Upgrade to Stein fails because of new OctaviaServerCertsKeyPassphrase parameter length restrictions

Bug #1844438 reported by Anton Antonov
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| tripleo | New    | Undecided  | Unassigned  |           |

Bug Description

Description:

  As a part of https://bugs.launchpad.net/tripleo/+bug/1833942 we now validate that Octavia certificate passphrase length is exactly 32. The deployment procedure was also updated to generate such passphrase.
  But, it looks like the upgrade procedure wasn't updated. As a result, upgrade of a previously deployed OpenStack fails because the passphrase was generated with length 25 before the fix.

Steps to reproduce:

  Run "openstack overcloud update prepare" command:

```
openstack overcloud update prepare --templates \
-e ~/vxrdo/templates/node-info.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/disable-telemetry.yaml \
-n ~/vxrdo/templates/network_data.yaml \
-e ~/vxrdo/templates/network-isolation.yaml \
-e ~/vxrdo/templates/scheduler_hints_env.yaml \
-e ~/vxrdo/templates/network-environment.yaml \
-e ~/vxrdo/templates/ips-from-pool-all.yaml \
-e ~/vxrdo/templates/ceph-ansible.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/services/neutron-ovs.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/docker-ha.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml \
-e ~/vxrdo/templates/firstboot/firstboot.yaml \
--ntp-server 10.35.10.2 \
-e ~/vxrdo/templates/init-repo.yaml \
-e ~/vxrdo/templates/containers-prepare-parameter.yaml \
 2>&1 | tee prepare.log
```

Expected result:

  The "update prepare" command finishes successfully.

Actual result:

```
 ERROR: InvalidSchemaError: : resources.ControllerServiceChain<https://10.35.5.2:13808/v1/AUTH_0d06a24bb33c4b9ebf922cb7c3bcf118/overcloud/common/services/controller-role.yaml>.resources.ServiceChain<nested_stack>.resources.118<https://10.35.5.2:13808/v1/AUTH_0d06a24bb33c4b9ebf922cb7c3bcf118/overcloud/deployment/octavia/octavia-health-manager-container-puppet.yaml>.resources.OctaviaBase<https://10.35.5.2:13808/v1/AUTH_0d06a24bb33c4b9ebf922cb7c3bcf118/overcloud/deployment/octavia/octavia-base.yaml>: : Parameter 'OctaviaServerCertsKeyPassphrase' is invalid: Invalid default dDaWz3eP15hzRVjtk4r8xrPnw (length (25) is out of range (min: 32, max: 32))
```

The full log is attached.

Environment:

```
[stack@undercloud vxrdo]$ rpm -qa|grep tripleo
openstack-tripleo-image-elements-10.4.2-0.20190911230353.1ebd7af.el7.noarch
python2-tripleoclient-heat-installer-11.5.2-0.20190913025826.00fe507.el7.noarch
python2-tripleo-repos-0.0.1-0.20190724014728.1cf6e0b.el7.noarch
puppet-tripleo-10.5.2-0.20190916101755.2784518.el7.noarch
ansible-tripleo-ipsec-9.1.1-0.20190513182453.ffe104c.el7.noarch
openstack-tripleo-common-10.8.2-0.20190916095827.337dda3.el7.noarch
python2-tripleoclient-11.5.2-0.20190913025826.00fe507.el7.noarch
openstack-tripleo-validations-10.5.2-0.20190911232331.8ad7db7.el7.noarch
ansible-role-tripleo-modify-image-1.1.1-0.20190913191844.92f4052.el7.noarch
python2-tripleo-common-10.8.2-0.20190916095827.337dda3.el7.noarch
openstack-tripleo-common-containers-10.8.2-0.20190916095827.337dda3.el7.noarch
openstack-tripleo-puppet-elements-10.3.2-0.20190911230046.5453b89.el7.noarch
openstack-tripleo-heat-templates-10.6.2-0.20190916165638.7db107a.el7.noarch
```
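A pre-flight check for the constraint this report describes, added here as an illustration and not code from tripleo or Heat: it applies the same length rule (min 32, max 32) that Heat enforces on `OctaviaServerCertsKeyPassphrase` to a `parameter_defaults` mapping, so an operator can spot a pre-fix 25-character value before running `openstack overcloud update prepare`, and proposes a compliant replacement. The `parameter_defaults` sample is constructed; the 25-character value is the one quoted in the error above.

```python
"""Pre-flight check for the OctaviaServerCertsKeyPassphrase length constraint.

Added example, not tripleo/Heat code: mirrors Heat's length constraint
(min 32, max 32) from the error on this bug so a short passphrase in
parameter_defaults is caught before 'openstack overcloud update prepare'.
"""
import secrets
import string

# Constraint exactly as reported in the Heat error: length must be 32.
PASSPHRASE_PARAM = "OctaviaServerCertsKeyPassphrase"
LENGTH_CONSTRAINT = {"min": 32, "max": 32}


def check_length(name, value, constraint):
    """Return None if value satisfies the constraint, else a Heat-style message."""
    n = len(value)
    if constraint["min"] <= n <= constraint["max"]:
        return None
    return (f"Parameter '{name}' is invalid: length ({n}) is out of range "
            f"(min: {constraint['min']}, max: {constraint['max']})")


def generate_passphrase(length=32):
    """Generate a random alphanumeric passphrase of exactly `length` characters."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def preflight(parameter_defaults):
    """Check parameter_defaults; return (ok, message, value_or_suggestion)."""
    value = parameter_defaults.get(PASSPHRASE_PARAM)
    if value is None:
        return (False, f"{PASSPHRASE_PARAM} not set in parameter_defaults",
                generate_passphrase())
    problem = check_length(PASSPHRASE_PARAM, value, LENGTH_CONSTRAINT)
    if problem:
        return (False, problem, generate_passphrase())
    return (True, "ok", value)


# Constructed sample: the 25-character passphrase left over from a pre-fix
# Rocky deployment, as quoted in the error message above.
SAMPLE_DEFAULTS = {
    "OctaviaGenerateCerts": True,
    "OctaviaServerCertsKeyPassphrase": "dDaWz3eP15hzRVjtk4r8xrPnw",
}

if __name__ == "__main__":
    ok, msg, suggestion = preflight(SAMPLE_DEFAULTS)
    print(msg)
    if not ok:
        print("suggested replacement:", suggestion)
```

Changing only the parameter does not re-key the certificates that were already generated with the 25-character passphrase; the suggested value is only a candidate for the remediation Brent describes below, not a drop-in fix.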

Anton Antonov (anta-nok) wrote :
summary: - Upgrade to STein fails because of new OctaviaServerCertsKeyPassphrase
- Octavia parameter length restrictions
+ Upgrade to Stein fails because of new OctaviaServerCertsKeyPassphrase
+ parameter length restrictions
Brent Eagles (beagles) wrote :

What is the proper course of action in this case? Was this a production octavia enabled system or an update/upgrade test environment? The shorter passphrase was actually invalid so in a production system, remediation would've been twofold: guide the user through establishing a passphrase of proper length and distributing through the system so Octavia functions properly; and require minor updates to include the fixed packages.

Anton Antonov (anta-nok) wrote :

I don't know what the proper course of action is.

Octavia was added to a previously deployed RDO (March 2019 version of Rocky) by adding "-e /usr/share/openstack-tripleo-heat-templates/environments/services/octavia.yaml" parameter to "openstack overcloud deploy" command as explained here: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html/networking_guide/sec-octavia

AFAIU because OctaviaGenerateCerts is "true" some certificates with shorter passphrase were generated.

So, it would be useful if someone either
- would guide the user through establishing a passphrase of proper length and distributing it through the system so Octavia functions properly, or
- would fix the upgrade procedure so the above is done automatically.
