Bug 1361100
| Field | Value |
|---|---|
| Summary | SSL enabled undercloud doesn't configure the AODH public VIP in haproxy |
| Product | Red Hat OpenStack |
| Component | instack-undercloud |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Version | 9.0 (Mitaka) |
| Target Milestone | ga |
| Target Release | 9.0 (Mitaka) |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | instack-undercloud-4.0.0-11.el7ost |
| Last Closed | 2016-08-11 11:37:05 UTC |
| Type | Bug |
| Reporter | Marius Cornea <mcornea> |
| Assignee | Emilien Macchi <emilien> |
| QA Contact | Omri Hochman <ohochman> |
| CC | bperkins, dbecker, emacchi, jason.dobies, jjoyce, mburns, morazi, pkilambi, rhel-osp-director-maint, sasha |
| Keywords | Triaged |
| Doc Type | If docs needed, set a value |

Description
Marius Cornea
2016-07-28 10:56:07 UTC
undercloud upgrade 8.0 -> 9.0 with SSL failed.

We are probably going to have an urgent fix for it: https://review.openstack.org/348893

the logs:
----------
haproxy failed to start --> and caused httpd to fail to start.

```
[root@undercloud72 ~]# haproxy -f /etc/haproxy/haproxy.cfg
[WARNING] 041/010347 (2674) : config : missing timeouts for proxy 'rabbitmq'.
   | While not properly invalid, you will certainly encounter various problems
   | with such a configuration. To fix this, please ensure that all following
   | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
[WARNING] 041/010347 (2674) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
[ALERT] 041/010347 (2674) : Starting proxy aodh: cannot bind socket [192.168.0.3:8042]
[ALERT] 041/010347 (2674) : sendto logger #1 failed: Resource temporarily unavailable (errno=11)
```

Undercloud upgrade view:

```
04:53:40 Error: /Stage[main]/Swift::Keystone::Auth/Keystone::Resource::Service_identity[swift]/Keystone_user[swift]: Could not evaluate: Execution of '/bin/openstack domain list --quiet --format csv' returned 1: Unable to establish connection to http://192.168.0.1:35357/v3/domains (tried 37, for a total of 170 seconds)
04:56:19 Error: Could not prefetch keystone_tenant provider 'openstack': Execution of '/bin/openstack project list --quiet --format csv --long' returned 1: Unable to establish connection to http://192.168.0.1:35357/v3/projects (tried 37, for a total of 170 seconds)
04:56:19 Error: Not managing Keystone_tenant[service] due to earlier Keystone API failures.
04:56:19 Error: /Stage[main]/Keystone::Roles::Admin/Keystone_tenant[service]/ensure: change from absent to present failed: Not managing Keystone_tenant[service] due to earlier Keystone API failures.
04:56:19 Error: Not managing Keystone_tenant[admin] due to earlier Keystone API failures.
04:56:19 Error: /Stage[main]/Keystone::Roles::Admin/Keystone_tenant[admin]/ensure: change from absent to present failed: Not managing Keystone_tenant[admin] due to earlier Keystone API failures.
04:56:19 Error: Not managing Keystone_role[admin] due to earlier Keystone API failures.
04:56:19 Error: /Stage[main]/Keystone::Roles::Admin/Keystone_role[admin]/ensure: change from absent to present failed: Not managing Keystone_role[admin] due to earlier Keystone API failures.
```

I'm unable to deploy undercloud with ssl, attaching the install-undercloud.log

Created attachment 1185720
install-undercloud.log

Unable to reproduce with newest poodle. Waiting for the fix to be merged in puddle in order to switch the bug to Verified.

Verified with: instack-undercloud-4.0.0-11.el7ost.noarch
[stack@undercloud72 ~]$ aodh alarm list
ohochman: output of the 'aodh alarm list' is empty < >, but the connection seems to work successfully.
```
[stack@undercloud72 ~]$ cat /etc/haproxy/haproxy.cfg
# This file managed by Puppet
global
  daemon
  group haproxy
  log /dev/log local0
  maxconn 20480
  pidfile /var/run/haproxy.pid
  ssl-default-bind-ciphers !SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES
  ssl-default-bind-options no-sslv3
  user haproxy

defaults
  log global
  maxconn 4096
  mode tcp
  retries 3
  timeout http-request 10s
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout check 10s

listen aodh
  bind 192.168.0.2:13042 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8042 transparent
  server 192.168.0.1 192.168.0.1:8042 check fall 5 inter 2000 rise 2

listen ceilometer
  bind 192.168.0.2:13777 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8777 transparent
  server 192.168.0.1 192.168.0.1:8777 check fall 5 inter 2000 rise 2

listen glance_api
  bind 192.168.0.2:13292 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:9292 transparent
  server 192.168.0.1 192.168.0.1:9292 check fall 5 inter 2000 rise 2

listen glance_registry
  bind 192.168.0.3:9191 transparent
  server 192.168.0.1 192.168.0.1:9191 check fall 5 inter 2000 rise 2

listen haproxy.stats
  bind 192.168.0.3:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:9520b081400d225c5463eefbe051cfc168f528d4

listen heat_api
  bind 192.168.0.2:13004 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8004 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  rsprep ^Location:\ http://192.168.0.2(.*) Location:\ https://192.168.0.2\1
  server 192.168.0.1 192.168.0.1:8004 check fall 5 inter 2000 rise 2

listen ironic
  bind 192.168.0.2:13385 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:6385 transparent
  server 192.168.0.1 192.168.0.1:6385 check fall 5 inter 2000 rise 2

listen keystone_admin
  bind 192.168.0.2:13357 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server 192.168.0.1 192.168.0.1:35357 check fall 5 inter 2000 rise 2

listen keystone_public
  bind 192.168.0.2:13000 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:5000 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server 192.168.0.1 192.168.0.1:5000 check fall 5 inter 2000 rise 2

listen neutron
  bind 192.168.0.2:13696 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:9696 transparent
  server 192.168.0.1 192.168.0.1:9696 check fall 5 inter 2000 rise 2

listen nova_metadata
  bind 192.168.0.3:8775 transparent
  server 192.168.0.1 192.168.0.1:8775 check fall 5 inter 2000 rise 2

listen nova_osapi
  bind 192.168.0.2:13774 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8774 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server 192.168.0.1 192.168.0.1:8774 check fall 5 inter 2000 rise 2

listen rabbitmq
  bind 192.168.0.3:5672 transparent
  option tcpka
  timeout client 0
  timeout server 0
  server 192.168.0.1 192.168.0.1:5672 check fall 5 inter 2000 rise 2

listen swift_proxy_server
  bind 192.168.0.2:13808 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8080 transparent
  server 192.168.0.1 192.168.0.1:8080 check fall 5 inter 2000 rise 2
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1599.html
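A check for the condition named in this bug's summary, as an added example (not code from the bug report or from instack-undercloud): it parses an haproxy.cfg and lists the `listen` sections that have no TLS-terminated `bind` on the public VIP. The function names, the `internal_only` parameter and the sample config are assumptions; the sample is constructed from the file quoted above, with the `aodh` public bind left out to match the summary, since the pre-fix file itself is not on the page.

```python
# Constructed sample: three sections in the style of the quoted haproxy.cfg.
# 'aodh' is written WITHOUT a public-VIP TLS bind (assumed pre-fix state).
SAMPLE_CFG = """\
# This file managed by Puppet
listen aodh
  bind 192.168.0.3:8042 transparent
  server 192.168.0.1 192.168.0.1:8042 check fall 5 inter 2000 rise 2
listen ceilometer
  bind 192.168.0.2:13777 transparent ssl crt /etc/pki/instack-certs/undercloud.pem
  bind 192.168.0.3:8777 transparent
  server 192.168.0.1 192.168.0.1:8777 check fall 5 inter 2000 rise 2
listen rabbitmq
  bind 192.168.0.3:5672 transparent
  server 192.168.0.1 192.168.0.1:5672 check fall 5 inter 2000 rise 2
"""

SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}


def parse_binds(cfg_text):
    """Return {listen_name: [(address, port, has_ssl), ...]}."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            # Any section header ends the previous one; only track 'listen'.
            current = None
            if tokens[0] == "listen" and len(tokens) > 1:
                current = sections.setdefault(tokens[1], [])
        elif tokens[0] == "bind" and current is not None and len(tokens) > 1:
            addr, _, port = tokens[1].rpartition(":")
            # 'ssl' as a standalone bind option means TLS is terminated here.
            current.append((addr, port, "ssl" in tokens[2:]))
    return sections


def missing_public_tls(cfg_text, public_vip, internal_only=()):
    """Sorted names of listen sections with no TLS bind on public_vip."""
    return sorted(
        name
        for name, binds in parse_binds(cfg_text).items()
        if name not in internal_only
        and not any(addr == public_vip and ssl for addr, _, ssl in binds)
    )


if __name__ == "__main__":
    # rabbitmq has no public bind in the verified config either, so exempt it.
    print(missing_public_tls(SAMPLE_CFG, "192.168.0.2", internal_only={"rabbitmq"}))
```

Run against the verified config quoted above, the sections without a public TLS bind are `glance_registry`, `haproxy.stats`, `nova_metadata` and `rabbitmq`; list those in `internal_only` if they are meant to stay off the public VIP.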