can't set a hostname as undercloud_public_host any longer

Bug #1763776 reported by James Slagle
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Emilien Macchi

Bug Description

It seems you can no longer set a hostname as undercloud_public_host in undercloud.conf. It fails with:

2018-04-13 16:48:19,650 INFO: + puppet apply --summarize --detailed-exitcodes /etc/puppet/manifests/puppet-stack-config.pp
2018-04-13 16:48:27,026 INFO: Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
2018-04-13 16:48:27,230 INFO: Warning: ModuleLoader: module 'openstacklib' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules
2018-04-13 16:48:27,230 INFO: (file & line not available)
2018-04-13 16:48:27,585 INFO: Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
2018-04-13 16:48:27,663 INFO: Warning: ModuleLoader: module 'rabbitmq' has unresolved dependencies - it will only see those that are resolved. Use 'puppet module list --tree' to see information about modules
2018-04-13 16:48:27,663 INFO: (file & line not available)
2018-04-13 16:48:27,917 INFO: Warning: This method is deprecated, please use match expressions with Stdlib::Compat::Ipv6 instead. They are described at https://docs.puppet.com/puppet/latest/reference/lang_data_type.html#match-expressions. at ["/etc/puppet/modules/rabbitmq/manifests/install/rabbitmqadmin.pp", 37]:["/etc/puppet/modules/rabbitmq/manifests/init.pp", 318]
2018-04-13 16:48:27,918 INFO: (at /etc/puppet/modules/stdlib/lib/puppet/functions/deprecation.rb:28:in `deprecation')
2018-04-13 16:48:28,186 INFO: Notice: Scope(Class[Tripleo::Firewall::Post]): At this stage, all network traffic is blocked.
2018-04-13 16:48:28,896 INFO: Error: Evaluation Error: Error while evaluating a Function Call, public_virtual_ip: undercloud.localdomain, is not a proper IP address. at /etc/puppet/modules/tripleo/manifests/haproxy.pp:772:5 on node undercloud.localdomain

This is required as it is our documented way of binding undercloud API services on routable hostnames/IP addresses:

https://docs.openstack.org/tripleo-docs/latest/install/advanced_deployment/deployed_server.html#undercloud

It's also required for the UI so that the UI can be accessed externally by hostname.

Changed in tripleo:
status: New → In Progress
importance: Undecided → High
assignee: nobody → James Slagle (james-slagle)
milestone: none → rocky-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/561273

Changed in tripleo:
assignee: James Slagle (james-slagle) → Michele Baldessari (michele)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/561273
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=6d510547965350338d0d11c4114f67bc6c3d9702
Submitter: Zuul
Branch: master

commit 6d510547965350338d0d11c4114f67bc6c3d9702
Author: Michele Baldessari <email address hidden>
Date: Sun Apr 15 19:49:49 2018 +0200

    Partially revert "Fail more gracefully when passed an empty ip"

    This reverts the manifests/haproxy.pp parts of
    commit 4c7ca4cbc385fa70438015ebc91b8692c00d46e7.

    The reverted commit made it such that you can not set a
    hostname as undercloud_public_host in undercloud.conf. This
    is required so that the UI can be accessed by hostname
    externally as well as to make the Undercloud API accessible
    externally. We keep the parts of that change that verify if
    the haproxy VIP for pacemaker is a proper IP as it can
    happen that a misconfigured network template causes empty
    strings and the deploy will fail in a very odd way.

    Change-Id: I57eeb2dd26336465627593d633c63b92da42e71d
    Closes-Bug: #1763776

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 9.0.0

This issue was fixed in the openstack/puppet-tripleo 9.0.0 release.

Revision history for this message
Emilien Macchi (emilienm) wrote :

I'm recycling this bug as we still can't use a hostname for undercloud_*_host parameters.

See Jame's bz: https://bugzilla.redhat.com/show_bug.cgi?id=1702814

~~~~~~~~~
If you try and use a hostname for undercloud_admin_host or undercloud_public_host in undercloud.conf it fails with:

[stack@tripleo-08 ~]$ openstack undercloud install
/usr/lib/python2.7/site-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.24.1) or chardet (2.2.1) doesn't match a supported version!
  RequestsDependencyWarning)
Exception occured while running the command
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/tripleoclient/command.py", line 30, in run
    super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 184, in run
    return_code = self.take_action(parsed_args) or 0
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/undercloud.py", line 128, in take_action
    dry_run=parsed_args.dry_run)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/undercloud_config.py", line 392, in prepare_undercloud_deploy
    _process_network_args(env_data)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/undercloud_config.py", line 336, in _process_network_args
    'AllocationPools': _calculate_allocation_pools(s)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/undercloud_config.py", line 310, in _calculate_allocation_pools
    ip_set.remove(netaddr.IPNetwork(CONF.undercloud_public_host))
  File "/usr/lib/python2.7/site-packages/netaddr/ip/__init__.py", line 938, in __init__
    raise AddrFormatError('invalid IPNetwork %s' % addr)
AddrFormatError: invalid IPNetwork tripleo-08-undercloud
invalid IPNetwork tripleo-08-undercloud

Many (most?) customers use hostnames for these values, especially when using SSL.
~~~~~~~~~

