/etc/pki/tls/private/overcloud_endpoint.pem is generated at each undercloud/standalone deploy

Bug #1871663 reported by Emilien Macchi
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Emilien Macchi

Bug Description

/etc/pki/tls/private/overcloud_endpoint.pem is generated at each undercloud/standalone deploy.

How to reproduce:

1) Deploy an undercloud, observe content in /etc/pki/tls/private/overcloud_endpoint.pem

2) run the "openstack undercloud install" again

/etc/pki/tls/private/overcloud_endpoint.pem content changed.
It makes the HAProxy container not idempotent and can cause service disruptions on the Undercloud.

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → ussuri-rc1
Revision history for this message
Ade Lee (alee-3) wrote :

Yes, this does in fact happen. puppet-certmonger will do a getcert resubmit if the request already exists. This will generate a new cert with the same key.

We could work around this -- maybe by adding code to puppet-certmonger to not do the resubmit unless explicitly requested -- but maybe what this points to is a bug in the code that restarts/reloads haproxy. After all, haproxy should be restarted if the cert is updated -- for example, if the cert was renewed by certmonger.

The advantage of replacing the cert each time is that the cert doesn't get too old.

David Wilde (dave-wilde)
Changed in tripleo:
assignee: nobody → David Wilde (dave-wilde)
tags: added: train-backport-potential
tags: added: idempotency
Revision history for this message
David Wilde (dave-wilde) wrote :
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/724348

wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc1 → ussuri-rc3
wes hayutin (weshayutin)
Changed in tripleo:
milestone: ussuri-rc3 → victoria-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/724348
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3b5b944048cdb68bea703cbc68ce3eb9a797b650
Submitter: Zuul
Branch: stable/train

commit 3b5b944048cdb68bea703cbc68ce3eb9a797b650
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Fri Apr 24 10:27:06 2020 -0500

    Ensure that the HAProxy certificate is updated

    While doing research for this bugzilla[1] I found that since the
    actual certificate PEM file is being bind mounted the mount is acting
    as a hard link to the inode of the PEM rather than just a pointer to
    its location in the directory. When the new file is copied over the
    inode is updated but the container still maintains a link to the stale
    inode. This patch copies the contents of the certificate into the
    container so that the HUP of HAProxy will reload the certificate.

    [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839

    Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
    Closes-Bug: 1871663
    (cherry picked from commit 93c6bffb3b06c5978e5f3611e058b4afff08bdb9)

tags: added: in-stable-train
Changed in tripleo:
assignee: David Wilde (dave-wilde) → Emilien Macchi (emilienm)
Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/722877
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c1e09672a52fea82d853d17145901109291ac1f1
Submitter: Zuul
Branch: master

commit c1e09672a52fea82d853d17145901109291ac1f1
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Fri Apr 24 10:27:06 2020 -0500

    Ensure that the HAProxy certificate is updated

    While doing research for this bugzilla[1] I found that since the
    actual certificate PEM file is being bind mounted the mount is acting
    as a hard link to the inode of the PEM rather than just a pointer to
    its location in the directory. When the new file is copied over the
    inode is updated but the container still maintains a link to the stale
    inode. This patch copies the contents of the certificate into the
    container so that the HUP of HAProxy will reload the certificate.

    [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839

    Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
    Closes-Bug: 1871663

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/739537

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/739537
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=146674dcea0bca513a6d9ea0087f06c4c300a0bc
Submitter: Zuul
Branch: stable/ussuri

commit 146674dcea0bca513a6d9ea0087f06c4c300a0bc
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Fri Apr 24 10:27:06 2020 -0500

    Ensure that the HAProxy certificate is updated

    While doing research for this bugzilla[1] I found that since the
    actual certificate PEM file is being bind mounted the mount is acting
    as a hard link to the inode of the PEM rather than just a pointer to
    its location in the directory. When the new file is copied over the
    inode is updated but the container still maintains a link to the stale
    inode. This patch copies the contents of the certificate into the
    container so that the HUP of HAProxy will reload the certificate.

    [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1765839

    Change-Id: Idf106c9ffa23ed00c497e1e5014e1b5718254320
    Closes-Bug: 1871663
    (cherry picked from commit c1e09672a52fea82d853d17145901109291ac1f1)

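The inode behaviour the commit message describes, as an added example that is not part of puppet-tripleo, certmonger, or any comment on this bug: a bind mount of a single file keeps referencing the inode that existed at mount time, the same way a hard link does, so a hard link stands in for the mount here and the script runs unprivileged. The PEM contents, the host/container directory layout and the function names are constructed for the demonstration. Renewing the certificate by writing a temporary file and renaming it over the old name is an assumption about how the new PEM reaches the host path; it is the case that leaves the container holding a stale inode, which is the situation the patch addresses.

```shell
#!/bin/sh
# Added example (not puppet-tripleo code): shows why a bind-mounted PEM goes
# stale when the host file is replaced by rename, and why writing the new
# bytes through the path the container already holds fixes it.
set -eu

PEM=overcloud_endpoint.pem

# Scratch layout: host/$PEM plus a "container" path sharing its inode. A bind
# mount pins the inode exactly as a hard link does, so `ln` emulates the mount.
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/host" "$work/container"
    printf 'CERT-v1\n' > "$work/host/$PEM"          # constructed content
    ln "$work/host/$PEM" "$work/container/$PEM"
    printf '%s\n' "$work"
}

# Inode number of a path (first field of POSIX `ls -i`).
inode_of() { ls -i "$1" | awk '{ print $1 }'; }

# What haproxy inside the container would read on SIGHUP, and the host's view.
container_view() { cat "$1/container/$PEM"; }
host_view()      { cat "$1/host/$PEM"; }

# Assumed renewal path: write a temp file, then rename it over the old name.
# The host name now points at a NEW inode; the container still has the OLD one.
renew_by_rename() {
    printf 'CERT-v2\n' > "$1/host/$PEM.tmp"          # constructed content
    mv -f "$1/host/$PEM.tmp" "$1/host/$PEM"
}

# The patch's approach: copy the certificate's contents into the container,
# i.e. an in-place truncate-and-write of the inode the container holds.
# The content is read fully before writing so this is safe even when host and
# container still share one inode (a direct `cat a > a` would truncate it).
push_into_container() {
    content=$(cat "$1/host/$PEM")
    printf '%s\n' "$content" > "$1/container/$PEM"
}

demo_run() {
    w=$(demo_setup)
    echo "before renewal: host=$(host_view "$w") container=$(container_view "$w")"
    renew_by_rename "$w"
    echo "after rename:   host=$(host_view "$w") container=$(container_view "$w")"
    echo "inodes:         host=$(inode_of "$w/host/$PEM") container=$(inode_of "$w/container/$PEM")"
    push_into_container "$w"
    echo "after copy-in:  host=$(host_view "$w") container=$(container_view "$w")"
    rm -rf "$w"
}

demo_run
```

Run it as-is. The "after rename" line shows host and container disagreeing even though the host file was "updated"; "after copy-in" shows them agreeing again, which is what lets the HUP of haproxy pick up the renewed certificate. The two inode numbers stay different after the copy-in; what matters is that the bytes behind the inode the container holds were replaced. On a real undercloud the same check is `ls -i` on the host path versus `podman exec <haproxy-container> ls -i <path>` (container name and path are whatever the deployment uses).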
tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.5.0

This issue was fixed in the openstack/puppet-tripleo 11.5.0 release.
