Comment 1 for bug 1887801

Courtney Oakley (courts3003) wrote :

Okay, I have workarounds for all the bugs that stopped Octavia (OpenStack Loadbalancer) coming up for TripleO 16.1 Beta - Train on CentOS7 production capable installation. I hate having to answer all my own questions.

OCTAVIA BUGS OR MISCONFIGURATIONS

1. /var/run/octavia has incorrect ownership of root.root. It needs to be octavia.octavia; it prevents the new driver_agent from running, so nothing runs then.

WORKAROUND
Go to the Docker Container octavia_driver_agent and change the ownership to octavia.octavia then restart all octavia Docker Containers. Notice, we are all Docker here because Podman does not work with Pacemaker HA on CentOS7.

You have to execute these on all controllers.

-----------------COMMANDS
sudo docker exec -ti --user root octavia_driver_agent /bin/bash # Root on the container
chown octavia.octavia /var/run/octavia
exit

sudo docker restart octavia_driver_agent
sudo docker restart octavia_worker
sudo docker restart octavia_housekeeping
sudo docker restart octavia_health_manager
------------------

I did try changing the docker image in the container-image-prepare command, but somewhere in the YAML deployment scripts /var/run/octavia gets reset to root.root ownership.

2. No Octavia certs get generated automatically.

The logic within the deployment Jinja2 script /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-deployment-config.j2.yaml means that Octavia Certs are only generated if OctaviaGenerateCerts is true and IMPORTANTLY the Stack is at state CREATE.

WORKAROUND
So it only works if your TripleO deploys completely the first time round. If you are looking at multiple Controllers and Computes the sheer number of moving parts makes this highly unlikely. I think the logic should be changed so that generate_certs is true when OctaviaGenerateCerts is true and Stack is CREATE or STACK is UPDATE.

Is there a problem with regenerating the certs each time you deploy??? (it's better than not creating them at all)

My TripleO never deploys completely each time, I always have at least one restart even just owing to docker.io pull bandwidth issues. So I changed Stack - CREATE to UPDATE. I'll change it to CREATE or UPDATE (the best option) on my next redeployment.

-------------------------------- /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-deployment-config.j2.yaml

  generate_certs:
      and:
      - get_param: OctaviaGenerateCerts
      - equals:
        - get_param: StackAction
        # - CREATE
        - UPDATE

3. No Octavia roles are generated by deployment scripts. This is a strange one. The Policy file is generated and in place but no roles are set. Octavia cannot work without the 'load-balancer_member' and 'load-balancer_admin' roles being set for users. So we might as well generate the roles then.

This was an abandoned update (possible fix shown below).

WORKAROUND
------------------------------COMMANDS
source overcloudrc
openstack role create load-balancer_member
openstack role create load-balancer_admin
openstack role create load-balancer_observer
openstack role create load-balancer_global_observer
openstack role create load-balancer_quota_admin

# For USER and PROJECT
openstack role add --user USER --project PROJECT load-balancer_admin
openstack role add --user USER --project PROJECT load-balancer_member

POSSIBLE FIX
Increase the ansible install Steps to 6 and add the following to /usr/share/openstack-tripleo-heat-templates/deployment/octavia/octavia-api-container-puppet.yaml after Step 5 or add it to the end of Step 5. I'll see if this works on my next redeploy.

        step_6: # If you chose to add ansible Step_6
          config_volume: octavia
          puppet_tags: keystone_role
          step_config: |
            include ::octavia::roles
          config_image: {get_param: ContainerOctaviaConfigImage}
          volumes:
            - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia:ro

Okay so my Octavia Loadbalancer service at the latest version is working beautifully for a 3 Controller, 3 Compute, 3 Ceph - TripleO Train CentOS7 environment now.
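
An idempotent way to check the roles from workaround 3 before creating them, as an added example that is not part of the original comment or of TripleO: the role names are the five listed above, while the `missing_octavia_roles` function and the `--apply` switch are this script's own.

```bash
#!/usr/bin/env bash
# Added example: report which Octavia RBAC roles are absent from Keystone and,
# with --apply, create only those. Run after "source overcloudrc".

# The five role names from workaround 3 in the comment above.
OCTAVIA_ROLES="load-balancer_member load-balancer_admin load-balancer_observer load-balancer_global_observer load-balancer_quota_admin"

# Reads existing role names (one per line) on stdin and prints the Octavia
# roles that are not among them, one per line.
missing_octavia_roles() {
    local existing role
    existing=$(cat)
    for role in $OCTAVIA_ROLES; do
        # -x matches the whole line and -F treats the name as a fixed string,
        # so "load-balancer_quota_admin" is not mistaken for "load-balancer_admin".
        printf '%s\n' "$existing" | grep -qxF -- "$role" || printf '%s\n' "$role"
    done
}

# Live use: list the role names Keystone already has, create only what is missing.
if [ "${1:-}" = "--apply" ]; then
    openstack role list -f value -c Name | missing_octavia_roles |
    while read -r role; do
        openstack role create "$role"
    done
fi
```

Without `--apply` the script defines the function only, so the role listing can be piped through `missing_octavia_roles` by hand to review what would be created.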