Bug 1683290

Summary: Rados gateway container does not mount TLS directory
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Gregory Charot <gcharot>
Component: Ceph-AnsibleAssignee: Francesco Pantano <fpantano>
Status: CLOSED ERRATA QA Contact: Vasishta <vashastr>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.2CC: aschoen, ceph-eng-bugs, ceph-qe-bugs, fpantano, gabrioux, gcharot, gfidente, gmeno, johfulto, kdreyer, nthomas, pkundal, sankarshan, scohen, tchandra, tserlin
Target Milestone: z1Keywords: Triaged
Target Release: 3.2   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: RHEL: ceph-ansible-3.2.8-1.el7cp Ubuntu: ceph-ansible_3.2.8-2redhat1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-07 15:51:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1578730    

Description Gregory Charot 2019-02-26 14:21:18 UTC 
Description of problem:

When deploying OSP13 with TLS everywhere and RGW instead of swift, all swift commands fail.

Version-Release number of selected component (if applicable):

13

How reproducible:

Always

Steps to Reproduce:
1. Deploy OSP13 with TLS everywhere (w/ IDM) and RGW
2. openstack container list
3.

Actual results:

[stack@undercloud ~]$ source overcloudrc
(overcloud) [stack@undercloud ~]$ openstack container list
Unauthorized (HTTP 401) (Request-ID: tx0000000000000000018b9-005c7540b7-10b1-default)
(overcloud) [stack@undercloud ~]$ swift list
Account GET failed: https://overcloud.redhat.local:13808/swift/v1?format=json 401 Unauthorized  [first 60 chars of response] {"Code":"AccessDenied","RequestId":"tx0000000000000000018c5-
Failed Transaction ID: tx0000000000000000018c5-005c7540be-109a-default

Expected results:

Ability to perform object operations


Additional info:

The /etc/pki directory is not mounted into the container therefore the certificate cannot be verfied. 

RGW logs show:
2019-02-26 13:46:21.042100 7fd839cfe700  0 curl_easy_perform returned status 60 error: Peer's Certificate issuer is not recognized.
2019-02-26 13:46:21.042266 7fd839cfe700  1 ====== req done req=0x7fd839cf7f90 op status=0 http_status=401 ======
2019-02-26 13:46:21.042328 7fd839cfe700  1 civetweb: 0x55624e82e000: 172.17.3.202 - - [26/Feb/2019:13:46:21 +0000] "GET /swift/v1?format=json HTTP/1.1" 401 0 - osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5

The following steps solve the issue, proper automation work is required to fix this.

On the system(s) hosting the RGW:

Add -v /etc/pki:/etc/pki:ro \
In /etc/systemd/system/ceph-radosgw\@.service

systemctl daemon-reload
systemctl restart ceph-radosgw.service
Comment 2 Gregory Charot 2019-02-26 16:41:11 UTC 
For security reasons you may not want to bind the entire /etc/pki directory
Comment 3 Dimitri Savineau 2019-02-26 16:46:42 UTC 
Could you specify the ceph-ansible version used ? (3.2 I suppose)

While adding the /etc/pki directory seems to resolves the issue we might be more specific on the file/dir path like other OpenStack containers (because we only need the CA)

https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/docker/services/containers-common.yaml#L94-L98
Comment 4 Gregory Charot 2019-02-26 16:50:16 UTC 
 rpm -qa | grep ceph-an
ceph-ansible-3.2.7-1.el7cp.noarch

As for /etc/pki yes agreed, I did mount the entire directory just to find to root cause and as mentioned in my previous comment we should only mount what is actually needed.
Comment 7 Sébastien Han 2019-02-28 09:10:30 UTC 
*** Bug 1683930 has been marked as a duplicate of this bug. ***
Comment 16 errata-xmlrpc 2019-03-07 15:51:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0475