable/ocata)

Change abandoned by Ramamani Yeleswarapu (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/495430
Reason: Testing complete. Patch merged.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (stable/pike)

Change abandoned by Ramamani Yeleswarapu (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/495432
Reason: Testing complete. Patch merged.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (master)

Change abandoned by Ramamani Yeleswarapu (<email address hidden>) on branch: master
Review: https://review.openstack.org/492664
Reason: Testing complete. Patch merged.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Ramamani Yeleswarapu (<email address hidden>) on branch: master
Review: https://review.openstack.org/499768
Reason: Testing complete. Patch merged.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic-inspector (master)

Change abandoned by Ramamani Yeleswarapu (<email address hidden>) on branch: master
Review: https://review.openstack.org/489778
Reason: Testing complete.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on ironic (master)

Change abandoned by Dmitry Tantsur (<email address hidden>) on branch: master
Review: https://review.openstack.org/469837
Reason: I think this is no longer needed

Revision history for this message
Julia Kreger (juliaashleykreger) wrote :

Changing ironic-inspector state to incomplete. The bug was for IPA, and fixed in ironic's devstack plugin. I'm unsure if any further action is required in ironic-inspector at this time.

Changed in ironic-inspector:
status: Triaged → Incomplete
Revision history for this message
Julia Kreger (juliaashleykreger) wrote :

Given the age, marking invalid.

Changed in ironic-inspector:
status: Incomplete → Invalid