Changed in tripleo:
status: Fix Released → In Progress
milestone: rocky-1 → train-1
assignee: Michele Baldessari (michele) → Emilien Macchi (emilienm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/655822

tags: added: stein-backport-potential
tags: added: rocky-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-quickstart (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/656398

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-quickstart-extras (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/657959

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (master)

Reviewed: https://review.opendev.org/655777
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=c925c3b93bf02538c9308baf91aa0c7cc6dd20e9
Submitter: Zuul
Branch: master

commit c925c3b93bf02538c9308baf91aa0c7cc6dd20e9
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 15:38:41 2019 -0400

    undercloud: resolve undercloud_*_host

    The problem we're solving here is that our operators using SSL + FQDN
    based endpoints will have failures during the deployment because we
    don't lookup the FQDN into IP addresses, needed later in the deployment
    for proper binding.

    This patch transforms undercloud_*_host parameters into IP addresses:

    - We raise if lookup returns nothing.
    - We raise if lookup returns more than one IP.
    - We support both IPv4 and IPv6.
    - We raise if the IP is a loopback.
    - We raise if the returned IP is invalid.

    Utils changes:

    * Introduce utils.is_valid_ip.
      Return True if the IP is either v4 or v6. Return False otherwise.

    * Introduce utils.is_loopback.
      Return True if the given host is a loopback. Return False otherwise.

    * Introduce utils.get_host_ips.
      Returns a list of IPs for a host to lookup.

    * Introduce utils.get_single_ip.
      Translate an hostname or FQDN into an IP address if it is valid IP.
      Return it unchanged if it is an IPv4 or IPv6 address.
      If the host is not reachable, it'll raise an exception.
      By default it excludes the loopbacks but it can be allowed by setting
      allow_loopback = True.

    * Use utils.get_single_ip to translate undercloud_admin_host and
      undercloud_public_host to IP addresses.

    Related-Bug: #1763776
    Change-Id: Ic008cc758493aa95e8aa237d23c2f66c0a930509

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/658278

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/658280

Revision history for this message
Bogdan Dobrelya (bogdando) wrote :

For local UC docker registries resolvable into an IPv6 address, we should consider backporting that into instack for Queens.

tags: added: queens-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (stable/stein)

Reviewed: https://review.opendev.org/658278
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=098fdb2cd912dabeeb40161edc6dd5df98940c31
Submitter: Zuul
Branch: stable/stein

commit 098fdb2cd912dabeeb40161edc6dd5df98940c31
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 15:38:41 2019 -0400

    undercloud: resolve undercloud_*_host

    The problem we're solving here is that our operators using SSL + FQDN
    based endpoints will have failures during the deployment because we
    don't lookup the FQDN into IP addresses, needed later in the deployment
    for proper binding.

    This patch transforms undercloud_*_host parameters into IP addresses:

    - We raise if lookup returns nothing.
    - We raise if lookup returns more than one IP.
    - We support both IPv4 and IPv6.
    - We raise if the IP is a loopback.
    - We raise if the returned IP is invalid.

    Utils changes:

    * Introduce utils.is_valid_ip.
      Return True if the IP is either v4 or v6. Return False otherwise.

    * Introduce utils.is_loopback.
      Return True if the given host is a loopback. Return False otherwise.

    * Introduce utils.get_host_ips.
      Returns a list of IPs for a host to lookup.

    * Introduce utils.get_single_ip.
      Translate an hostname or FQDN into an IP address if it is valid IP.
      Return it unchanged if it is an IPv4 or IPv6 address.
      If the host is not reachable, it'll raise an exception.
      By default it excludes the loopbacks but it can be allowed by setting
      allow_loopback = True.

    * Use utils.get_single_ip to translate undercloud_admin_host and
      undercloud_public_host to IP addresses.

