Minor update fails because haproxy can't start

Bug #1682448 reported by Marios Andreou on 2017-04-13
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tripleo
High
Unassigned

Bug Description

As first discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1441977 the stable/ocata minor update fails as haproxy can't setup the horizon proxy

Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: [ALERT] 102/082726 (168083) : Starting proxy horizon: cannot bind socket [2620:52:0:13b8:5054:ff:fe3e:1:443]
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: [ALERT] 102/082726 (168083) : Starting proxy horizon: cannot bind socket [fd00:fd00:fd00:2000::16:443]
...
Apr 13 08:27:26 controller-0.localdomain systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE
Apr 13 08:27:26 controller-0.localdomain systemd[1]: Unit haproxy.service entered failed state.

Further investigation suggests this may be related to the update of the mod_ssl package but the root cause/issue is still TBD.

Fix proposed to branch: master
Review: https://review.openstack.org/456715

Changed in tripleo:
assignee: Marios Andreou (marios-b) → Lukas Bezdicka (social-b)
status: Triaged → In Progress

Change abandoned by Lukas Bezdicka (<email address hidden>) on branch: master
Review: https://review.openstack.org/456715
Reason: https://review.openstack.org/457688

Reviewed: https://review.openstack.org/456712
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=9e729c0db22865d036860346eb6b81c4c2108719
Submitter: Jenkins
Branch: master

commit 9e729c0db22865d036860346eb6b81c4c2108719
Author: Lukas Bezdicka <email address hidden>
Date: Thu Apr 13 19:21:45 2017 +0200

    Ensure we configure ssl.conf

    Every time we call apache module regardless of using SSL we have to
    configure mod_ssl from puppet-apache or we'll hit issue during package
    update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
    Listen 443 while apache::mod::ssl just configures SSL bits but does not
    add Listen. If the apache::mod::ssl is not included the ssl.conf file is
    removed and recreated during mod_ssl package update. This causes
    conflict on port 443.

    Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Related-Bug: 1682448
    Resolves: rhbz#1441977

Reviewed: https://review.openstack.org/458033
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ef4a1da270f92aaf0c4fdb06fadaaec932149d49
Submitter: Jenkins
Branch: stable/ocata

commit ef4a1da270f92aaf0c4fdb06fadaaec932149d49
Author: Lukas Bezdicka <email address hidden>
Date: Thu Apr 13 19:21:45 2017 +0200

    Ensure we configure ssl.conf

    Every time we call apache module regardless of using SSL we have to
    configure mod_ssl from puppet-apache or we'll hit issue during package
    update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
    Listen 443 while apache::mod::ssl just configures SSL bits but does not
    add Listen. If the apache::mod::ssl is not included the ssl.conf file is
    removed and recreated during mod_ssl package update. This causes
    conflict on port 443.

    Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Related-Bug: 1682448
    Resolves: rhbz#1441977
    (cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)

tags: added: in-stable-ocata

Reviewed: https://review.openstack.org/457688
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a2cf2d469f28a176cd405015921b2a5d43445c02
Submitter: Jenkins
Branch: stable/ocata

commit a2cf2d469f28a176cd405015921b2a5d43445c02
Author: Lukas Bezdicka <email address hidden>
Date: Thu Apr 13 19:31:29 2017 +0200

    Touch /etc/httpd/conf.d/ssl.conf

    To ensure that yum update passes without issues we touch ssl.conf.
    Proper fix is https://review.openstack.org/#/c/456712/

    Depends-On: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Closes-Bug: #1682448
    Resolves: rhbz#1441977
    Change-Id: I73e5272c64df4aa5900f544a5d9f0670544ca679

This issue was fixed in the openstack/tripleo-heat-templates 6.1.0 release.

Reviewed: https://review.openstack.org/461060
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e903efc1adcdb2f21d7a9ded2795417d364c70e0
Submitter: Jenkins
Branch: stable/newton

commit e903efc1adcdb2f21d7a9ded2795417d364c70e0
Author: Sofer Athlan-Guyot <email address hidden>
Date: Fri Apr 28 16:21:31 2017 +0200

    [M->N] Ensure mod_ssl is installed during upgrade.

