Juniper Openstack

fab setup_all fails while setting up ceilometer if we enabled SSL in the setup

Series r3.2
Bug #1645570

Bug #1645570 reported by musharani on 2016-11-29

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	Critical	Ignatious Johnson Christopher
R3.0.3.x	Fix Committed	Critical	Ignatious Johnson Christopher
R3.1	Fix Committed	Critical	Ignatious Johnson Christopher	Juniper Openstack r3.1.2.0
R3.1.1.x	Fix Committed	Critical	Ignatious Johnson Christopher
R3.2	Fix Committed	Critical	Ignatious Johnson Christopher	Juniper Openstack r3.2.0.0-fcs "r3.2.0.0"
Trunk	Fix Committed	Critical	Ignatious Johnson Christopher	Juniper Openstack r4.0.0.0-fcs "r4.0.0.0"

Bug Description

The setup_all fails while setting up ceilometer and errors out with following error:
This is seen on single/multi-node and HA setup, sometimes the problem is not seen after re-running setup_all from target.

2016-11-28 16:48:53:486516: [root@10.204.217.133] out: InsecurePlatformWarning
2016-11-28 16:48:53:486635: [root@10.204.217.133] out: Authorization Failed: SSL exception connecting to https://10.204.217.170:5000/v2.0/tokens: [Errno 1] _ssl.c:510: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2016-11-28 16:48:53:494515: [root@10.204.217.133] out:
2016-11-28 16:48:53:526349:

2016-11-28 16:48:53:542907: Fatal error: sudo() received nonzero return code 1 while executing!
2016-11-28 16:48:53:542907:
2016-11-28 16:48:53:542907: Requested: source /etc/contrail/openstackrc;keystone --insecure user-create --name=ceilometer --pass=CEILOMETER_PASS --tenant=service --<email address hidden>
2016-11-28 16:48:53:542907: Executed: sudo -S -p 'sudo password:' /bin/bash -l -c "source /etc/contrail/openstackrc;keystone --insecure user-create --name=ceilometer --pass=CEILOMETER_PASS --tenant=service --<email address hidden>"
2016-11-28 16:48:53:542907:
2016-11-28 16:48:53:542993: Aborting.

Observing following stack trace in ceilometer-agent-central.log:

2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client [req-f123f7f0-20a2-4051-b2ab-0fbf213d0c3d admin - - - -] Unable to establish connection to http://localhost:5000/v2.0/tokens
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client Traceback (most recent call last):
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/ceilometer/nova_client.p
y", line 52, in with_logging2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return func(*args, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/ceilometer/nova_client.p
y", line 171, in instance_get_all2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client search_opts=search_opts)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/novaclient/v2/servers.py
", line 749, in list2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client "servers")
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/novaclient/base.py", lin
e 242, in _list2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client resp, body = self.api.client.get(url)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py
", line 173, in get2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return self.request(url, 'GET', **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return self.request(url, 'GET', **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 89, in request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 331, in request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 98, in request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return self.session.request(url, method, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return func(*args, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 370, in request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client auth_headers = self.get_auth_headers(auth)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 624, in get_auth_headers
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return auth.get_headers(self, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/plugin.py", line 84, in get_headers
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client token = self.get_token(session)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 90, in get_token
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return self.get_access(session).auth_token
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 136, in get_access
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client self.auth_ref = self.get_auth_ref(session)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/identity/v2.py", line 65, in get_auth_ref
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client authenticated=False, log=False)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 572, in post
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return self.request(url, 'POST', **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client return func(*args, **kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 452, in request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client resp = send(**kwargs)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client File "/usr/lib/python2.7/dist-packages/keystoneauth1/session.py", line 496, in _send_request
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client raise exceptions.ConnectFailure(msg)
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client ConnectFailure: Unable to establish connection to http://localhost:5000/v2.0/tokens
2016-11-28 17:05:41.167 7708 ERROR ceilometer.nova_client
2016-11-28 17:05:41.175 7708 INFO ceilometer.agent.manager [req-f123f7f0-20a2-4051-b2ab-0fbf213d0c3d admin - - - -] Skip pollster hardware.network.ip.outgoing.datagrams, no resources found this cycle

Tags:

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-11-30: [Review update] R3.2

Review in progress for https://review.opencontrail.org/26574
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-02: A change has been merged

Reviewed: https://review.opencontrail.org/26574
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Nov 29 11:24:31 2016 -0800

fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup.
fix keystone haproxy backend syntax to support ssl.