    Related-Bug: #1763776
    Change-Id: Ic008cc758493aa95e8aa237d23c2f66c0a930509
    (cherry picked from commit c925c3b93bf02538c9308baf91aa0c7cc6dd20e9)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (stable/rocky)

Reviewed: https://review.opendev.org/658280
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=6b0bf9098e5c6d3bc6677e39406a397bb4e50527
Submitter: Zuul
Branch: stable/rocky

commit 6b0bf9098e5c6d3bc6677e39406a397bb4e50527
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 15:38:41 2019 -0400

    undercloud: resolve undercloud_*_host

    The problem we're solving here is that our operators using SSL + FQDN
    based endpoints will have failures during the deployment because we
    don't lookup the FQDN into IP addresses, needed later in the deployment
    for proper binding.

    This patch transforms undercloud_*_host parameters into IP addresses:

    - We raise if lookup returns nothing.
    - We raise if lookup returns more than one IP.
    - We support both IPv4 and IPv6.
    - We raise if the IP is a loopback.
    - We raise if the returned IP is invalid.

    Utils changes:

    * Introduce utils.is_valid_ip.
      Return True if the IP is either v4 or v6. Return False otherwise.

    * Introduce utils.is_loopback.
      Return True if the given host is a loopback. Return False otherwise.

    * Introduce utils.get_host_ips.
      Returns a list of IPs for a host to lookup.

    * Introduce utils.get_single_ip.
      Translate an hostname or FQDN into an IP address if it is valid IP.
      Return it unchanged if it is an IPv4 or IPv6 address.
      If the host is not reachable, it'll raise an exception.
      By default it excludes the loopbacks but it can be allowed by setting
      allow_loopback = True.

    * Use utils.get_single_ip to translate undercloud_admin_host and
      undercloud_public_host to IP addresses.

    Related-Bug: #1763776
    Change-Id: Ic008cc758493aa95e8aa237d23c2f66c0a930509
    (cherry picked from commit c925c3b93bf02538c9308baf91aa0c7cc6dd20e9)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/655822
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=016279b71e74700c18f2270649cb7567ae94505f
Submitter: Zuul
Branch: master

commit 016279b71e74700c18f2270649cb7567ae94505f
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 21:23:57 2019 -0400

    standalone/undercloud - post: use EndpointMap to fetch Keystone URL

    Using EndpointMap to ensure we get the hostname/fqdn if possible
    otherwise it fallbacks to the IP for Keystone public endpoint.

    This is useful when the operator uses a certificate based on
    hostname/fqdn and not an IP address.

    Closes-Bug #1763776
    Change-Id: Ifa9d55cca90caf5be0c83507cb47447e25311fce

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/660991

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/660997

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/660991
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ed5f481aa6b9f19f54a88eb0ff72f9e8ad6bb301
Submitter: Zuul
Branch: stable/stein

commit ed5f481aa6b9f19f54a88eb0ff72f9e8ad6bb301
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 21:23:57 2019 -0400

    standalone/undercloud - post: use EndpointMap to fetch Keystone URL

    Using EndpointMap to ensure we get the hostname/fqdn if possible
    otherwise it fallbacks to the IP for Keystone public endpoint.

    This is useful when the operator uses a certificate based on
    hostname/fqdn and not an IP address.

    Closes-Bug #1763776
    Change-Id: Ifa9d55cca90caf5be0c83507cb47447e25311fce
    (cherry picked from commit 016279b71e74700c18f2270649cb7567ae94505f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-quickstart-extras (master)

Reviewed: https://review.opendev.org/657959
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart-extras/commit/?id=9cc7489cca85eee6ce9950c1ee1d5f01c8251efc
Submitter: Zuul
Branch: master

commit 9cc7489cca85eee6ce9950c1ee1d5f01c8251efc
Author: Emilien Macchi <email address hidden>
Date: Thu May 9 10:59:18 2019 +0200

    undercloud-setup: Introduce tripleo_set_unique_hostname variable

    In hostname playbook, add a task to modify /etc/hosts.
    tripleo_set_unique_hostname is a new boolean which if set to true,
    will add a line to /etc/hosts with an unique hostname
    ( {{ ansible_hostname }}-unique ) which will resolve the first IPv4
    address found in the inventory.

    It is useful to reproduce a deployment where the operator is using
    hostnames to create SSL certificates and deploy the undecloud with the
    public host being an hostname/fqdn and not an IP address.

