Bug 1199519

Summary: Packstack install AMQP with SSL, fails to start rabbitmq service
Product: Red Hat OpenStack Reporter: Lukas Bezdicka <lbezdick>
Component: openstack-packstackAssignee: Martin Magr <mmagr>
Status: CLOSED ERRATA QA Contact: Ido Ovadia <iovadia>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0 (Juno)CC: aberezin, ajeain, aortega, derekh, gdubreui, tshefi, yeylon
Target Milestone: z2Keywords: ZStream
Target Release: 6.0 (Juno)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1147224 Environment:
Last Closed: 2015-04-07 15:10:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1147224    
Bug Blocks:    

Description Lukas Bezdicka 2015-03-06 14:44:00 UTC 
+++ This bug was initially created as a clone of Bug #1147224 +++

Description of problem: When using Packstack to install RHOS5 AIO over RHEL7 with SSL enabled Horizon and AMQP, rabbitmq service fails to start. 

10.35.160.137_amqp.pp:                            [ ERROR ]
Applying Puppet manifests                         [ ERROR ]

ERROR : Error appeared during Puppet run: 10.35.160.137_amqp.pp
Error: Could not start Service[rabbitmq-server]: Execution of '/usr/bin/systemctl start rabbitmq-server' returned 1: Job for rabbitmq-server.service failed. See 'systemctl status rabbitmq-server.service' and 'journalctl -xn' for details.

Version-Release number of selected component (if applicable):
RHEL7
openstack-packstack-2014.1.1-0.41.dev1251.el7ost.noarch
openstack-packstack-puppet-2014.1.1-0.41.dev1251.el7ost.noarch
RHOS5 repo from  17-Sep-2014 

How reproducible:
Every time happened on three setups.

Steps to Reproduce:
1. Generate answer file, other than usual setting (attached answer file) set these two:
CONFIG_HORIZON_SSL=y
CONFIG_AMQP_ENABLE_SSL=y

2. Run packstack with answer file
3. Fails to start rabbitmq.service. 
4. Manual restart doesn't help, for debugging disabled firewall / selinux still can't start service. 

Actual results:
Failed to start rabbitmq service, packstack run failed, see attached logs.

See attached rabbit
 {rabbit,failure_during_boot,
                    {case_clause,{error,{already_started,<0.275.0>}}}}}}}}

Not sure this is OK or wrong, but under /etc/rabbitmq/ssl   there are no files. 

Expected results:
Packstack should manage to start rabbtimq service, plus complete SSL based AIO deployment successfully. 

Additional info:
lbezdick (thanks) pointed me to an upstream puppet problem:
https://bugs.launchpad.net/puppet-neutron/+bug/1356083

Also suggested using new amqp.pp from https://review.openstack.org/#/c/99649/ deployment passed amqp step but failed later on, this time on _nova.pp:  
AMQP server on 10.35.160.137:5671 is unreachableAdd 
Nova logs under folder called nova.pp  

Added both original amqp.pp.org and new version amqp.pp.

--- Additional comment from Gilles Dubreuil on 2014-09-28 07:33:59 EDT ---

Hi Tzach,

Could you please provide rabbitmq logs?

Regards,
Gilles

--- Additional comment from Gilles Dubreuil on 2014-09-28 09:18:48 EDT ---

It seems, although the CONFIG_AMQP_SSL_SELF_SIGNED option is present in the answer file, that certificate file is missing.

The default self-signed certificate and key files are supposed to be:
/etc/pki/tls/certs/amqp_selfcert.pem
/etc/pki/tls/private/amqp_selfkey.pem

Could you please verify and provide files content if existing?

--- Additional comment from Tzach Shefi on 2014-09-29 02:25:06 EDT ---

Certificate files were created, attaching them again plus rabbitmq logs.

--- Additional comment from Tzach Shefi on 2014-09-29 02:25:36 EDT ---



--- Additional comment from Tzach Shefi on 2014-09-29 02:26:24 EDT ---



--- Additional comment from Tzach Shefi on 2014-09-29 02:27:40 EDT ---



--- Additional comment from Gilles Dubreuil on 2014-09-29 03:18:46 EDT ---

Hi Tzach,

Thanks for the update.

Could you please confirm following:
After using the new manifest amqp.pp mentioned by Lukas,
Rabbitmq service installs correctly and is up and running?

If that the case then it's a different issue and I believe we need to track it down separately.

Regards

--- Additional comment from Tzach Shefi on 2014-09-29 04:35:48 EDT ---

Hi Gilles, 

Confirm after using new manifest amqp.pp service looks up and running. 

Service is up and running:
[root@cougar08 rabbitmq]# systemctl -t service -a | grep rabbit
rabbitmq-server.service                                                                   loaded active     running       RabbitMQ broker

Port is open and listening:
Rabbitmq ssl port 5671 looks OK

[root@cougar08 rabbitmq]#  netstat -lnp | grep 5671
tcp6       0      0 :::5671                 :::*                    LISTEN      13589/beam.smp
[root@cougar08 rabbitmq]#

firewall rule added:
-A INPUT -s 10.35.160.137/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.137" -j ACCEPT

Yet I still can't explain how then Nova can't reach rabbitmq
Notice Nova's journalctl -xn error ->

2014-09-28 11:20:20.967 17723 ERROR oslo.messaging._drivers.impl_rabbit [req-0e21fb20-fbc0-47bd-851f-172210e65d63 - - - - -] AMQP server on 10.35.160.137:5671 is unreachable: Socket closed. Trying again in 30 seconds.
Sep 28 11:20:21 cougar08.scl.lab.tlv.redhat.com cinder-backup[17630]: 2014-09-28 11:20:21.066 17630 ERROR oslo.messaging._drivers.impl_rabbit [-] AMQP server on 10.35.160.137:5671 is unreachable: Socket closed. Trying again in 30 seconds.

