Bug 1318298

Summary: undercloud install fails
Product: Red Hat OpenStack
Reporter: Dan Yocum <dyocum>
Component: documentation
Assignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: urgent
Priority: urgent
Version: 7.0 (Kilo)
CC: dbecker, dmacpher, dyocum, mburns, morazi, rhel-osp-director-maint, srevivo
Target Milestone: ---
Keywords: Documentation, ZStream
Target Release: 7.0 (Kilo)
Hardware: All
OS: All
Doc Type: Bug Fix
Last Closed: 2016-05-03 16:53:58 UTC
Type: Bug
Attachments: undercloud install stdout (flags: none)

Description Dan Yocum 2016-03-16 13:19:09 UTC
Created attachment 1137018
undercloud install stdout

Description of problem:

openstack undercloud install fails.

Version-Release number of selected component (if applicable):

python-rdomanager-oscplugin-0.0.10-28.el7ost.noarch

How reproducible:

every

Steps to Reproduce:
1. openstack undercloud install

Actual results:

The following cert files already exist, use --rebuild to remove the existing files before regenerating:
/etc/keystone/ssl/certs/ca.pem already exists
/etc/keystone/ssl/private/signing_key.pem already exists
/etc/keystone/ssl/certs/signing_cert.pem already exists
Connection to 10.3.3.1 closed.
PKI initialization in init-keystone is deprecated and will be removed.
+ openstack role show ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://10.3.3.2:13000/v2.0/tokens
+ openstack role create ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://10.3.3.2:13000/v2.0/tokens
[2016-03-15 12:51:20,711] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]

[2016-03-15 12:51:20,712] (os-refresh-config) [ERROR] Aborting...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command
    raise RuntimeError('%s failed. See log for details.', name)
RuntimeError: ('%s failed. See log for details.', 'os-refresh-config')
ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1


Expected results:

success!

Additional info:

Comment 1 Bernie Hoefer 2016-03-17 02:47:13 UTC
I note a similarity between this case and:

  BZ 1242660, "[Docs] [Director] Undercloud deployment with SSL
  fails over SELinux enforcing ( ssl cert needs to be readable by
  haproxy.)"
  <https://bugzilla.redhat.com/show_bug.cgi?id=1242660>

Comment 2 Dan Yocum 2016-03-17 20:49:50 UTC
This is a documentation bug in section Appendix B of the Director Install & Config guide.  In that section it states the following under the "For the Undercloud" section:

$ openssl genrsa -out privkey.pem 2048
$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 365 -config ~/openssl.cnf

and

$ cat cacert.pem privkey.pem > undercloud.pem


This is misleading.  Anyone familiar with CA root certificates will think that they are supposed to cat the CA root cert with the server private key, which makes no sense.  

Please change this to the following:

$ openssl genrsa -out server-key.pem 2048
$ openssl req -new -x509 -key server-key.pem -out server-cert.pem -days 3650 -config ~/openssl.cnf

and

$ cat server-cert.pem server-key.pem > undercloud.pem


(NB: I changed the number of days to 3650, 10 years.)
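
A check for the mix-up Comment 2 describes, added here as an example (it is not part of the bug report or of the Red Hat documentation): it confirms that the private key in a combined PEM belongs to the certificate stored beside it. File names follow Comment 2; the CN, `other-key.pem`, `mismatched.pem` and the function names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a combined PEM such as undercloud.pem.

# Succeed only if the first certificate in bundle $1 carries the same public
# key as the private key stored in the same file.
bundle_pair_matches() {
    local bundle="$1" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 = usable, 1 = key does not belong to the certificate,
# 2 = file lacks a certificate or does not hold exactly one private key.
check_bundle() {
    local bundle="$1" certs keys
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null) || true
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$bundle" 2>/dev/null) || true
    if [ "${certs:-0}" -lt 1 ] || [ "${keys:-0}" -ne 1 ]; then
        echo "$bundle: need at least 1 certificate and exactly 1 private key" >&2
        return 2
    fi
    if ! bundle_pair_matches "$bundle"; then
        echo "$bundle: private key does not match the certificate" >&2
        return 1
    fi
    echo "$bundle: certificate and private key match"
}

# Build constructed sample files in directory $1: a self-signed server
# certificate with its key, an unrelated key, and two bundles made from them.
make_demo_files() {
    local d="$1"
    openssl genrsa -out "$d/server-key.pem" 2048 2>/dev/null &&
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$d/server-key.pem" -out "$d/server-cert.pem" \
        -days 3650 -subj "/CN=undercloud.example.test" 2>/dev/null &&
    cat "$d/server-cert.pem" "$d/server-key.pem" > "$d/undercloud.pem" &&
    cat "$d/server-cert.pem" "$d/other-key.pem" > "$d/mismatched.pem"
}

# Usage: bash check-bundle.sh /path/to/undercloud.pem
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```
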

Comment 6 Dan Macpherson 2016-05-03 03:28:17 UTC
Hi Dan,

The fix should be implemented:

https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/director-installation-and-usage/appendix-a-ssl-tls-certificate-configuration

Any further changes required for this section?

Comment 7 Dan Yocum 2016-05-03 16:16:29 UTC
+1 lgtm