tripleo

Bug #1927201
Comment #6

Comment 6 for bug 1927201

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-22: Fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796651
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/58e6913751c88595d997c99cb6d218f07939c7c6
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 58e6913751c88595d997c99cb6d218f07939c7c6
Author: Martin Schuppert <email address hidden>
Date: Tue Jun 1 12:14:13 2021 +0200

[victoria/ussuri/train] Change nbd, vnc and qemu default cacert file

    InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
    do not point to the default IPA ca.crt file and instead are requested
    to be loaded to component specific CA files (even if they are the same).
    This can lead to a race where the CA cert is not being written by
    certmonger in time and the following issue is seen after the 60s timeout:

    May 1 16:47:39 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Certmonger_certificate[libvirt-vnc-server-cert]/ensure: created
    May 1 16:48:40 puppet-user: Error: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]
    May 1 16:48:40 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Exec[/etc/pki/CA/certs/vnc.crt]/returns: change from 'notrun' to ['0'] failed: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]

    The problem here is that certmonger doesn't behave in the way that we
    expect it to do. When we make the cert request and ask for the ca cert to
    be retrieved, it issues the cert and schedules the cert to be returned
    asynchronously, even if you specify -w to wait for the cert. -w will block
    pending the cert being retrieved, but not for the CA cert.

    You can always force the retrieval to happen by restarting certmonger, and
    this has helped in some cases in the past, but is a less than ideal
    solution.

This is a bug in certmonger IMHO, in that we should expect the CA cert to
be returned synchronously along with the cert if we specify -w.

The BZ for certmonger is unlikely to be fixed anytime soon though, so we
need to look at other options.

    Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
    use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
    the wallaby release using the ansible role. This change backports to also
    use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
    managing the certs via puppet-tripleo.

Conflicts:
deployment/nova/nova-vnc-proxy-container-puppet.yaml

    Change-Id: I8a00ab81c16b21c9b1f703015a2a2eaa66fd556f
    Closes-Bug: #1927201
    (cherry picked from commit d54d63285db71cdca4da943094b219bc560286ab)

Reviewed:  https://review.opendev.org/c/openstack/tripleo-heat-templates/+/796651
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/58e6913751c88595d997c99cb6d218f07939c7c6
Submitter: "Zuul (22348)"
Branch:    stable/ussuri

commit 58e6913751c88595d997c99cb6d218f07939c7c6
Author: Martin Schuppert <mschuppert@redhat.com>
Date:   Tue Jun 1 12:14:13 2021 +0200

[victoria/ussuri/train] Change nbd, vnc and qemu default cacert file
    
    InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
    do not point to the default IPA ca.crt file and instead are requested
    to be loaded to component specific CA files (even if they are the same).
    This can lead to a race where the CA cert is not being written by
    certmonger in time and the following issue is seen after the 60s timeout:
    
    May  1 16:47:39 puppet-user: Notice: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Certmonger_certificate[libvirt-vnc-server-cert]/ensure: created
    May  1 16:48:40 puppet-user: Error: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]
    May  1 16:48:40 puppet-user: Error: /Stage[main]/Tripleo::Profile::Base::Certmonger_user/Tripleo::Certmonger::Libvirt_vnc[libvirt-vnc-server-cert]/Exec[/etc/pki/CA/certs/vnc.crt]/returns: change from 'notrun' to ['0'] failed: 'test -f /etc/pki/CA/certs/vnc.crt' returned 1 instead of one of [0]
    
    The problem here is that certmonger doesn't behave in the way that we
    expect it to do. When we make the cert request and ask for the ca cert to
    be retrieved, it issues the cert and schedules the cert to be returned
    asynchronously, even if you specify -w to wait for the cert.  -w will block
    pending the cert being retrieved, but not for the CA cert.
    
    You can always force the retrieval to happen by restarting certmonger, and
    this has helped in some cases in the past, but is a less than ideal
    solution.
    
    This is a bug in certmonger IMHO, in that we should expect the CA cert to
    be returned synchronously along with the cert if we specify -w.
    
    The BZ for certmonger is unlikely to be fixed anytime soon though, so we
    need to look at other options.
    
    Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
    use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
    the wallaby release using the ansible role. This change backports to also
    use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
    managing the certs via puppet-tripleo.
    
    Conflicts:
    deployment/nova/nova-vnc-proxy-container-puppet.yaml
    
    Change-Id: I8a00ab81c16b21c9b1f703015a2a2eaa66fd556f
    Closes-Bug: #1927201
    (cherry picked from commit d54d63285db71cdca4da943094b219bc560286ab)