Bug 966094
| Field | Value |
|---|---|
| Summary | Openstack Installer: packstack fail to configure horizon to work with SSL |
| Product | Red Hat OpenStack |
| Component | openstack-packstack |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Version | 3.0 |
| Target Milestone | z1 |
| Target Release | 4.0 |
| Hardware | Unspecified |
| OS | Linux |
| Reporter | Nir Magnezi <nmagnezi> |
| Assignee | Ivan Chavero <ichavero> |
| QA Contact | Nir Magnezi <nmagnezi> |
| CC | aortega, apevec, derekh, ichavero, jkt, mlopes, mmagr |
| Keywords | Regression, TestOnly, ZStream |
| Fixed In Version | openstack-packstack-2013.2.1-0.14.dev919.el6ost |
| Doc Type | Known Issue |
| Last Closed | 2014-01-23 14:21:15 UTC |
| Type | Bug |
| Bug Blocks | 955316, 1054498, 1061689 |

Doc Text:

Dashboard SSL configuration is not applied when specified in the Packstack answer file. This behaviour is due to Nagios deleting Apache's SSL configuration.
The workaround is to disable Nagios at installation time:
"packstack --os-horizon-ssl=y --nagios-install=n --allinone"

Description
Nir Magnezi
2013-05-22 13:05:39 UTC
Tested NVR: openstack-packstack-2013.2.1-0.9.dev840.el6ost.noarch

Followed Comment #0

Result:
=======
httpd listen both to port 80 and 443

```
# netstat -ntpl | grep httpd
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      3362/httpd
tcp        0      0 :::443          :::*            LISTEN      3362/httpd
```

SSL is not enabled by default in horizon, you have to set CONFIG_HORIZON_SSL=y or --os-horizon-ssl=y

(In reply to Ivan Chavero from comment #7)
> SSL is not enabled by default in horizon, you have to set
> CONFIG_HORIZON_SSL=y or --os-horizon-ssl=y

I did.

I found the problem, fixing it right now

Tested with this command line: '--allinone --use-epel=y --os-horizon-ssl=y' twice and everything works fine.

did you try to enter the dashboard via web browser?

an nmap scan gives me this:

```
nmap 192.168.100.197

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-12 11:16 MST
Nmap scan report for 192.168.100.197
Host is up (0.71s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  open   https
8080/tcp closed http-proxy
```

(In reply to Ivan Chavero from comment #10)
> Tested with this command line: '--allinone --use-epel=y --os-horizon-ssl=y'
> twice and everything works fine.
>
> did you try to enter the dashboard via web browser?

yup.

>
> an nmap scan gives me this:
>
> nmap 192.168.100.197
>
> Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-12 11:16 MST
> Nmap scan report for 192.168.100.197
> Host is up (0.71s latency).
> Not shown: 997 filtered ports
> PORT STATE SERVICE
> 22/tcp open ssh
> 443/tcp open https
> 8080/tcp closed http-proxy

This is different from what I saw.
I tried to reproduce this once again (with the same packstack version) and now I see httpd only listen to port 80

How I installed it: packstack --allinone --os-horizon-ssl=y -d

I did not use EPEL since I installed RHOS.

I ran packstack for the second time, using the same answer file as I used in Comment #11 (allinone) only this time I changed the IP of horizon to a different node.
Results are the same as in Comment #6

```
# netstat -ntpl | grep httpd
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN      4782/httpd
tcp        0      0 :::443          :::*            LISTEN      4782/httpd
```

both http and https are available via browser.

The 443 port seems to have been bound only to the IPv6 interface.

yes, the netstat command gives me just the ipv6 address also, but all my tests tell me that the server is listening on port 443 on ipv4.

can you try this command?

```
openssl s_client -connect 192.168.100.165:443
```

you should get an output like this:

```
CONNECTED(00000003)
depth=0 C = --, ST = State, L = City, O = openstack, OU = packstack, CN = rhel6.5, emailAddress = admin
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = State, L = City, O = openstack, OU = packstack, CN = rhel6.5, emailAddress = admin
verify return:1
---
Certificate chain
```

I noticed that the generated configuration in /etc/httpd/conf.d/ssl.conf is this

```
SSLCertificateKeyFile /etc/pki/tls/private/ssl_ps_server.key
Listen 443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ssl_ps_server.crt
```

The server will listen in all interfaces so that's why it could be showing the ipv6 interface. I can change the Listen line to:

```
Listen 0.0.0.0:443
```

to make it just listen to ipv4.

The puppet horizon package is adding a Listen 0.0.0.0:80 that's why it's appearing in the netstat even though we're commenting a Listen 80 line in packstack's manifests. I'm correcting this behaviour.
Letting the Listen 443 so it listens in all interfaces

Merged

Tested NVR: openstack-packstack-2013.2.1-0.20.dev936.el6ost.noarch

Configured CONFIG_HORIZON_SSL=y , yet I ended up with httpd that listens to port 80

```
[root@puma03 ~]# netstat -ntpl | grep httpd
tcp        0      0 :::80           :::*            LISTEN      7074/httpd
```

Created attachment 837613 [details]
packstack logs (DEBUG)
packstack logs
Successfully tested with openstack-packstack-2013.2.1-0.18.dev934.el6ost.noarch.rpm

testing again with: openstack-packstack-2013.2.1-0.20.dev936.el6ost.noarch

re-opening.

Tested NVR: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch
Puddle: 2014-01-13.5

Test Steps:
===========
1. Configured packstack answer file to enable horizon SSL

```
# grep -i HORIZON_SSL ANSWER_FILE
CONFIG_HORIZON_SSL=y
```

2. ran packstack using that answer file

Result:
=======

```
# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State       PID/Program name
tcp        0      0 :::80               :::*                LISTEN      6912/httpd
```

Created attachment 850336 [details]
ssl dashboard screenshot
Installed: openstack-packstack-2013.2.1-0.22.dev956.el6ost

created answer file: packstack --gen-answer-file

edit and set: CONFIG_HORIZON_SSL=y

run packstack -d --answer-file=ans.txt

after a successful installation check:

```
$ curl --insecure https://192.168.100.169
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://192.168.100.169/dashboard/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at 192.168.100.169 Port 443</address>
</body></html>
[ichavero@cloud qpid]$ curl --insecure https://192.168.100.169/dashboard
<!DOCTYPE html>
<html lang="en" xml:lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Login - OpenStack Dashboard</title>
<link rel="stylesheet" href="/static/dashboard/css/291184af72d2.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.ico"/>
</head>
<body id="splash">
<div class="container">
<div class="row large-rounded">
<div id="" class="login ">
<div class="modal-header">
<h3>Log In</h3>
</div>
<form id="" autocomplete="on" class="" action="/dashboard/auth/login/" method="POST" ><div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='ItVQzMDqRVeS55fPCHy6Sk6iQmeE5BW5' /></div>
<div class="modal-body clearfix">
<fieldset>
<input type="hidden" name="region" value="http://192.168.100.169:5000/v2.0" id="id_region" />
<div class="control-group form-field clearfix ">
<label for="id_username">User Name</label>
<span class="help-block"></span>
<div class="input">
<input type="text" name="username" id="id_username" />
</div>
</div>
<div class="control-group form-field clearfix ">
<label for="id_password">Password</label>
<span class="help-block"></span>
<div class="input">
<input type="password" name="password" id="id_password" />
</div>
</div>
</fieldset>
</div>
<div class="modal-footer">
<button type="submit" class="btn btn-primary pull-right">Sign In</button>
</div>
</form>
</div>
</div>
</div>
</body>
</html>
```

re-opening.

Tested NVR: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch
RHOS Puddle: 2014-01-13.5

Tested as follows:

1. packstack --os-horizon-ssl=y --allinone -d

2. post installation, Verified the created answer file:

```
# grep HORIZON_SSL packstack-answers-20140116-130956.txt
CONFIG_HORIZON_SSL=y
```

3. check the port that httpd listens to: (should be 443)

```
# netstat -ntpl | grep httpd
tcp        0      0 :::80           :::*            LISTEN      23468/httpd
```

4. Followed a step from comment #30:

checked https (failed):

```
[root@nmagnezi-os-allinone ~]# curl --insecure https://<IP_ADDRESS>
curl: (7) couldn't connect to host
```

checked http:

```
[root@nmagnezi-os-allinone ~]# curl --insecure http://<IP_ADDRESS>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://<IP_ADDRESS>/dashboard/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at <IP_ADDRESS> Port 80</address>
</body></html>
```

I installed 4 setups and got the same results (port 80 and not 443)

Testing the same way as #31

```
Finalizing... [ DONE ]

 **** Installation completed successfully ******

Additional information:
 * Time synchronization installation was skipped. Please note that unsynchronized time on server instances might be problem for some OpenStack components.
 * File /root/keystonerc_admin has been created on OpenStack client host 192.168.122.25. To use the command line tools you need to source the file.
 * Copy of keystonerc_admin file has been created for non-root user in /home/para.
 * NOTE : A certificate was generated to be used for ssl, You should change the ssl certificate configured in /etc/httpd/conf.d/ssl.conf on 192.168.122.25 to use a CA signed cert.
 * To access the OpenStack Dashboard browse to https://192.168.122.25/dashboard. Please, find your login credentials stored in the keystonerc_admin in your home directory.
 * The installation log file is available at: /var/tmp/packstack/20140116-183214-3C8SYf/openstack-setup.log
 * The generated manifests are available at: /var/tmp/packstack/20140116-183214-3C8SYf/manifests
[para@virtual-rhel ~]$ curl --insecure https://192.168.122.25
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://192.168.122.25/dashboard/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at 192.168.122.25 Port 443</address>
</body></html>
[para@virtual-rhel ~]$ curl --insecure https://192.168.122.25/dashboard
<!DOCTYPE html>
<html lang="en" xml:lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>Login - OpenStack Dashboard</title>
<link rel="stylesheet" href="/static/dashboard/css/291184af72d2.css" type="text/css" media="screen" />
<link rel="shortcut icon" href="/static/dashboard/img/favicon.ico"/>
....
[para@virtual-rhel ~]$ sudo netstat -ntpl | grep httpd
tcp        0      0 :::443          :::*            LISTEN      16984/httpd
[para@virtual-rhel ~]$
```

I don't know what you are doing with your VM, but SSL works for me too.

Forgot to put version.

```
[para@virtual-rhel ~]$ rpm -q openstack-packstack
openstack-packstack-2013.2.1-0.29.dev956.el6.noarch
```

The disconnect with how it's tested.

I tested with:

packstack --allinone --os-horizon-ssl=y

-> failed, as Nir shows.

I took the answer-file from the above run, reimaged the VM and ran this after re-imaging:

packstack --answer-file=p-a.txt

-> worked, as Ivan and Martin show

Very peculiar.

Actually, I was incorrect. I didn't recheck the initial case (packstack --allinone --os...), but the latter case was back to port 80 and not 443 after reboot.

I rechecked the initial case (just packstack --allinone --os-horizon-ssl=y) - definitely only listening on port 80.
I'm rechecking using the answer-file now.

Found it. It was a disconnect as to how it was tested, but not what I originally thought:

* Horizon correctly sets up SSL
* Nagios tears it down.

Thus, presently, SSL with Horizon is mutually exclusive with enabling Nagios. If you run packstack with Horizon SSL enabled and Nagios disabled, Horizon gets to keep SSL.

I filed bug 1054498 to account for the Horizon/Nagios apache configuration conflict.

The following should work fine to verify this specific issue:

packstack --os-horizon-ssl=y --nagios-install=n --allinone

Added doc text as known issue, fixing it in: bug 1054498

(In reply to Lon Hohberger from comment #40)
> I filed bug 1054498 to account for the Horizon/Nagios apache configuration
> conflict.
>
> The following should work fine to verify this specific issue:
>
> packstack --os-horizon-ssl=y --nagios-install=n --allinone

Verified with openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch

Followed Lon's steps.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html
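
An added example, not part of the bug report or of packstack: a post-install check that compares `CONFIG_HORIZON_SSL=y` in the answer file with what httpd actually exposes, using the `netstat -ntpl` output format and the `ssl.conf` directives quoted in the comments above. The function names are hypothetical; the answer file and `ssl.conf` paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the bug report): check that CONFIG_HORIZON_SSL=y
# is still in effect after the install. Function names are hypothetical.
# Usage: netstat -ntpl | horizon_ssl_verdict ANSWER_FILE /etc/httpd/conf.d/ssl.conf

# Print the TCP ports httpd is LISTENing on (netstat -ntpl text on stdin).
httpd_ports() {
    awk '$6 == "LISTEN" && $7 ~ /\/httpd$/ {
             n = split($4, a, ":")     # handles 0.0.0.0:80 and :::443
             print a[n]
         }' | sort -nu | tr '\n' ' ' | sed 's/ *$//'
}

# has_port "80 443" 443 -> succeeds if the port is in the list.
has_port() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# Succeed if FILE still has the SSL directives quoted in the thread;
# commented-out lines do not count.
ssl_conf_ok() {
    [ -r "$1" ] || return 1
    for re in 'Listen[[:space:]]+([^[:space:]]*:)?443[[:space:]]*$' \
              'SSLEngine[[:space:]]+on' \
              'SSLCertificateFile[[:space:]]+/' \
              'SSLCertificateKeyFile[[:space:]]+/'; do
        grep -Eiq "^[[:space:]]*$re" "$1" || return 1
    done
}

# Compare what was requested with what httpd actually exposes.
horizon_ssl_verdict() {
    grep -q '^CONFIG_HORIZON_SSL=y' "$1" || { echo "SKIP: SSL not requested"; return 0; }
    ports=$(httpd_ports)
    if ! has_port "$ports" 443; then
        echo "FAIL: SSL requested, httpd not listening on 443 (ports: ${ports:-none})"
    elif ! ssl_conf_ok "$2"; then
        echo "FAIL: 443 open but $2 lacks the SSL directives"
    elif has_port "$ports" 80; then
        echo "WARN: SSL active, but plain HTTP on port 80 is also open"
    else
        echo "OK: httpd listens on 443 only"
    fi
}
```

Running the check after every service that touches Apache has been configured, and again after a reboot, covers the case in this thread where the SSL setup was applied and then removed by a later step.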