MAAS rDNS returns two hostnames that lead to Services not running that should be: apache2, SSLCertificateFile: file '/etc/apache2/ssl/*/cert_* does not exist or is empty
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Charm Helpers | Triaged | High | Unassigned |
MAAS | Fix Released | High | Christian Grabowski |
MAAS 3.3 | Fix Released | High | Christian Grabowski |
MAAS 3.4 | Fix Released | High | Christian Grabowski |
MAAS 3.5 | Fix Released | High | Christian Grabowski |
OpenStack Keystone Charm | Invalid | Undecided | Unassigned |
charm-magpie | Fix Committed | Undecided | Adam Collard |
Bug Description
maas: 1:3.3.2-
juju: 2.9.42-ubuntu-amd64
charm-keystone: latest/edge 9bdc837
charm-vault: latest/edge d8f0840
MAAS 3.3.2 (and 3.3.1 at least) returns PTR records in an inconsistent way for LXD containers created by Juju. Those LXD interfaces are managed as "devices" in MAAS.
This behavior doesn't happen with 3.2.7.
$ juju run --all 'hostname -I'
- MachineId: "0"
Stdout: "10.206.50.1 192.168.151.120 \n"
- MachineId: 0/lxd/0
Stdout: "192.168.151.121 \n"
- MachineId: 0/lxd/1
Stdout: "192.168.151.123 \n"
- MachineId: 0/lxd/2
Stdout: "192.168.151.122 \n"
$ juju run --all 'dig +short -x $(hostname -I)'
- MachineId: "0"
Stdout: |
large-wolf.
large-
- MachineId: 0/lxd/0
Stdout: |
juju-
- MachineId: 0/lxd/1
Stdout: |
juju-
eth0.
- MachineId: 0/lxd/2
Stdout: |
juju-
eth0.
^^^ MAAS DNS returns two PTR records with and without "eth0" for one IP address for some LXD containers (not all).
How to reproduce:
1. prepare MAAS provider for Juju
2. prepare 3 machines for workload (enlisting VMs as if bare metal or using Pod VMs are fine)
3. deploy a test bundle
https:/
4. unlock vault
5. repeat deployment and destroy-model until "Services not running that should be: apache2" shows up in juju status
[original description]
There are multiple reasons for ending up with "Services not running that should be: apache2". However, this bug report focuses on the following condition:
- MAAS provider
- OpenStack API services are deployed in LXD containers on top of bare metal
- one certificate is written as /etc/apache2/
- symlink creation fails from /etc/apache2/
- apache2 fails to start because of missing /etc/apache2/
> $ sudo systemctl status apache2
> × apache2.service - The Apache HTTP Server
> Loaded: loaded (/lib/systemd/
> Active: failed (Result: exit-code) since Sat 2023-03-25 12:50:59 UTC; 13h ago
> Docs: https:/
> CPU: 53ms
>
> Mar 25 12:50:59 juju-043209-2-lxd-0 systemd[1]: Starting The Apache HTTP Server...
> Mar 25 12:50:59 juju-043209-2-lxd-0 apachectl[43820]: AH00526: Syntax error on line 14 of /etc/apache2/
> Mar 25 12:50:59 juju-043209-2-lxd-0 apachectl[43820]: SSLCertificateFile: file '/etc/apache2/
> Mar 25 12:50:59 juju-043209-2-lxd-0 apachectl[43817]: Action 'start' failed.
> Mar 25 12:50:59 juju-043209-2-lxd-0 apachectl[43817]: The Apache error log may have more information.
> Mar 25 12:50:59 juju-043209-2-lxd-0 systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
> Mar 25 12:50:59 juju-043209-2-lxd-0 systemd[1]: apache2.service: Failed with result 'exit-code'.
> Mar 25 12:50:59 juju-043209-2-lxd-0 systemd[1]: Failed to start The Apache HTTP Server.
Long story short, this issue happens when the responses to a reverse DNS lookup of an IP address are inconsistent in get_hostname().
https:/
In this case, the keystone charm uses the initial get_request() call to request a certificate and writes the cert based on the output. Then the charm uses the second get_request() call to get a path to create a symlink to, which then ends up pointing at no such file.
https:/
[requested and written cert]
/etc/apache2/
-> exists
[the patch trying to create a symlink to]
/etc/apache2/
-> does not exist
unit-keystone-2: 12:45:41 WARNING unit.keystone/
unit-keystone-2: 12:50:54 WARNING unit.keystone/
This is due to how MAAS DNS works.
$ dig +short @192.168.151.1 -x 192.168.151.131
eth0.juju-
juju-043209-
$ grep -I -C1 -r juju-043209-2-lxd-0 /var/lib/bind/maas/
/var/lib/
/var/lib/
/var/lib/
/var/lib/
--
/var/lib/
/var/lib/
/var/lib/
/var/lib/
>>> str(dns.
'juju-043209-
>>> str(dns.
'eth0.juju-
>>> str(dns.
'juju-043209-
>>> str(dns.
'eth0.juju-
>>> str(dns.
'juju-043209-
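The lookup race described above, reproduced as an added example in Python. This is not code from the bug report, charm-helpers, the keystone charm or MAAS. It simulates a DNS server that rotates the order of a two-record PTR RRset between queries, shows how a get_hostname() that takes the first answer yields different cert paths across two calls (the write path and the symlink target), contrasts a deterministic choice over the whole RRset, and includes a pre-deploy check that lists addresses with more than one PTR. The full hostnames, the ".maas" domain and the ssl directory layout are assumptions; the report truncates them.

```python
import itertools
import posixpath
from typing import Callable, Dict, List, Tuple

# Constructed PTR data modelled on the dig output in the report: one LXD
# container address with two PTR records (with and without the "eth0."
# interface prefix) and one address with a single record. The complete
# names and the ".maas" domain are assumptions.
PTR_ANSWERS: Dict[str, List[str]] = {
    "192.168.151.131": ["eth0.juju-043209-2-lxd-0.maas", "juju-043209-2-lxd-0.maas"],
    "192.168.151.121": ["juju-043209-0-lxd-0.maas"],
}

# Assumed layout: one cert_<hostname> file per host under a single directory.
SSL_DIR = "/etc/apache2/ssl/keystone"


class RotatingResolver:
    """Stand-in for a DNS server that rotates RRset order between queries."""

    def __init__(self, answers: Dict[str, List[str]]):
        self._answers = answers
        self._offset = {ip: itertools.cycle(range(len(names))) for ip, names in answers.items()}

    def reverse(self, ip: str) -> List[str]:
        names = self._answers[ip]
        start = next(self._offset[ip])
        return names[start:] + names[:start]


def get_hostname_first(resolver: RotatingResolver, ip: str) -> str:
    """Takes whichever PTR comes first; the result depends on server ordering."""
    return resolver.reverse(ip)[0]


def get_hostname_stable(resolver: RotatingResolver, ip: str) -> str:
    """Deterministic choice over the whole RRset: shortest name, then lexicographic,
    which prefers the bare host name over an interface-prefixed alias."""
    return min(resolver.reverse(ip), key=lambda n: (len(n), n))


def plan_cert_paths(lookup: Callable[[str], str], ip: str) -> Tuple[str, str]:
    """Two independent lookups, mirroring the charm: one when the cert is written,
    a second one later when the symlink target is computed."""
    written = posixpath.join(SSL_DIR, "cert_" + lookup(ip))
    linked = posixpath.join(SSL_DIR, "cert_" + lookup(ip))
    return written, linked


def symlink_breaks(lookup: Callable[[str], str], ip: str) -> bool:
    """True when the symlink would point at a cert file that was never written."""
    written, linked = plan_cert_paths(lookup, ip)
    return written != linked


def first_lookup_breaks(ip: str) -> bool:
    """Outcome with a first-answer get_hostname() against a fresh rotating server."""
    resolver = RotatingResolver(PTR_ANSWERS)
    return symlink_breaks(lambda a: get_hostname_first(resolver, a), ip)


def stable_lookup_breaks(ip: str) -> bool:
    """Outcome with the deterministic get_hostname() against a fresh rotating server."""
    resolver = RotatingResolver(PTR_ANSWERS)
    return symlink_breaks(lambda a: get_hostname_stable(resolver, a), ip)


def ambiguous_ptrs(answers: Dict[str, List[str]]) -> List[str]:
    """Pre-deploy check: addresses whose reverse zone carries more than one PTR."""
    return sorted(ip for ip, names in answers.items() if len(set(names)) > 1)


if __name__ == "__main__":
    for ip in PTR_ANSWERS:
        print(ip, "first-answer breaks symlink:", first_lookup_breaks(ip),
              "stable breaks symlink:", stable_lookup_breaks(ip))
    print("addresses with multiple PTRs:", ambiguous_ptrs(PTR_ANSWERS))
```

The deterministic selection only hides the mismatch on the client side; the address with two PTRs is still the thing to fix in the reverse zone, which is why the check in ambiguous_ptrs is worth running against real dig +short -x output before deploying.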
Related branches
- MAAS Lander: Approve; Christian Grabowski: Approve
  Diff: 399 lines (+291/-36), 2 files modified
    src/maasserver/triggers/system.py (+78/-20)
    src/maasserver/triggers/tests/test_system.py (+213/-16)
- Thorsten Merten: Approve
  Diff: 211 lines (+170/-9), 2 files modified
    src/maasserver/triggers/system.py (+28/-9)
    src/maasserver/triggers/tests/test_system.py (+142/-0)
- MAAS Lander: Approve; Alberto Donato (community): Approve
  Diff: 211 lines (+170/-9), 2 files modified
    src/maasserver/triggers/system.py (+28/-9)
    src/maasserver/triggers/tests/test_system.py (+142/-0)
- Adam Collard (community): Approve; MAAS Lander: Approve
  Diff: 209 lines (+122/-28), 2 files modified
    src/maasserver/triggers/system.py (+51/-12)
    src/maasserver/triggers/tests/test_system.py (+71/-16)
summary:
- Services not running that should be: apache2, SSLCertificateFile: file '/etc/apache2/ssl/*/cert_* does not exist or is empty
+ MAAS rDNS returns two hostnames that lead to Services not running that should be: apache2, SSLCertificateFile: file '/etc/apache2/ssl/*/cert_* does not exist or is empty
Changed in maas:
status: Triaged → New
milestone: 3.4.0 → none
Changed in maas:
status: New → In Progress
milestone: none → 3.4.0
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Confirmed → Triaged
Changed in maas:
status: Triaged → In Progress
Changed in charm-magpie:
status: New → Incomplete
status: Incomplete → In Progress
Changed in charm-magpie:
status: In Progress → Fix Committed
assignee: nobody → Adam Collard (adam-collard)
Changed in maas:
milestone: 3.5.0 → 3.5.0-beta1
status: Fix Committed → Fix Released
Steps 3 & 4 can be unattended as follows.
====
juju destroy-model keystone-test --no-wait --force -y; \
juju add-model keystone-test maas && \
juju deploy ./keystone-ha_vault_edge.yaml && time juju-wait -w --exclude vault

VAULT_ADDR="http://$(juju run --unit vault/leader -- network-get certificates --ingress-address):8200"
export VAULT_ADDR

vault_init_output="$(vault operator init -key-shares=1 -key-threshold=1 -format json)"
vault operator unseal "$(echo "$vault_init_output" | jq -r '.unseal_keys_b64[]')"

VAULT_TOKEN="$(echo "$vault_init_output" | jq -r .root_token)"
export VAULT_TOKEN

juju run-action --wait vault/leader authorize-charm \
    token="$(vault token create -ttl=10m -format json | jq -r .auth.client_token)"

juju run-action vault/leader --wait generate-root-ca
====