Bug #1759576 “R5.0-micro-services provision - metadata ssl suppo...” : Bugs : Juniper Openstack

Jeba Paulaiyan (jebap) on 2018-03-29

tags:

added: sanityblocker

Revision history for this message

Abhay Joshi (abhayj) wrote on 2018-03-29:

#1

Ritam,

Metadata support is already there in 5.0-micro-services. You can enable it with the following setting :

# contrail_additions : metadata_ssl_enable is set to "yes" to support the SSL
# encryption feature for vrouter when proxying.
metadata_ssl_enable: "no"

in contrail-kolla-ansible/all.yml file. Please see https://github.com/Juniper/contrail-ansible-deployer/wiki/Contrail-with-Kolla-Ocata and https://github.com/Juniper/contrail-kolla-ansible/blob/contrail/ocata/ansible/group_vars/all.yml.

Revision history for this message

Ramprakash R (ramprakash) wrote on 2018-03-30:

#2

All the parameters that used to be in kolla/globals.yml could be given in instances.yaml as below:

...
...
kolla_config:
kolla_globals:
metadata_ssl_enabe: yes

This should populate the nova.conf with below configs:

enabled_ssl_apis= metadata
nova_metadata_protocol= https
nova_metadata_insecure= True
ssl_cert_file= /etc/nova/ssl/certs/nova.pem
ssl_key_file= /etc/nova/ssl/private/novakey.pem
ssl_ca_file= /etc/nova/ssl/certs/ca.pem

Note that pem files might have to be generated and placed in this directory in the relevant compute hosts. That will not happen automatically during provision in 5.0.

Revision history for this message

vageesan (vageesant) wrote on 2018-03-31: mariadb docker is restarting

#3

Hi Ramprakash,

Provision is failing in my setup with the following log.I see mariadb docker is restarting frequently.Please check into the setup.

SM lite node: 10.204.216.8
Build: 4.1.0-8 ,Ocata – 16.04.2-minimal.
Config file: /root/vageesan/combined_new.json

Thanks
Vageesan.

"2018-03-31 02:35:02,283-INFO-sm_ansible_callback.py:53-append(): TASK [mariadb : Waiting for MariaDB service to be ready]"
"2018-03-31 02:40:59,998-INFO-sm_ansible_callback.py:53-append(): fatal: [10.204.216.11]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.11 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 585, in <module>\r\n main()\r\n File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 525, in main\r\n response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
"2018-03-31 02:41:00,428-INFO-sm_ansible_callback.py:53-append(): fatal: [10.204.216.13]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.13 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 585, in <module>\r\n main()\r\n File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 525, in main\r\n response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
"2018-03-31 02:41:00,432-INFO-sm_ansible_utils.py:496-send_REST_request(): Sending post request to http://10.204.216.8:9002/ansible_status?server_id=10.204.216.11&state=provision_failed"
"2018-03-31 02:41:00,435-DEBUG-server_mgr_status.py:134-put_ansible_status(): Server status Data nodea15 provision_failed 2018_03_31__02_41_00"

Revision history for this message

Sudheendra Rao (sudheendra-k) wrote on 2018-03-31:

#4

+Ritam, please check.

Thanks,
Sudhee.

Sent from my iPhone

> On 31-Mar-2018, at 6:18 AM, Vageesan Thanikachalam <email address hidden> wrote:
>
> Hi Ramprakash,
>
> Provision is failing in my setup with the following log.I see mariadb docker is restarting frequently.Please check into the setup.
>
>
> SM lite node: 10.204.216.8
> Build: 4.1.0-8 ,Ocata – 16.04.2-minimal.
> Config file: /root/vageesan/combined_new.json
>
> Thanks
> Vageesan.
>
> "2018-03-31 02:35:02,283-INFO-sm_ansible_callback.py:53-append(): TASK [mariadb : Waiting for MariaDB service to be ready]"
> "2018-03-31 02:40:59,998-INFO-sm_ansible_callback.py:53-append(): fatal: [10.204.216.11]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.11 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 585, in <module>\r\n main()\r\n File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 525, in main\r\n response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
> "2018-03-31 02:41:00,428-INFO-sm_ansible_callback.py:53-append(): fatal: [10.204.216.13]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.13 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 585, in <module>\r\n main()\r\n File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 525, in main\r\n response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
> "2018-03-31 02:41:00,432-INFO-sm_ansible_utils.py:496-send_REST_request(): Sending post request to http://10.204.216.8:9002/ansible_status?server_id=10.204.216.11&state=provision_failed"
> "2018-03-31 02:41:00,435-DEBUG-server_mgr_status.py:134-put_ansible_status(): Server status Data nodea15 provision_failed 2018_03_31__02_41_00"

+Ritam, please check.

Thanks,
Sudhee.

Sent from my iPhone

> On 31-Mar-2018, at 6:18 AM, Vageesan Thanikachalam <vageesant@juniper.net> wrote:
> 
> Hi Ramprakash,
> 
> Provision is failing in my setup with the following log.I see mariadb docker is restarting frequently.Please check into the setup.
> 
> 
> SM lite node: 10.204.216.8
> Build: 4.1.0-8 ,Ocata – 16.04.2-minimal.
> Config file: /root/vageesan/combined_new.json
> 
> Thanks
> Vageesan.
> 
> "2018-03-31 02:35:02,283-INFO-sm_ansible_callback.py:53-append():  TASK [mariadb : Waiting for MariaDB service to be ready]"
> "2018-03-31 02:40:59,998-INFO-sm_ansible_callback.py:53-append():  fatal: [10.204.216.11]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.11 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 585, in <module>\r\n    main()\r\n  File \"/tmp/ansible_RfH8hA/ansible_module_wait_for.py\", line 525, in main\r\n    response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
> "2018-03-31 02:41:00,428-INFO-sm_ansible_callback.py:53-append():  fatal: [10.204.216.13]: FAILED! => (item - None) {"attempts": 10, "changed": false, "failed": true, "module_stderr": "Shared connection to 10.204.216.13 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 585, in <module>\r\n    main()\r\n  File \"/tmp/ansible_qeKMWG/ansible_module_wait_for.py\", line 525, in main\r\n    response = s.recv(1024)\r\nsocket.error: [Errno 104] Connection reset by peer\r\n", "msg": "MODULE FAILURE", "rc": 0}"
> "2018-03-31 02:41:00,432-INFO-sm_ansible_utils.py:496-send_REST_request():  Sending post request to http://10.204.216.8:9002/ansible_status?server_id=10.204.216.11&state=provision_failed"
> "2018-03-31 02:41:00,435-DEBUG-server_mgr_status.py:134-put_ansible_status():  Server status Data nodea15 provision_failed 2018_03_31__02_41_00"

Revision history for this message

Abhay Joshi (abhayj) wrote on 2018-04-02:

#5

Comment #3 is NOT APPLICABLE to bug described in this report. The bug is invalid as stated in comments #1 and #2. #3 was something tried on 4.1, person finding it concluded it is this bug and reopened!!

