Bug 1028186 - nova: when attempted 'nova resize' on setup with two compute nodes the instance switched to ERROR state. [NEEDINFO]
Status: CLOSED NEXTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
4.0
x86_64 Linux
medium Severity high
: ---
: 6.0 (Juno)
Assigned To: Eoghan Glynn
Shai Revivo
: Triaged, ZStream
: 1033940
Depends On: 1267598 1292532 975014
Blocks: 1261979
Reported: 2013-11-07 15:50 EST by Solly Ross
Modified: 2017-06-05 13:34 EDT

Doc Type: Bug Fix
Clone Of: 975014
Last Closed: 2017-06-05 12:56:51 EDT
Type: Bug
kasmith: needinfo? (eglynn)


Comment 5 Xavier Queralt 2013-11-25 02:50:06 EST
*** Bug 1033940 has been marked as a duplicate of this bug. ***
Comment 6 Solly Ross 2014-04-08 17:33:27 EDT
Blueprint up for review: https://review.openstack.org/#/c/85877/
Comment 12 Mike Orazi 2015-10-01 14:18:58 EDT
eglynn,

Can we get the correct manual steps to follow that will set up passwordless ssh and any corresponding nova conf changes that would be needed to make this work given the current state of affairs?
Comment 13 Matthew Booth 2015-10-29 08:29:32 EDT
Nova rsyncs between compute hosts over ssh as the nova user using the IP address of the destination compute host. This must work without requiring any input. Specifically, this means that:

* The source host must have the host key of the dest host
* The dest host key must be keyed against the dest host ip address
* The source host must have an ssh key in ~nova/.ssh/id_rsa
* The dest host must have the source host's ssh key in ~nova/.ssh/authorized_keys
* The dest host must have enabled the nova account for login

This doesn't work out of the box on my packstack setup, although it has done some of the work already. Already done by packstack:

* /etc/ssh/ssh_known_hosts contains the host keys of all hosts known to packstack on all hosts
* ~nova/.ssh/id_rsa exists [1]
* ~nova/.ssh/authorized_keys exists [1]

Although /etc/ssh/ssh_known_hosts contains all host keys, it is not readable by the nova user. As these are public keys, this file should be world readable. Also, login is not enabled for the nova user. Steps required to fix these:

# chmod 0644 /etc/ssh/ssh_known_hosts
# chsh -s /bin/bash nova

I assume that ssh host keys are collected by puppet. This seems to work well. You could also use something like ssh-keyscan to populate this, but I recommend against it as it has no root of trust, and is therefore insecure.

I'm not going to try to describe every possible way you could achieve the above end goal. Let me know if you need more.

[1] As configured by packstack, id_rsa is common to all compute hosts, so authorized_keys simply contains the public part of this key. Both these files are identical across all compute hosts. I haven't fully considered the implications of this, but it makes me uneasy.
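The requirements listed in comment 13 can be audited on each compute host with a script like the following. It is an added example, not part of the original comment or of packstack. It assumes an id_rsa.pub sits next to id_rsa and that known_hosts entries are not hashed; the function names are illustrative.

```shell
#!/bin/sh
# Added example: checks the passwordless-ssh preconditions listed above.
# File paths are arguments so each check can be run against copies.

# known_hosts must be world readable and keyed on the destination IP.
# Hashed (|1|...) and @marker entries are skipped, not matched.
known_hosts_ok() {  # $1 = known_hosts file, $2 = destination IP
    [ -f "$1" ] || return 1
    [ "$(ls -lLd "$1" | cut -c8)" = "r" ] || return 1
    awk -v ip="$2" '
        /^[ \t]*(#|@|$)/ { next }
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == ip) found = 1 }
        END { exit !found }' "$1"
}

# ssh ignores a private key that group or others can access.
private_key_ok() {  # $1 = private key file
    [ -f "$1" ] && [ "$(ls -lLd "$1" | cut -c5-10)" = "------" ]
}

# The destination authorized_keys must carry the source public key blob.
key_authorized() {  # $1 = public key file, $2 = authorized_keys file
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1" 2>/dev/null)
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
        END { exit !found }' "$2"
}

# The account needs a login shell (nologin/false block the rsync over ssh).
login_enabled() {  # $1 = passwd-format file, $2 = user name
    awk -F: -v u="$2" '
        $1 == u { ok = ($7 !~ /\/(nologin|false)$/) }
        END { exit !ok }' "$1"
}

# Run as root on each compute host: audit <peer-ip> <nova-home>
audit() {
    rc=0
    known_hosts_ok /etc/ssh/ssh_known_hosts "$1" || { echo "FAIL known_hosts"; rc=1; }
    private_key_ok "$2/.ssh/id_rsa" || { echo "FAIL id_rsa mode"; rc=1; }
    key_authorized "$2/.ssh/id_rsa.pub" "$2/.ssh/authorized_keys" ||
        { echo "FAIL authorized_keys"; rc=1; }
    login_enabled /etc/passwd nova || { echo "FAIL nova login shell"; rc=1; }
    return $rc
}
```

The exact-match test on the host field means a known_hosts entry keyed only on the hostname is reported as a failure, which is the case the second bullet of the comment warns about.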
Comment 14 Marko Myllynen 2015-10-29 08:38:44 EDT
There's also an openstack-packstack BZ where there was discussion wrt nova and known_hosts:

https://bugzilla.redhat.com/show_bug.cgi?id=1151126

Thanks.
Comment 16 Karl Hastings 2016-07-22 15:11:00 EDT
Will this get released in an OSP6 z-stream errata, or should this BZ be closed?
Comment 17 Stephen Gordon 2017-06-05 12:56:51 EDT
(In reply to Karl Hastings from comment #16)
> Will this get released in an OSP6 z-stream errata, or should this BZ be
> closed?

Not for 6, there is a separate set of fixes for 7, 8, 9, 10, 11 in the process of being pushed out whereby director will co-ordinate the setup.
Comment 18 arkady kanevsky 2017-06-05 13:34:05 EDT
Agree that OSP6 is long gone.

Do we need separate bugs for OSP10, OSP11, and 12?

Mike B., can you notify us which z-stream these fixes are pushed to CDN with?
