Bug 1659078
Summary: | Octavia with TLS everywhere infrared deployment fails | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Bernard Cafarelli <bcafarel>
Component: | openstack-tripleo | Assignee: | Brent Eagles <beagles>
Status: | CLOSED WORKSFORME | QA Contact: | Arik Chernetsky <achernet>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 14.0 (Rocky) | CC: | abregman, bcafarel, cgoncalves, hrybacki, ihrachys, jagee, josorior, lpeer, majopela, mburns
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-02-21 14:44:54 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
Bernard Cafarelli
2018-12-13 14:14:25 UTC
Created attachment 1514066: /var/lib/mistral/overcloud/ansible.log
Created attachment 1514067: overcloud_install.log
Maybe relevant to this hosts issue, after deployment fails, I created an overcloudrc file:

    . stackrc; openstack overcloud credentials overcloud

It has:

    export OS_AUTH_URL=https://overcloud.redhat.local:13000/v3

and trying to use this file for CLI commands fails:

    (overcloud) [stack@undercloud-0 ~]$ openstack server list
    Failed to discover available identity versions when contacting https://overcloud.redhat.local:13000/v3. Attempting to parse version from URL.
    Unable to establish connection to https://overcloud.redhat.local:13000/v3/auth/tokens: HTTPSConnectionPool(host='overcloud.redhat.local', port=13000): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f9e28361710>: Failed to establish a new connection: [Errno -2] Nom ou service inconnu',))

So I guess the hosts are updated later on TLS everywhere deployments? (which may not be enough for Octavia steps, if container uses another hosts file)

Moving to DFG:Security as this regards TLS everywhere.

For reference, the image upload part mentioned here is run by config-download on step 5. Specifically, https://github.com/openstack/tripleo-common/blob/master/playbooks/octavia-files.yaml and https://github.com/openstack/tripleo-common/blob/master/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml

(In reply to Bernard Cafarelli from comment #3)
> Maybe relevant to this hosts issue, after deployment fails, I created an
> overcloudrc file:
> . stackrc; openstack overcloud credentials overcloud
>
> It has:
> export OS_AUTH_URL=https://overcloud.redhat.local:13000/v3
>
> and trying to use this file for CLI commands fails:
> (overcloud) [stack@undercloud-0 ~]$ openstack server list
> Failed to discover available identity versions when contacting
> https://overcloud.redhat.local:13000/v3. Attempting to parse version from
> URL.
> Unable to establish connection to
> https://overcloud.redhat.local:13000/v3/auth/tokens:
> HTTPSConnectionPool(host='overcloud.redhat.local', port=13000): Max retries
> exceeded with url: /v3/auth/tokens (Caused by
> NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at
> 0x7f9e28361710>: Failed to establish a new connection: [Errno -2] Nom ou
> service inconnu',))
>
> So I guess the hosts are updated later on TLS everywhere deployments? (which
> may not be enough for Octavia steps, if container uses another hosts file)

Hi Bernard, it looks like you might want to try and use haproxy-public-tls-certmonger.yaml for your overcloud as well as a public_vip mapping. You will need to add the following DNS entries on the IPA server. Adjust the info lab.local to redhat.local for your setup. From the hypervisor you can ssh to the freeipa-0 VM. Feel free to reach out to me if you have questions.

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/integrate_with_identity_service/idm-novajoin#configure_dns_entries_for_novajoin

Adding NEEDINFO to raise visibility of comment#5 to Bernard. Did Jeremy's comment address the issue?

Hi Juan, yes, this outlined procedure sounds like the way to fix this issue; we should also have support for it in infrared.
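An added example, not part of the bug report and not TripleO or infrared code: a check that tells the name-resolution failure shown in comment #3 (`[Errno -2]`) apart from a later TLS problem, by reading the endpoint from an overcloudrc file and looking for its name in a hosts file. The function names, the sample rc and hosts text, and the IP addresses are constructed for illustration.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the report (IP addresses are made up).
SAMPLE_RC = "export OS_AUTH_URL=https://overcloud.redhat.local:13000/v3\n"
SAMPLE_HOSTS = """127.0.0.1 localhost
# 10.0.0.101 overcloud.redhat.local   (commented out: must not count)
192.168.24.1 undercloud-0.redhat.local undercloud-0
"""

def auth_endpoint(rc_text):
    """Return (host, port) from the OS_AUTH_URL line of an overcloudrc file."""
    m = re.search(r"^\s*(?:export\s+)?OS_AUTH_URL=['\"]?([^'\"\s]+)", rc_text, re.M)
    if not m:
        raise ValueError("no OS_AUTH_URL in rc file")
    url = urlsplit(m.group(1))
    return url.hostname, url.port or (443 if url.scheme == "https" else 80)

def hosts_names(hosts_text):
    """Map each name in hosts-file text to its address, ignoring comments."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names

def diagnose(rc_text, hosts_text, resolver=socket.getaddrinfo):
    """Say whether the auth endpoint name resolves, and whether hosts lists it."""
    host, port = auth_endpoint(rc_text)
    in_hosts = hosts_names(hosts_text).get(host.lower())
    try:
        addrs = sorted({ai[4][0] for ai in resolver(host, port, type=socket.SOCK_STREAM)})
    except socket.gaierror as exc:
        # Same failure class as "[Errno -2]" in the report: the name is unknown,
        # so no TCP connection or TLS handshake was ever attempted.
        return {"host": host, "port": port, "resolves": False,
                "hosts_file": in_hosts, "error": exc.errno}
    return {"host": host, "port": port, "resolves": True,
            "hosts_file": in_hosts, "addresses": addrs}

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        print(diagnose(SAMPLE_RC, fh.read()))
```

Running the same check with the hosts file from inside a container and from the host shows whether the two see different entries, which is the question raised in comment #3.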