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-13:

#6

As expected metadata_ssl_enable set to true doesn't enable metadata service, instead it fails in ssl cert copy.

Moreover it is not clear how setting metadata_ssl_enable under kolla configs will successfully configure the vrouter conf file.

Here is the task that fails and the error:-

TASK ---- Copy ssl certs for metadata if required

2018-04-13 09:24:25,408 p=24825 u=root | TASK [nova : Copy ssl certs for metadata if required] **********************************************************************************************************************************************
2018-04-13 09:24:25,792 p=24825 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodem14.pem'
2018-04-13 09:24:25,794 p=24825 u=root | failed: [10.204.216.103] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodem14.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodem14.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodem14.pem'"}

Revision history for this message

Ramprakash R (ramprakash) wrote on 2018-04-13:

#7

As mentioned in comment #2, for 5.0, the ssl cert files will not be generated automatically. It needs to be generated manually and placed wherever "local_ssl_directory" is configured to (default is /etc/contrail_smgr/puppet/ssl - you can change it by setting this variable under kolla_globals section). I believe it should still work. Please update if this still does not work.

Revision history for this message

Nitish Krishna Kaveri (nitishk) wrote on 2018-04-13:

#8

When SSL_ENABLE is set to True in contrail_configuration, the node-init containers create self signed certs per host and put them in /etc/contrail/ssl/certs/ and /etc/contrail/ssl/private/ on the host and inside the relevant containers
I am following the default paths mentioned here:
https://github.com/Juniper/contrail-container-builder/blob/master/containers/base/common.sh#L28

The Check-ins to do this creation/mounting as already merged.
Please set SSL_ENABLE to True and try the above paths

Revision history for this message

Abhay Joshi (abhayj) wrote on 2018-04-13:

#9

Ritam,

Please try #8 above and reopen if still broken.

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-14:

#10

Will try it but still not sure how that solves configuring nova.conf and vrouter.conf with metadata ssl parameters.

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-15:

#11

Download full text (12.3 KiB)

Enabled the below flags:-

[root@nodec28 ~]# cat contrail-ansible-deployer/config/instances.yaml | grep SSL
SSL_ENABLE: True
[root@nodec28 ~]# cat contrail-ansible-deployer/config/instances.yaml | grep metadata_ss
metadata_ssl_enable: yes
[root@nodec28 ~]#

Provisioning failed while searching for cert/key files under contrail_smgr directory.
1. Looks like the path needs to be changed in the task.
2. Cert/Key file copy should happen before openstack provisioning is done because copy code is part of contrail provisioning right now which happens after openstack provisioning.
3. I am not sure who needs to look into it, whether from contrail side or openstack side so moving it back to triage.

Here is the ansible task failure seen on my setup, setup is nodec28 and available.

**********************************
**********************************
**********************************
**********************************

2018-04-15 10:15:14,534 p=26013 u=root | TASK [nova : Copy ssl certs for metadata if required] **********************************************************************************************************************************************
2018-04-15 10:15:14,679 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19.pem'
2018-04-15 10:15:14,679 p=26013 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei19.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei19.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19.pem'"}
2018-04-15 10:15:14,746 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37.pem'
2018-04-15 10:15:14,747 p=26013 u=root | failed: [10.204.217.77] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodeg37.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodeg37.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37.pem'"}
2018-04-15 10:15:14,748 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,748 p=26013 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,749 p=26013 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem...

Enabled the below flags:-

[root@nodec28 ~]# cat contrail-ansible-deployer/config/instances.yaml | grep SSL
  SSL_ENABLE: True
[root@nodec28 ~]# cat contrail-ansible-deployer/config/instances.yaml | grep metadata_ss
    metadata_ssl_enable: yes
[root@nodec28 ~]#

Provisioning failed while searching for cert/key files under contrail_smgr directory. 
1. Looks like the path needs to be changed in the task.
2. Cert/Key file copy should happen before openstack provisioning is done because copy code is part of contrail provisioning right now which happens after openstack provisioning.
3. I am not sure who needs to look into it, whether from contrail side or openstack side so moving it back to triage.

Here is the ansible task failure seen on my setup, setup is nodec28 and available.

**********************************
**********************************
**********************************
**********************************