    Related-Bug: #1763776
    Change-Id: I6425499e5d248e6cb2285f14dd9c6e716122b90b

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-quickstart (master)

Reviewed: https://review.opendev.org/656398
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart/commit/?id=2816c3da7ba491c8e119c37be00994c10f6ab8a5
Submitter: Zuul
Branch: master

commit 2816c3da7ba491c8e119c37be00994c10f6ab8a5
Author: Emilien Macchi <email address hidden>
Date: Mon Apr 29 14:23:09 2019 -0600

    fs027: test SSL with FQDN based undercloud_public_host

    To provide a preventive action of bug 1763776, we want to test at least
    one scenario where the undercloud_public_host is configured with the
    FQDN and not the IP address.
    This is the case of most of users deplying with SSL, when certificates
    are generated based on the hostname/domain and not the IP.

    Related-Bug #1763776
    Depends-On: I6425499e5d248e6cb2285f14dd9c6e716122b90b
    Change-Id: I1c222fce178e164432acbfaeda8695c3cf7a6e98

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/660997
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=74fd3fe5b96b3d7c532b83b327c86d91e5ef6f9a
Submitter: Zuul
Branch: stable/rocky

commit 74fd3fe5b96b3d7c532b83b327c86d91e5ef6f9a
Author: Emilien Macchi <email address hidden>
Date: Thu Apr 25 21:23:57 2019 -0400

    standalone/undercloud - post: use EndpointMap to fetch Keystone URL

    Using EndpointMap to ensure we get the hostname/fqdn if possible
    otherwise it fallbacks to the IP for Keystone public endpoint.

    This is useful when the operator uses a certificate based on
    hostname/fqdn and not an IP address.

    Closes-Bug #1763776

    (cherry picked from commit 016279b71e74700c18f2270649cb7567ae94505f)
    Depends-On: I1c222fce178e164432acbfaeda8695c3cf7a6e98
    Change-Id: Id8e1c6408ee6a322c61de90a52ab1eacaf0dba88

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/746656

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (master)

Reviewed: https://review.opendev.org/746656
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=1fd42a85da98e356e85146a9afbec528584c600b
Submitter: Zuul
Branch: master

commit 1fd42a85da98e356e85146a9afbec528584c600b
Author: Harald Jensås <email address hidden>
Date: Tue Aug 18 10:03:23 2020 +0200

    Limit ip_version when resolving public_host and admin_host

    Use the the local_ip config option to filter results to a single
    ip version when resolving public_host and admin_host to ip
    addresses.

    When nameservers return result for both IPv4 and IPv6 we currently
    fail, due to multiple IP's for the host.

    Change-Id: Ic86dcea7abb5dbae31aa20fe91957e5e9a07f94e
    Related-Bug: #1763776
    Related: RHBZ#1868910

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/746785

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-tripleoclient (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/746786

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (stable/ussuri)

Reviewed: https://review.opendev.org/746785
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=7fcc694d002e3c163d14698067b6540dd913a324
Submitter: Zuul
Branch: stable/ussuri

commit 7fcc694d002e3c163d14698067b6540dd913a324
Author: Harald Jensås <email address hidden>
Date: Tue Aug 18 10:03:23 2020 +0200

    Limit ip_version when resolving public_host and admin_host

    Use the the local_ip config option to filter results to a single
    ip version when resolving public_host and admin_host to ip
    addresses.

    When nameservers return result for both IPv4 and IPv6 we currently
    fail, due to multiple IP's for the host.

    Change-Id: Ic86dcea7abb5dbae31aa20fe91957e5e9a07f94e
    Related-Bug: #1763776
    Related: RHBZ#1868910
    (cherry picked from commit 1fd42a85da98e356e85146a9afbec528584c600b)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-tripleoclient (stable/train)

Reviewed: https://review.opendev.org/746786
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=1399785a59a8e08b2228c957e8aeabad104a7101
Submitter: Zuul
Branch: stable/train

commit 1399785a59a8e08b2228c957e8aeabad104a7101
Author: Harald Jensås <email address hidden>
Date: Tue Aug 18 10:03:23 2020 +0200

    Limit ip_version when resolving public_host and admin_host

    Use the the local_ip config option to filter results to a single
    ip version when resolving public_host and admin_host to ip
    addresses.

    When nameservers return result for both IPv4 and IPv6 we currently
    fail, due to multiple IP's for the host.

    Change-Id: Ic86dcea7abb5dbae31aa20fe91957e5e9a07f94e
    Related-Bug: #1763776
    Related: RHBZ#1868910
    (cherry picked from commit 1fd42a85da98e356e85146a9afbec528584c600b)

tags: added: in-stable-train
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.