kolla-ansible

Scaling out to a new keystone host with --limit overwrites existing fernet keys

Bug #1891364 reported by Mark Goddard on 2020-08-12

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
kolla-ansible	Fix Released	Medium	Mark Goddard	kolla-ansible 11.0.0 "victoria"
Ussuri	Fix Released	Medium	Mark Goddard
Victoria	Fix Released	Medium	Mark Goddard	kolla-ansible 11.0.0 "victoria"

Bug Description

Steps to reproduce:

* Deploy a cloud
* Add another controller to the inventory
* Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

New fernet keys are generated on the new controller, and pushed out to the existing controllers. This invalidates tokens created from those keys.

Tags:

Mark Goddard (mgoddard) on 2020-08-12

Changed in kolla-ansible:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Mark Goddard (mgoddard) wrote on 2020-08-13:

Related: https://bugs.launchpad.net/kolla-ansible/+bug/1748065

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-13: Fix proposed to kolla-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/746148

Changed in kolla-ansible:
assignee:	nobody → Mark Goddard (mgoddard)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-24: Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/746148
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=8389140f0581b6c32c5ee8c7adb9d9f42bb5e321
Submitter: Zuul
Branch: master

commit 8389140f0581b6c32c5ee8c7adb9d9f42bb5e321
Author: Mark Goddard <email address hidden>
Date: Thu Aug 13 09:57:00 2020 +0100

Prevent overwriting existing Keystone Fernet keys

Steps to reproduce:

    * Deploy a cloud
    * Add another controller to the inventory
    * Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

    New fernet keys are generated on the new controller, and pushed out to
    the existing controllers. This invalidates tokens created from those
    keys.

    This change prevents the above scenario from happening, by failing the
    deployment if there are no hosts with existing Ferney keys to
    distribute, and not all Keystone hosts are in the target host list.

Closes-Bug: #1891364

Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457

Changed in kolla-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-24: Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/747786

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-24: Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/747788

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-24: Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/747786
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=15d689044a0c406cf8ddce07f5511e33e3f66073
Submitter: Zuul
Branch: stable/ussuri

commit 15d689044a0c406cf8ddce07f5511e33e3f66073
Author: Mark Goddard <email address hidden>
Date: Thu Aug 13 09:57:00 2020 +0100

Prevent overwriting existing Keystone Fernet keys

Steps to reproduce:

    * Deploy a cloud
    * Add another controller to the inventory
    * Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

    New fernet keys are generated on the new controller, and pushed out to
    the existing controllers. This invalidates tokens created from those
    keys.

Closes-Bug: #1891364

Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
(cherry picked from commit 8389140f0581b6c32c5ee8c7adb9d9f42bb5e321)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-08-25: Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/747788
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=2750a08359990afcb9fe5b3c229f775e5a33e86f
Submitter: Zuul
Branch: stable/train

commit 2750a08359990afcb9fe5b3c229f775e5a33e86f
Author: Mark Goddard <email address hidden>
Date: Thu Aug 13 09:57:00 2020 +0100

Prevent overwriting existing Keystone Fernet keys

Backport note: added kolla_container_facts and group_by tasks which did
not exist in Train & earlier.

Steps to reproduce:

    * Deploy a cloud
    * Add another controller to the inventory
    * Deploy to the new controller using --limit:

kolla-ansible deploy --limit new-controller

Expected results:

The new controller uses the cluster's existing fernet keys.

Actual results:

    New fernet keys are generated on the new controller, and pushed out to
    the existing controllers. This invalidates tokens created from those
    keys.

Closes-Bug: #1891364

Change-Id: If0c0e038b77fc010a3a017f9841a674d53b16457
(cherry picked from commit 8389140f0581b6c32c5ee8c7adb9d9f42bb5e321)

tags:

added: in-stable-train

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-01-07: Fix included in openstack/kolla-ansible 10.2.0

This issue was fixed in the openstack/kolla-ansible 10.2.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-01-07: Fix included in openstack/kolla-ansible 9.3.0

This issue was fixed in the openstack/kolla-ansible 9.3.0 release.