Bug 1227501

Summary: routing-daemon not removing var/tmp/*.key and var/tmp/*.crt
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: NetworkingAssignee: Abhishek Gupta <abhgupta>
Networking sub component: router QA Contact: Anping Li <anli>
Status: CLOSED ERRATA Docs Contact:
Severity: unspecified    
Priority: unspecified CC: adellape, erich, jialiu, mmasters, nicholas_schuetz, pep, tiwillia, xtian
Version: 2.2.0   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rubygem-openshift-origin-routing-daemon-0.25.1.2-1.el6op Doc Type: Bug Fix
Doc Text:
Although the routing daemon's F5 iControl REST API model used the value set for BIGIP_USERNAME in the routing daemon's configuration file for the `scp` command to upload temporary key and certificate files to the F5 BIG-IP host, it used the hard-coded user name "admin" for the `ssh` command to delete these temporary files. If a user name other than "admin" was configured for the F5 BIG-IP host, this caused the routing daemon to leave temporary files on the F5 BIG-IP host. This bug fix updates the F5 iControl REST API model to now consistently uses the value of the BIGIP_USERNAME setting for all `ssh` and `scp` commands. As a result, the routing daemon now deletes the temporary files that it creates on the F5 BIG-IP host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-30 16:37:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2015-06-02 20:01:26 UTC 
Description of problem: 
routing-daemon not removing var/tmp/*.key and var/tmp/*.crt when username is not set to admin in etc/openshift/routing-daemon.conf 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Set the following in etc/openshift/routing-daemon.conf 

BIGIP_HOST=F5LTM
BIGIP_USERNAME=ose
BIGIP_PASSWORD=xxxxxxx
BIGIP_SSHKEY=/etc/openshift/bigip.key

2. After setting up and installing a custom alias with a certificate and key, the routing daemon reports that it’s removing both temp key and cert:

   D, [2015-05-27T09:32:04.687843 #25771] DEBUG -- : LTM removing temporary alias certificate. rm -f /var/tmp/www.example.com.crt
   D, [2015-05-27T09:32:09.921415 #25771] DEBUG -- : LTM removing temporary alias key. rm -f /var/tmp/www.example.com.key

   However, the removal of the temp key does not work. This is verified by looking in /var/tmp/ on the BigIP F% LTM. 

Actual results:

-Logs say they are deleted but nothing is deleted

Expected results:

-Logs get deleted 

Additional info:

Submitted a pull request to upstream:

https://github.com/openshift/origin-server/pull/6156
Comment 2 openshift-github-bot 2015-08-31 20:47:35 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/3ffc5111d90914a6ee96acb61e6e680eb39abd48
routing-daemon: F5: Use configured SSH user

This commit fixes bug 1227501.
Comment 6 Anping Li 2015-09-22 07:03:00 UTC 
The following error message was reported during testing. The cert can be added. so the further testing was blocked. 

W, [2015-09-21T11:19:55.561163 #12237]  WARN -- : Got an exception: undefined method `wrap_exceptions' for #<Hash:0x00000001a6acd8>
D, [2015-09-21T11:19:55.561250 #12237] DEBUG -- : Backtrace:
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-routing-daemon-0.25.1.1/lib/openshift/routing/models/f5-icontrol-rest.rb:63:in `rescue in rest_request'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-routing-daemon-0.25.1.1/lib/openshift/routing/models/f5-icontrol-rest.rb:56:in `rest_request'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-routing-daemon-0.25.1.1/lib/openshift/routing/models/f5-icontrol-rest.rb:87:in `post'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-routing-daemon-0.25.1.1/lib/openshift/routing/models/f5-icontrol-rest.rb:348:in `update'
/opt/rh/ruby193/root/usr/share/gems/gems/openshift-origin-routing-daemon-0.25.1.1/lib/openshift/routing/controllers/load_balancer.rb:143:in `update'
Comment 9 Anping Li 2015-09-24 05:54:29 UTC 
Verified and pass.
1 Create scaled applications
2 Add alias and add cert key.
   rhc alias add sphp www.appsphpalias.com
   rhc alias update-cert --certificate server.crt --private-key server.key sphp www.appsphpalias.com
3. Check the log, the temp key was removed.
I, [2015-09-24T05:44:31.354568 #2913]  INFO -- : Adding ssl configuration for www.sphp-ose2alias.com in pool pool_ose_sphp_demod1_80
D, [2015-09-24T05:44:31.357219 #2913] DEBUG -- : Copying certificate for alias www.sphp-ose2alias.com for pool pool_ose_sphp_demod1_80 to LTM host
D, [2015-09-24T05:44:31.706527 #2913] DEBUG -- : Copying key for alias www.sphp-ose2alias.com for pool pool_ose_sphp_demod1_80 to LTM host
D, [2015-09-24T05:44:31.962057 #2913] DEBUG -- : LTM cert to be installed /var/tmp/www.sphp-ose2alias.com.crt
D, [2015-09-24T05:44:32.085559 #2913] DEBUG -- : LTM cert to be installed /var/tmp/www.sphp-ose2alias.com.key
D, [2015-09-24T05:44:32.161252 #2913] DEBUG -- : LTM creating client-ssl profile for  www.sphp-ose2alias.com
D, [2015-09-24T05:44:32.240973 #2913] DEBUG -- : LTM adding www.sphp-ose2alias.com-ssl-profile client-ssl to https-ose2-vserver
D, [2015-09-24T05:44:32.323537 #2913] DEBUG -- : LTM removing temporary alias certificate
D, [2015-09-24T05:44:32.487678 #2913] DEBUG -- : LTM removing temporary alias key

4.The key/crt are added to Local Traffic->Profiles->ssl->Client. The key was added in the https vserver.

5. Delete this app, the key was dropped.


#v-I, [2015-09-24T05:17:55.199392 #766]  INFO -- : Deleting alias www.appsphpalias.com from pool pool_ose_sphp_demod1_80
Comment 11 errata-xmlrpc 2015-09-30 16:37:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1844.html