tripleo

undercloud masquerade_networks is now silently ignored

Bug #1794038 reported by Steven Hardy on 2018-09-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Harald Jensås	tripleo stein-2

Bug Description

The masquerade_networks option for undercloud.conf was deprecated some time ago:

https://github.com/openstack/instack-undercloud/blob/master/instack_undercloud/undercloud.py#L237

However in the switch to containerized undercloud we lost that deprecation (and all support for interpreting the value), so anyone using the old undercloud.conf syntax will get surprised as the nat rules for nodes to access the external network will be missing when using the containerized undercloud.

https://github.com/openstack/instack-undercloud/blob/master/instack_undercloud/undercloud.py#L237

[stack@undercloud ~]$ grep -R Masquerade ./*
./tripleo-config-generated-env-files/undercloud_parameters.yaml: MasqueradeNetworks: {}
[stack@undercloud ~]$ cat undercloud.conf | grep masquerade
# Network that will be masqueraded for external access, if required.
masquerade_network = 192.168.24.0/24
[stack@undercloud ~]$ sudo hiera -c /etc/puppet/hiera.yaml masquerade_networks
nil

Related to this, we're using the old format in quickstart, so by default now the masquerade rules are missing, so overcloud nodes can't reach the external network anymore:

https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/undercloud-deploy/templates/undercloud.conf.j2#L150

This has now become a hard failure though, since we landed this:

https://github.com/openstack/python-tripleoclient/commit/e202bdb01f0cd770629723e0e79fbdeafe88102b

Which means a default quickstart setup will fail to deploy when doing the ntpdate sync:

TASK [Ensure system is NTP time synced] ****************************************
Monday 24 September 2018 08:41:10 +0000 (0:00:00.104) 0:04:45.759 ******
skipping: [overcloud-novacompute-0] => {"changed": false, "skip_reason": "Conditional result was False"}
fatal: [overcloud-controller-0]: FAILED! => {"changed": true, "cmd": ["ntpdate", "-u", "pool.ntp.org"], "delta": "0:00:40.038461", "end": "2018-09-24 08:41:49.845916", "msg": "non-zero return code", "rc": 1, "start": "2018-09-24 08:41:09.807455", "stderr": "Error resolving pool.ntp.org: Name or service not known (-2)\n24 Sep 08:41:49 ntpdate[14729]: Can't find host pool.ntp.org: Name or service not known (-2)\n24 Sep 08:41:49 ntpdate[14729]: no servers can be used, exiting", "stderr_lines": ["Error resolving pool.ntp.org: Name or service not known (-2)", "24 Sep 08:41:49 ntpdate[14729]: Can't find host pool.ntp.org: Name or service not known (-2)", "24 Sep 08:41:49 ntpdate[14729]: no servers can be used, exiting"], "stdout": "", "stdout_lines": []}

Having discussed with hjensas on IRC, I think we need two fixes:

1. Some pre-flight validation so that the old/deprecated masquerade_networks option fails with a helpful message to show the new syntax

2. Rebase the quickstart undercloud.conf template to reflect the new/supported syntax

Having this covered in CI would be good too, since it seems we somehow don't fail in any of the CI jobs despite the now-bad quickstart generated undercloud.conf?

Tags:

Steven Hardy (shardy) on 2018-09-24

Changed in tripleo:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → stein-2
tags:	added: quickstart undercloud

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-24: Related fix proposed to tripleo-quickstart-extras (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/604922

Changed in tripleo:
assignee:	nobody → Harald Jensås (harald-jensas)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-24: Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/604923

Revision history for this message

Steven Hardy (shardy) wrote on 2018-09-25:

Note that a workaround is to set this in your quickstart config:

network_isolation: false
ctlplane_masquerade: true

The important part is the ctlplane_masquerade, which is needed when you don't have any real external network to connect to.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-06: Related fix merged to tripleo-quickstart-extras (master)

Reviewed: https://review.openstack.org/604922
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart-extras/commit/?id=52db4aefb747552c507f5473390eaeb18fab6ab2
Submitter: Zuul
Branch: master

commit 52db4aefb747552c507f5473390eaeb18fab6ab2
Author: Harald Jensås <email address hidden>
Date: Tue Sep 25 00:07:25 2018 +0200

Rebase undercloud.conf template

    With the changes to undercloud for routed networks support
    the configuration file structure was changed. This updates
    the undercloud.conf template in quickstart to reflect these
    changes.

Related-Bug: #1794038
Change-Id: Ia29a3aaeb23e63d68cfe4891436446093016ea3c

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-12-14: Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/604923
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=cf5371ede76084593a4d3961a111ca37df7b544c
Submitter: Zuul
Branch: master

commit cf5371ede76084593a4d3961a111ca37df7b544c
Author: Harald Jensås <email address hidden>
Date: Mon Sep 24 23:37:53 2018 +0200

Undercloud Validations - Deprecated (replaced/removed) opts

    Add a validation method to check for invalid (replaced/removed)
    configuration options. Fail the validations if any such options
    are detected in the configuration.

    After the deprecation period is over and options are removed we
    can add options to 'invalid_opts' to make sure users update
    their configuration.

    Closes-Bug: #1794038
    Depends-On: Ia29a3aaeb23e63d68cfe4891436446093016ea3c
    Change-Id: I26a1626aac9178ed87176b6577fcca970dfc182b