ODL with TLS fails to create certificate/key on host due to no 'odl' user

Bug #1757135 reported by Tim Rozet
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Tim Rozet
Milestone: rocky-1

Bug Description

In TLS deployments a key and certificate are created for ODL on the host (as owner/group odl/odl). These artifacts are then used to configure TLS for ODL. In containerized deployments these files are still created on the host, and then mounted into the ODL container. However, now that we containerize ODL, it means the RPM is no longer installed on the host, and the 'odl' linux group/user are not created. Thus when deploying with TLS and ODL, there is a puppet error saying:

            "Error: /Stage[main]/Tripleo::Certmonger::Opendaylight/File[/etc/pki/tls/certs/odl.crt]/group: change from root to odl failed: Could not find group odl",
            "Error: /Stage[main]/Tripleo::Certmonger::Opendaylight/File[/etc/pki/tls/private/odl.key]/owner: change from root to odl failed: Could not find user odl",
            "Error: /Stage[main]/Tripleo::Certmonger::Opendaylight/File[/etc/pki/tls/private/odl.key]/group: change from root to odl failed: Could not find group odl"

Tim Rozet (trozet)
Changed in tripleo:
status: New → In Progress
assignee: nobody → Tim Rozet (trozet)
importance: Undecided → High
milestone: none → rocky-1
tags: added: queens-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/554537

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/554537
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e11804237e81c8488bd008603638d5f62758acb7
Submitter: Zuul
Branch: master

commit e11804237e81c8488bd008603638d5f62758acb7
Author: Tim Rozet <email address hidden>
Date: Tue Mar 20 09:27:12 2018 -0400

    Fixes incorrect ownership of ODL TLS cert/key

    Deployments were failing because the owner/group of the TLS generated
    certificate and key were set to 'odl'. This user and group does not
    exist in a containerized deployment because the ODL RPM is only
    installed in the container.

    This patch leaves the owner as root for the files which works because
    the files are only used to generate a keystore for ODL (which is owned
    by odl), and the cert/key files themselves are never read by ODL.

    Closes-Bug: 1757135

    Change-Id: Ie5b9e98ea2fc16b820d56272653df4874e81cf68
    Signed-off-by: Tim Rozet <email address hidden>
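The two passages above describe one provisioning rule: the bug description shows Puppet failing to chown the host-side key and certificate to an 'odl' user that exists only inside the container image, and the commit message explains why leaving the files root-owned is acceptable (ODL reads the keystore built from them, never the files themselves). The shell example below is added here and is not puppet-tripleo's code. It assumes the host keeps the private key at mode 0600, falls back to root when the requested account is absent, and uses constructed paths, function names and a placeholder key body for illustration.

```shell
#!/bin/sh
# Added example, not puppet-tripleo code. Illustrates the host-side ownership
# rule the fix above settled on: a TLS key/cert generated on the host for a
# containerized service is left root-owned, because the service user/group
# exists only inside the container image, and the service never reads these
# files directly (a keystore built from them is what it consumes).
# Paths, function names and the placeholder key below are constructed.

# Print the requested account name if it exists on this host, otherwise the
# fallback (default root). Uses id(1), so NSS-backed users are found too.
resolve_owner() {
    want=$1
    fallback=${2:-root}
    if id "$want" >/dev/null 2>&1; then
        printf '%s\n' "$want"
    else
        printf '%s\n' "$fallback"
    fi
}

# Same for a group. Checks /etc/group only (local accounts), which is the
# case that matters here: an RPM-created group never created on the host.
resolve_group() {
    want=$1
    fallback=${2:-root}
    if grep -q "^${want}:" /etc/group 2>/dev/null; then
        printf '%s\n' "$want"
    else
        printf '%s\n' "$fallback"
    fi
}

# Copy a private key from $1 to $2 with mode 0600, owned by the resolved
# owner ($3) and group ($4). chown only runs as root; the resolved
# "owner:group" is printed so callers can record what was applied.
install_private_key() {
    src=$1; dst=$2
    owner=$(resolve_owner "$3")
    group=$(resolve_group "$4")
    rm -f "$dst"                       # never inherit a stale, looser mode
    (umask 077 && cp "$src" "$dst")    # created 0600 from the start, no window
    chmod 0600 "$dst"
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dst"
    fi
    printf '%s:%s\n' "$owner" "$group"
}

# Post-deploy check: succeed only if the key is exactly -rw------- (0600).
# Position 11 (SELinux/ACL marker) is deliberately ignored.
check_private_key_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demo with a constructed placeholder, not a real key.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
        'CONSTRUCTED PLACEHOLDER, NOT A REAL KEY' \
        '-----END PRIVATE KEY-----' > "$dir/odl.key.src"
    applied=$(install_private_key "$dir/odl.key.src" "$dir/odl.key" odl odl)
    echo "applied ownership: $applied"   # root:root on a host with no odl user
    if check_private_key_perms "$dir/odl.key"; then
        echo "key mode OK (0600)"
    else
        echo "key mode WRONG" >&2
    fi
    rm -rf "$dir"
}

demo
```

Root ownership here is tighter than the odl:odl the original Puppet resource asked for, not looser: nothing on the host besides root needs the raw key. The artifact worth checking after deployment is the keystore inside the container, since that is what ODL actually opens and, per the commit message, the thing that is owned by odl.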

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/554909

OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-tripleo (stable/queens)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/554909
Reason: clear up the gate to merge CI blockers, I'll restore the patches.

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/554909
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=a364a9dce7f92293ef65b8c98b46e5095777b956
Submitter: Zuul
Branch: stable/queens

commit a364a9dce7f92293ef65b8c98b46e5095777b956
Author: Tim Rozet <email address hidden>
Date: Tue Mar 20 09:27:12 2018 -0400

    Fixes incorrect ownership of ODL TLS cert/key

    Deployments were failing because the owner/group of the TLS generated
    certificate and key were set to 'odl'. This user and group does not
    exist in a containerized deployment because the ODL RPM is only
    installed in the container.

    This patch leaves the owner as root for the files which works because
    the files are only used to generate a keystore for ODL (which is owned
    by odl), and the cert/key files themselves are never read by ODL.

    Closes-Bug: 1757135

    Change-Id: Ie5b9e98ea2fc16b820d56272653df4874e81cf68
    Signed-off-by: Tim Rozet <email address hidden>
    (cherry picked from commit e11804237e81c8488bd008603638d5f62758acb7)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.3.1

This issue was fixed in the openstack/puppet-tripleo 8.3.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.0.0

This issue was fixed in the openstack/puppet-tripleo 9.0.0 release.
