Juniper Openstack

Contrail :: 16.04 10 newton :: provisioning failed due to metadata ssl parameter validation.

Bug #1721834 reported by Ritam Gangopadhyay on 2017-10-06

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R4.0	Fix Committed	Critical	Nitish Krishna Kaveri	Juniper Openstack r4.0.3.0
R4.1	Fix Committed	Critical	Nitish Krishna Kaveri	Juniper Openstack r4.1.0.0-fcs "r4.1"
Trunk	Fix Committed	Critical	Nitish Krishna Kaveri	Juniper Openstack r5.0.0

Bug Description

Metadata ssl variable schema validation needs to be implemented in contrail docker repo.

Setup:-

nodem5 -- 10.204.216.94 -- all in one node

root@nodem5:/opt/contrail/server_manager/ansible/playbooks/r41newton10/playbooks# docker exec -it controller contrail-status
== Contrail Control ==
contrail-control: inactive (disabled on boot)
contrail-named: inactive (disabled on boot)
contrail-dns: inactive (disabled on boot)
contrail-control-nodemgr: inactive (disabled on boot)
== Contrail Config ==
contrail-api: inactive (disabled on boot)
contrail-schema: inactive (disabled on boot)
contrail-svc-monitor: inactive (disabled on boot)
contrail-device-manager: inactive (disabled on boot)
contrail-config-nodemgr: inactive (disabled on boot)
== Contrail Config Database==
contrail-database: inactive (disabled on boot)

== Contrail Web UI ==
contrail-webui: inactive (disabled on boot)
contrail-webui-middleware: inactive (disabled on boot)
== Contrail Support Services ==
zookeeper: inactive
rabbitmq-server: inactive (disabled on boot)
root@nodem5:/opt/contrail/server_manager/ansible/playbooks/r41newton10/playbooks#

root@nodem5:/# docker exec -it controller journalctl -u contrail-ansible
-- Logs begin at Fri 2017-10-06 17:29:17 IST, end at Fri 2017-10-06 22:16:55 IST. --
Oct 06 17:29:23 nodem5 systemd[1]: Starting Contrail controller configuration...
Oct 06 17:29:24 nodem5 contrailctl[22]: Additional properties are not allowed ('metadata_ssl_enable' was unexpected)
Oct 06 17:29:29 nodem5 systemd[1]: contrail-ansible.service: Main process exited, code=exited, status=1/FAILURE
Oct 06 17:29:29 nodem5 systemd[1]: Failed to start Contrail controller configuration.
Oct 06 17:29:31 nodem5 systemd[1]: contrail-ansible.service: Unit entered failed state.
Oct 06 17:29:31 nodem5 systemd[1]: contrail-ansible.service: Failed with result 'exit-code'.
root@nodem5:/#

See original description

Tags:

Ritam Gangopadhyay (ritam) on 2017-10-06

description:

updated

Ritam Gangopadhyay (ritam) on 2017-10-06

information type:

Proprietary → Public

Ritam Gangopadhyay (ritam) on 2017-10-06

tags:

added: blocker feature

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2017-10-06:

metadata_ssl_enable needs to be set to true in json. Based on this Nova.conf and agent.conf are updated with metadata ssl encryption parameters.

When I set this parameter, internal ansible fails to validate the schema. So ansible launches the containers, but due to schema validation failure by internal ansible none of the services are launced

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-09: [Review update] master

Review in progress for https://review.opencontrail.org/36354
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-09:

Review in progress for https://review.opencontrail.org/36355
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-09: [Review update] R4.1

Review in progress for https://review.opencontrail.org/36356
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-09:

Review in progress for https://review.opencontrail.org/36357
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-11: A change has been merged

Reviewed: https://review.opencontrail.org/36354
Committed: http://github.com/Juniper/contrail-puppet/commit/e478b2f91c25a49ae807f5757e58a2906910a3cf
Submitter: Zuul (<email address hidden>)
Branch: master

commit e478b2f91c25a49ae807f5757e58a2906910a3cf
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:15:13 2017 -0700

Partial-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature

Change-Id: I0078f969ec50a47c0c845c5f32eba11cd62ca26d

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-11:

Reviewed: https://review.opencontrail.org/36355
Committed: http://github.com/Juniper/contrail-server-manager/commit/511e67377d78f8cc44bff26ff95e89fc0a7762f9
Submitter: Zuul (<email address hidden>)
Branch: master

commit 511e67377d78f8cc44bff26ff95e89fc0a7762f9
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:18:36 2017 -0700

Closes-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature
Moving to same level as enable_lbaas

Change-Id: Ia8ef60c87998d47e3f88c3abe85c4cdb8d8c054d

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2017-10-11:

#10

nova.conf is not getting updated with these parameters,

[DEFAULT]
enabled_ssl_apis= metadata
nova_metadata_protocol= https
nova_metadata_insecure= True
ssl_cert_file= /etc/nova/ssl/certs/nova.pem
ssl_key_file= /etc/nova/ssl/private/novakey.pem
ssl_ca_file= /etc/nova/ssl/certs/ca.pem

when "metadata_ssl_enable": true is set in cluster

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-12: [Review update] master

#11

Review in progress for https://review.opencontrail.org/36440
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-12: [Review update] R4.1

