clouds.yaml is inconsistent with stackrc

Bug #1865050 reported by Lance Bragstad
Affects    Status       Importance   Assigned to       Milestone
tripleo    Incomplete   Medium       Lance Bragstad    none

Bug Description

I noticed that the undercloud profile in clouds.yaml doesn't contain the cacert when TLS is used in the undercloud (which appears to be on by default?). I compared clouds.yaml to stackrc and noticed stackrc contains the OS_CACERT, allowing me to interact with the undercloud without SSL verification errors. If I attempt the same openstack CLI commands using `export OS_CLOUD=undercloud`, the command will fail SSL verification.

Here is an example comparing the two files:

(undercloud) [stack@undercloud ~]$ sudo cat /etc/openstack/clouds.yaml
clouds:
  overcloud:
    auth:
      auth_url: https://overcloud.ooo.test:13000
      password: mIFntoBkPFNogPvEOEwDWrQzE
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: admin
    identity_api_version: '3'
    region_name: regionOne
  undercloud:
    auth:
      auth_url: https://192.168.24.2:13000
      password: n7n8jzaehC19Q7JMl9FXd27uS
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: admin
    identity_api_version: '3'
    region_name: regionOne
(undercloud) [stack@undercloud ~]$ cat /home/stack/.config/openstack/clouds.yaml
clouds:
  undercloud:
    auth:
      auth_url: https://192.168.24.2:13000
      password: n7n8jzaehC19Q7JMl9FXd27uS
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: admin
    identity_api_version: '3'
    # I needed to add this
    cacert: "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
    region_name: regionOne
(undercloud) [stack@undercloud ~]$ cat stackrc
# Clear any old environment that may conflict.
for key in $( set | awk -F= '/^OS_/ {print $1}' ); do unset "${key}" ; done

export OS_AUTH_TYPE=password
export OS_PASSWORD=n7n8jzaehC19Q7JMl9FXd27uS
export OS_AUTH_URL=https://192.168.24.2:13000
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export COMPUTE_API_VERSION=1.1
export NOVA_VERSION=1.1
export OS_NO_CACHE=True
export OS_CLOUDNAME=undercloud
export OS_IDENTITY_API_VERSION='3'
export OS_PROJECT_DOMAIN_NAME='Default'
export OS_USER_DOMAIN_NAME='Default'
export OS_CACERT="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
# Add OS_CLOUDNAME to PS1
if [ -z "${CLOUDPROMPT_ENABLED:-}" ]; then
    export PS1=${PS1:-""}
    export PS1=\${OS_CLOUDNAME:+"(\$OS_CLOUDNAME)"}\ $PS1
    export CLOUDPROMPT_ENABLED=1
fi

Note, once I added cacert: "/etc/pki/ca-trust/source/anchors/cm-local-ca.pem" to my clouds.yaml file manually, I was able to use the undercloud profile.

Steps to reproduce
==================

1.) Deploy an undercloud
2.) Execute `export OS_CLOUD=undercloud; openstack baremetal node list`

Expected result
===============

I should get back a list of baremetal servers

Actual result
=============

I get an SSL verification issue because python-openstackclient isn't using the certificate configured for the undercloud.

Environment
===========

I was able to reproduce this with master (ussuri).

[stack@undercloud ~]$ rpm -qa | grep tripleo
openstack-tripleo-puppet-elements-12.0.1-0.20200205004227.49e73ee.el7.noarch
openstack-tripleo-validations-12.1.1-0.20200220142835.2a89e16.el7.noarch
python2-tripleo-common-12.1.1-0.20200221134340.bbb3d19.el7.noarch
python2-tripleoclient-heat-installer-13.1.1-0.20200221134532.da4c8b0.el7.noarch
tripleo-ansible-1.2.1-0.20200226195252.8c6d504.el7.noarch
openstack-tripleo-common-containers-12.1.1-0.20200221134340.bbb3d19.el7.noarch
openstack-tripleo-image-elements-11.0.1-0.20200205004752.dc1104e.el7.noarch
python2-tripleo-repos-0.0.1-0.20200206034806.bcbb1ae.el7.noarch
python2-tripleoclient-13.1.1-0.20200221134532.da4c8b0.el7.noarch
openstack-tripleo-heat-templates-12.1.1-0.20200226195458.fa71ac1.el7.noarch
ansible-role-tripleo-modify-image-1.1.1-0.20200204003616.bb6f78d.el7.noarch
openstack-tripleo-common-12.1.1-0.20200221134340.bbb3d19.el7.noarch
puppet-tripleo-12.1.1-0.20200221022524.1015d5a.el7.noarch
ansible-tripleo-ipsec-9.2.1-0.20200127191100.0c8693c.el7.noarch

[DEFAULT]
undercloud_hostname = undercloud.ooo.test
overcloud_domain_name = ooo.test
local_mtu = 1350
local_interface = eth1
container_insecure_registries = 192.168.24.1:8787
undercloud_nameservers = 192.168.1.30 # FreeIPA DNS

[ctlplane-subnet]
masquerade = true
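
The mismatch described in the report (an https auth_url in clouds.yaml with no cacert, while stackrc exports OS_CACERT) can be caught before an operator hits the SSL error. The following is an added example, not code from the bug report or from tripleo: it parses a clouds.yaml profile and a stackrc, reports the missing cacert, flags `verify: false` as the wrong workaround, cross-checks the profile named by OS_CLOUDNAME against the exported values, and shows the report's fix applied. The sample clouds.yaml and stackrc are constructed to mirror the report with secrets replaced, and the YAML reader is a small purpose-built parser for the flat nested-mapping subset clouds.yaml uses (assumed sufficient here; it is not a general YAML parser and is used only so the example runs without PyYAML).

```python
"""Lint a clouds.yaml profile against the matching stackrc (added example)."""
import copy
import re
import shlex

# Constructed sample inputs mirroring the report; passwords replaced.
CLOUDS_YAML = """\
clouds:
  overcloud:
    auth:
      auth_url: https://overcloud.ooo.test:13000
      password: REDACTED
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: admin
    identity_api_version: '3'
    region_name: regionOne
    verify: false
  undercloud:
    auth:
      auth_url: https://192.168.24.2:13000
      password: REDACTED
      project_domain_name: Default
      project_name: admin
      user_domain_name: Default
      username: admin
    identity_api_version: '3'
    region_name: regionOne
"""

STACKRC = """\
export OS_AUTH_TYPE=password
export OS_PASSWORD=REDACTED
export OS_AUTH_URL=https://192.168.24.2:13000
export OS_USERNAME=admin
export OS_PROJECT_NAME=admin
export OS_CLOUDNAME=undercloud
export OS_IDENTITY_API_VERSION='3'
export OS_CACERT="/etc/pki/ca-trust/source/anchors/cm-local-ca.pem"
"""


def parse_simple_yaml(text):
    """Parse the nested-mapping subset used by clouds.yaml: space indentation,
    scalar values, full-line '#' comments. Deliberately minimal, not general YAML."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:  # drop levels that are not ancestors
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key.strip()] = value
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


_EXPORT = re.compile(r"^\s*export\s+(OS_[A-Z0-9_]+)=(.*)$")


def parse_stackrc(text):
    """Collect the OS_* exports from a stackrc, unquoting shell-style values."""
    env = {}
    for line in text.splitlines():
        m = _EXPORT.match(line)
        if m:
            words = shlex.split(m.group(2))
            env[m.group(1)] = words[0] if words else ""
    return env


def check_cloud(clouds, name, env):
    """Return (code, message) findings for one clouds.yaml profile."""
    cloud = clouds.get("clouds", {}).get(name)
    if cloud is None:
        return [("missing-cloud", f"{name}: no such profile in clouds.yaml")]
    findings = []
    auth_url = cloud.get("auth", {}).get("auth_url", "")
    cacert = cloud.get("cacert")
    verify = str(cloud.get("verify", "true")).lower()
    if verify == "false":
        findings.append(("verify-disabled",
                         f"{name}: verify: false turns off TLS verification; set cacert instead"))
    elif auth_url.startswith("https://") and not cacert:
        findings.append(("missing-cacert",
                         f"{name}: https auth_url but no cacert; the CLI fails verification "
                         "unless the CA is already in the system trust store"))
    # Cross-check against stackrc only for the cloud it describes.
    if env.get("OS_CLOUDNAME") == name:
        env_cacert = env.get("OS_CACERT")
        if env_cacert and cacert and env_cacert != cacert:
            findings.append(("cacert-mismatch",
                             f"{name}: cacert {cacert} differs from OS_CACERT {env_cacert}"))
        if env.get("OS_AUTH_URL") and env["OS_AUTH_URL"] != auth_url:
            findings.append(("auth-url-mismatch",
                             f"{name}: auth_url {auth_url} differs from OS_AUTH_URL {env['OS_AUTH_URL']}"))
    return findings


def with_cacert(clouds, name, cacert):
    """Return a copy of the parsed clouds.yaml with cacert set on one profile
    (the manual fix from the report)."""
    fixed = copy.deepcopy(clouds)
    fixed["clouds"][name]["cacert"] = cacert
    return fixed


if __name__ == "__main__":
    clouds = parse_simple_yaml(CLOUDS_YAML)
    env = parse_stackrc(STACKRC)
    for cloud_name in clouds["clouds"]:
        for code, msg in check_cloud(clouds, cloud_name, env):
            print(f"[{code}] {msg}")
    fixed = with_cacert(clouds, "undercloud", env["OS_CACERT"])
    print("undercloud after adding cacert:", check_cloud(fixed, "undercloud", env))
```

Run against the real files by reading `/home/stack/.config/openstack/clouds.yaml` (or `/etc/openstack/clouds.yaml`) and `~/stackrc` instead of the embedded samples. The `verify-disabled` finding is there because the quick workaround for this bug is `verify: false`, which silences the error by disabling certificate checking for every call to the undercloud API; pointing `cacert` at the same CA file stackrc already exports keeps verification on.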

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/710304

Changed in tripleo:
assignee: nobody → Lance Bragstad (lbragstad)
status: New → In Progress
Changed in tripleo:
importance: Undecided → Medium
milestone: none → ussuri-3
tags: added: queens-backport-potential train-backport-potential
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Changed in tripleo:
milestone: victoria-1 → victoria-3
Changed in tripleo:
milestone: victoria-3 → wallaby-1
Changed in tripleo:
milestone: wallaby-1 → wallaby-2
Changed in tripleo:
milestone: wallaby-2 → wallaby-3
Changed in tripleo:
milestone: wallaby-3 → wallaby-rc1
Changed in tripleo:
milestone: wallaby-rc1 → xena-1
Marios Andreou (marios-b) wrote :

This is an automated action. Bug status has been set to 'Incomplete' and target milestone has been removed due to inactivity. If you disagree please re-set these values and reach out to us on freenode #tripleo

Changed in tripleo:
milestone: xena-1 → none
status: In Progress → Incomplete
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by "Lance Bragstad <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/710304
Reason: Abandoning since I don't have the cycles to pick this back up. If anyone is interested in this work, please feel free to repropose it or have it restored.
