Bug 1792477

Summary: Cinder fails to run A/A when deployed with TLS-everywhere
Product: Red Hat OpenStack
Reporter: Alan Bishop <abishop>
Component: openstack-tripleo-heat-templates
Assignee: Alan Bishop <abishop>
Status: CLOSED DUPLICATE
QA Contact: Tzach Shefi <tshefi>
Severity: high
Docs Contact: Chuck Copello <ccopello>
Priority: high
Version: 15.0 (Stein)
CC: amcleod, gcharot, gfidente, jamsmith, jvisser, mburns, pgrist, spower, sputhenp
Target Milestone: z2
Keywords: Tracking, Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-0.20200608073443.f604618.el8ost
Doc Type: Bug Fix
Doc Text:
Before this update, the overcloud deployment process did not create the TLS certificate necessary for the Block Storage service (cinder) to run in active/active mode. As a result, cinder services failed during start-up. With this update, the deployment process creates the TLS certificate correctly and the Block Storage service can run in active/active mode with TLS-everywhere.
Last Closed: 2020-07-08 22:38:26 UTC
Type: Bug

Description Alan Bishop 2020-01-17 17:14:03 UTC
Description of problem:

The Distributed Lock Manager (DLM) that cinder uses when running A/A is broken when deployed with TLS-everywhere. Several problems have been uncovered, and this BZ is intended to be a tracker.

When running A/A, cinder uses etcd (via an etcd HTTP gateway) for its DLM. The following issues have been noted when TLS-everywhere is included in the overcloud deployment:

1. Puppet-tripleo fails when trying to set the permission on etcd’s TLS cert and key files.
2. THT fails to bind etcd’s cert and key files into the etcd container.
3. The DLM (tooz's coordination library) doesn’t have a driver that supports etcd3 with HTTPS (it only supports HTTP).

The first two issues are bugs that warrant their own BZ. However, fixing the third issue will require an enhancement to tooz (not a bug fix).

Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Deploy cinder A/A with TLS-everywhere

Actual results:

Cinder services fail to start.

Expected results:

Things work.

Additional info:
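
The third issue in the description can be checked for from the deployed configuration. The following is an added example, not code from this bug report or from cinder, tooz or TripleO: it reads a cinder.conf fragment and reports when an active/active cinder is pointed at the plain-HTTP etcd3 gateway driver in a TLS-everywhere deployment. It assumes A/A is enabled by the `cluster` option in `[DEFAULT]` and the DLM is set by `backend_url` in `[coordination]`; the sample file, host name and cluster name are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample cinder.conf fragment; host and cluster names are placeholders.
SAMPLE_CINDER_CONF = """\
[DEFAULT]
cluster = example-cluster

[coordination]
backend_url = etcd3+http://etcd.example.test:2379
"""

# tooz URL scheme for the etcd3 HTTP gateway driver, which speaks plain HTTP only.
PLAINTEXT_GATEWAY_SCHEMES = {"etcd3+http"}


def audit_dlm(conf_text, tls_everywhere):
    """Classify the cinder DLM configuration.

    Returns "not-active-active", "no-backend-url", "plaintext-gateway" or "ok".
    """
    # oslo.config files are INI-style; interpolation is disabled so '%' in values is kept.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)

    # Without a cluster name cinder-volume is not running active/active.
    if not parser.get("DEFAULT", "cluster", fallback="").strip():
        return "not-active-active"

    backend_url = parser.get("coordination", "backend_url", fallback="").strip()
    if not backend_url:
        return "no-backend-url"

    scheme = urlsplit(backend_url).scheme.lower()
    if tls_everywhere and scheme in PLAINTEXT_GATEWAY_SCHEMES:
        # etcd is deployed with TLS but the driver can only send HTTP (issue 3 above).
        return "plaintext-gateway"
    return "ok"


if __name__ == "__main__":
    print(audit_dlm(SAMPLE_CINDER_CONF, tls_everywhere=True))
```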