Change-Id: Ifd49cdff38ec63c5f7a8d9aa25d497f026f19e7b
Closes-Bug: 1645570

Ignatious Johnson Christopher (ijohnson-x) on 2016-12-02

Changed in juniperopenstack:
milestone:	none → r4.0

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-02: [Review update] master

Review in progress for https://review.opencontrail.org/26698
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-04: A change has been merged

#12

Reviewed: https://review.opencontrail.org/26698
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2
Submitter: Zuul (<email address hidden>)
Branch: master

commit 0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Nov 29 11:24:31 2016 -0800

fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup.
fix keystone haproxy backend syntax to support ssl.

Closes-Bug: 1645570
(cherry picked from commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00)

Conflicts:
fabfile/tasks/ssl.py
Change-Id: Ifd49cdff38ec63c5f7a8d9aa25d497f026f19e7b

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-05: [Review update] R3.1

#13

Review in progress for https://review.opencontrail.org/26787
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-06: A change has been merged

#17

Reviewed: https://review.opencontrail.org/26787
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/e122c304093be512057e0ffa1d3d4ffb7e08c926
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit e122c304093be512057e0ffa1d3d4ffb7e08c926
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Nov 29 11:24:31 2016 -0800

fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup.
fix keystone haproxy backend syntax to support ssl.

Closes-Bug: 1645570
(cherry picked from commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00)

Conflicts:
fabfile/tasks/ssl.py
(cherry picked from commit 0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2)

Conflicts:
fabfile/tasks/provision.py

Closes-Bug: 1647243
Change-Id: I06740c325a3864b122419ebb7fe77b86cefa23b9

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07: [Review update] master

#19

Review in progress for https://review.opencontrail.org/26922
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07: [Review update] R3.2

#21

Review in progress for https://review.opencontrail.org/26923
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07: [Review update] R3.1

#23

Review in progress for https://review.opencontrail.org/26924
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07: A change has been merged

#25

Reviewed: https://review.opencontrail.org/26922
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/cbf3a617057b648783d72a366509f95d89c7afc1
Submitter: Zuul (<email address hidden>)
Branch: master

commit cbf3a617057b648783d72a366509f95d89c7afc1
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Dec 6 22:21:47 2016 -0800

Ceilometer config file needs to be populated with
keystone certs or insecure flag for it to communicate
with SSL enabled keystone and check for ceilometer support
in respective nodes.

Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38
Closes-Bug: 1645570

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07:

#26

Reviewed: https://review.opencontrail.org/26924
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/9dca170f34951b9dd2c49ec30fcc3c8a01dc978f
Submitter: Zuul (<email address hidden>)
Branch: R3.1

commit 9dca170f34951b9dd2c49ec30fcc3c8a01dc978f
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Dec 6 22:21:47 2016 -0800

Ceilometer config file needs to be populated with
keystone certs or insecure flag for it to communicate
with SSL enabled keystone and check for ceilometer support
in respective nodes.

Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38
Closes-Bug: 1645570

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-07:

#28

Reviewed: https://review.opencontrail.org/26923
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/08abf91796f5504259fc9eafbb2ad99b0b02ab0c
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 08abf91796f5504259fc9eafbb2ad99b0b02ab0c
Author: Ignatious Johnson Christopher <email address hidden>
Date: Tue Dec 6 22:21:47 2016 -0800

Ceilometer config file needs to be populated with
keystone certs or insecure flag for it to communicate
with SSL enabled keystone and check for ceilometer support
in respective nodes.

Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38
Closes-Bug: 1645570

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-15: [Review update] R3.0.3.x

#29

Review in progress for https://review.opencontrail.org/27317
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-12-15: A change has been merged

#31

Download full text (3.5 KiB)

Reviewed: https://review.opencontrail.org/27317
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/a592dc662e24bb809e627ffaa4de37de52c3982f
Submitter: Zuul (<email address hidden>)
Branch: R3.0.3.x

commit a592dc662e24bb809e627ffaa4de37de52c3982f
Author: Ignatious Johnson Christopher <email address hidden>
Date: Mon Nov 14 15:13:32 2016 -0800

Identifying rabbit port based on openstack HA or contrail HA
setup.

Change-Id: I0bc98c367ed4a69998626fea12132f9d2a9ce213
Closes-Bug: 1616178
(cherry picked from commit be827302029889299487443020107c38c5b22914)

Make the /etc/contrail/ssl/ directory before copying the ssl certs to the
other cfgm nodes from the first cfgm.

Change-Id: I39022479804f9323b7b5235ce60844d891444dd0
Closes-Bug: 1645433
(cherry picked from commit a2b89e61fa8491ea6c440466b923119523fa6c70)
(cherry picked from commit 08bae9e992d44c70a1580c2e9b8fd593da3d5d73)

fix ceilometer.conf to point to https auth uri in a ssl enabled keystone setup.
fix keystone haproxy backend syntax to support ssl.

(cherry picked from commit bb6bd44e59de36ae8dfe5b4c18975bbef53d6a00)

(cherry picked from commit 0ddd551e0952b9336fb48c9ec3a1e783bb1b15e2)

Closes-Bug: 1647243
Change-Id: I06740c325a3864b122419ebb7fe77b86cefa23b9
(cherry picked from commit e122c304093be512057e0ffa1d3d4ffb7e08c926)

Removing heartbeat parmameter, so that the default value 60 sec will be used.
If we need to override this value in rabbitmq.config, we also need to set
'rabbit_health_check_interval' in the contrail-api.conf to twice the value of
heartbeat set in rabbitmq.config.

Change-Id: I22fab8a3cc7a0b076ae3f642d16029ba5dab8e2f
Partial-Bug: 1639014
(cherry picked from commit 0697528c97e975a4d7498cfb33c5cc5e77801961)

zookeeper is moved to cfgm and cassandra will be running
in both cfgm and database nodes, So making backup_restore
procedure to accomadate this.

Change-Id: I66121bbc28609e8c3d48ba52586580d28606aae9
Closs-Bug: 1636344
(cherry picked from commit 04817d0d1b1772d1782aa4303304aba30716ab5e)

Ceilometer config file needs to be populated with
keystone certs or insecure flag for it to communicate
with SSL enabled keystone and check for ceilometer support
in respective nodes.

Change-Id: If736de02b73aefeb477cc73a6c9e92cbf2ec8f38
Closes-Bug: 1645570
(cherry picked from commit 08abf91796f5504259fc9eafbb2ad99b0b02ab0c)

We have to provison both keystone/config-api as https in contrail-cloud deployment.
In contrail-networking deployments we have option of provisioning config-api
with https and using keystone which is pre provisioned with http.
The deployment of keystone with https and config-api with http is not recommended.

Change-Id: If66b897ba95562150920bcd9843895fb48af743d
Closes-Bug: 639074
(cherry picked from commit 93eccbc57752679a1e4e87654f231b12da84c88b)

SSL copy to other nodes in the HA cluster fails during parallel
execution, Fixing it by creating seperate temp files during copy.

Change-Id: I8f25ebaf5970403950e5966fa04ea09810633dfe
Closes-Bug: 1649470
(cherry picked from commit 09a392800c5bd7bc18915ff8123230a9bab9d3a0)

Do not override the user specified cfgm host.

Change-Id: I68ab3e474cca8053cead501a93e29b80017f317b
Closes-Bug: 1649679
(...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.