Cinder A/A and etcd not working with TLS-everywhere
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | High | Alan Bishop | |
Bug Description
When configured to run in active/active mode, cinder uses etcd for its distributed lock manager. Unfortunately, several aspects of the deployment are broken when internal TLS is enabled. Extensive debugging uncovered a number of issues, some within tripleo (tht or puppet-tripleo), and some outside tripleo. This bug report covers the tripleo issues, and they are:
1) The tripleo:
- The $postsave_cmd isn't valid now that etcd runs in a container
- The cert and key files on the host cannot be chown'ed to "etcd:etcd", as those are not a valid user/group name on the host
- The module needs a $dnsnames input parameter to allow inclusion of additional names in the certificate
2) The tripleo:
3) The cert and key files need to be accessible to the cinder and etcd services running inside their respective containers. This means the files need to be bind mounted into the containers, along with an ACL rule that lets the cinder and etcd processes have read access to the files.
4) The etcd certificate specs, configured by THT, have to include a subject alternative name (SAN) entry for the etcd node's internal API address.
Currently, with cinder A/A and TLS-everywhere, the deployment will fail when tripleo:
tags: added: train-backport-potential
Changed in tripleo:
milestone: ussuri-3 → ussuri-rc3
Related fix proposed to branch: master
Review: https://review.opendev.org/716432