tripleo

Services which require DB fail to initialize when deployed with internal TLS

Bug #1710127 reported by Damien Ciabrini on 2017-08-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Juan Antonio Osorio Robles	tripleo pike-rc1

Bug Description

When internal TLS is in use, mysql/galera only accepts incoming TCP connection when they use SSL.

With containerized deployments, various services (e.g. nova, neutron, heat) run initial set up steps via some ephemeral containers. If those containers don't use kolla_start, the necessary mysql configuration will not be copied in /etc/my.cnf.d, and the connection to the DB won't use SSL. This makes the overcloud deployment fail.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-11: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/492963

Changed in tripleo:
assignee:	nobody → Damien Ciabrini (dciabrin)
status:	Triaged → In Progress

Damien Ciabrini (dciabrin) on 2017-08-11

Changed in tripleo:
milestone:	none → pike-rc1

OpenStack Infra (hudson-openstack) on 2017-08-14

Changed in tripleo:
assignee:	Damien Ciabrini (dciabrin) → Juan Antonio Osorio Robles (juan-osorio-robles)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-16: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/492963
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=5144634d9bc3afd79ff934b9e913f6b9689e374b
Submitter: Jenkins
Branch: master

commit 5144634d9bc3afd79ff934b9e913f6b9689e374b
Author: Damien Ciabrini <email address hidden>
Date: Fri Aug 11 11:24:12 2017 +0000

Bind mount tripleo.cnf in transient bootstrap containers

    Various containerized services (e.g. nova, neutron, heat) run initial set up
    steps with some ephemeral containers that don't use kolla_start. The
    tripleo.cnf file is not copied in /etc/my.cnf.d and this can break some
    deployments (e.g. when using internal TLS, service lack SSL settings).

Fix the configuration of transient containers by bind mounting of the
tripleo.cnf file when kolla_start is not used.

    Change-Id: I5246f9d52fcf8c8af81de7a0dd8281169c971577
    Closes-Bug: #1710127
    Co-Authored-By: Juan Antonio Osorio Robles <email address hidden>

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-08-24: Fix included in openstack/tripleo-heat-templates 7.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.