    In Newton mod_ssl is installed by default. We make sure that during
    upgrade this is done as well to avoid problem with the fix in
    https://bugs.launchpad.net/tripleo/+bug/1682448

    Change-Id: I49bd6f0017048fbab8a4011d5d7c3ffc6cda85b6
    Related-Bug: #1682448

tags: added: in-stable-newton

Reviewed: https://review.openstack.org/460560
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a70c065aab6e0d84533f9a023994a29857f92370
Submitter: Jenkins
Branch: stable/newton

commit a70c065aab6e0d84533f9a023994a29857f92370
Author: Lukas Bezdicka <email address hidden>
Date: Thu Apr 13 19:21:45 2017 +0200

    Ensure we configure ssl.conf

    Every time we call apache module regardless of using SSL we have to
    configure mod_ssl from puppet-apache or we'll hit issue during package
    update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
    Listen 443 while apache::mod::ssl just configures SSL bits but does not
    add Listen. If the apache::mod::ssl is not included the ssl.conf file is
    removed and recreated during mod_ssl package update. This causes
    conflict on port 443.

    Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Related-Bug: 1682448
    Resolves: rhbz#1441977
    Depends-On: I49bd6f0017048fbab8a4011d5d7c3ffc6cda85b6
    (cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)

Reviewed: https://review.openstack.org/460555
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=c32505925e151e1654e341b84c2be94ee07989d2
Submitter: Jenkins
Branch: stable/newton

commit c32505925e151e1654e341b84c2be94ee07989d2
Author: Lukas Bezdicka <email address hidden>
Date: Thu Apr 13 19:31:29 2017 +0200

    Touch /etc/httpd/conf.d/ssl.conf

    To ensure that yum update passes without issues we touch ssl.conf.
    Proper fix is https://review.openstack.org/#/c/456712/

    Depends-On: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
    Closes-Bug: #1682448
    Resolves: rhbz#1441977
    Change-Id: I73e5272c64df4aa5900f544a5d9f0670544ca679
    (cherry picked from commit a2cf2d469f28a176cd405015921b2a5d43445c02)

Marios Andreou (marios-b) wrote :

As discussed at https://bugzilla.redhat.com/show_bug.cgi?id=1448420 during mitaka to newton upgrade the installation of mod_ssl causes the same problem with Listen 443 in ssl.conf. Going to post something to stable/newton momentarily

Reviewed: https://review.openstack.org/463529
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=dd42fe9555f2fd7dc772fdca8e834b2b6d73f6f7
Submitter: Jenkins
Branch: stable/newton

commit dd42fe9555f2fd7dc772fdca8e834b2b6d73f6f7
Author: marios <email address hidden>
Date: Tue May 9 14:26:56 2017 +0300

    [Newton only] - Manually touch ssl.conf before installing mod_ssl

    In I49bd6f0017048fbab8a4011d5d7c3ffc6cda85b6 we added manual install
    of mod_ssl during the mitaka to newton upgrade for the related bug
    below. However we also need to prevent that package from creating
    the default ssl.conf with the Listen 443 as discussed in that bug.

    Related-Bug: 1682448
    Depends-On: Ie6e19cc838a3f45100f6c98a350bdf6a37d40590
    Change-Id: I04b8ccf8b8637b7b4fcc0c6182ef6cd3e30a8569

Changed in tripleo:
milestone: pike-2 → pike-3
Emilien Macchi (emilienm) wrote :

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in tripleo:
status: In Progress → Triaged
assignee: Lukas Bezdicka (social-b) → nobody
Changed in tripleo:
milestone: pike-3 → pike-rc1
Ben Nemec (bnemec) wrote :

It looks like this was fixed, per https://bugzilla.redhat.com/show_bug.cgi?id=1448420. Feel free to reopen if that's not correct.

Changed in tripleo:
status: Triaged → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 5.3.1 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.