Bug 2234820
Summary: | [hackfest] After deploying the OSP Director, the ironic_pxe_http container is in unhealthy state | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Darin Sorrentino <dsorrent> |
Component: | openstack-tripleo-common | Assignee: | Nobody <nobody> |
Status: | CLOSED ERRATA | QA Contact: | David Rosenfeld <drosenfe> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 17.1 (Wallaby) | CC: | cory.bannister, gregraka, jschluet, mburns, mlaniel, morazi, sbaker, slinaber |
Target Milestone: | z2 | Keywords: | Triaged |
Target Release: | 17.1 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openstack-tripleo-common-15.4.1-17.1.20230919180810.df8edc6.el9ost puppet-tripleo-14.2.3-17.1.20230919150819.82aeae3.el9ost | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2024-01-16 14:32:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Darin Sorrentino
2023-08-25 14:35:11 UTC
The change https://review.opendev.org/c/openstack/tripleo-heat-templates/+/855562 we recently backported to stable/wallaby disabled autoindex. We can probably enable it back again for ironic pxe though I don't think exposing that default index is a good idea, because we have seen several users who prefer limiting contents accessible in any apache server for "security hardening". Rather than change the apache config, puppet-ironic could touch an /var/lib/ironic/httpboot/index.html file so the response for this request is a 200 instead of a 403. Setting NEEDINFO for Takashi's opinion on this approach That would be a reasonable approach but I may have a few suggestions. 1. I think it's better that we create the file in puppet-tripleo instead if puppet-ironic, because the requirement of an accessible file is specific to TripleO (specifically speaking its healthcheck implementation). 2. We can create index.html or we may probably want to use a more specific path. I've drafted the changes needed to implement the ideas above https://review.opendev.org/q/topic:pxe-healthcheck I attempted to verify it in CI but it seems upstream CI does not pull the change in puppet-ironic in testing, for some reason. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Red Hat OpenStack Platform 17.1 (openstack-tripleo-common) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:0216 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |