Bug 2234820

Summary: [hackfest] After deploying the OSP Director, the ironic_pxe_http container is in unhealthy state
Product: Red Hat OpenStack
Reporter: Darin Sorrentino <dsorrent>
Component: openstack-tripleo-common
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: David Rosenfeld <drosenfe>
Severity: medium
Priority: medium
Version: 17.1 (Wallaby)
CC: cory.bannister, gregraka, jschluet, mburns, mlaniel, morazi, sbaker, slinaber
Target Milestone: z2
Keywords: Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-common-15.4.1-17.1.20230919180810.df8edc6.el9ost puppet-tripleo-14.2.3-17.1.20230919150819.82aeae3.el9ost
Doc Type: If docs needed, set a value
Last Closed: 2024-01-16 14:32:52 UTC
Type: Bug

Description Darin Sorrentino 2023-08-25 14:35:11 UTC
Description of problem:

After deploying, the ironic_pxe_http container is unhealthy.  Looking into the issue, it looks like the problem stems from the healthcheck script not being able to get a directory listing on /var/lib/ironic/httpboot because the autoindex module is not loaded.

I was able to work around this by:

cat <<EOF>>/var/lib/config-data/puppet-generated/ironic/etc/httpd/conf.modules.d/autoindex.conf
IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip x-bzip2

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif /core
AddIcon (SND,/icons/sound2.gif) .ogg
AddIcon (VID,/icons/movie.gif) .ogm

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

AddIcon /icons/odf6odt.png .odt
AddIcon /icons/odf6ods.png .ods
AddIcon /icons/odf6odp.png .odp
AddIcon /icons/odf6odg.png .odg
AddIcon /icons/odf6odc.png .odc
AddIcon /icons/odf6odf.png .odf
AddIcon /icons/odf6odb.png .odb
AddIcon /icons/odf6odi.png .odi
AddIcon /icons/odf6odm.png .odm


AddIcon /icons/odf6ott.png .ott
AddIcon /icons/odf6ots.png .ots
AddIcon /icons/odf6otp.png .otp
AddIcon /icons/odf6otg.png .otg
IndexIgnore .??* *~ *# HEADER.html README.html RCS CVS *,v *,t
EOF

cat <<EOF>>/var/lib/config-data/puppet-generated/ironic/etc/httpd/conf.modules.d/autoindex.load
LoadModule autoindex_module modules/mod_autoindex.so
EOF

podman restart ironic_pxe_http

The container remains healthy.

Version-Release number of selected component (if applicable):
17.1

How reproducible:
100%

Steps to Reproduce:
1. podman ps | grep ironic_pxe_http # Notice unhealthy container
2. Perform steps above
3. podman ps | grep ironic_pxe_http # Notice healthy container

Actual results:


Expected results:


Additional info:

Comment 1 Takashi Kajinami 2023-08-25 15:01:17 UTC
The change https://review.opendev.org/c/openstack/tripleo-heat-templates/+/855562 we recently backported to stable/wallaby disabled autoindex.

We can probably enable it back again for ironic pxe though I don't think exposing that default index is a good idea,
because we have seen several users who prefer limiting contents accessible in any apache server for "security hardening".

Comment 2 Steve Baker 2023-09-05 02:54:04 UTC
Rather than change the apache config, puppet-ironic could touch a /var/lib/ironic/httpboot/index.html file so the response for this request is a 200 instead of a 403.

Setting NEEDINFO for Takashi's opinion on this approach.

Comment 3 Takashi Kajinami 2023-09-05 03:41:22 UTC
That would be a reasonable approach but I may have a few suggestions.

1.
I think it's better that we create the file in puppet-tripleo instead of puppet-ironic,
because the requirement of an accessible file is specific to TripleO
(specifically speaking its healthcheck implementation).

2.
We can create index.html or we may probably want to use a more specific path.
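
Added example (not part of the bug thread and not TripleO's own healthcheck): a shell check for the end state proposed in Comments 2 and 3, where mod_autoindex stays unloaded and a fetchable file exists under the httpboot directory. The function name `check_pxe_http`, its result strings and the default probe name are assumptions; the probe path is a parameter because Comment 3 leaves it open.

```shell
#!/bin/sh
# Added example, not TripleO's healthcheck. Audits a host for the state this
# bug discusses: mod_autoindex kept off, plus a file the healthcheck can fetch.
# Assumption: a LoadModule line is treated as exposure; per-directory
# "Options -Indexes" overrides are not evaluated.

# check_pxe_http CONF_DIR DOCROOT [PROBE_FILE]
#   prints "ok"               -> autoindex not loaded, probe file readable
#   prints "no-probe-file"    -> autoindex not loaded, nothing to fetch
#   prints "listing-exposed"  -> autoindex_module is loaded
check_pxe_http() {
    conf_dir=$1
    docroot=$2
    probe=${3:-index.html}

    # Only uncommented LoadModule lines count; "#LoadModule ..." is ignored.
    if grep -rEqs '^[[:space:]]*LoadModule[[:space:]]+autoindex_module([[:space:]]|$)' "$conf_dir"; then
        echo "listing-exposed"
        return 2
    fi

    # A regular, readable file gives the probe a target other than the directory.
    if [ -f "$docroot/$probe" ] && [ -r "$docroot/$probe" ]; then
        echo "ok"
        return 0
    fi

    echo "no-probe-file"
    return 1
}

# Constructed sample tree so the script runs offline; on a deployed node, pass
# the conf.modules.d directory and /var/lib/ironic/httpboot from the report.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/conf.modules.d" "$demo_root/httpboot"
printf '#LoadModule autoindex_module modules/mod_autoindex.so\n' \
    > "$demo_root/conf.modules.d/autoindex.load"
check_pxe_http "$demo_root/conf.modules.d" "$demo_root/httpboot" || true
: > "$demo_root/httpboot/index.html"
check_pxe_http "$demo_root/conf.modules.d" "$demo_root/httpboot"
rm -rf "$demo_root"
```

The non-zero return codes let the function be used directly as a gate in a deployment or compliance job.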

Comment 4 Takashi Kajinami 2023-09-06 04:28:42 UTC
I've drafted the changes needed to implement the ideas above https://review.opendev.org/q/topic:pxe-healthcheck

I attempted to verify it in CI but it seems upstream CI does not pull the change in puppet-ironic in testing, for some reason.

Comment 24 errata-xmlrpc 2024-01-16 14:32:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenStack Platform 17.1 (openstack-tripleo-common) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:0216

Comment 25 Red Hat Bugzilla 2024-05-16 04:25:19 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.