Bug 1285551
Summary: | [Director] rhel-osp-director: failing to replace controller on HA deployment. | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Alexander Chuzhoy <sasha> |
Component: | documentation | Assignee: | Dan Macpherson <dmacpher> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | RHOS Documentation Team <rhos-docs> |
Severity: | high | Docs Contact: | |
Priority: | urgent | ||
Version: | 7.0 (Kilo) | CC: | dmacpher, fdinitto, jcoufal, jstransk, mburns, rhel-osp-director-maint, sclewis, srevivo |
Target Milestone: | ga | Keywords: | Documentation |
Target Release: | 8.0 (Liberty) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-06-23 05:29:40 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Alexander Chuzhoy
2015-11-25 23:09:52 UTC
The logs on other controllers are too big to attach. We investigated the environment with Marios, the root cause of Step 6 failing is: Notice: /Stage[main]/Heat::Keystone::Domain/Exec[heat_domain_create]/returns: keystoneclient.openstack.common.apiclient.exceptions.InternalServerError: An unexpected error prevented the server from fulfilling your request: [Errno 13] Permission denied: '/etc/keystone/policy.json' (Disable debug mode to suppress these details.) (HTTP 500) (Request-ID: req-b314b043-211b-48ff-8590-c5446abb359d) The cause of this is wrong ownership of the config files on the newly added controller node (controller-0 correct, controller-3 incorrect): [root@overcloud-controller-0 keystone]# ll total 84 -rw-r-----. 1 root keystone 1504 Apr 30 2015 default_catalog.templates -rw-------. 1 keystone keystone 58431 Nov 25 11:40 keystone.conf -rw-r-----. 1 root keystone 1046 Apr 30 2015 logging.conf -rw-r-----. 1 keystone keystone 8755 Apr 30 2015 policy.json drwxr-xr-x. 4 keystone keystone 32 Nov 25 11:40 ssl -rw-r-----. 1 keystone keystone 665 Apr 30 2015 sso_callback_template.html [root@overcloud-controller-3 keystone]# ll total 84 -rw-r-----. 1 root root 1504 Nov 25 16:22 default_catalog.templates -rw-------. 1 keystone keystone 58431 Nov 25 16:23 keystone.conf -rw-r-----. 1 root root 1046 Nov 25 16:22 logging.conf -rw-r-----. 1 root root 8755 Nov 25 16:22 policy.json drwxr-xr-x. 4 keystone keystone 32 Nov 25 16:22 ssl -rw-r-----. 1 root root 665 Nov 25 16:22 sso_callback_template.html Solution would be to add additional chown commands to the instructions about replacing a new controller node. After the `scp -r stack.0.1:~/keystone /etc/.` there should be this to fix up the ownerships: chown -R keystone: /etc/keystone chown root /etc/keystone/logging.conf /etc/keystone/default_catalog.templates This should result in the same file ownerships as on the original controller nodes. This appears to have been fixed a while ago: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_openstack_platform/7/html/director_installation_and_usage/sect-replacing_controller_nodes#sect-Replacing_Controller_Nodes-Manual_Intervention (see Step 12) |