ceph-ansible workflow does not honor DeploymentServerBlacklist

Bug #1743046 reported by James Slagle
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Giulio Fidente
Milestone: (none shown)

Bug Description

I believe I've narrowed this down to the interaction between the ceph-ansible.yaml and access.yaml workbooks when ceph-ansible.yaml is triggered by Heat.

First, it does not honor DeploymentServerBlacklist. ceph-ansible.yaml calls:
      enable_ssh_admin:
        workflow: tripleo.access.v1.enable_ssh_admin
which then does:
      get_servers:
        action: nova.servers_list

Not only does that not honor the blacklist, but it will create tripleo-admin on every server, not just the ones where we are installing ceph. Particularly for the ceph-ansible case, I think this ought to be configurable and we only create the user on ceph nodes that are in the inventory for ceph-ansible.

If you made get_servers take an input of server uuids and only call nova.servers_list if the input is not provided, you could then make use of the servers json parameter in deploy-steps.j2 which has already had the blacklisted servers removed.

Further, from what I can tell, this action ends up getting triggered on every stack update. There's nothing to say "don't create tripleo-admin if it's already been done" (that I can find anyway, and based on this bug report that seems to be the case). That should also be fixed.

Changed in tripleo:
status: New → Confirmed
importance: Undecided → High
milestone: none → queens-rc1
assignee: nobody → James Slagle (james-slagle)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/533315

Changed in tripleo:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/533319

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/533599

Changed in tripleo:
assignee: James Slagle (james-slagle) → Giulio Fidente (gfidente)
Changed in tripleo:
assignee: Giulio Fidente (gfidente) → Jiří Stránský (jistr)
Changed in tripleo:
assignee: Jiří Stránský (jistr) → Giulio Fidente (gfidente)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/533315
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=79570ed2b91dbfc256397f0c64a560e4ea4b7589
Submitter: Zuul
Branch: master

commit 79570ed2b91dbfc256397f0c64a560e4ea4b7589
Author: James Slagle <email address hidden>
Date: Fri Jan 12 17:04:12 2018 -0500

    Workflow execution blacklist support

    Workflows triggered from deploy-steps.j2 were not honoring the
    blacklist, particularly ceph-ansible. This patch starts to address that
    issue by passing in a list of blacklisted ip addresses to the workflow
    execution environment that the workflow can make use of to filter
    against ctlplane_service_ips.

    Change-Id: Ic158171c629e82892e480f1e6903a67457f86064
    Partial-Bug: #1743046

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/533319
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d4a5876e571056377d6e280b7d3404cf8fe56440
Submitter: Zuul
Branch: master

commit d4a5876e571056377d6e280b7d3404cf8fe56440
Author: James Slagle <email address hidden>
Date: Fri Jan 12 17:17:14 2018 -0500

    Also pass blacklisted hostnames

    Workflows may need access to the list of blacklisted hostnames so they
    can filter on that value. This change adds that input to the workflow
    execution environment.

    Change-Id: I41de32b324a406633699d17933ae05417b28c57b
    Partial-Bug: #1743046

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/533599
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=f98c136078b356446362bf7506bcd708b14473cd
Submitter: Zuul
Branch: master

commit f98c136078b356446362bf7506bcd708b14473cd
Author: Giulio Fidente <email address hidden>
Date: Mon Jan 15 11:31:38 2018 +0100

    Consume blacklisted_ip_addresses in workflows

    The ceph-ansible and skydive workflows now consume the
    blacklisted_ip_addresses input.

    The enable_ssh_admin workflow is modified to consume a list of
    ip addresses and only enable ssh on the given set of addresses.

    Change-Id: I4255739c852409fb8e170a9913fe7ad810711734
    Depends-On: Ic158171c629e82892e480f1e6903a67457f86064
    Closes-Bug: #1743046
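
The target selection this fix describes, as an added Python illustration that is not code from tripleo-common or the Mistral workbooks: the admin user goes only to the nodes of the requested services, minus the blacklist, with addresses parsed so that a differently written IPv6 blacklist entry still matches. The shape of ctlplane_service_ips, the service names, the sample addresses and the already_enabled parameter are assumptions.

```python
import ipaddress

# Constructed sample data; the {service: [ip, ...]} shape is an assumption.
SERVICE_IPS = {
    "ceph_mon": ["192.168.24.10", "192.168.24.11"],
    "ceph_osd": ["192.168.24.20", "fd00::21"],
    "nova_compute": ["192.168.24.30"],
}
# The second entry is the same address as "fd00::21", written uncompressed.
BLACKLIST = ["192.168.24.11", "fd00:0:0:0:0:0:0:21"]


def _norm(addrs):
    """Parse addresses so textual variants of one IP compare equal."""
    return {ipaddress.ip_address(a.strip()) for a in addrs}


def select_ssh_admin_targets(ctlplane_service_ips, blacklisted_ip_addresses,
                             services, already_enabled=()):
    """Return the sorted IPs that should receive the admin user.

    services: names of the services whose nodes the workflow manages.
    already_enabled: hypothetical record of nodes set up on an earlier
    stack update, so the user is not created again.
    """
    wanted = set()
    for name in services:
        # A service missing from the map contributes nothing; there is
        # no fallback to "every server", which was the original bug.
        wanted |= _norm(ctlplane_service_ips.get(name, []))
    targets = wanted - _norm(blacklisted_ip_addresses) - _norm(already_enabled)
    # Sort by (version, address): IPv4 and IPv6 objects are not comparable.
    ordered = sorted(targets, key=lambda ip: (ip.version, ip))
    return [str(ip) for ip in ordered]


if __name__ == "__main__":
    ceph = ["ceph_mon", "ceph_osd"]
    print(select_ssh_admin_targets(SERVICE_IPS, BLACKLIST, ceph))
    print(select_ssh_admin_targets(SERVICE_IPS, BLACKLIST, ceph,
                                   already_enabled=["192.168.24.10"]))
```

A plain string comparison against the blacklist would have left fd00::21 in the target list here, which is the fail-open case the parsing step avoids.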

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/535255

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/535294

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/535255
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b543878b8eda7563023901b36d03691c1138cf6d
Submitter: Zuul
Branch: stable/pike

commit b543878b8eda7563023901b36d03691c1138cf6d
Author: James Slagle <email address hidden>
Date: Fri Jan 12 17:04:12 2018 -0500

    Workflow execution blacklist support

    Workflows triggered from deploy-steps.j2 were not honoring the
    blacklist, particularly ceph-ansible. This patch starts to address that
    issue by passing in a list of blacklisted ip addresses to the workflow
    execution environment that the workflow can make use of to filter
    against ctlplane_service_ips.

    Change-Id: Ic158171c629e82892e480f1e6903a67457f86064
    Partial-Bug: #1743046
    (cherry picked from commit 79570ed2b91dbfc256397f0c64a560e4ea4b7589)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/pike)

Reviewed: https://review.openstack.org/535294
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=1fee181844c5d0ec7647a7888902db83c3b80b48
Submitter: Zuul
Branch: stable/pike

commit 1fee181844c5d0ec7647a7888902db83c3b80b48
Author: Giulio Fidente <email address hidden>
Date: Mon Jan 15 11:31:38 2018 +0100

    Consume blacklisted_ip_addresses in workflows

    The ceph-ansible and skydive workflows now consume the
    blacklisted_ip_addresses input.

    The enable_ssh_admin workflow is modified to consume a list of
    ip addresses and only enable ssh on the given set of addresses.

    Change-Id: I4255739c852409fb8e170a9913fe7ad810711734
    Depends-On: Ic158171c629e82892e480f1e6903a67457f86064
    Closes-Bug: #1743046
    (cherry picked from commit f98c136078b356446362bf7506bcd708b14473cd)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 8.4.0

This issue was fixed in the openstack/tripleo-common 8.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common 7.6.9

This issue was fixed in the openstack/tripleo-common 7.6.9 release.
