tripleo

Compute node deployment fails in OVB all TLS job

Bug #1816465 reported by Sagi (Sergey) Shnaidman
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Juan Antonio Osorio Robles
tripleo stein-3

Bug Description

when running OVB all TLS job (featureset039) compute node deployment fails:

Warning: Could not get certificate: Execution of '/usr/bin/getcert request -I neutron -f /etc/pki/tls/certs/neutron.crt -c IPA -N CN=overcloud-novacompute-0.internalapi.ooo.test -K neutron/overcloud-novacompute-0.internalapi.ooo.test -D overcloud-novacompute-0.internalapi.ooo.test -C /usr/bin/certmonger-neutron-dhcpd-refresh.sh -w -k /etc/pki/tls/private/neutron.key' returned 2: New signing request \"neutron\" added.",
        "Error: /Stage[main]/Tripleo::Certmonger::Neutron/Certmonger_certificate[neutron]: Could not evaluate: Could not get certificate: Server at https://ipa.ooo.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname<email address hidden>,cn=services,cn=accounts,dc=ooo,dc=test'.).",

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/637584

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/637584
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=44245d19dd2ac8ebb8b0c0096c4c318381424add
Submitter: Zuul
Branch: master

commit 44245d19dd2ac8ebb8b0c0096c4c318381424add
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Feb 18 18:35:46 2019 +0200

    Only request neutron certificate from neutron dhcp service

    The certificate request for the "neutron" certificate was set in the
    neutron base template. This had the secondary effect of causing every
    node that has a neutron service to try to request the certificate.

    This fixes that issue by moving those bits to where the certificate is
    actually used (which is only by the dhcp agent).

    Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377
    Closes-Bug: #1816465

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.4.0

This issue was fixed in the openstack/tripleo-heat-templates 10.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/663948

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/663952

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/663948
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=97eb154e913514b15cc2ef9776875fbd6f90559d
Submitter: Zuul
Branch: stable/rocky

commit 97eb154e913514b15cc2ef9776875fbd6f90559d
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Feb 18 18:35:46 2019 +0200

    Only request neutron certificate from neutron dhcp service

    The certificate request for the "neutron" certificate was set in the
    neutron base template. This had the secondary effect of causing every
    node that has a neutron service to try to request the certificate.

    This fixes that issue by moving those bits to where the certificate is
    actually used (which is only by the dhcp agent).

    Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377
    Closes-Bug: #1816465
    (cherry picked from commit 44245d19dd2ac8ebb8b0c0096c4c318381424add)

tags: added: in-stable-rocky
tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/663952
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=68dfc3006490db60915fd74853fe49b82204a1e4
Submitter: Zuul
Branch: stable/queens

commit 68dfc3006490db60915fd74853fe49b82204a1e4
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Mon Feb 18 18:35:46 2019 +0200

    Only request neutron certificate from neutron dhcp service

    The certificate request for the "neutron" certificate was set in the
    neutron base template. This had the secondary effect of causing every
    node that has a neutron service to try to request the certificate.

    This fixes that issue by moving those bits to where the certificate is
    actually used (which is only by the dhcp agent).

    Change-Id: I10ade8a4b5ec30872210c633d35273309ae20377
    Closes-Bug: #1816465
    (cherry picked from commit 44245d19dd2ac8ebb8b0c0096c4c318381424add)
    (cherry picked from commit 97eb154e913514b15cc2ef9776875fbd6f90559d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.4.0

This issue was fixed in the openstack/tripleo-heat-templates 9.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.0

This issue was fixed in the openstack/tripleo-heat-templates 8.4.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.