Support for SSL was fixed in packstack and the openstack puppet modules, and packstack now supports partial SSL deployments where the rabbitmq server or qpid server would use certificates but clients aren't using certificates and they aren't verified on the server.
Created attachment 942615
answer file packstack and nova logs.
Description of problem: When installing AIO with SSL enabled for Horizon and AMQP, the Nova service fails to start. It looks like it can't reach the rabbitmq SSL port; the rabbitmq port is open and listening.
Review related bz 1147224 (installing amqp with SSL issue), used new version from gerrit, got rabbitmq working over ssl, then got stuck on Nova service startup problem.
https://bugzilla.redhat.com/show_bug.cgi?id=1147224
Version-Release number of selected component (if applicable):
RHEL7
openstack-packstack-2014.1.1-0.41.dev1251.el7ost.noarch
openstack-packstack-puppet-2014.1.1-0.41.dev1251.el7ost.noarch
python-nova-2014.1.2-1.el7ost.noarch
openstack-nova-compute-2014.1.2-1.el7ost.noarch
python-novaclient-2.17.0-2.el7ost.noarch
openstack-nova-api-2014.1.2-1.el7ost.noarch
How reproducible:
Not sure, only tested this once.
Steps to Reproduce:
1. Install AIO, enabled on answer file:
CONFIG_HORIZON_SSL=y
CONFIG_AMQP_ENABLE_SSL=y
2. See BZ 1147224, use new manifest amqp.pp, else rabbitmq won't start
3. Setup later fails on starting Nova-compute service
Could not start Service[nova-compute]: Execution of '/usr/bin/systemctl start openstack-nova-compute'
4. Verified rabbitmq service up listening on ssl port 5671:
[root@cougar08 rabbitmq]# systemctl -t service -a | grep rabbit
rabbitmq-server.service loaded active running RabbitMQ broker
[root@cougar08 rabbitmq]# netstat -lnp | grep 5671
tcp6 0 0 :::5671 :::* LISTEN 13589/beam.smp
[root@cougar08 rabbitmq]#
firewall rule in place:
-A INPUT -s 10.35.160.137/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.137" -j ACCEPT
Actual results: Failed to start nova service
2014-09-28 11:41:42::DEBUG::sequences::40::root:: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/packstack/installer/core/sequences.py", line 38, in run
    self.function(config, messages)
  File "/usr/lib/python2.7/site-packages/packstack/plugins/puppet_950.py", line 216, in apply_puppet_manifest
    wait_for_puppet(currently_running, messages)
  File "/usr/lib/python2.7/site-packages/packstack/plugins/puppet_950.py", line 112, in wait_for_puppet
    validate_logfile(log)
  File "/usr/lib/python2.7/site-packages/packstack/modules/puppet.py", line 91, in validate_logfile
    raise PuppetError(message)
PuppetError: Error appeared during Puppet run: 10.35.160.137_nova.pp
Error: Could not start Service[nova-compute]: Execution of '/usr/bin/systemctl start openstack-nova-compute' returned 1: Job for openstack-nova-compute.service failed. See 'systemctl status openstack-nova-compute.service' and 'journalctl -xn' for details.
You will find full trace in log /var/tmp/packstack/20140928-113749-okiaSM/manifests/10.35.160.137_nova.pp.log
...
Expected results:
Packstack should successfully install and start Nova compute service, on SSL based deployments.
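The netstat check in step 4 shows only that port 5671 accepts TCP connections, not that a TLS handshake on it succeeds. The following is an added example, not part of the bug report or of packstack: it probes the listener with a real handshake and separates TCP failure, handshake failure, certificate rejection and success. The function name `probe_amqps` and its status strings are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe_amqps(host, port=5671, cafile=None, timeout=5.0):
    """Return (status, detail) for a TLS handshake against an AMQP SSL port.

    status is one of: tcp_failed, tls_handshake_failed, cert_rejected,
    tls_ok (broker certificate verified against cafile) or
    tls_ok_unverified (handshake completed, peer not authenticated).
    """
    if cafile:
        # Verify the broker certificate chain and host name against the given CA.
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        # No CA supplied: only test that TLS is spoken on the port.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Refused, filtered by the firewall, or unreachable.
        return ("tcp_failed", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            status = "tls_ok" if cafile else "tls_ok_unverified"
            return (status, "%s %s" % (tls.version(), tls.cipher()[0]))
    except ssl.SSLCertVerificationError as exc:
        return ("cert_rejected", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        # Port is open but the peer did not complete a TLS handshake
        # (plain AMQP listener, protocol mismatch, reset, timeout).
        return ("tls_handshake_failed", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # Usage: probe.py HOST [CAFILE]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_amqps(target, 5671, cafile=ca))
```

A result of `tls_ok_unverified` means the channel is encrypted but the broker's identity was not checked; pass the CA file to get `tls_ok` or `cert_rejected`.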
Sadly, ssl with rabbitmq won't work because of two outstanding issues that are being worked on: the first one is our own configuration of rabbitmq (BZ 1147224) and the second one is the requirement of kombu_ssl by puppet modules, which is in progress for icehouse: https://bugs.launchpad.net/puppet-neutron/+bug/1356083
To verify this bug:
1. Install AIO, enabled on answer file:
CONFIG_HORIZON_SSL=y
CONFIG_AMQP_ENABLE_SSL=y
2. Check if nova starts properly (a successful installation will be enough)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-0831.html