Adding TLS external endpoint during a stack update breaks with HA overcloud
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Damien Ciabrini | 
Bug Description
When one deploys an HA overcloud without any TLS and later runs a stack update to enable TLS for the external endpoints, the HAProxy service may fail to restart.
In that case, the VIPs are also stopped by pacemaker automatically because of the colocation constraints, and the stack update finishes in error.
This is due to the way the HAProxy container is restarted on update:
- The haproxy pacemaker service file is designed to restart HAProxy when either the haproxy configuration changes or the pacemaker bundle configuration changes.
- When the TLS endpoints are added, the haproxy config is regenerated and the pacemaker bundle needs to bind-mount a new pem file into the haproxy container.
- So this triggers two restarts of the haproxy containers, and the first restart is the one triggered by the config change.
- When the haproxy container is restarted, haproxy reads the new config and tries to load the certificates and keys for the TLS endpoints, but the pem file is not bind-mounted yet because the bundle configuration hasn't been updated yet.
- So all haproxy containers fail to start.
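As an added illustration of the ordering problem described above (this is not code from the bug report or from the TripleO fix), the shell function below checks, before a restart is attempted, that every certificate an haproxy configuration references is readable at the path haproxy will open it from. The demo reproduces both states of the race: the config already naming the pem file while the bind-mount is absent, and the same config once the file is in place. The configuration fragment, addresses and pem path are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the TripleO change.
# Idea: an haproxy config that names a certificate the container cannot see
# will make haproxy fail at startup, so verify the files before restarting.

# check_haproxy_certs CONFIG ROOT
#   Extracts each 'crt <path>' from CONFIG and tests that the path is readable
#   under ROOT (the container's filesystem root, or empty for the host).
#   Reports missing files on stderr; returns 0 if all present, 1 otherwise.
check_haproxy_certs() {
    config="$1"
    root="${2:-}"
    missing=0
    # 'bind ... ssl crt /path/to/file.pem' is how haproxy names certificates.
    for crt in $(sed -n 's/.*[[:space:]]crt[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$config"); do
        if [ ! -r "$root$crt" ]; then
            echo "missing certificate: $crt" >&2
            missing=1
        fi
    done
    return $missing
}

# demo: simulate the two restarts from the bug description.
#   1) config regenerated with TLS, pem not yet bind-mounted -> check fails
#   2) bundle updated, pem visible in the container         -> check passes
demo() {
    tmp=$(mktemp -d)
    # Constructed haproxy fragment (illustrative addresses and pem path).
    cat > "$tmp/haproxy.cfg" <<'EOF'
listen keystone_public
  bind 192.0.2.10:13000 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 192.0.2.11:5000 transparent
  server controller-0 192.0.2.11:5000 check
EOF
    mkdir -p "$tmp/root"            # stands in for the container's rootfs
    check_haproxy_certs "$tmp/haproxy.cfg" "$tmp/root" 2>/dev/null \
        && before=0 || before=1
    # Now "bind-mount" the pem: the file appears at the path the config names.
    mkdir -p "$tmp/root/etc/pki/tls/private"
    : > "$tmp/root/etc/pki/tls/private/overcloud_endpoint.pem"
    check_haproxy_certs "$tmp/haproxy.cfg" "$tmp/root" 2>/dev/null \
        && after=0 || after=1
    echo "before=$before after=$after"   # prints before=1 after=0
    rm -rf "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

Run as a pre-restart gate on the host with the container's merged rootfs (or with an empty ROOT when the config and certificates live on the host); a non-zero exit means a restart would fail for the same reason the bug describes.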
- Changed in tripleo: assignee: Damien Ciabrini (dciabrin) → Michele Baldessari (michele)
- Changed in tripleo: milestone: train-3 → ussuri-1
- Changed in tripleo: assignee: Michele Baldessari (michele) → Damien Ciabrini (dciabrin)
- Changed in tripleo: milestone: ussuri-1 → ussuri-2
- Changed in tripleo: importance: Medium → High
- tags: added: idempotency queens-backport-potential train-backport-potential
Fix proposed to branch: master
Review: https://review.opendev.org/675993