Keystone role fails if backend admin or internal uri protocol differs from frontend

Bug #1699191 reported by Jimmy McCrory on 2017-06-20
Affects: openstack-ansible
Importance: Medium
Assigned to: Jimmy McCrory

Bug Description

https://github.com/openstack/openstack-ansible-os_keystone/commit/d13e2ebf77772f86b04447bc643636b25b863095 updated the keystone role to use ansible_host directly for service setup tasks.

If the protocol of either the keystone admin or internal endpoints is 'https' and SSL is being terminated at a load balancer, these tasks will fail with the error below.

'ansible_host' would also not likely contain a valid hostname for a cert if the backends were also 'https' through setting the 'keystone_ssl' variable.

failed: [dal-appblx112-03_keystone_container-c2d67260] (item={u'url': u'https://192.168.53.147:35357', u'validate_certs': False}) => {
    "attempts": 12,
    "content": "",
    "failed": true,
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "raw",
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {},
            "http_agent": "ansible-httpget",
            "method": "HEAD",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "300"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "https://192.168.53.147:35357",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": false
        }
    },
    "item": {
        "url": "https://192.168.53.147:35357",
        "validate_certs": false
    },
    "msg": "Status code was not [300]: Request failed: <urlopen error [SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:590)>",
    "redirected": false,
    "status": -1,
    "url": "https://192.168.53.147:35357"
}
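The failure above comes from building the per-host check URL out of the published (frontend) endpoint: the scheme and port belong to the load balancer, while the request goes straight to the backend container, which speaks plain HTTP when TLS terminates at the balancer. The following Python models the pre-fix and post-fix URL derivations side by side and flags the mismatch; it is an added illustration, not code from the role or the report, and the host, ports and endpoint hostname are constructed placeholders (the role's real variable names are not assumed here).

```python
from urllib.parse import urlsplit

# Constructed sample values (not from the report). The report's real endpoint
# was https://192.168.53.147:35357 with TLS terminated at the load balancer.
KEYSTONE_ADMIN_URI = "https://keystone.example.internal:35357"  # frontend URI
ANSIBLE_HOST = "10.0.0.12"     # hypothetical backend container address
UWSGI_ADMIN_PORT = 35358       # hypothetical uWSGI port behind the web server


def frontend_derived_url(endpoint_uri: str, host: str) -> str:
    """Pre-fix derivation: reuse the frontend endpoint's scheme and port and
    swap in ansible_host. If TLS terminates at the load balancer the backend
    answers in plain HTTP, so an https:// request to it aborts during the
    handshake with 'SSL: UNKNOWN_PROTOCOL' (the client received non-TLS bytes
    where a TLS record was expected)."""
    parts = urlsplit(endpoint_uri)
    # Fall back to the scheme's default port when the URI omits one.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{host}:{port}"


def backend_url(host: str, uwsgi_port: int, backend_tls: bool) -> str:
    """Post-fix derivation: bypass the web server and talk to uWSGI directly.
    The scheme depends only on whether the backend itself terminates TLS,
    never on what the frontend endpoint advertises."""
    scheme = "https" if backend_tls else "http"
    return f"{scheme}://{host}:{uwsgi_port}"


def protocol_mismatch(endpoint_uri: str, backend_tls: bool) -> bool:
    """True when the published endpoint's scheme disagrees with what the
    backend actually speaks: the configuration that produced the failure."""
    return (urlsplit(endpoint_uri).scheme == "https") != backend_tls


if __name__ == "__main__":
    print("pre-fix :", frontend_derived_url(KEYSTONE_ADMIN_URI, ANSIBLE_HOST))
    print("post-fix:", backend_url(ANSIBLE_HOST, UWSGI_ADMIN_PORT, backend_tls=False))
    print("mismatch:", protocol_mismatch(KEYSTONE_ADMIN_URI, backend_tls=False))
```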

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/510633

Changed in openstack-ansible:
assignee: nobody → Jimmy McCrory (jimmy-mccrory)
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/510633
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=cabd7e9cef8c35df08958677892a82551b210c97
Submitter: Zuul
Branch: master

commit cabd7e9cef8c35df08958677892a82551b210c97
Author: Jimmy McCrory <email address hidden>
Date: Mon Oct 9 10:09:24 2017 -0700

    Bypass web server during service setup

    When connecting directly to a keystone host during service setup, use
    the UWSGI ports instead of going through the web server to avoid any
    potential errors with differing URI protocols or SSL certs not including
    the hostnames of individual hosts.

    Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
    Closes-Bug: 1699191

Changed in openstack-ansible:
status: In Progress → Fix Released

This issue was fixed in the openstack/openstack-ansible-os_keystone 17.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/513969
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=cf7cef7044a095b3828f925d6703a2d9d6b0490c
Submitter: Zuul
Branch: stable/pike

commit cf7cef7044a095b3828f925d6703a2d9d6b0490c
Author: Jimmy McCrory <email address hidden>
Date: Mon Oct 9 10:09:24 2017 -0700

    Bypass web server during service setup

    When connecting directly to a keystone host during service setup, use
    the UWSGI ports instead of going through the web server to avoid any
    potential errors with differing URI protocols or SSL certs not including
    the hostnames of individual hosts.

    Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
    Closes-Bug: 1699191
    (cherry picked from commit cabd7e9cef8c35df08958677892a82551b210c97)

tags: added: in-stable-pike

Reviewed: https://review.openstack.org/515555
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=a23292b8ab8b20374e62ad4820656ef8b09c8c07
Submitter: Zuul
Branch: stable/ocata

commit a23292b8ab8b20374e62ad4820656ef8b09c8c07
Author: Jimmy McCrory <email address hidden>
Date: Mon Oct 9 10:09:24 2017 -0700

    Bypass web server during service setup

    When connecting directly to a keystone host during service setup, use
    the UWSGI ports instead of going through the web server to avoid any
    potential errors with differing URI protocols or SSL certs not including
    the hostnames of individual hosts.

    mod_wsgi was the default deployment pre-Pike so that configuration will
    still need to be catered for. A release note has been included for those
    affected by the bug.

     Conflicts:
     tasks/keystone_service_setup.yml

    Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
    Closes-Bug: 1699191
    (cherry picked from commit cabd7e9cef8c35df08958677892a82551b210c97)

tags: added: in-stable-ocata
tags: added: in-stable-newton

Reviewed: https://review.openstack.org/515556
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=6ceb425f0549b23e07f65b813197a013a3b06708
Submitter: Zuul
Branch: stable/newton

commit 6ceb425f0549b23e07f65b813197a013a3b06708
Author: Jimmy McCrory <email address hidden>
Date: Mon Oct 9 10:09:24 2017 -0700

    Bypass web server during service setup

    When connecting directly to a keystone host during service setup, use
    the UWSGI ports instead of going through the web server to avoid any
    potential errors with differing URI protocols or SSL certs not including
    the hostnames of individual hosts.

    mod_wsgi was the default deployment pre-Pike so that configuration will
    still need to be catered for. A release note has been included for those
    affected by the bug.

     Conflicts:
     tasks/keystone_service_setup.yml

    Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
    Closes-Bug: 1699191
    (cherry picked from commit cabd7e9cef8c35df08958677892a82551b210c97)

This issue was fixed in the openstack/openstack-ansible-os_keystone 15.1.12 release.

This issue was fixed in the openstack/openstack-ansible-os_keystone 14.2.12 release.

This issue was fixed in the openstack/openstack-ansible-os_keystone 16.0.4 release.
