Certificate update scripts can misbehave on HA control plane

Bug #1885284 reported by Damien Ciabrini
Affects: tripleo
Importance: Medium
Assigned to: Damien Ciabrini

Bug Description

When deploying a TLS-e environment, certmonger tracks the certificates for various services. On certificate update, certmonger calls post-save scripts provided by TripleO. Those scripts are in charge of notifying containers that they must reload their state to use the newly generated certificates.

HAProxy and RabbitMQ post-save scripts are meant to be used on the HA/non-HA overcloud as well as the undercloud/standalone environment. The container names of those services differ depending on whether the environment uses HA (e.g. haproxy-bundle-podman-0) or not (e.g. haproxy).

In HA overcloud/standalone, several containers share the prefix "haproxy" or "rabbitmq"; when the post-save scripts scan containers to signal the certificate update, it can happen that some container (e.g. haproxy_init_bundle) confuses the scripts and makes the update fail.
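As an added illustration that is not part of the bug report or of the puppet-tripleo fix: the snippet below contrasts a prefix match over `$container_cli ps` output, which on an HA controller also picks up the init container, with an anchored match that accepts only the bare service name (non-HA) or a bundle replica name (HA) and refuses to act unless exactly one container matches. The container listings and the `-bundle-<cli>-<n>` naming pattern are constructed from the examples in the report, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of "$container_cli ps --format '{{.Names}}'" output on an
# HA controller (names modelled on the bug report, not a real capture).
SAMPLE_HA_PS='haproxy_init_bundle
haproxy-bundle-podman-0
rabbitmq_init_bundle
rabbitmq-bundle-podman-0
keystone'

# Constructed sample for a non-HA (undercloud/standalone) host.
SAMPLE_NONHA_PS='haproxy
rabbitmq
keystone'

# Count non-empty lines in a string; always exits 0 so it is safe under set -e.
count_matches() {
    printf '%s\n' "$1" | awk 'NF { c++ } END { print c + 0 }'
}

# Prefix match: every container whose name contains the service name.
# On an HA host this also returns haproxy_init_bundle, which is the confusion
# the report describes.
naive_select() {
    printf '%s\n' "$1" | grep "$2" || true
}

# Anchored match: the bare service name (non-HA) or exactly one pacemaker
# bundle replica (HA). Fails with a message unless exactly one name matches,
# so the caller never copies certs into, or signals, the wrong container.
target_for() {
    ps_output=$1
    service=$2
    # The bundle naming pattern is an assumption based on the report's example.
    matches=$(printf '%s\n' "$ps_output" \
        | grep -E "^${service}(-bundle-[a-z]+-[0-9]+)?\$" || true)
    n=$(count_matches "$matches")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one '$service' container, found $n" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# Demonstration: show what each selector picks on the HA sample.
for svc in haproxy rabbitmq; do
    echo "prefix match for $svc:"
    naive_select "$SAMPLE_HA_PS" "$svc"
    echo "anchored match for $svc:"
    target_for "$SAMPLE_HA_PS" "$svc"
done
```

A post-save script built this way can use `target_for` with the real `$container_cli ps --format '{{.Names}}'` output and abort (non-zero exit, message on stderr) instead of guessing when the listing is ambiguous.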

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.opendev.org/738215

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/738215
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3e942b7ff5cc91bfee7cc19d31b502548dcf3f57
Submitter: Zuul
Branch: master

commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/742088

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/ussuri)

Reviewed: https://review.opendev.org/742088
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5
Submitter: Zuul
Branch: stable/ussuri

commit e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284
    (cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/742362

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/742362
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=ddf216332ff9a7e8378c78e3e59271ce21719c62
Submitter: Zuul
Branch: stable/train

commit ddf216332ff9a7e8378c78e3e59271ce21719c62
Author: Damien Ciabrini <email address hidden>
Date: Fri Jun 26 16:31:11 2020 +0200

    Ensure post-save certmonger scripts target the right HA container

    HAProxy and RabbitMQ can reload their TLS certificate on change,
    without being restarted. To do that, a post-save script scans the
    list of running containers, copies the new certs and triggers a reload
    action in the service.

    Make sure that those post-save scripts only get the right container
    out of the "$container_cli ps" command, i.e. that the scripts work
    both with HA and non-HA deployments.

    Change-Id: Iaba8da504f9c7a54656cf1abe259dff779ea7125
    Closes-Bug: #1885284
    (cherry picked from commit 3e942b7ff5cc91bfee7cc19d31b502548dcf3f57)
    (cherry picked from commit e0fa5abdf69f4cb7f80bb40c858eef4f7601dea5)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 11.5.0

This issue was fixed in the openstack/puppet-tripleo 11.5.0 release.
