Bug 1029751

Summary: packstack doesn't configure qpid_protocol=ssl in different config files
Product: Red Hat OpenStack Reporter: Ofer Blaut <oblaut>
Component: openstack-packstackAssignee: Ivan Chavero <ichavero>
Status: CLOSED ERRATA QA Contact: Udi Kalifon <ukalifon>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.0CC: aortega, breeler, derekh, ichavero, mlopes, mmagr, oblaut, vvaldez, yeylon
Target Milestone: z1Keywords: OtherQA, Triaged, ZStream
Target Release: 4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-packstack-2013.2.1-0.21.dev948.el6ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-23 14:21:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Config and error
none
horizon log file none

Description Ofer Blaut 2013-11-13 06:17:25 UTC 
Created attachment 823253 [details]
Config and error

Description of problem:

I have configure packstack to support QPID with SSL.
Connections to QPID failed since nova.conf & cinder.conf are not configured 
with qpid_protocol=ssl , and connections are TCP only.

Logs and answer file attached.

Neutron was not configure also not sure about the rest .

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.use packstack answer file and enable QPID SSL 
2.try to operate system and check /var/log/messages 
3.

Actual results:


Expected results:


Additional info:
Comment 1 Ivan Chavero 2013-11-18 19:47:51 UTC 
Extending the scope of this bug to: heat, ceilometer and neutron.
Comment 2 Ofer Blaut 2013-11-20 10:13:50 UTC 
please take a look on glance as well
Comment 4 Alvaro Lopez Ortega 2013-11-22 22:53:53 UTC 
The problem seems to be related to the Puppet's firewall module. It cannot handle the replacement of previously set iptables entries.

Instead of reimplementing all that in the firewall module, we'll split the Qpid iptable entries in two so we avoid this problem.

We'll update the firewall module soon though. In case this problem weren't still  fixed there, we'd have to do so.
Comment 5 Alvaro Lopez Ortega 2013-12-02 17:25:16 UTC 
https://review.openstack.org/#/c/57148/ : Merged
https://review.openstack.org/#/c/58059/ : Review in Progress
Comment 6 Alvaro Lopez Ortega 2013-12-04 17:16:32 UTC 
58059 must be worked out (reimplemented)
Comment 7 Ivan Chavero 2013-12-05 23:22:24 UTC 
The patch is ok, is needed that way because the way the firewall puppet module works
Comment 9 Scott Lewis 2013-12-09 15:30:46 UTC 
Adding OtherQA for bugs in MODIFIED
Comment 12 Udi Kalifon 2013-12-17 09:50:02 UTC 
Created attachment 837615 [details]
horizon log file
Comment 13 Udi Kalifon 2013-12-17 09:52:17 UTC 
I started with a clean server, and ran packstack with the default answers file except that I changed: CONFIG_QPID_ENABLE_SSL=y

Insstallation ran without errors. When I logged in to horizon for the first time I got a "Something went wrong!" message. See also attachment 837615 [details] (horizon log file).
Comment 16 Vinny Valdez 2013-12-18 19:21:11 UTC 
We encountered this issue today during a POC. We had to manually change these files:

/etc/heat/heat.conf
/etc/nova/nova.conf
/etc/cinder/cinder.conf
/etc/glance/glance-api.conf
/etc/ceilometer/ceilometer.conf
/etc/neutron/neutron.conf

The changes were:

Original settings:
qpid_protocol = tcp 
qpid_port = 5672

Changed to:
qpid_protocol = ssl
qpid_port = 5671

After applying these changes and restarting services, then allowing port 5671 everything worked as expected.
Comment 17 Ivan Chavero 2013-12-18 19:45:20 UTC 
Which version of packstack did you use??
Comment 18 Vinny Valdez 2013-12-18 19:59:43 UTC 
We used the latest available from RHN beta channel rhel-x86_64-server-6-ost-beta:
openstack-packstack-2013.2.1-0.11.dev847.el6ost.noarch
Comment 19 Ivan Chavero 2013-12-18 20:04:11 UTC 
can you try openstack-packstack-2013.2.1-0.18.dev934.el6ost.noarch??

that's the latest package
Comment 20 Vinny Valdez 2013-12-18 20:19:29 UTC 
Unfortunately this POC is already deployed and we have manually adjusted what we need, and I do not see this version in RHN or Satellite. I do see openstack-packstack-2013.2.1-0.20.dev936.el6ost in the latest puddle internally, so I can try this in my lab and report here.
Comment 21 Udi Kalifon 2013-12-19 14:56:41 UTC 
I just retested it with openstack-packstack-2013.2.1-0.20.dev936.el6ost.noarch. All the conf files have the correct qpid_protocol = ssl and qpid_port = 5671 settings, so from that perspective the bug may be fixed. However, horizon fails to connect to neutron as the log shows (see attachment in the bug), and it doesn't happen when not using SSL.
Comment 22 Ivan Chavero 2014-01-09 07:33:38 UTC 
QPID SSL is working on current version.
Comment 23 Ivan Chavero 2014-01-10 19:59:28 UTC 
The latest development package succesfully configures SSL in all the services configuration files.
Comment 25 Udi Kalifon 2014-01-16 10:07:42 UTC 
Works in: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch
Comment 27 Ivan Chavero 2014-01-17 23:47:08 UTC 
Doc text set to '-'
Comment 30 Lon Hohberger 2014-02-04 17:18:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html