Active controller swacted unexpectedly upon installing password-protected private key into TPM

Bug #1810329 reported by mhg
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
StarlingX | Invalid | Medium | Andy |

Bug Description

Brief Description
-----------------
After installing a password-protected private key using the CLI, the controllers were swacted automatically, and alarms 'Configuration is out-of-date' and others were raised for both controllers.

Severity
--------
Minor

Steps to Reproduce
------------------
1. Enable HTTPS using the CLI
2. Attempt to install a password-protected private certificate to TPM
    system certificate-install -p serverpass -m tpm_mode tpm-test-files/server-with-key-and-password.pem

Expected Behavior
------------------
- the system continued to work without issue after the CLI executed

Actual Behavior
----------------
The CLI ran successfully, but
    - alarms 'Configuration is out-of-date' and others were raised for both controllers
    - existing ssh sessions to the active controller were broken from the server side
    - the active controller was swacting automatically
    - the host key of the floating IP was changed
After 5+ minutes, the previous standby controller became the new active controller, all alarms were automatically cleared, and no further findings were observed.

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Multi-node system

Branch/Pull Time/Commit
-----------------------
master as of build-date-time
StarlingX Upstream as of 2018-12-27_20-18-00

Timestamp/Logs
--------------
Dec. 31, 2018, 10:07 p.m

Ghada Khalil (gkhalil) wrote :

Marking as release gating - issue is reproducible and results in an unexpected system swact

Changed in starlingx:
assignee: nobody → Paul-Emile Element (paul-emileelement)
importance: Undecided → Medium
tags: added: stx.2019.03 stx.security
Changed in starlingx:
status: New → Triaged
Paul-Emile Element (paul-emileelement) wrote :

Please note that the alarms are expected in that case. The swact, however, is not necessary.

Ken Young (kenyis)
tags: added: stx.2019.05
removed: stx.2019.03
Ken Young (kenyis)
Changed in starlingx:
assignee: Paul-Emile Element (paul-emileelement) → Andy (andy.wrs)
Andy (andy.wrs) wrote :

This issue is observed with load from "StarlingX Upstream as of 2018-12-27_20-18-00". It will happen when HTTPS is enabled. But based on "https://wiki.openstack.org/wiki/StarlingX/Containers/Limitations", HTTPS configurations are not supported yet in containerized OpenStack services. So probably we have to wait until HTTPS is supported.

Ken Young (kenyis)
tags: added: stx.2.0
removed: stx.2019.05
Ghada Khalil (gkhalil)
tags: added: stx.retestneeded
Andy (andy.wrs) wrote :

The swact after a passphrase-protected certificate is installed in tpm mode is no longer seen, as tested in load:

BUILD_ID="20190503T013000Z"

Platform Horizon is working properly with the installed tpm mode certificate.

Suggest the issue be closed.

Andy (andy.wrs)
Changed in starlingx:
status: Triaged → In Progress
status: In Progress → Invalid
mhg (marvinhg)
tags: added: stx.stx.security
removed: stx.retestneeded stx.security
tags: added: stx.security
removed: stx.stx.security