[CentOS] Periodic job "neutron-ovs-tempest-fips" failing since May 18 2023

Bug #2020661 reported by Rodolfo Alonso
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
devstack | Fix Released | Undecided | Unassigned |
neutron | Invalid | High | Rodolfo Alonso |
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
yatin (yatinkarel) wrote :

The actual issue is that repos are not getting set up due to an error. It's impacting other projects too: https://bugs.launchpad.net/octavia/+bug/2020434

Changed in neutron:
status: New → Confirmed
importance: Undecided → High
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

This bug was also reported in the Octavia project: https://bugs.launchpad.net/octavia/+bug/2020434

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/884248

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/884279

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

As reported in [1], FIPS 140-3 requires that only EMS KDF is in use for TLS 1.2, after May 2023. The certificate for "trunk.rdoproject.org" does not support EMS but "trunk-centos8.rdoproject.org" does. The content of both files is the same.

[1]https://bugzilla.redhat.com/show_bug.cgi?id=2157951
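
The comment above attributes the failure to a TLS 1.2 server that does not negotiate EMS. As an added example (not part of the original thread or the devstack patch), this Python code checks a TLS 1.2 ServerHello for the extended_master_secret extension (type 23, RFC 7627); the function names and the sample handshakes are constructed for illustration.

```python
import struct

EMS_EXT = 0x0017  # extended_master_secret extension type (RFC 7627)

def server_hello_extensions(record):
    """Return the set of extension types in a one-record TLS ServerHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if hs_len < 38 or len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                    # server_version + random
    pos += 1 + body[pos]            # session_id length byte + session_id
    pos += 2 + 1                    # cipher_suite + compression_method
    if pos == len(body):            # the extensions block is optional
        return set()
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if pos > len(body) or ext_end != len(body):
        raise ValueError("malformed extensions block")
    pos += 2
    found = set()
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        found.add(ext_type)
        pos += 4 + ext_len
    if pos != ext_end:
        raise ValueError("malformed extension list")
    return found

def negotiates_ems(record):
    """True if the server echoed extended_master_secret in its ServerHello."""
    return EMS_EXT in server_hello_extensions(record)

def build_server_hello(ext_types):
    """Constructed sample: TLS 1.2 ServerHello with empty-bodied extensions."""
    exts = b"".join(struct.pack(">HH", t, 0) for t in ext_types)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if exts:
        body += struct.pack(">H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    # 35 = session_ticket, 23 = extended_master_secret (both empty in a ServerHello)
    for name, exts in [("with-ems", [35, 23]), ("without-ems", [35])]:
        print(name, "EMS negotiated:", negotiates_ems(build_server_hello(exts)))
```

The parser expects the whole ServerHello in a single TLS record; a capture split across records would need reassembly first.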

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

There is a bugzilla [1] created in order to provide EMS support for httpd/mod_ssl/openssl in CentOS7. After that, the certificate for "trunk.rdoproject.org" could support EMS too.

[1]https://bugzilla.redhat.com/show_bug.cgi?id=2209766

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/884248

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by "Rodolfo Alonso <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/884279
Reason: The devstack patch is fixing the FIPS CI issue.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

The issue has been solved in devstack [1]. Now we are using the CentOS official mirrors, which support EMS. This patch has been tested in the Neutron CI [2][3].

[1]https://review.opendev.org/c/openstack/devstack/+/884277
[2]https://review.opendev.org/c/openstack/neutron/+/884279
[3]https://zuul.opendev.org/t/openstack/build/606ed89810f34b6ba1a35c4c3d597e02/logs

Changed in neutron:
status: In Progress → Invalid
Changed in devstack:
status: New → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (master)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/884277
Committed: https://opendev.org/openstack/devstack/commit/b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c
Submitter: "Zuul (22348)"
Branch: master

commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    In order to install the rdo-release rpm from repo.fedoraproject.org,
    which does not support EMS, I'm using a workaround to wget, which works
    with non-EMS servers because it uses gnutls instead of openssl, and
    install it locally with rpm.

    This is also consistent with the CentOS 8 implementation.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672

Changed in devstack:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/890120
Committed: https://opendev.org/openstack/devstack/commit/b07c9b8cea0fc893162dae8c18adaaa066e47d14
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit b07c9b8cea0fc893162dae8c18adaaa066e47d14
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    In order to install the rdo-release rpm from repo.fedoraproject.org,
    which does not support EMS, I'm using a workaround to wget, which works
    with non-EMS servers because it uses gnutls instead of openssl, and
    install it locally with rpm.

    This is also consistent with the CentOS 8 implementation.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
    (cherry picked from commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c)

OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/890221
Committed: https://opendev.org/openstack/devstack/commit/e62f4f25f30267fb6f1b23ee598be6760a8b9fba
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e62f4f25f30267fb6f1b23ee598be6760a8b9fba
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    In order to install the rdo-release rpm from repo.fedoraproject.org,
    which does not support EMS, I'm using a workaround to wget, which works
    with non-EMS servers because it uses gnutls instead of openssl, and
    install it locally with rpm.

    This is also consistent with the CentOS 8 implementation.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
    (cherry picked from commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/890222
Committed: https://opendev.org/openstack/devstack/commit/4062cc0f85d6e865db2cc20f635a3942d4cc4dfc
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 4062cc0f85d6e865db2cc20f635a3942d4cc4dfc
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    In order to install the rdo-release rpm from repo.fedoraproject.org,
    which does not support EMS, I'm using a workaround to wget, which works
    with non-EMS servers because it uses gnutls instead of openssl, and
    install it locally with rpm.

    This is also consistent with the CentOS 8 implementation.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
    (cherry picked from commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/devstack/+/896215

OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/devstack/+/896762

OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/896215
Committed: https://opendev.org/openstack/devstack/commit/b050ce825328d895bc3fbb35475bbf7b6ddee81b
Submitter: "Zuul (22348)"
Branch: stable/xena

commit b050ce825328d895bc3fbb35475bbf7b6ddee81b
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    RDO didn't publish official release rpms for Xena and Wallaby, install
    "rdo-release-yoga" release rpm for Xena. Devstack only uses RDO
    repository for binary dependencies such as rabbitmq, openvswitch.

    Change 0da88c4af096ab95ccf438960433bb113278181e is squashed in this
    commit.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
    (cherry picked from commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c)
    (cherry picked from commit 4062cc0f85d6e865db2cc20f635a3942d4cc4dfc)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/devstack/+/896762
Committed: https://opendev.org/openstack/devstack/commit/e11905a6470df34637fa71a51e6ed446aab7df50
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e11905a6470df34637fa71a51e6ed446aab7df50
Author: Alfredo Moralejo <email address hidden>
Date: Wed May 24 21:03:28 2023 +0200

    Use RDO official CloudSIG mirrors for C9S deployments

    Instead of using RDO Trunk repo server, CentOS official mirrors provide
    a most reliable infrastructure and support EMS, which is required when
    enabling FIPS in C9S.

    RDO didn't publish official release rpms for Xena and Wallaby, install
    "rdo-release-yoga" release rpm for Xena. Devstack only uses RDO
    repository for binary dependencies such as rabbitmq, openvswitch.

    Change 0da88c4af096ab95ccf438960433bb113278181e is squashed in this
    commit.

    Closes-Bug: #2020661
    Closes-Bug: #2020434
    Change-Id: Icd99f467d47aaafaaf3ee8f2a3c4da08842cb672
    (cherry picked from commit b2ad00cb66bd38ec6179d3bd1bf41556b966dc8c)
    (cherry picked from commit 4062cc0f85d6e865db2cc20f635a3942d4cc4dfc)

tags: added: in-stable-wallaby