2018-04-15 10:15:14,534 p=26013 u=root |  TASK [nova : Copy ssl certs for metadata if required] **********************************************************************************************************************************************
2018-04-15 10:15:14,679 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19.pem'
2018-04-15 10:15:14,679 p=26013 u=root |  failed: [10.204.217.131] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei19.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei19.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19.pem'"}
2018-04-15 10:15:14,746 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37.pem'
2018-04-15 10:15:14,747 p=26013 u=root |  failed: [10.204.217.77] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodeg37.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodeg37.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37.pem'"}
2018-04-15 10:15:14,748 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,748 p=26013 u=root |  failed: [10.204.217.131] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,749 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,749 p=26013 u=root |  failed: [10.204.217.77] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,750 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec33.pem'
2018-04-15 10:15:14,750 p=26013 u=root |  failed: [10.204.217.168] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodec33.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodec33.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec33.pem'"}
2018-04-15 10:15:14,751 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19-privkey.pem'
2018-04-15 10:15:14,761 p=26013 u=root |  failed: [10.204.217.131] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei19-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei19-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei19-privkey.pem'"}
2018-04-15 10:15:14,773 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37-privkey.pem'
2018-04-15 10:15:14,774 p=26013 u=root |  failed: [10.204.217.77] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodeg37-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodeg37-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodeg37-privkey.pem'"}
2018-04-15 10:15:14,783 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei20.pem'
2018-04-15 10:15:14,783 p=26013 u=root |  failed: [10.204.217.132] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei20.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei20.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei20.pem'"}
2018-04-15 10:15:14,792 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei17.pem'
2018-04-15 10:15:14,792 p=26013 u=root |  failed: [10.204.217.129] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei17.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei17.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei17.pem'"}
2018-04-15 10:15:14,803 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,804 p=26013 u=root |  failed: [10.204.217.168] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,823 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,823 p=26013 u=root |  failed: [10.204.217.132] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,837 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,837 p=26013 u=root |  failed: [10.204.217.129] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,860 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec33-privkey.pem'
2018-04-15 10:15:14,860 p=26013 u=root |  failed: [10.204.217.168] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodec33-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodec33-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec33-privkey.pem'"}
2018-04-15 10:15:14,863 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec50.pem'
2018-04-15 10:15:14,864 p=26013 u=root |  failed: [10.204.217.153] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodec50.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodec50.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec50.pem'"}
2018-04-15 10:15:14,873 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei20-privkey.pem'
2018-04-15 10:15:14,874 p=26013 u=root |  failed: [10.204.217.132] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei20-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei20-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei20-privkey.pem'"}
2018-04-15 10:15:14,889 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei17-privkey.pem'
2018-04-15 10:15:14,889 p=26013 u=root |  failed: [10.204.217.129] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodei17-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodei17-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodei17-privkey.pem'"}
2018-04-15 10:15:14,896 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'
2018-04-15 10:15:14,897 p=26013 u=root |  failed: [10.204.217.153] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail_smgr/puppet/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/ca-cert.pem'"}
2018-04-15 10:15:14,943 p=26013 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec50-privkey.pem'
2018-04-15 10:15:14,943 p=26013 u=root |  failed: [10.204.217.153] (item={u'src': u'/etc/contrail_smgr/puppet/ssl/nodec50-privkey.pem', u'dst': u'/etc/nova/ssl/private/novakey.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/private/novakey.pem", "src": "/etc/contrail_smgr/puppet/ssl/nodec50-privkey.pem"}, "msg": "Could not find or access '/etc/contrail_smgr/puppet/ssl/nodec50-privkey.pem'"}
2018-04-15 10:15:14,946 p=26013 u=root |        to retry, use: --limit @/root/contrail-ansible-deployer/playbooks/install_contrail.retry

2018-04-15 10:15:14,946 p=26013 u=root |  PLAY RECAP *****************************************************************************************************************************************************************************************

Revision history for this message

Abhay Joshi (abhayj) wrote on 2018-04-16:

#12

Hi Alexey,

Can you please confirm if your change for SSL certs in control, also takes care of vrouter? If not, please add that too.

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-19: [Review update] master

#13

Review in progress for https://review.opencontrail.org/42187
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-19: [Review update] R5.0

#15

Review in progress for https://review.opencontrail.org/42188
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20: [Review update] master

#17

Review in progress for https://review.opencontrail.org/42187
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20: [Review update] R5.0

#19

Review in progress for https://review.opencontrail.org/42188
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20: [Review update] master

#21

Review in progress for https://review.opencontrail.org/42187
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20: [Review update] R5.0

#23

Review in progress for https://review.opencontrail.org/42188
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

alexey-mr (alexey-morlang) wrote on 2018-04-20:

#25

To populate vrouter agent config with ssl settins for metadata it is needed to provide variables:
METADATA_SSL_ENABLE=true
# parameters below are optional (if keep them empty insecure ssl be used (w/o cert strict checking), if some orchestrator layer support cert/key generation the exact files could be passed via:
METADATA_SSL_CERTFILE
METADATA_SSL_KEYFILE
METADATA_SSL_CA_CERTFILE
(If provided certs if not in PEM format the format should be specified in METADATA_SSL_CERT_TYPE)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20: A change has been merged

#26

Reviewed: https://review.opencontrail.org/42188
Committed: http://github.com/Juniper/contrail-container-builder/commit/0f57372a4e9900e8ed7a54b21faee4a06b6759fe
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 0f57372a4e9900e8ed7a54b21faee4a06b6759fe
Author: alexey-mr <email address hidden>
Date: Thu Apr 19 18:41:55 2018 +0300

Provision metadata ssl options for agent config

Change-Id: I1bce4f06b0fcedcc298de65eaebf4afcf57ac182
Closes-Bug: #1759576

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-20:

#27

Reviewed: https://review.opencontrail.org/42187
Committed: http://github.com/Juniper/contrail-container-builder/commit/fe74357a68453b47ba1e1c19134926d97d492055
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit fe74357a68453b47ba1e1c19134926d97d492055
Author: alexey-mr <email address hidden>
Date: Thu Apr 19 18:41:55 2018 +0300

Provision metadata ssl options for agent config

Change-Id: I1bce4f06b0fcedcc298de65eaebf4afcf57ac182
Closes-Bug: #1759576

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-24:

#28

Download full text (5.0 KiB)

Provisioning fails to find certs while bringing up nova with the following error:-

2018-04-24 10:25:12,661 p=1887 u=root | TASK [nova : Copy ssl certs for metadata if required] **********************************************************************************************************************************************
2018-04-24 10:25:12,964 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei19.pem'
2018-04-24 10:25:12,964 p=1887 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/contrail/ssl/nodei19.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodei19.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodei19.pem'"}
2018-04-24 10:25:12,965 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodeg37.pem'
2018-04-24 10:25:12,965 p=1887 u=root | failed: [10.204.217.77] (item={u'src': u'/etc/contrail/ssl/nodeg37.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodeg37.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodeg37.pem'"}
2018-04-24 10:25:12,966 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/ca-cert.pem'
2018-04-24 10:25:12,966 p=1887 u=root | failed: [10.204.217.131] (item={u'src': u'/etc/contrail/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/ca-cert.pem'"}
2018-04-24 10:25:12,967 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodec33.pem'
2018-04-24 10:25:12,967 p=1887 u=root | failed: [10.204.217.168] (item={u'src': u'/etc/contrail/ssl/nodec33.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodec33.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodec33.pem'"}
2018-04-24 10:25:12,968 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei20.pem'
2018-04-24 10:25:12,968 p=1887 u=root | failed: [10.204.217.132] (item={u'src': u'/etc/contrail/ssl/nodei20.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodei20.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodei20.pem'"}
2018-04-24 10:25:12,978 p=1887 u=root | An exception occurred during task execution. To see the full traceback, use -vvv. The e...

