influxdb refused connection when haproxy configured with SSL

Bug #1896719 reported by afei coach
This bug affects 4 people
Affects: kolla-ansible
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi, dear maintainer:
   I deployed my OpenStack cluster with kolla-ansible, and I used the command "kolla-ansible certificates" to generate certificates for my cluster. But during the cluster deployment, the monasca component reported the error below:

fatal: [controller1 -> controller1]: FAILED! => {"changed": false, "cmd":
["docker", "exec", "influxdb", "influx", "-host", "control", "-port",
"8086", "-execute", "show databases"], "delta": "0:00:00.545854", "end":
"2020-09-23 11:21:57.603626", "msg": "non-zero return code", "rc": 1,
"start": "2020-09-23 11:21:57.057772", "stderr": "Failed to connect to
http://control:8086: Get http://control:8086/ping: EOF\nPlease check your
connection settings and ensure 'influxd' is running.", "stderr_lines":
["Failed to connect to http://control:8086: Get http://control:8086/ping:
EOF", "Please check your connection settings and ensure 'influxd' is
running."], "stdout": "", "stdout_lines": []}

After searching for this error on Google, I found the reason was that haproxy was configured with SSL, but the monasca component bootstrap task didn't use the -unsafeSsl and -ssl arguments. Its bootstrap command in tasks/bootstrap.yml was:

"docker exec influxdb influx -host {{ monasca_influxdb_address }} -port {{ monasca_influxdb_http_port }} -execute 'show databases'"

and

docker exec influxdb influx -host {{ monasca_influxdb_address }} -port {{ monasca_influxdb_http_port }} -execute
    'CREATE DATABASE {{ monasca_influxdb_name }} WITH DURATION {{ monasca_influxdb_retention_policy.duration }}
    REPLICATION {{ monasca_influxdb_retention_policy.replication_count }} NAME {{ monasca_influxdb_retention_policy.name }}'

Then in the deployment process it reported the error.

* OS (e.g. from /etc/os-release): CentOS 8.2.2004
* Kernel (e.g. `uname -a`):4.18.0-193.el8.x86_64 #1 SMP Fri May 8 10:59:10 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
* Docker version if applicable (e.g. `docker version`):19.03.12
* Kolla-Ansible version (e.g. `git head or tag or stable branch` or pip package version if using release):10.1.1.dev80
* Docker image Install type (source/binary):source
* Docker image distribution:
* Are you using official images from Docker Hub or self built? yes
* If self built - Kolla version and environment used to build:
* Share your inventory file, globals.yml and other configuration files if relevant

Mark Goddard (mgoddard) wrote :

Your analysis is correct - we need the -ssl argument. Ideally we would not use -unsafeSsl.

Changed in kolla-ansible:
status: New → Triaged
importance: Undecided → Medium
Mark Goddard (mgoddard) wrote :

Is this something you can provide a fix for?

Leandro Pantoja (lpantojaa) wrote :

Hi, I am having the same problem, did you find a temporary or permanent fix?

Thank you

Oliver Nixon (onixon) wrote :

Hi, I'm also having this problem. Is anyone aware of a workaround?

Thanks

Oliver Nixon (onixon) wrote :

I have found a workaround for this bug.

You need to disable SSL on the influxdb frontend by modifying the HAProxy config on your controllers in /etc/kolla/haproxy/services.d/influxdb.cfg

On the line that starts with 'bind', remove everything after the ':8086'

Also modify the http-request set-header rule to look like this: http-request set-header X-Forwarded-Proto https

Once you've done the above your configuration should look like below:

frontend influxdb_http_front
    mode http
    http-request del-header X-Forwarded-Proto
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    bind VIP-IP-HERE:8086
    default_backend influxdb_http_back

backend influxdb_http_back
    mode http
    server control-server-1 control-ip-1:8086 check inter 2000 rise 2 fall 5
    server control-server-2 control-ip-2:8086 check inter 2000 rise 2 fall 5
    server control-server-3 control-server-ip-34:8086 check inter 2000 rise 2 fall 5
    server monitoring-server-1 monitoring-server-ip-:8086 check inter 2000 rise 2 fall 5

To ensure this configuration persists on any subsequent kolla-ansible actions, be sure to place it on your kolla-ansible server in /etc/kolla/config/haproxy/services.d/influxdb.cfg (you'll need to create this directory first)
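
Added example, not part of the original thread or of kolla-ansible: a small Python audit that reads HAProxy frontend sections and reports any frontend that sets X-Forwarded-Proto to https while binding without ssl, which is the state the workaround above leaves port 8086 in, and which frontends require the influx -ssl flag. The addresses, the second frontend and the certificate path in the sample are constructed placeholders.

```python
import re

# Constructed sample: the workaround frontend from the comment above next to a
# TLS-terminating one. Addresses, second frontend and cert path are placeholders.
SAMPLE_CFG = """\
frontend influxdb_http_front
    mode http
    http-request del-header X-Forwarded-Proto
    http-request set-header X-Forwarded-Proto https
    bind 192.0.2.10:8086
    default_backend influxdb_http_back

frontend example_tls_front
    mode http
    http-request set-header X-Forwarded-Proto https
    bind 192.0.2.10:8087 ssl crt /path/to/placeholder.pem
    default_backend example_back
"""

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
CLAIMS_HTTPS = re.compile(r"http-request\s+set-header\s+X-Forwarded-Proto\s+https\b", re.I)

def audit_frontends(cfg_text):
    """Map each frontend/listen section to its binds and whether it claims https."""
    report, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        words = line.split()
        if not words:
            continue
        if words[0] in SECTIONS:
            # Only frontend/listen sections accept client connections.
            named = words[0] in ("frontend", "listen") and len(words) > 1
            current = report.setdefault(words[1], {"binds": [], "claims_https": False}) if named else None
        elif current is not None and words[0] == "bind" and len(words) > 1:
            current["binds"].append((words[1], "ssl" in words[2:]))  # (address, TLS?)
        elif current is not None and CLAIMS_HTTPS.match(line):
            current["claims_https"] = True
    for info in report.values():
        # Mismatch: header says https, but at least one bind accepts plaintext.
        info["mismatch"] = info["claims_https"] and any(not tls for _, tls in info["binds"])
        # influx CLI flag a client of this frontend needs (-ssl is the flag named in the bug).
        info["influx_flags"] = ["-ssl"] if info["binds"] and all(t for _, t in info["binds"]) else []
    return report

if __name__ == "__main__":
    for name, info in audit_frontends(SAMPLE_CFG).items():
        print(name, info)
```

A frontend reported with mismatch set carries InfluxDB traffic to the VIP unencrypted even though backends are told the request arrived over https.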
