Rebuilding keystone[0] container breaks credential keys
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible |
Fix Released
|
Critical
|
Logan V |
Bug Description
In the process of rebuilding the keystone[0] container for my env I seem to have ended up in an unrecoverable situation where the credential keys are lost.
What I'm seeing is os-keystone-install failing with:
TASK [os_keystone : include] *******
included: /etc/ansible/
TASK [os_keystone : include] *******
included: /etc/ansible/
TASK [os_keystone : Check if credential keys already exist] *******
ok: [lsn-mc1008_
TASK [os_keystone : Create credential keys for Keystone] *******
TASK [os_keystone : Ensure newest key is used for credential in Keystone] ******
fatal: [lsn-mc1008_
Checking the container's keystone.log, I see:
2017-02-25 12:07:32.951 1866 ERROR keystone.
2017-02-25 12:07:32.952 1866 CRITICAL keystone [-] CredentialEncry
2017-02-25 12:07:32.952 1866 ERROR keystone Traceback (most recent call last):
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone sys.exit(main())
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone cli.main(
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone CONF.command.
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone klass.migrate_
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone credential[
2017-02-25 12:07:32.952 1866 ERROR keystone File "/openstack/
2017-02-25 12:07:32.952 1866 ERROR keystone raise exception.
2017-02-25 12:07:32.952 1866 ERROR keystone CredentialEncry
All 3 containers in the env appear to have synced up /etc/keystone/
I'm not sure how this situation was reached other than I rebuilt the keystone[0] container, os-keystone-install ran successfully, and now it won't run at all in subsequent runs. Going to work on trying to reproduce this.
Changed in openstack-ansible: | |
status: | New → Confirmed |
importance: | Undecided → Critical |
Changed in openstack-ansible: | |
assignee: | nobody → Logan V (loganv) |
status: | Confirmed → In Progress |
From a backup of the keystone[0] container taken immediately prior to the rebuild, I was able to confirm:
1) The keys in /etc/keystone/ credential- keys on the old container were completely different than the ones on the rebuilt container and running env.
2) By dropping the backed up credential-keys from the old container into the new container I was able to run credential_migrate successfully.