Provisioning fails to find certs while bringing up nova with the following error:-

2018-04-24 10:25:12,661 p=1887 u=root |  TASK [nova : Copy ssl certs for metadata if required] **********************************************************************************************************************************************
2018-04-24 10:25:12,964 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei19.pem'
2018-04-24 10:25:12,964 p=1887 u=root |  failed: [10.204.217.131] (item={u'src': u'/etc/contrail/ssl/nodei19.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodei19.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodei19.pem'"}
2018-04-24 10:25:12,965 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodeg37.pem'
2018-04-24 10:25:12,965 p=1887 u=root |  failed: [10.204.217.77] (item={u'src': u'/etc/contrail/ssl/nodeg37.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodeg37.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodeg37.pem'"}
2018-04-24 10:25:12,966 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/ca-cert.pem'
2018-04-24 10:25:12,966 p=1887 u=root |  failed: [10.204.217.131] (item={u'src': u'/etc/contrail/ssl/ca-cert.pem', u'dst': u'/etc/nova/ssl/certs/ca.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/ca.pem", "src": "/etc/contrail/ssl/ca-cert.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/ca-cert.pem'"}
2018-04-24 10:25:12,967 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodec33.pem'
2018-04-24 10:25:12,967 p=1887 u=root |  failed: [10.204.217.168] (item={u'src': u'/etc/contrail/ssl/nodec33.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodec33.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodec33.pem'"}
2018-04-24 10:25:12,968 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei20.pem'
2018-04-24 10:25:12,968 p=1887 u=root |  failed: [10.204.217.132] (item={u'src': u'/etc/contrail/ssl/nodei20.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodei20.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodei20.pem'"}
2018-04-24 10:25:12,978 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei17.pem'
2018-04-24 10:25:12,979 p=1887 u=root |  failed: [10.204.217.129] (item={u'src': u'/etc/contrail/ssl/nodei17.pem', u'dst': u'/etc/nova/ssl/certs/nova.pem'}) => {"changed": false, "item": {"dst": "/etc/nova/ssl/certs/nova.pem", "src": "/etc/contrail/ssl/nodei17.pem"}, "msg": "Could not find or access '/etc/contrail/ssl/nodei17.pem'"}
2018-04-24 10:25:12,980 p=1887 u=root |  An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AnsibleFileNotFound: Could not find or access '/etc/contrail/ssl/nodei19-privkey.pem'

************************
************************
************************
************************

In instances.yaml I have set the following parameters:-

contrail_configuration:
  SSL_ENABLE: True
  METADATA_SSL_ENABLE: True

kolla_config:
  kolla_globals:
    metadata_ssl_enable: "yes"
    local_ssl_directory: "/etc/contrail/ssl"

************************
************************
************************

On this I only see ca-cert and key copied under the ssl directory and cert.pem and priv key missing

[root@nodec28 ~]# ls -la /etc/contrail/ssl/certs/
total 20
drwxr-xr-x 2 root root 4096 Apr 24 12:45 .
drwxr-xr-x 4 root root 4096 Apr 24 09:10 ..
-rw-r--r-- 1 root root 1948 Apr 24 09:10 ca-cert.pem
[root@nodec28 ~]# ls -la /etc/contrail/ssl/private/
total 16
drwx------ 2 root root 4096 Apr 24 12:45 .
drwxr-xr-x 4 root root 4096 Apr 24 09:10 ..
-rw------- 1 root root 3243 Apr 24 09:10 ca-key.pem
[root@nodec28 ~]#

the cert and priv key are generated while contrail provisioning and not available to nova while kolla provisioning.

************************
************************
************************

Also tried with:-
setting kolla_enable_tls_external: "yes" and generating the certs but was not able to solve the issue as this task keeps looking for the certs and fails.

Revision history for this message

alexey-mr (alexey-morlang) wrote on 2018-04-24:

#29

There is no needs to use certs for nova provisioning.
Instead it is needed to configure openstack to enable SSL on VIPs (for haproxy) only, metadata are to be accessed via VIP from compute nodes. And it is to be done by kolla - not by contail-container-build or contrail-ansible-depllyer.

Revision history for this message

Nitish Krishna Kaveri (nitishk) wrote on 2018-04-24:

#30

I think I know what the issue is. Let me debug and close

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24: [Review update] contrail/ocata

#31

Review in progress for https://review.opencontrail.org/42476
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24:

#33

Review in progress for https://review.opencontrail.org/42477
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24:

#34

Review in progress for https://review.opencontrail.org/42476
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-24:

#36

Download full text (41.6 KiB)

With review 42476 patched and below knobs in by instances.yml

contrail_configuration:
METADATA_SSL_ENABLE: True

kolla_config:
  kolla_globals:
    metadata_ssl_enable: "yes"
    tls_bind_info_internal: "yes"

**********************************************
**********************************************
**********************************************

I am hitting haproxy bring up error

TASK [haproxy : Copying over haproxy.cfg] **********************************************************************************************************************************************************
failed: [10.204.217.131] (item=/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2) => {"changed": false, "item": "/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2", "msg": "AnsibleError: template error while templating string: expected token ':', got '}'. String: {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}\n{% set tls_bind_info_internal = 'ssl crt /etc/haproxy/haproxy-internal.pem' if kolla_enable_tls_internal | bool else '' %}\n{% set tls_bind_info_nova_metadata = {{ tls_bind_info_internal }} if metadata_ssl_enable | bool else '' %}\nglobal\n chroot /var/lib/haproxy\n user haproxy\n group haproxy\n daemon\n{% if orchestration_engine != 'KUBERNETES' %}\n log {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ fluentd_syslog_port }} local1\n{% endif %}\n maxconn 4000\n stats socket /var/lib/kolla/haproxy/haproxy.sock\n{% if kolla_enable_tls_external | bool %}\n ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES\n ssl-default-bind-options no-sslv3 no-tlsv10\n tune.ssl.default-dh-param 4096\n{% endif %}\n\ndefaults\n log global\n mode http\n option redispatch\n option httplog\n option forwardfor\n retries 3\n timeout http-request 10s\n timeout queue 1m\n timeout connect 10s\n timeout client {{ haproxy_client_timeout }}\n timeout server {{ haproxy_server_timeout }}\n timeout check 10s\n\nlisten stats\n bind {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ haproxy_stats_port }}\n mode http\n stats enable\n stats uri /\n stats refresh 15s\n stats realm Haproxy\\ Stats\n stats auth {{ haproxy_user }}:{{ haproxy_password }}\n\n{% if enable_rabbitmq | bool %}\nlisten rabbitmq_management\n bind {{ kolla_internal_vip_address }}:{{ rabbitmq_management_port }}\n{% for host in groups['rabbitmq'] %}\n server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_management_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_mongodb | bool %}\nlisten mongodb\n bind {{ kolla_internal_vip_address }}:{{ mongodb_port }}\n{% for host in groups['mongodb'] %}\n server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mongodb_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_keystone | bool %}\nlisten keystone_internal\n bind {{ kolla_internal_vip_a...