#13

Review in progress for https://review.opencontrail.org/36464
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-12: [Review update] R4.0

#15

Review in progress for https://review.opencontrail.org/36473
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-12:

#17

Review in progress for https://review.opencontrail.org/36474
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-12:

#18

Review in progress for https://review.opencontrail.org/36475
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-13: A change has been merged

#20

Reviewed: https://review.opencontrail.org/36475
Committed: http://github.com/Juniper/contrail-server-manager/commit/b3286a2f80debbdb6455de485dde108320e86f7e
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit b3286a2f80debbdb6455de485dde108320e86f7e
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:18:36 2017 -0700

Closes-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature
Moving to same level as enable_lbaas

Change-Id: Ia8ef60c87998d47e3f88c3abe85c4cdb8d8c054d

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-13:

#21

Reviewed: https://review.opencontrail.org/36473
Committed: http://github.com/Juniper/contrail-server-manager/commit/6f901ffde5348c3ea34818fea0abcb33418ac7ad
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 6f901ffde5348c3ea34818fea0abcb33418ac7ad
Author: nitishkrishna <email address hidden>
Date: Wed Oct 11 16:09:04 2017 -0700

Closes-Bug: #1722934 - Deprecating contrail section in cluster params
Closes-Bug: #1721834

All params have to be specified in contrail_4 section
Any parameters needed by puppet will be auto-derived into contrail section
Any new parameters needed by puppet will need to be added to this list

Change-Id: I354919e1d78f3e6ef7c96d1ce9b4e361487b08ff

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-13:

#22

Reviewed: https://review.opencontrail.org/36440
Committed: http://github.com/Juniper/contrail-server-manager/commit/adcb2659521eda2a6ccef1d2936d28cfdffa2a41
Submitter: Zuul (<email address hidden>)
Branch: master

commit adcb2659521eda2a6ccef1d2936d28cfdffa2a41
Author: nitishkrishna <email address hidden>
Date: Wed Oct 11 16:09:04 2017 -0700

Closes-Bug: #1722934 - Deprecating contrail section in cluster params
Closes-Bug: #1721834

All params have to be specified in contrail_4 section
Any parameters needed by puppet will be auto-derived into contrail section
Any new parameters needed by puppet will need to be added to this list

Change-Id: I354919e1d78f3e6ef7c96d1ce9b4e361487b08ff

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-14:

#23

Reviewed: https://review.opencontrail.org/36357
Committed: http://github.com/Juniper/contrail-server-manager/commit/ff492ed4c6fb7c4ace45e3f37759295e3215dfe4
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit ff492ed4c6fb7c4ace45e3f37759295e3215dfe4
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:18:36 2017 -0700

Closes-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature
Moving to same level as enable_lbaas

Change-Id: Ia8ef60c87998d47e3f88c3abe85c4cdb8d8c054d

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-15:

#24

Reviewed: https://review.opencontrail.org/36474
Committed: http://github.com/Juniper/contrail-puppet/commit/0550b5db2c1b7c57fdc3be1d6c320f0178a97dec
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 0550b5db2c1b7c57fdc3be1d6c320f0178a97dec
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:15:13 2017 -0700

Partial-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature

Change-Id: I0078f969ec50a47c0c845c5f32eba11cd62ca26d
(cherry picked from commit e478b2f91c25a49ae807f5757e58a2906910a3cf)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-15:

#25

Reviewed: https://review.opencontrail.org/36464
Committed: http://github.com/Juniper/contrail-server-manager/commit/7dd69486ef8ac68fb356a2c0eb0db8ce7888a686
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 7dd69486ef8ac68fb356a2c0eb0db8ce7888a686
Author: nitishkrishna <email address hidden>
Date: Wed Oct 11 16:09:04 2017 -0700

Closes-Bug: #1722934 - Deprecating contrail section in cluster params
Closes-Bug: #1721834

All params have to be specified in contrail_4 section
Any parameters needed by puppet will be auto-derived into contrail section
Any new parameters needed by puppet will need to be added to this list

Change-Id: I354919e1d78f3e6ef7c96d1ce9b4e361487b08ff

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2017-10-15:

#26

Reviewed: https://review.opencontrail.org/36356
Committed: http://github.com/Juniper/contrail-puppet/commit/14519b942e2b34fda85c60212fd5f425a41cf510
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 14519b942e2b34fda85c60212fd5f425a41cf510
Author: nitishkrishna <email address hidden>
Date: Mon Oct 9 10:15:13 2017 -0700

Partial-Bug: #1721834 - Removing enable_metadata_ssl from global_config

Putting it in global_config causes it to be validated in containers which do not have this feature

Change-Id: I0078f969ec50a47c0c845c5f32eba11cd62ca26d

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.