puppet-nova

novajoin install fails because of missing facts

Bug #1761786 reported by Ade Lee on 2018-04-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	puppet-nova	Fix Released	Undecided	Juan Antonio Osorio Robles

Bug Description

Recently, there was a change to puppet-nova in the novajoin code to extract the ipa_hostname as a fact so that it could be used to generate a basic keytab when novajoin is containerized.

git show 277c4c9f

However, this breaks the non-containerized case because the fact ipa_hostname is determined before the puppet run. At that time, the ipa-client is not yet enrolled, and in fact, it only get enrolled at ..

https://github.com/openstack/puppet-nova/blob/e9aa809dd394b58c96ed8659005f1d295b8119b2/manifests/metadata/novajoin/api.pp#L178

The symptom is this is a failed undercloud install with the following messages:

2018-04-06 07:13:41 | 2018-04-06 07:13:41,977 INFO: ^[[1;31mError: /usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s -p nova/undercloud.tripleodomain.example.com -k /etc/novajoin/krb5.keytab returned 2 instead of one of [0]^[[0m
2018-04-06 07:13:41 | 2018-04-06 07:13:41,977 INFO: ^[[1;31mError: /Stage[main]/Nova::Metadata::Novajoin::Api/Exec[get-service-user-keytab]/returns: change from notrun to 0 failed: /usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s -p nova/undercloud.tripleodomain.example.com -k /etc/novajoin/krb5.keytab returned 2 instead of one of [0]^[[0m

Due to the fact ipa_hostname after the -s option not being added.

We also see the following:

2018-04-06 07:10:55 | 2018-04-06 07:10:55,406 INFO: ^[[1;33mWarning: Unknown variable: '::ipa_hostname'. at /etc/puppet/modules/nova/manifests/metadata/novajoin/api.pp:265:75^
2018-04-06 07:10:56 | 2018-04-06 07:10:56,203 INFO: ^[[1;33mWarning: Unknown variable: 'ca_pem'. at /etc/puppet/modules/tripleo/manifests/certmonger/haproxy.pp

Ade Lee (alee-3) on 2018-04-06

Changed in puppet-nova:
assignee:	nobody → Ade Lee (alee-3)

Juan Antonio Osorio Robles (juan-osorio-robles) on 2018-04-09

Changed in puppet-nova:
status:	New → Confirmed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-09: Fix proposed to puppet-nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/559647

Changed in puppet-nova:
assignee:	Ade Lee (alee-3) → Juan Antonio Osorio Robles (juan-osorio-robles)
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-13: Fix merged to puppet-nova (master)

Reviewed: https://review.openstack.org/559647
Committed: https://git.openstack.org/cgit/openstack/puppet-nova/commit/?id=150bff424fd9f0fa539649733304cad334f42902
Submitter: Zuul
Branch: master

commit 150bff424fd9f0fa539649733304cad334f42902
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Apr 9 07:05:00 2018 +0000

Fix novajoin FreeIPA server parameter

    We need the FreeIPA server hostname in order to request the kerberos
    keytab for the novajoin process. For the containerized case, we
    assume that the node is enrolled to FreeIPA before puppet is ran.
    This, however, is not the case for the baremetal case, since puppet
    calls the FreeIPA enrollment. Thus, we need to handle this case.

Change-Id: If73a7b674536df33c32507977941be784f82e8f4
Closes-Bug: #1761786

Changed in puppet-nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-19: Fix included in openstack/puppet-nova 13.0.0

This issue was fixed in the openstack/puppet-nova 13.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.