Do you still recommend following it up as a new bug for Nova?

--- Additional comment from Gilles Dubreuil on 2014-09-29 07:31:27 EDT ---

Yes, it seems the initial issue has been fixed, having Rabbitmq listening on ssl port.

The other openstack services which cannot reach rabbitmq seems to be related to comment#1 mentioning upstream issue, should effectively be followed up separately.

The amqp.pp patch will also make its way to the build.

--- Additional comment from Tzach Shefi on 2014-09-30 03:18:00 EDT ---

Created new Packstack bug for Nova bug described on comment#8 
https://bugzilla.redhat.com/show_bug.cgi?id=1147823
Comment 3 Gilles Dubreuil 2015-03-09 06:50:47 UTC 
Rabbitmq SSL Certificates require specific extensions, which seem to be missing from current sources, see [1].

The result are that even though CA and Server SSL Certificates are valid, no Rabbitmq client can establish a secure connection to Rabbitmq server.
I've tested and confirm that on vanilla Rabbitmq install.

A patch is needed to include the specific options Rabbitmq required in the certificates.

[1] https://github.com/stackforge/packstack/blob/master/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
Comment 4 Gilles Dubreuil 2015-03-09 10:33:51 UTC 
After talking with Lukas,
the issue I faced seems to be impacting Sensu client communicating with Rabbitmq over SSL. Since there is no need for Sensu to be made available via Packstack my previous comment is out of scope, at least until Sensu is needed.
Comment 5 Lukas Bezdicka 2015-03-09 11:06:08 UTC 
This must be issue outside of scope of packstack as for packstack juno (git) it works, installation completes and we can open SSL connection to rabbitmq, even though we don't have client side certs and we don't verify nor require certs :(

[root@controller-c7 ~]# openssl s_client -connect 192.168.122.196:5671
CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd
verify return:1
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd
   i:/C=XX/L=Default City/O=Default Company Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAN55ySPT2MhCMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV
BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQwHhcNMTUwMzA5MTAyODQ5WhcNMTgwMzA4MTAyODQ5WjBCMQsw
CQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
dWx0IENvbXBhbnkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
vWWbBkeP2rSvUoajdanozXTaMWlAhqhgGXZwDsqeAmH9eeDCCnqYbWuGEM5/4n3a
LbwOjTWDx1x8keQ3dAGXjLMObOX/Si/bE3ggsUZNXeI13fsNu+vVOXe820XboD3j
bm9gef0E7ccBGZHIGnDDNwOqrNYbXrFXIM2NYbbWjsAIc6I56LgieWr4G2PEvyRn
cyp0f4F/tITnEXe46D/NoPUuGm6SlMyo8tPbF5rucpq13ODnTaMdpljWgFNZGIl8
31obaecjy7+zlMnUfzyGzRJ1oBRdIV7AaZuPrzela6V7f/5jT72jNBuft9Iv80t6
HMrDQtOCUmddB34gZHkAowIDAQABo1AwTjAdBgNVHQ4EFgQU9oGXNcJyyxitUPK2
Fdna/WNJN+kwHwYDVR0jBBgwFoAU9oGXNcJyyxitUPK2Fdna/WNJN+kwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAV3QRvS+gsmWSIl5DeHmvzLU2P+zM
qh5N0gXOJMNw6g7s8chfZDI75N0gplexYKAObrI77+/w9EYFs5s2p4JrSggH5Ihr
E50VGuYkexo01kYjKgcyPu5el5GXy2+ihAI8gsP4MJT37cwRraZQT9oS8I6+cc/h
hwCvcq+Yu8DPLGFmkxVKGL3mqiWfaP1/yt2Z+QPBDm0IBg3/MlPn4TLKIcGP42jm
a8axmwkr8oWka/76ZGz+2ThlDtQx+nN9aa88asYovKeVRMx0NGqxbSukqpRe7h7m
56kOdO1GYLrI9MdwXNkNiNQ9TyUBfP/Q8kxC0YR6D6knIYZdIkkiOQsTew==
-----END CERTIFICATE-----
subject=/C=XX/L=Default City/O=Default Company Ltd
issuer=/C=XX/L=Default City/O=Default Company Ltd
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1592 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: DE5A966F1BCF3EFAFB1EDAE260B8857188E0A044718988E422F1EE7977F8A3C8
    Session-ID-ctx: 
    Master-Key: C32FC1FCCB3D84689444B7517815ED8FD673E676F06C1736F86C63E90E5521AA8F89496760650BDC0BAB183D9822A00F
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1425898718
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---


But, some parts of Gilles' issue do apply for packstack and future, we should rework the cert generation and probably switch packstack to use/deploy external CA with api for example IPA.
Comment 7 Ido Ovadia 2015-03-16 12:36:57 UTC 
Verified
========
openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
Comment 9 errata-xmlrpc 2015-04-07 15:10:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html