Bug 1954374

Summary: [OSP16.1] Keystone healthcheck script fail when we enable Federate as authentication provider
Product: Red Hat OpenStack
Reporter: Khomesh Thakre <kthakre>
Component: openstack-tripleo-common
Assignee: Grzegorz Grasza <ggrasza>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: medium
Priority: medium
Version: 16.1 (Train)
CC: dwilde, ggrasza, mburns, oblaut, slinaber
Target Milestone: zstream
Keywords: TestOnly, Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-common-11.4.1-1.20211013133417.75bd92a
Doc Type: No Doc Update
Last Closed: 2022-03-24 10:59:23 UTC
Type: Bug

Description Khomesh Thakre 2021-04-28 03:35:01 UTC
Description of problem:

For keystone, the healthcheck script is failing with the error below:

~~~
[root@ctl01 conf.d]# /usr/bin/podman exec --user root keystone /openstack/healthcheck
+ . /usr/share/openstack-tripleo-common/healthcheck/common.sh
++ set -x
++ set -euo pipefail
++ : 0
++ '[' 0 -ne 0 ']'
++ exec
++ : 10
++ : curl-healthcheck
++ : '\n%{http_code}' '%{remote_ip}:%{remote_port}' '%{time_total}' 'seconds\n'
++ : /dev/null
++ get_url_from_vhost /etc/httpd/conf.d/10-keystone_wsgi.conf
++ vhost_file=/etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -n /etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -r /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ awk '/ServerName/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ server_name=overcloud.example.com
+++ awk '/SSLEngine/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ ssl_enabled=on
+++ grep -h '<VirtualHost .*>' /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ sed 's/<VirtualHost .*:\(.*\)>/\1/'
++ bind_port=35357
+++ awk '/WSGIScriptAlias/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$'
++ proto=http
++ [[ on == \o\n ]]
++ proto=https
++ [[ /
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ != \/ ]]
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
++ echo https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ check_url='https://overcloud.example.com:35357/ ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ healthcheck_curl https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ '[' 2 == 0 ']'
+ export NSS_SDB_USE_CACHE=no
+ NSS_SDB_USE_CACHE=no
+ curl -g -k -q -s -S --fail -o /dev/null --max-time 10 --user-agent curl-healthcheck --write-out '\n%{http_code} %{remote_ip}:%{remote_port} %{time_total} seconds\n' https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'

curl: (6) Could not resolve host: ^(
~~~

The issue is with the /usr/share/openstack-tripleo-common/healthcheck/common.sh script, in the function below:

~~~
# apachectl -S is slightly harder to parse and doesn't say if the vhost is serving SSL
get_url_from_vhost () {
    vhost_file=$1
    if test -n "${vhost_file}" && test -r "${vhost_file}" ; then
        server_name=$(awk '/ServerName/ {print $2}' $vhost_file)
        ssl_enabled=$(awk '/SSLEngine/ {print $2}' $vhost_file)
        bind_port=$(grep -h "<VirtualHost .*>" $vhost_file | sed 's/<VirtualHost .*:\(.*\)>/\1/')
        wsgi_alias=$(awk '/WSGIScriptAlias/ {print $2}' $vhost_file)  # <<<<< this line returns two matches
        proto=http
        if [[ $ssl_enabled == "on" ]]; then
            proto=https
        fi
        if [[ $wsgi_alias != "/" ]]; then
            wsgi_alias="${wsgi_alias}/"
        fi
        echo ${proto}://${server_name}:${bind_port}${wsgi_alias}
    else
        exit 1
    fi
}
~~~

Awk is getting two matches instead of one:

~~~
[root@ctl01 conf.d]# awk '/WSGIScriptAlias/ {print $2}' 10-keystone_wsgi.conf
/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$
~~~

In a working (non-federated) environment, we only get `/` as output.

~~~
[stack@undercloud-0 ~]$ awk '/WSGIScriptAlias/ {print $2}' /var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d/10-keystone_wsgi.conf 
/
~~~


Version-Release number of selected component (if applicable):
Red Hat Openstack release 16.1 Train

Comment 4 Grzegorz Grasza 2021-05-17 14:19:16 UTC
I was able to reproduce it on OSP 16.1
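
The double match described in this report, and one way to keep the healthcheck URL to a single token, as an added example (not part of the bug report and not the fix shipped in the advisory). The vhost content is constructed, the `WSGIScriptAliasMatch` line is an assumption about what the federation configuration adds, and `alias_strict` and `url_from_vhost` are hypothetical names; the code is written in portable sh.

```shell
#!/bin/sh
# Added example, not the tripleo-common fix. All sample data below is constructed.
set -eu

# Constructed vhost. The WSGIScriptAliasMatch line is an assumed federation
# directive whose name contains the substring "WSGIScriptAlias".
make_sample_vhost () {
    cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:35357>
  ServerName overcloud.example.com
  SSLEngine on
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/keystone"
  WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ "/var/www/cgi-bin/keystone/keystone/$1"
</VirtualHost>
EOF
}

# Extraction as quoted in the report: substring match, every hit is printed.
alias_loose () { awk '/WSGIScriptAlias/ {print $2}' "$1"; }

# Hypothetical stricter variant: exact directive name, first hit only.
alias_strict () { awk '$1 == "WSGIScriptAlias" {print $2; exit}' "$1"; }

# url_from_vhost FILE [EXTRACTOR]: build the check URL with quoted expansions
# and fail closed unless the result is one token made of allowlisted characters.
url_from_vhost () {
    local f="$1" extract="${2:-alias_strict}" name ssl port wsgi_alias url proto=http
    [ -n "$f" ] && [ -r "$f" ] || return 1
    name=$(awk '$1 == "ServerName" {print $2; exit}' "$f")
    ssl=$(awk '$1 == "SSLEngine" {print $2; exit}' "$f")
    port=$(sed -n '/<VirtualHost /{s/.*:\([0-9]*\)>.*/\1/p;q;}' "$f")
    wsgi_alias=$("$extract" "$f")
    if [ "$ssl" = on ]; then proto=https; fi
    if [ "$wsgi_alias" != / ]; then wsgi_alias="${wsgi_alias}/"; fi
    url="${proto}://${name}:${port}${wsgi_alias}"
    case $url in
        *[!A-Za-z0-9:/._-]*) return 1 ;;   # whitespace, newline, regex metacharacters
    esac
    printf '%s\n' "$url"
}

# Demo on the constructed vhost: strict extractor prints one URL, loose one is rejected.
vhost=$(mktemp) && make_sample_vhost "$vhost"
url_from_vhost "$vhost"
url_from_vhost "$vhost" alias_loose || echo "rejected: loose extractor produced an unsafe URL"
rm -f "$vhost"
```

The allowlist check makes the function return non-zero when the parsed value is not a single clean URL, so a parsing problem surfaces at the extraction step rather than as extra words on the `curl` command line.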

Comment 15 errata-xmlrpc 2022-03-24 10:59:23 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986