With review 42476 patched and below knobs in by instances.yml

contrail_configuration:
  METADATA_SSL_ENABLE: True

kolla_config:
  kolla_globals:
    metadata_ssl_enable: "yes"
    tls_bind_info_internal: "yes"

**********************************************
**********************************************
**********************************************

I am hitting haproxy bring up error

TASK [haproxy : Copying over haproxy.cfg] **********************************************************************************************************************************************************
failed: [10.204.217.131] (item=/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2) => {"changed": false, "item": "/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2", "msg": "AnsibleError: template error while templating string: expected token ':', got '}'. String: {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}\n{% set tls_bind_info_internal = 'ssl crt /etc/haproxy/haproxy-internal.pem' if kolla_enable_tls_internal | bool else '' %}\n{% set tls_bind_info_nova_metadata = {{ tls_bind_info_internal }} if metadata_ssl_enable | bool else '' %}\nglobal\n  chroot /var/lib/haproxy\n  user haproxy\n  group haproxy\n  daemon\n{% if orchestration_engine != 'KUBERNETES' %}\n  log {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ fluentd_syslog_port }} local1\n{% endif %}\n  maxconn 4000\n  stats socket /var/lib/kolla/haproxy/haproxy.sock\n{% if kolla_enable_tls_external | bool %}\n  ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES\n  ssl-default-bind-options no-sslv3 no-tlsv10\n  tune.ssl.default-dh-param 4096\n{% endif %}\n\ndefaults\n  log global\n  mode http\n  option redispatch\n  option httplog\n  option forwardfor\n  retries 3\n  timeout http-request 10s\n  timeout queue 1m\n  timeout connect 10s\n  timeout client {{ haproxy_client_timeout }}\n  timeout server {{ haproxy_server_timeout }}\n  timeout check 10s\n\nlisten stats\n   bind {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ haproxy_stats_port }}\n   mode http\n   stats enable\n   stats uri /\n   stats refresh 15s\n   stats realm Haproxy\\ Stats\n   stats auth {{ haproxy_user }}:{{ haproxy_password }}\n\n{% if enable_rabbitmq | bool %}\nlisten rabbitmq_management\n  bind {{ kolla_internal_vip_address }}:{{ rabbitmq_management_port }}\n{% for host in groups['rabbitmq'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_management_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_mongodb | bool %}\nlisten mongodb\n  bind {{ kolla_internal_vip_address }}:{{ mongodb_port }}\n{% for host in groups['mongodb'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mongodb_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_keystone | bool %}\nlisten keystone_internal\n  bind {{ kolla_internal_vip_address }}:{{ keystone_public_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['keystone'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten keystone_external\n  bind {{ kolla_external_vip_address }}:{{ keystone_public_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['keystone'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\nlisten keystone_admin\n  bind {{ kolla_internal_vip_address }}:{{ keystone_admin_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['keystone'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_admin_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_glance | bool %}\nlisten glance_registry\n  bind {{ kolla_internal_vip_address }}:{{ glance_registry_port }}\n{% for host in groups['glance-registry'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten glance_api\n  bind {{ kolla_internal_vip_address }}:{{ glance_api_port }}\n  timeout client {{ haproxy_glance_api_client_timeout }}\n  timeout server {{ haproxy_glance_api_server_timeout }}\n{% for host in groups['glance-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten glance_api_external\n  bind {{ kolla_external_vip_address }}:{{ glance_api_port }} {{ tls_bind_info }}\n{% for host in groups['glance-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_nova | bool %}\nlisten nova_api\n  bind {{ kolla_internal_vip_address }}:{{ nova_api_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['nova-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten nova_metadata\n  bind {{ kolla_internal_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info_nova_metadata }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten placement_api\n  bind {{ kolla_internal_vip_address }}:{{ placement_api_port }}\n  http-request del-header X-Forwarded-Proto\n{% for host in groups['placement-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ placement_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\n{% if nova_console == 'novnc' %}\nlisten nova_novncproxy\n  bind {{ kolla_internal_vip_address }}:{{ nova_novncproxy_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-novncproxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% elif nova_console == 'spice' %}\nlisten nova_spicehtml5proxy\n  bind {{ kolla_internal_vip_address }}:{{ nova_spicehtml5proxy_port }}\n{% for host in groups['nova-spicehtml5proxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_nova_serialconsole_proxy | bool %}\nlisten nova_serialconsole_proxy\n  bind {{ kolla_internal_vip_address }}:{{ nova_serialproxy_port }}\n{% for host in groups['nova-serialproxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_serialproxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten nova_api_external\n  bind {{ kolla_external_vip_address }}:{{ nova_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten nova_metadata_external\n  bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten placement_api_external\n  bind {{ kolla_external_vip_address }}:{{ placement_api_port }}\n  http-request del-header X-Forwarded-Proto\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['placement-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ placement_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\n{% if nova_console == 'novnc' %}\nlisten nova_novncproxy_external\n  bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-novncproxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% elif nova_console == 'spice' %}\nlisten nova_spicehtml5proxy_external\n  bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-spicehtml5proxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_nova_serialconsole_proxy | bool %}\nlisten nova_serialconsole_proxy_external\n  bind {{ kolla_external_vip_address }}:{{ nova_serialproxy_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['nova-serialproxy'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_serialproxy_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endif %}\n\n{% if enable_neutron | bool %}\nlisten neutron_server\n  bind {{ kolla_internal_vip_address }}:{{ neutron_server_port }}\n{% for host in groups['neutron-server'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten neutron_server_external\n  bind {{ kolla_external_vip_address }}:{{ neutron_server_port }} {{ tls_bind_info }}\n{% for host in groups['neutron-server'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_horizon | bool %}\nlisten horizon\n  bind {{ kolla_internal_vip_address }}:{{ horizon_port }}\n  balance source\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['horizon'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ horizon_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\n{% if haproxy_enable_external_vip | bool %}\n{% if kolla_enable_tls_external | bool %}\nlisten horizon_external\n  bind {{ kolla_external_vip_address }}:443 {{ tls_bind_info }}\n  balance source\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['horizon'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ horizon_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nfrontend horizon_external_redirect\n   bind {{ kolla_external_vip_address }}:{{ horizon_port }}\n   redirect scheme https code 301 if !{ ssl_fc }\n{% else %}\nlisten horizon_external\n  bind {{ kolla_external_vip_address }}:{{ horizon_port }}\n{% for host in groups['horizon'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ horizon_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n{% endif %}\n\n{% if enable_cinder | bool %}\nlisten cinder_api\n  bind {{ kolla_internal_vip_address }}:{{ cinder_api_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['cinder-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten cinder_api_external\n  bind {{ kolla_external_vip_address }}:{{ cinder_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['cinder-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_cloudkitty | bool %}\nlisten cloudkitty_api\n  bind {{ kolla_internal_vip_address }}:{{ cloudkitty_api_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['cloudkitty-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten cloudkitty_api_external\n  bind {{ kolla_external_vip_address }}:{{ cloudkitty_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['cloudkitty-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cloudkitty_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_octavia | bool %}\nlisten octavia_api\n  bind {{ kolla_internal_vip_address }}:{{ octavia_api_port }}\n  http-request del-header X-Forwarded-Proto\n{% for host in groups['octavia-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ octavia_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\n{% if haproxy_enable_external_vip | bool %}\nlisten octavia_api_external\n  bind {{ kolla_external_vip_address }}:{{ octavia_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['octavia-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ octavia_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_panko | bool %}\nlisten panko_api\n  bind {{ kolla_internal_vip_address }}:{{ panko_api_port }}\n  http-request del-header X-Forwarded-Proto\n{% for host in groups['panko-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ panko_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten panko_api_external\n  bind {{ kolla_external_vip_address }}:{{ panko_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['panko-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ panko_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_heat | bool %}\nlisten heat_api\n  bind {{ kolla_internal_vip_address }}:{{ heat_api_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['heat-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten heat_api_cfn\n  bind {{ kolla_internal_vip_address }}:{{ heat_api_cfn_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['heat-api-cfn'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten heat_api_external\n  bind {{ kolla_external_vip_address }}:{{ heat_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['heat-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten heat_api_cfn_external\n  bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['heat-api-cfn'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_grafana | bool %}\nlisten grafana_server\n  bind {{ kolla_internal_vip_address }}:{{ grafana_server_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['grafana'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten grafana_server_external\n  bind {{ kolla_external_vip_address }}:{{ grafana_server_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['grafana'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ grafana_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_ironic | bool %}\nlisten ironic_api\n  bind {{ kolla_internal_vip_address }}:{{ ironic_api_port }}\n{% for host in groups['ironic-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\nlisten ironic_inspector\n  bind {{ kolla_internal_vip_address }}:{{ ironic_inspector_port }}\n{% for host in groups['ironic-inspector'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_inspector_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten ironic_api_external\n  bind {{ kolla_external_vip_address }}:{{ ironic_api_port }} {{ tls_bind_info }}\n{% for host in groups['ironic-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\nlisten ironic_inspector_external\n  bind {{ kolla_external_vip_address }}:{{ ironic_inspector_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['ironic-inspector'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_inspector_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_karbor | bool %}\nlisten karbor_api\n  bind {{ kolla_internal_vip_address }}:{{ karbor_api_port }}\n{% for host in groups['karbor-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ karbor_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten karbor_api_external\n  bind {{ kolla_external_vip_address }}:{{ karbor_api_port }} {{ tls_bind_info }}\n{% for host in groups['karbor-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ karbor_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n\n{% if enable_freezer | bool %}\nlisten freezer_api\n  bind {{ kolla_internal_vip_address }}:{{ freezer_api_port }}\n{% for host in groups['freezer-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ freezer_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten freezer_api_external\n  bind {{ kolla_external_vip_address }}:{{ freezer_api_port }} {{ tls_bind_info }}\n{% for host in groups['freezer-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ freezer_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n\n{% if enable_senlin | bool %}\nlisten senlin_api\n  bind {{ kolla_internal_vip_address }}:{{ senlin_api_port }}\n{% for host in groups['senlin-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ senlin_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten senlin_api_external\n  bind {{ kolla_external_vip_address }}:{{ senlin_api_port }} {{ tls_bind_info }}\n{% for host in groups['senlin-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ senlin_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_solum | bool %}\nlisten solum_application_deployment\n  bind {{ kolla_internal_vip_address }}:{{ solum_application_deployment_port }}\n{% for host in groups['solum-application-deployment'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_application_deployment_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten solum_image_builder\n  bind {{ kolla_internal_vip_address }}:{{ solum_image_builder_port }}\n{% for host in groups['solum-image-builder'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_image_builder_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten solum_application_deployment_external\n  bind {{ kolla_external_vip_address }}:{{ solum_application_deployment_port }} {{ tls_bind_info }}\n{% for host in groups['solum-application-deployment'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_application_deployment_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n\nlisten solum_image_builder_external\n  bind {{ kolla_external_vip_address }}:{{ solum_image_builder_port }} {{ tls_bind_info }}\n{% for host in groups['solum-image-builder'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ solum_image_builder_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_swift | bool %}\nlisten swift_api\n  bind {{ kolla_internal_vip_address }}:{{ swift_proxy_server_port }}\n{% for host in groups['swift-proxy-server'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten swift_api_external\n  bind {{ kolla_external_vip_address }}:{{ swift_proxy_server_port }} {{ tls_bind_info }}\n{% for host in groups['swift-proxy-server'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_murano | bool %}\nlisten murano_api\n  bind {{ kolla_internal_vip_address }}:{{ murano_api_port }}\n{% for host in groups['murano-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten murano_api_external\n  bind {{ kolla_external_vip_address }}:{{ murano_api_port }} {{ tls_bind_info }}\n{% for host in groups['murano-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_manila | bool %}\nlisten manila_api\n  bind {{ kolla_internal_vip_address }}:{{ manila_api_port }}\n{% for host in groups['manila-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ manila_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten manila_api_external\n  bind {{ kolla_external_vip_address }}:{{ manila_api_port }} {{ tls_bind_info }}\n{% for host in groups['manila-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ manila_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_magnum | bool %}\nlisten magnum_api\n  bind {{ kolla_internal_vip_address }}:{{ magnum_api_port }}\n{% for host in groups['magnum-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten magnum_api_external\n  bind {{ kolla_external_vip_address }}:{{ magnum_api_port }} {{ tls_bind_info }}\n{% for host in groups['magnum-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_watcher | bool and enable_ceilometer | bool %}\nlisten watcher_api\n  bind {{ kolla_internal_vip_address }}:{{ watcher_api_port }}\n{% for host in groups['watcher-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ watcher_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten watcher_api_external\n  bind {{ kolla_external_vip_address }}:{{ watcher_api_port }} {{ tls_bind_info }}\n{% for host in groups['watcher-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ watcher_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_sahara | bool %}\nlisten sahara_api\n  bind {{ kolla_internal_vip_address }}:{{ sahara_api_port }}\n{% for host in groups['sahara-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ sahara_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten sahara_api_external\n  bind {{ kolla_external_vip_address }}:{{ sahara_api_port }} {{ tls_bind_info }}\n{% for host in groups['sahara-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ sahara_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_searchlight | bool %}\nlisten searchlight_api\n  bind {{ kolla_internal_vip_address }}:{{ searchlight_api_port }}\n{% for host in groups['searchlight-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ searchlight_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten searchlight_api_external\n  bind {{ kolla_external_vip_address }}:{{ searchlight_api_port }} {{ tls_bind_info }}\n{% for host in groups['searchlight-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ searchlight_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_ceph | bool and enable_ceph_rgw | bool %}\nlisten radosgw\n  bind {{ kolla_internal_vip_address }}:{{ rgw_port }}\n{% for host in groups['ceph-rgw'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten radosgw_external\n  bind {{ kolla_external_vip_address }}:{{ rgw_port }} {{ tls_bind_info }}\n{% for host in groups['ceph-rgw'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_kibana | bool %}\n\nuserlist kibanauser\n  user {{ kibana_user }} insecure-password {{ kibana_password }}\n\nlisten kibana\n  bind {{ kolla_internal_vip_address }}:{{ kibana_server_port }}\n  acl auth_acl http_auth(kibanauser)\n  http-request auth realm basicauth unless auth_acl\n{% for host in groups['kibana'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ kibana_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten kibana_external\n  bind {{ kolla_external_vip_address }}:{{ kibana_server_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n  acl auth_acl http_auth(kibanauser)\n  http-request auth realm basicauth unless auth_acl\n{% for host in groups['kibana'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ kibana_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_gnocchi | bool %}\nlisten gnocchi_api\n  bind {{ kolla_internal_vip_address }}:{{ gnocchi_api_port }}\n{% for host in groups['gnocchi-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ gnocchi_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten gnocchi_api_external\n  bind {{ kolla_external_vip_address }}:{{ gnocchi_api_port }} {{ tls_bind_info }}\n{% for host in groups['gnocchi-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ gnocchi_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_elasticsearch | bool %}\nlisten elasticsearch\n  option dontlog-normal\n  bind {{ kolla_internal_vip_address }}:{{ elasticsearch_port }}\n{% for host in groups['elasticsearch'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ elasticsearch_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n\n{% if enable_barbican | bool %}\nlisten barbican_api\n  bind {{ kolla_internal_vip_address }}:{{ barbican_api_port }}\n{% for host in groups['barbican-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten barbican_api_external\n  bind {{ kolla_external_vip_address }}:{{ barbican_api_port }} {{ tls_bind_info }}\n{% for host in groups['barbican-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ barbican_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_ceilometer | bool %}\nlisten ceilometer_api\n  bind {{ kolla_internal_vip_address }}:{{ ceilometer_api_port }}\n{% for host in groups['ceilometer-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ceilometer_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten ceilometer_api_external\n  bind {{ kolla_external_vip_address }}:{{ ceilometer_api_port }} {{ tls_bind_info }}\n{% for host in groups['ceilometer-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ceilometer_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_aodh | bool %}\nlisten aodh_api\n  bind {{ kolla_internal_vip_address }}:{{ aodh_api_port }}\n{% for host in groups['aodh-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ aodh_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten aodh_api_external\n  bind {{ kolla_external_vip_address }}:{{ aodh_api_port }} {{ tls_bind_info }}\n{% for host in groups['aodh-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ aodh_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_trove | bool %}\nlisten trove_api\n  bind {{ kolla_internal_vip_address }}:{{ trove_api_port }}\n{% for host in groups['trove-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ trove_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten trove_api_external\n  bind {{ kolla_external_vip_address }}:{{ trove_api_port }} {{ tls_bind_info }}\n{% for host in groups['trove-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ trove_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_congress | bool %}\nlisten congress_api\n  bind {{ kolla_internal_vip_address }}:{{ congress_api_port }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n{% for host in groups['congress-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten congress_api_external\n  bind {{ kolla_external_vip_address }}:{{ congress_api_port }} {{ tls_bind_info }}\n  http-request del-header X-Forwarded-Proto if { ssl_fc }\n  http-request set-header X-Forwarded-Proto https if { ssl_fc }\n{% for host in groups['congress-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ congress_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_designate | bool %}\nlisten designate_api\n  bind {{ kolla_internal_vip_address }}:{{ designate_api_port }}\n{% for host in groups['designate-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ designate_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten designate_api_external\n  bind {{ kolla_external_vip_address }}:{{ designate_api_port }} {{ tls_bind_info }}\n{% for host in groups['designate-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ designate_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_mistral | bool %}\nlisten mistral_api\n  bind {{ kolla_internal_vip_address }}:{{ mistral_api_port }}\n{% for host in groups['mistral-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mistral_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten mistral_api_external\n  bind {{ kolla_external_vip_address }}:{{ mistral_api_port }} {{ tls_bind_info }}\n{% for host in groups['mistral-api'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mistral_api_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n{% if enable_tacker | bool %}\nlisten tacker_server\n  bind {{ kolla_internal_vip_address }}:{{ tacker_server_port }}\n{% for host in groups['tacker'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ tacker_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% if haproxy_enable_external_vip | bool %}\n\nlisten tacker_server_external\n  bind {{ kolla_external_vip_address }}:{{ tacker_server_port }} {{ tls_bind_info }}\n{% for host in groups['tacker'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ tacker_server_port }} check inter 2000 rise 2 fall 5\n{% endfor %}\n{% endif %}\n{% endif %}\n\n# (NOTE): This defaults section deletes forwardfor as recommended by:\n#         https://marc.info/?l=haproxy&m=141684110710132&w=1\n\ndefaults\n  log global\n  mode http\n  option redispatch\n  option httplog\n  retries 3\n  timeout http-request 10s\n  timeout queue 1m\n  timeout connect 10s\n  timeout client 1m\n  timeout server 1m\n  timeout check 10s\n\n{% if enable_mariadb | bool %}\nlisten mariadb\n  mode tcp\n  timeout client 3600s\n  timeout server 3600s\n  option tcplog\n  option tcpka\n  option mysql-check user haproxy post-41\n  bind {{ kolla_internal_vip_address }}:{{ mariadb_port }}\n{% for host in groups['mariadb'] %}\n  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mariadb_port }} check inter 2000 rise 2 fall 5 {% if not loop.first %}backup{% endif %}\n\n{% endfor %}\n{% endif %}\n"}

