Bug 1756507

Summary: [Docs][OSP 13] Octavia Documentation should contain warning about not setting OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile to a read-only location in the container
Product: Red Hat OpenStack
Reporter: Matt Flusche <mflusche>
Component: documentation
Assignee: Greg Rakauskas <gregraka>
Status: CLOSED NOTABUG
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: medium
Docs Contact:
Priority: medium
Version: 13.0 (Queens)
CC: beagles, ccopello, cgoncalves, dcadzow, gregraka, michjohn
Target Milestone: async
Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Whiteboard: docs-accepted
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1810231, 1810232
Environment:
Last Closed: 2020-03-09 14:52:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1810231, 1810232

Description Matt Flusche 2019-09-27 19:29:53 UTC
Description of problem:

Octavia Documentation should contain warning about not setting OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile to a read-only location in the container.

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/networking_guide/sec-octavia

If the following is set in the deployment environment:

  OctaviaCaCertFile: "/etc/pki/ca-trust/extracted/octavia/ca_02.pem"
  OctaviaCaKeyFile: "/etc/pki/ca-trust/extracted/octavia/cakey02.pem"
  OctaviaClientCertFile: "/etc/pki/ca-trust/extracted/octavia/client.pem"

The octavia containers will fail to start up with the following error in the `docker logs` output:

docker logs octavia_api
[...]
ERROR:__main__:Unexpected error:
Traceback (most recent call last):
  File "/usr/local/bin/kolla_set_configs", line 411, in main
    execute_config_strategy(config)
  File "/usr/local/bin/kolla_set_configs", line 377, in execute_config_strategy
    copy_config(config)
  File "/usr/local/bin/kolla_set_configs", line 306, in copy_config
    config_file.copy()
  File "/usr/local/bin/kolla_set_configs", line 150, in copy
    self._merge_directories(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 92, in _merge_directories
    self._set_properties(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 117, in _set_properties
    self._set_properties_from_file(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 122, in _set_properties_from_file
    shutil.copystat(source, dest)
  File "/usr/lib64/python2.7/shutil.py", line 98, in copystat
    os.utime(dst, (st.st_atime, st.st_mtime))
OSError: [Errno 30] Read-only file system: '/etc/pki/ca-trust/extracted'
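The failure above only surfaces after the containers are started. The following pre-flight check is an added example, not code from the bug report, from Red Hat OpenStack Platform or from kolla: it pulls the three Octavia certificate parameters out of a TripleO environment file and warns when any of them points under a container path that is mounted read-only. The only read-only location the report documents is /etc/pki/ca-trust/extracted (taken from the OSError in the traceback); the prefix list is therefore a placeholder to be extended from your own container images, and the line-based extractor is a simplification that handles only the `Key: "value"` form shown in the report.

```python
"""Pre-flight check for Octavia certificate parameters (added example).

Flags OctaviaCaCertFile, OctaviaCaKeyFile and OctaviaClientCertFile values
that sit under a container path known to be read-only, because
kolla_set_configs copies the files into the container and then calls
shutil.copystat() on the destination, which fails with EROFS there.
"""
import re
from typing import Dict, Iterable, List

# The three parameters named in the bug summary.
OCTAVIA_CERT_PARAMS = ("OctaviaCaCertFile", "OctaviaCaKeyFile", "OctaviaClientCertFile")

# Read-only path prefixes inside the octavia containers.
# Only the first entry comes from the bug report's traceback; add whatever
# else your own images mount read-only (assumption: the list is incomplete).
READ_ONLY_PREFIXES = ("/etc/pki/ca-trust/extracted",)

# Matches lines such as:   OctaviaCaKeyFile: "/etc/pki/.../cakey02.pem"
_PARAM_LINE = re.compile(r'^\s*(Octavia\w+File)\s*:\s*["\']?([^"\'\s#]+)["\']?\s*$')


def extract_cert_params(env_text: str) -> Dict[str, str]:
    """Return the Octavia*File parameters found in a TripleO environment file.

    Line-based on purpose so it runs without PyYAML; it only understands the
    simple scalar form used in the bug report, not anchors or multi-line values.
    """
    found: Dict[str, str] = {}
    for line in env_text.splitlines():
        m = _PARAM_LINE.match(line)
        if m and m.group(1) in OCTAVIA_CERT_PARAMS:
            found[m.group(1)] = m.group(2)
    return found


def _is_under(path: str, prefix: str) -> bool:
    """Prefix match on a path-component boundary.

    /etc/pki/ca-trust/extracted2/x.pem must not match /etc/pki/ca-trust/extracted.
    """
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def check_read_only_paths(params: Dict[str, str],
                          read_only_prefixes: Iterable[str] = READ_ONLY_PREFIXES) -> List[str]:
    """Return one warning string per parameter that points under a read-only prefix."""
    warnings: List[str] = []
    for name in OCTAVIA_CERT_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        for prefix in read_only_prefixes:
            if _is_under(value, prefix):
                warnings.append(
                    f"{name}={value} is under read-only container path {prefix}; "
                    "kolla_set_configs will fail with EROFS when it copies the file "
                    "and sets its attributes, and the octavia containers will not start"
                )
                break
    return warnings


# Constructed sample environment using the exact values from the bug report.
SAMPLE_ENV = """\
parameter_defaults:
  OctaviaCaCertFile: "/etc/pki/ca-trust/extracted/octavia/ca_02.pem"
  OctaviaCaKeyFile: "/etc/pki/ca-trust/extracted/octavia/cakey02.pem"
  OctaviaClientCertFile: "/etc/pki/ca-trust/extracted/octavia/client.pem"
"""

if __name__ == "__main__":
    for warning in check_read_only_paths(extract_cert_params(SAMPLE_ENV)):
        print("WARNING:", warning)
```

Run it against the real environment file before `openstack overcloud deploy`; an empty result means none of the three parameters points into the listed read-only prefixes, which is only as good as the prefix list you maintain for your images.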

Comment 3 Brent Eagles 2019-10-02 15:13:39 UTC
In an abundance of caution, I verified that this is just a documentation issue and not an actual bug. 

I think a simple warning to the effect that the OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile variables specify locations in the container that should not be read-only, as the deployment needs to be able to access them to initialize configuration when starting the container.