ssl_ca_certificate_file not working remotely when on_box_data=true

Bug #1988204 reported by Virginia Martins Perozim
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Virginia Martins Perozim
Milestone: -

Bug Description

Brief Description
-----------------
During the restore playbook, ssl_ca_certificate_file was defined on the command line to use an ssl_ca certificate chosen by the user to be installed instead of the one from the backup file. Restore can be performed locally or remotely, which is defined by the parameter on_box_data. The problem occurred in remote mode, when on_box_data=true (target is on-box). Then, the ssl_ca certificate file must be on the host, but the restore playbook is looking for the file on the local machine, which returns an error.

Severity
--------
Minor

Steps to Reproduce
------------------
Copy the backup file to /opt/platform-backup on the host.

Copy the ssl_ca certificate to /home/sysadmin on the host.

Run the restore playbook remotely, setting:
-e "on_box_data=true"
-e "ssl_ca_certificate_file=/home/sysadmin/<ssl_ca certificate file>"

Expected Behavior
------------------
ssl_ca certificate is found during restore playbook and no error is returned.

Actual Behavior
----------------
ssl_ca certificate is not found during restore playbook and an error is returned.

Reproducibility
---------------
100%

System Configuration
--------------------
AIO-SX

Branch/Pull Time/Commit
-----------------------
Branch master

Last Pass
---------
-

Timestamp/Logs
--------------
-

Test Activity
-------------
-

Workaround
----------
-

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/855362
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/7e0d83ce9fd05bfa0e3afae01e599748637e38d1
Submitter: "Zuul (22348)"
Branch: master

commit 7e0d83ce9fd05bfa0e3afae01e599748637e38d1
Author: Virginia Martins Perozim <email address hidden>
Date: Wed Aug 31 08:33:39 2022 -0400

    transfer ssl_ca file to destiny in remote play

    Background:
    The new parameter ssl_ca_certificate_file was introduced as an option
    in the restore playbook so that the user can indicate which ssl_ca
    certificate file will be installed during restore. This certificate
    will replace the certificate that is in the backup file. This is
    because the certificate in the backup file can be expired.

    Problem:
    But, when the certificate file is on the target host and we are
    running the Ansible playbook remotely with the option
    on_box_data=true, the playbook was not finding the file because
    it was looking for it in the wrong place.

    Solution:
    So, the solution was to set remote mode (remote_src: yes) during
    the file transferring to destination when on_box_data=true. In addition,
    a validation of file existence is being done according to the
    value of on_box_data and the path indicated in the
    ssl_ca_certificate_file parameter.

    Test Plan:

    PASSED: Ansible control on host (locally)
            ssl_ca certificate file on host under /home/sysadmin
            on_box_data=true or none
            ssl_ca_certificate_file=/home/sysadmin/<ssl_ca cert. file>
            --> Check if ssl_ca certificate file exists
            --> When target is on-box, transfer ssl_ca certificate
                file to /tmp/ca-cert.pem
            --> /tmp/ca_cert.pem updated

    PASSED: Ansible control on host (locally)
            ssl_ca certificate file on host under /home/sysadmin
            on_box_data=false
            ssl_ca_certificate_file=/home/sysadmin/<ssl_ca cert. file>
            --> Check if ssl_ca certificate file exists
            --> When target is off-box, transfer ssl_ca certificate
                file to /tmp/ca-cert.pem
            --> /tmp/ca_cert.pem updated

    PASSED: Ansible control on host (locally)
            ssl_ca certificate file on host under /home/sysadmin
            on_box_data=true or none
            ssl_ca_certificate_file=$HOME/<ssl_ca certificate file>
            --> Check if ssl_ca certificate file exists
            --> Fail if ssl_ca certificate file does not exist on
                the target

    PASSED: Ansible control on host (locally)
            ssl_ca certificate file on host under /home/sysadmin
            on_box_data=false
            ssl_ca_certificate_file=$HOME/<ssl_ca certificate file>
            --> Check if ssl_ca certificate file exists
            --> Fail if ssl_ca certificate file does not exist locally

    PASSED: Ansible control on host (locally)
            ssl_ca certificate file on host under /home/sysadmin
            on_box_data=false
            ssl_ca_certificate_file=
            --> Check if ssl_ca certificate file exists
    ...

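The behaviour the commit message describes (check the file on the side that on_box_data points to, then copy it with remote_src when it is already on the target), written as an added Ansible example; it is not the code merged in the StarlingX change. The play layout, the task names, the registered variable ssl_ca_file_stat and the default values are assumptions; on_box_data, ssl_ca_certificate_file and /tmp/ca-cert.pem come from the report.

```yaml
# Added example, not the StarlingX restore playbook.
# Hypothetical names: the play itself, task names, ssl_ca_file_stat.
- name: Install a user-supplied ssl_ca certificate during restore
  hosts: all
  gather_facts: false
  vars:
    on_box_data: true             # assumed default; override with -e
    ssl_ca_certificate_file: ""   # empty means "use the one from the backup"
  tasks:
    - name: Handle the user-supplied ssl_ca certificate file
      when: ssl_ca_certificate_file | length > 0
      block:
        # on_box_data=true  -> the path refers to the target host
        # on_box_data=false -> the path refers to the Ansible control node
        - name: Look for the file on the side on_box_data points to
          ansible.builtin.stat:
            path: "{{ ssl_ca_certificate_file }}"
          delegate_to: "{{ inventory_hostname if (on_box_data | bool) else 'localhost' }}"
          register: ssl_ca_file_stat

        - name: Fail with a message that names the side that was checked
          ansible.builtin.fail:
            msg: >-
              {{ ssl_ca_certificate_file }} was not found
              {{ 'on the target host' if (on_box_data | bool) else 'on the control node' }}
          when: not ssl_ca_file_stat.stat.exists

        # remote_src: true makes copy read src on the target instead of
        # uploading it from the control node, which is the case that
        # failed in this bug.
        - name: Place the certificate where the restore expects it
          ansible.builtin.copy:
            src: "{{ ssl_ca_certificate_file }}"
            dest: /tmp/ca-cert.pem   # destination name as given in the test plan
            remote_src: "{{ on_box_data | bool }}"
            mode: "0644"
```

Values passed with -e "on_box_data=true" arrive as strings, which is why every use goes through the bool filter.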

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Virginia Martins Perozim (vmperozim)
importance: Undecided → Medium
tags: added: stx.8.0 stx.update