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-24:

#37

With review 42476 patched and below knobs in by instances.yml

contrail_configuration:
METADATA_SSL_ENABLE: True

kolla_config:
  kolla_globals:
    metadata_ssl_enable: "yes"
    tls_bind_info_internal: "yes"

**********************************************
**********************************************
**********************************************

I am hitting haproxy bring up error

TASK [haproxy : Copying over haproxy.cfg] **********************************************************************************************************************************************************
failed: [10.204.217.131] (item=/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2) => {"changed": false, "item": "/root/contrail-kolla-ansible/ansible/roles/haproxy/templates/haproxy.cfg.j2", "msg": "AnsibleError: template error while templating string: expected token ':', got '}'. String: {% set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external | bool else '' %}\n{% set tls_bind_info_internal = 'ssl crt /etc/haproxy/haproxy-internal.pem' if kolla_enable_tls_internal | bool else '' %}\n{% set tls_bind_info_nova_metadata = {{ tls_bind_info_internal }} if metadata_ssl_enable | bool else '' %}\nglobal\n chroot /var/lib/haproxy\n user haproxy\n group haproxy\n daemon\n{% if orchestration_engine != 'KUBERNETES' %}\n log {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ fluentd_syslog_port }} local1\n{% endif %}\n maxconn 4000\n stats socket /var/lib/kolla/haproxy/haproxy.sock\n{% if kolla_enable_tls_external | bool %}\n ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES\n ssl-default-bind-options no-sslv3 no-tlsv10\n tune.ssl.default-dh-param 4096\n{%

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-04-24:

#38

These are just few lines of the error full logs can be found at /var/log/ansible.log on c28

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24:

#39

Review in progress for https://review.opencontrail.org/42476
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24: [Review update] master

#40

Review in progress for https://review.opencontrail.org/42483
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24: [Review update] R5.0

#41

Review in progress for https://review.opencontrail.org/42484
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24: [Review update] master

#42

Review in progress for https://review.opencontrail.org/42483
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-24: [Review update] R5.0

#43

Review in progress for https://review.opencontrail.org/42484
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25:

#44

Review in progress for https://review.opencontrail.org/42484
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] master

#46

Review in progress for https://review.opencontrail.org/42483
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] R5.0

#47

Review in progress for https://review.opencontrail.org/42484
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] master

#48

Review in progress for https://review.opencontrail.org/42483
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] contrail/ocata

#49

Review in progress for https://review.opencontrail.org/42476
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] master

#50

Review in progress for https://review.opencontrail.org/42483
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25:

#51

Review in progress for https://review.opencontrail.org/42483
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] R5.0

#52

Review in progress for https://review.opencontrail.org/42484
Submitter: alexey-mr (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] master

#53

Review in progress for https://review.opencontrail.org/42483
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] R5.0

#54

Review in progress for https://review.opencontrail.org/42484
Submitter: Andrey Pavlov (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2018-04-25: [Review update] contrail/ocata

#55

Review in progress for https://review.opencontrail.org/42476
Submitter: Andrey Pavlov (<email address hidden>)

Jeba Paulaiyan (jebap) on 2018-04-25

tags:

added: releasenote

Jeba Paulaiyan (jebap) on 2018-05-04

tags:

added: sanity
removed: sanityblocker

Revision history for this message

alexey-mr (alexey-morlang) wrote on 2018-05-16:

#56

We've discussed it yesterday and Michael's position is to wait for RHOSP13 where this feature is supported. Kolla and Helm doesn't support this feature for internal api, so we will not support it too in Kolla/Helm deployments. We agree with Michael.

Rudra, please deal with this bug as you see fit.

Revision history for this message

Sivakumar Ganapathy (hotlava51) wrote on 2018-10-09:

#57

Removed vrouter tag as it is not a vrouter bug.

tags:

removed: vrouter

Revision history for this message

Ritam Gangopadhyay (ritam) wrote on 2018-11-16:

#58

As per comment #56 metadata ssl feature is no longer supported from R5.0 so moving this bug to invalid.

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R5.0	Invalid	Critical	alexey-mr	Juniper Openstack r5.0.2
Trunk	Incomplete	Critical	alexey-mr	Juniper Openstack r5.1.0

Juniper Openstack

R5.0-micro-services provision - metadata ssl support for vrouter.

Bug Description

Other bug subscribers

Remote bug watches