influxdb refused connection when haproxy configured with SSL
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kolla-ansible | Triaged | Medium | Unassigned | |
Bug Description
Hi, dear maintainer:
I deployed my OpenStack cluster with kolla-ansible, and I used the command "kolla-ansible certificates" to generate certificates for my cluster. But during the cluster deployment, the monasca component reported the error below:
fatal: [controller1 -> controller1]: FAILED! => {"changed": false, "cmd":
["docker", "exec", "influxdb", "influx", "-host", "control", "-port",
"8086", "-execute", "show databases"], "delta": "0:00:00.545854", "end":
"2020-09-23 11:21:57.603626", "msg": "non-zero return code", "rc": 1,
"start": "2020-09-23 11:21:57.057772", "stderr": "Failed to connect to
http://
connection settings and ensure 'influxd' is running.", "stderr_lines":
["Failed to connect to http://
EOF", "Please check your connection settings and ensure 'influxd' is
running."], "stdout": "", "stdout_lines": []}
After searching for this error on Google, I found the reason was that haproxy was configured with SSL, but the monasca component bootstrap task didn't use the -unsafeSsl and -ssl arguments. Its bootstrap command in tasks/bootstrap.yml was:
"docker exec influxdb influx -host {{ monasca_
and
docker exec influxdb influx -host {{ monasca_
'CREATE DATABASE {{ monasca_
REPLICATION {{ monasca_
Then in the deployment process it reported the error.
* OS (e.g. from /etc/os-release): CentOS 8.2.2004
* Kernel (e.g. `uname -a`):4.
* Docker version if applicable (e.g. `docker version`):19.03.12
* Kolla-Ansible version (e.g. `git head or tag or stable branch` or pip package version if using release)
* Docker image Install type (source/
* Docker image distribution:
* Are you using official images from Docker Hub or self built? yes
* If self built - Kolla version and environment used to build:
* Share your inventory file, globals.yml and other configuration files if relevant
Your analysis is correct - we need the -ssl argument. Ideally we would not use -unsafeSsl.