tripleo

Keystone in container: missing trusted CA

Bug #1766178 reported by Cédric Jeanneret deactivated on 2018-04-23

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Cédric Jeanneret deactivated	tripleo rocky-2

Bug Description

Dear Stackers,

While migrating my pike BM to pike Containers, keystone had some issues validating authentication against our freeIPA.

The reason was the lack of the following file in the keystone container:
/etc/pki/ca-trust/source/anchors/ca.crt.pem

The error message in the logs:
2018-04-23 06:09:33.543 22 ERROR keystone.common.wsgi IOError: tls_cacertfile /etc/pki/ca-trust/source/anchors/ca.crt.pem not found or is not a file

Inspecting the container showed multiple mounts related to the pki content, but apparently this precise location was overlooked:
                "/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro",
                "/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro",
                "/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro",
                "/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro",

Missing:
"/etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro"

Container version:
<satellite>/default_organization-stable-centos-7-pike-docker-tripleopike-centos-binary-keystone current-tripleo 382e3c19a174 2 months ago 831 MB

Note: we consolidate images in our local satellite. We use the "current-tripleo" tag.

Cheers,

Tags:

Juan Antonio Osorio Robles (juan-osorio-robles) on 2018-04-23

Changed in tripleo:
status:	New → Triaged
milestone:	none → rocky-2
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-23: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/563525

Changed in tripleo:
assignee:	nobody → Cédric Jeanneret (cjeanneret-c2c)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-24: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/563525
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3637f0325fa9aea4a511d8f73ece4cb88a30f9f7
Submitter: Zuul
Branch: master

commit 3637f0325fa9aea4a511d8f73ece4cb88a30f9f7
Author: Cédric Jeanneret <email address hidden>
Date: Mon Apr 23 10:39:05 2018 +0200

Added missing pki volume for custom CA.

Some services want the CA to be in the anchors directory. Just mount it
everywhere.

Change-Id: I5cf028d9424a253f8b5d66d818a091508b9486d7
Closes-Bug: #1766178

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-25: Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/564105

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-26: Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/564105
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a4db817ab6cb3b3ec96daa81af0a3f1d14da7a3b
Submitter: Zuul
Branch: stable/queens

commit a4db817ab6cb3b3ec96daa81af0a3f1d14da7a3b
Author: Cédric Jeanneret <email address hidden>
Date: Mon Apr 23 10:39:05 2018 +0200

Added missing pki volume for custom CA.

Some services want the CA to be in the anchors directory. Just mount it
everywhere.

    Change-Id: I5cf028d9424a253f8b5d66d818a091508b9486d7
    Closes-Bug: #1766178
    (cherry picked from commit 3637f0325fa9aea4a511d8f73ece4cb88a30f9f7)

tags:	added: in-stable-queens
tags:	added: in-stable-pike

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-26: Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/564107
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=637f9972a70b9fed3dd6cf15f120340f450bf59f
Submitter: Zuul
Branch: stable/pike

commit 637f9972a70b9fed3dd6cf15f120340f450bf59f
Author: Cédric Jeanneret <email address hidden>
Date: Mon Apr 23 10:39:05 2018 +0200

Added missing pki volume for custom CA.

Some services want the CA to be in the anchors directory. Just mount it
everywhere.

    Change-Id: I5cf028d9424a253f8b5d66d818a091508b9486d7
    Closes-Bug: #1766178
    (cherry picked from commit 3637f0325fa9aea4a511d8f73ece4cb88a30f9f7)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-05-29: Fix included in openstack/tripleo-heat-templates 7.0.13

This issue was fixed in the openstack/tripleo-heat-templates 7.0.13 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-04: Fix included in openstack/tripleo-heat-templates 8.0.3

This issue was fixed in the openstack/tripleo-heat-templates 8.0.3 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-05: Fix included in openstack/tripleo-heat-templates 9.0.0.0b3

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0b3 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.