docker_config_scripts/nova_cell_v2_discover_host.py breaks with TLS everywhere

Bug #1813148 reported by Juan Antonio Osorio Robles on 2019-01-24
This bug affects 1 person
Affects: tripleo
Importance: Critical
Assigned to: Juan Antonio Osorio Robles

Bug Description

With TLS everywhere, access to the database is denied unless TLS is enabled. This seems to be the issue with the aforementioned script. When we enable TLS everywhere, that script fails with the following error:

...
        " File \"/usr/lib64/python2.7/site-packages/sqlalchemy/engine/strategies.py\", line 106, in connect",
        " return dialect.connect(*cargs, **cparams)",
        " File \"/usr/lib64/python2.7/site-packages/sqlalchemy/engine/default.py\", line 410, in connect",
        " return self.dbapi.connect(*cargs, **cparams)",
        " File \"/usr/lib/python2.7/site-packages/pymysql/__init__.py\", line 94, in Connect",
        " return Connection(*args, **kwargs)",
        " File \"/usr/lib/python2.7/site-packages/pymysql/connections.py\", line 327, in __init__",
        " self.connect()",
        " File \"/usr/lib/python2.7/site-packages/pymysql/connections.py\", line 598, in connect",
        " self._request_authentication()",
        " File \"/usr/lib/python2.7/site-packages/pymysql/connections.py\", line 862, in _request_authentication",
        " auth_packet = self._process_auth(plugin_name, auth_packet)",
        " File \"/usr/lib/python2.7/site-packages/pymysql/connections.py\", line 933, in _process_auth",
        " pkt = self._read_packet()",
        " File \"/usr/lib/python2.7/site-packages/pymysql/connections.py\", line 683, in _read_packet",
        " packet.check_error()",
        " File \"/usr/lib/python2.7/site-packages/pymysql/protocol.py\", line 220, in check_error",
        " err.raise_mysql_exception(self._data)",
        " File \"/usr/lib/python2.7/site-packages/pymysql/err.py\", line 109, in raise_mysql_exception",
        " raise errorclass(errno, errval)",
        "OperationalError: (pymysql.err.OperationalError) (1045, u\"Access denied for user 'nova_api'@'172.16.2.152' (using password: YES)\") (Background on this error at: http://sqlalche.me/e/e3q8)",
        "(cellv2) Service registered, running discovery",
        "stderr: + command -v python3",
        "+ command -v python2",
        "+ python2 /docker-config-scripts/nova_cell_v2_discover_host.py"

Changed in tripleo:
importance: Undecided → Critical
status: New → Triaged
milestone: none → stein-3

Fix proposed to branch: master
Review: https://review.openstack.org/632988

Changed in tripleo:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/632988
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ad81fba15da5bf6dc07153cc4c49ab48a334ee44
Submitter: Zuul
Branch: master

commit ad81fba15da5bf6dc07153cc4c49ab48a334ee44
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Thu Jan 24 13:14:49 2019 +0200

    Mount mysql client configuration in nova cell discovery container

    Without this it will ignore the TLS options (like the CA), and will fail
    when TLS everywhere is enabled.

    Change-Id: Ic0aa06afc61cf4536d476b429ac6cbf1a05dbfe0
    Closes-Bug: #1813148

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 10.4.0 release.
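
The failure in this report, where a client option file that is absent from the container means the TLS options (like the CA) are ignored, can be caught by a preflight check before a script opens its database connection. The following is an added example, not code from tripleo-heat-templates: it assumes the connection URL names the option file through pymysql's read_default_file and read_default_group parameters, and the function names, URL, host, group name and paths are constructed for illustration.

```python
import configparser
import os
import tempfile
from urllib.parse import urlsplit, parse_qs

TLS_KEYS = ("ssl-ca", "ssl-capath", "ssl-cert", "ssl-key")

def check_client_tls(db_url):
    """Return (ok, reason) for the option file named in a pymysql URL."""
    query = parse_qs(urlsplit(db_url).query)
    path = query.get("read_default_file", [None])[0]
    group = query.get("read_default_group", ["client"])[0]
    if not path:
        return False, "URL names no read_default_file"
    if not os.path.isfile(path):
        # Typical when the host file is not bind-mounted into the container.
        return False, "option file %s is not present" % path
    # MySQL option files allow bare keys such as "ssl", hence allow_no_value.
    cfg = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cfg.read(path)
    if not cfg.has_section(group):
        return False, "group [%s] missing from %s" % (group, path)
    found = [k for k in TLS_KEYS if cfg.has_option(group, k)]
    if not found:
        return False, "group [%s] sets no TLS options" % group
    ca = cfg.get(group, "ssl-ca") if "ssl-ca" in found else None
    if ca and not os.path.isfile(ca.strip("'\"")):
        return False, "ssl-ca %s is not readable" % ca
    return True, "TLS options present: " + ", ".join(found)

def demo():
    """Run the check against constructed files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    ca = os.path.join(tmp, "ca.crt")
    open(ca, "w").close()
    cnf = os.path.join(tmp, "client.cnf")
    with open(cnf, "w") as fh:
        fh.write("[example]\nssl\nssl-ca=%s\n" % ca)
    # Constructed URL; user, host and database are placeholders.
    url = ("mysql+pymysql://user:pw@db.example/nova_api"
           "?read_default_file=%s&read_default_group=example")
    return {
        "mounted": check_client_tls(url % cnf),
        "unmounted": check_client_tls(url % os.path.join(tmp, "absent.cnf")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run inside the container image, the "unmounted" result is the state this bug describes and the "mounted" result is the state after the fix.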
