Undercloud install fails with SSL and proxy

Bug #1759317 reported by Ben Nemec
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
tripleo | Invalid | High | Unassigned |

Bug Description

For the past couple of days, all of my undercloud installs are failing with the following output:

#############################################################################
Undercloud install failed.

Reason: Service Unavailable (HTTP 503)

See the previous output for details about what went wrong. The full install
log can be found at /home/centos/.instack/install-undercloud.log.

#############################################################################

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2293, in install
    _post_config(instack_env, upgrade)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2011, in _post_config
    _member_role_exists()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1134, in _member_role_exists
    member_role = [r for r in c.roles.list() if r.name == '_member_'][0]
  File "/usr/lib/python2.7/site-packages/keystoneclient/v3/roles.py", line 203, in list
    return super(RoleManager, self).list(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 397, in list
    self.collection_key)
  File "/usr/lib/python2.7/site-packages/keystoneclient/base.py", line 125, in _list
    resp, body = self.client.get(url, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 304, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 463, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 189, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 737, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.ServiceUnavailable: Service Unavailable (HTTP 503)

Looking at the keystone logs, I see a request for an invalid address:

2018-03-27 15:45:15.580 23661 INFO keystone.common.wsgi [req-0c5e76bb-1a5b-41df-a5f5-d1bb09c2126b 3e5c3f08b93a4700979176b06fcb75be a2360552a9b64505a959d7e0cec063b5 - default default] GET http://192.168.24.2:13000/

That should be an https address.

It appears this is working in CI because the generate_service_certificate option is being explicitly set to false, so we aren't actually testing with SSL. Because SSL is the default setting since https://github.com/openstack/instack-undercloud/commit/41f2694d13386a2c533ca300f109afc2fc2f0595, this is a significant problem for all non-CI users.

Tags: ci
Ben Nemec (bnemec) wrote :

Dropping from critical as this only appears to affect deployments using the default network cidr and ranges. That's not a common real-world use case so I don't think this is as serious as I initially thought.

Changed in tripleo:
importance: Critical → High
Ben Nemec (bnemec) wrote :

Okay, it's not defaults either. I believe it has something to do with my proxy settings. Will update the title to reflect that.

summary: - Undercloud install fails with new default SSL setting
+ Undercloud install fails with SSL and proxy
Ben Nemec (bnemec) wrote :

Okay, I'm not sure what changed but apparently now you need to no_proxy all three endpoints. Previously you only needed the public and local_ip. Now the admin vip needs to be included as well. So my no_proxy setting now looks like this:

export no_proxy=192.168.24.1,192.168.24.2,192.168.24.3

Changed in tripleo:
status: Triaged → Invalid
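
A pre-install check for the no_proxy requirement described in the last comment, added here as an example and not taken from instack-undercloud: it reports which undercloud endpoints would still be sent to the proxy for a given no_proxy value. The function name, the role names attached to each address and the URLs other than the 13000 one from the keystone log are assumptions, and the matching is Python's standard-library no_proxy logic, which the installer's HTTP client may not follow exactly.

```python
from urllib.parse import urlsplit
from urllib.request import proxy_bypass_environment

# Constructed sample: the three addresses from the no_proxy line above.
# Which role belongs to which address is an assumption, not stated in the bug.
ENDPOINTS = {
    "local_ip": "http://192.168.24.1/",
    "public_vip": "https://192.168.24.2:13000/",
    "admin_vip": "http://192.168.24.3/",
}


def proxied_endpoints(no_proxy, endpoints=ENDPOINTS):
    """Return the names of endpoints that no_proxy does NOT exempt."""
    # Same dict shape that urllib.request.getproxies_environment() returns.
    proxies = {"no": no_proxy}
    leaked = []
    for name, url in endpoints.items():
        host = urlsplit(url).hostname
        # An unparsable URL is reported too, so it gets looked at.
        if not host or not proxy_bypass_environment(host, proxies):
            leaked.append(name)
    return sorted(leaked)


if __name__ == "__main__":
    # The older two-address setting versus the three-address one from the bug.
    for setting in ("192.168.24.1,192.168.24.2",
                    "192.168.24.1,192.168.24.2,192.168.24.3"):
        result = proxied_endpoints(setting)
        print(setting, "->", result or "all endpoints bypass the proxy")
```

Any name it returns is an endpoint whose requests go to the proxy instead of the undercloud, which is the condition behind the HTTP 503 in this report.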