Debian: DC subcloud deploy fail: system-openldap-local-certificate

Bug #1988601 reported by Andy
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Andy

Bug Description

Brief Description
-----------------
DC subclouds fail to deploy in latest load due to:

"failed to create certificate: {\"mode\":\"docker_registry\"}: certificate install error: Invalid secret deployment
system-openldap-local-certificate"

Severity
--------
Critical: System/Feature is not usable due to the defect

Steps to Reproduce
------------------
Deploy subcloud using "dcmanager subcloud add"

Expected Behavior
------------------
Subcloud successfully deployed.

Actual Behavior
----------------
Subcloud unlock failed.

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
DC system.

Branch/Pull Time/Commit
-----------------------
STX master latest.

Last Pass
---------
Before "Replace nslcd with sssd" commits.

Timestamp/Logs
--------------
sysinv.log:
"failed to create certificate: {\"mode\":\"docker_registry\"}: certificate install error: Invalid secret deployment
system-openldap-local-certificate"

Test Activity
-------------
Developer Testing

Workaround
----------
N/A

Andy (andy.wrs) wrote :

This issue was introduced by the recent "replace nslcd with sssd" commits for https://storyboard.openstack.org/#!/story/2009834.

The openldap certificate secret is not created by bootstrap on the subcloud, but the ldap sysinv plugin tries to retrieve the certificate from k8s, and the retrieval fails.

Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/855699

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/855699
Committed: https://opendev.org/starlingx/config/commit/a3650cef1327ef9cb796910aed690fca63c44798
Submitter: "Zuul (22348)"
Branch: master

commit a3650cef1327ef9cb796910aed690fca63c44798
Author: Andy Ning <email address hidden>
Date: Fri Sep 2 17:09:01 2022 -0400

    Update sysinv to not create openldap cert on subcloud

    Openldap is not running on subcloud so no openldap certificate
    is created as k8s secret during bootstrap. But current sysinv ldap
    plugin still tries to retrieve the certificate from k8s, causing
    subcloud unlock to fail.

    This change updated sysinv ldap plugin to not retrieve openldap
    certificate for subcloud.

    Test Plan:
    PASS: subcloud deployment by "dcmanager subcloud add"

    Closes-Bug: 1988601
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Iafbc5d6ff90735c07ac6850d2f76e9a6230a7a41

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.8.0 stx.distcloud stx.security
tags: added: stx.debian
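
The failure mode and the role-gated fix described in the commit message, as an added sketch that is not code from the StarlingX config repository. Every class and function name is hypothetical, the secret store is an in-memory stand-in for the Kubernetes API, and the "deployment" namespace is assumed from the wording of the logged error.

```python
# Added illustration; every name here is hypothetical, not StarlingX/sysinv code.
SECRET_NS = "deployment"  # assumed from the logged error text
SECRET_NAME = "system-openldap-local-certificate"


class SecretNotFound(Exception):
    """Raised by the stand-in secret store when a secret does not exist."""


class FakeSecretStore:
    """In-memory stand-in for the Kubernetes secret API (constructed data)."""

    def __init__(self, secrets):
        self._secrets = secrets

    def get(self, namespace, name):
        try:
            return self._secrets[(namespace, name)]
        except KeyError:
            raise SecretNotFound(f"Invalid secret {namespace} {name}") from None


def ldap_config_ungated(store, role):
    """Before: always fetches the certificate, whatever the node's role."""
    secret = store.get(SECRET_NS, SECRET_NAME)
    return {"ldap_role": role, "tls_crt": secret["tls.crt"], "tls_key": secret["tls.key"]}


def ldap_config_gated(store, role):
    """After: a subcloud runs no openldap server, so it never asks for the cert."""
    config = {"ldap_role": role}
    if role != "subcloud":
        secret = store.get(SECRET_NS, SECRET_NAME)
        config.update(tls_crt=secret["tls.crt"], tls_key=secret["tls.key"])
    return config


# Constructed sample state: bootstrap created the secret only where openldap runs.
central = FakeSecretStore({(SECRET_NS, SECRET_NAME): {"tls.crt": "CERT", "tls.key": "KEY"}})
subcloud = FakeSecretStore({})

if __name__ == "__main__":
    print(ldap_config_gated(central, "systemcontroller"))
    print(ldap_config_gated(subcloud, "subcloud"))
    try:
        ldap_config_ungated(subcloud, "subcloud")
    except SecretNotFound as exc:
        print("ungated lookup fails:", exc)
```

Gating on the role, rather than catching the lookup error, keeps a missing certificate a hard failure wherever openldap is expected to run.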