tripleo

freeipa cleanup doesn't work anymore

Bug #1946090 reported by Cédric Jeanneret on 2021-10-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Triaged	High	Unassigned	tripleo xena-rc1

Bug Description

Hello,

Apparently, the freeipa cleanup as described in [1] doesn't work anymore. Either with `openstack overcloud delete -y <overcloud>' or calling directly the playbook, we still see the hosts in `ipa host-find', as well as all the services listed in `ipa service-find':

[CentOS-8 - stack@undercloud ~]$ ansible-playbook -i overcloud-deploy/overcloud-0/tripleo-ansible-inventory.yaml /usr/share/ansible/tripleo-playbooks/cli-cleanup-ipa.yml

PLAY [delete ipa entries for overcloud nodes]
TASK [Check if undercloud is an ipa client]
ok: [localhost]

TASK [Get realm and host and keytab]
ok: [localhost

TASK [check if keytab exists]
ok: [localhost]

TASK [initialize the list of hosts to clean up]
ok: [localhost]

TASK [create list of hosts to clean up in IPA]

TASK [import cleanup tasks from the tripleo-ipa role]

TASK [tripleo_ipa_cleanup : delete hosts, subhosts and services from freeIPA]
changed: [localhost]

PLAY RECAP
localhost : ok=5 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0

[CentOS-8 - stack@undercloud ~]$ ipa service-find | grep Principal
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>

[CentOS-8 - stack@undercloud ~]$ ipa host-find | grep Principal
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>
  Principal name: <email address hidden>
  Principal alias: <email address hidden>

[1] https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/features/tls-everywhere.html#deleting-overclouds

Revision history for this message

Cédric Jeanneret (cjeanner) wrote on 2021-10-05:

This is due to the un-puppetisation of certmonger service: back in train, a "certmonger_user" service was created here:
https://opendev.org/openstack/tripleo-heat-templates/src/branch/stable/train/deployment/certs/certmonger-user-baremetal-puppet.yaml#L63

Now, it's has been removed, and so the hostgroup as well.

Thanks aschultz and slagle for the digging :)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.