Created attachment 823253 [details] Config and error Description of problem: I have configure packstack to support QPID with SSL. Connections to QPID failed since nova.conf & cinder.conf are not configured with qpid_protocol=ssl , and connections are TCP only. Logs and answer file attached. Neutron was not configure also not sure about the rest . Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.use packstack answer file and enable QPID SSL 2.try to operate system and check /var/log/messages 3. Actual results: Expected results: Additional info:
Extending the scope of this bug to: heat, ceilometer and neutron.
please take a look on glance as well
The problem seems to be related to the Puppet's firewall module. It cannot handle the replacement of previously set iptables entries. Instead of reimplementing all that in the firewall module, we'll split the Qpid iptable entries in two so we avoid this problem. We'll update the firewall module soon though. In case this problem weren't still fixed there, we'd have to do so.
https://review.openstack.org/#/c/57148/ : Merged https://review.openstack.org/#/c/58059/ : Review in Progress
58059 must be worked out (reimplemented)
The patch is ok, is needed that way because the way the firewall puppet module works
Adding OtherQA for bugs in MODIFIED
Created attachment 837615 [details] horizon log file
I started with a clean server, and ran packstack with the default answers file except that I changed: CONFIG_QPID_ENABLE_SSL=y Insstallation ran without errors. When I logged in to horizon for the first time I got a "Something went wrong!" message. See also attachment 837615 [details] (horizon log file).
We encountered this issue today during a POC. We had to manually change these files: /etc/heat/heat.conf /etc/nova/nova.conf /etc/cinder/cinder.conf /etc/glance/glance-api.conf /etc/ceilometer/ceilometer.conf /etc/neutron/neutron.conf The changes were: Original settings: qpid_protocol = tcp qpid_port = 5672 Changed to: qpid_protocol = ssl qpid_port = 5671 After applying these changes and restarting services, then allowing port 5671 everything worked as expected.
Which version of packstack did you use??
We used the latest available from RHN beta channel rhel-x86_64-server-6-ost-beta: openstack-packstack-2013.2.1-0.11.dev847.el6ost.noarch
can you try openstack-packstack-2013.2.1-0.18.dev934.el6ost.noarch?? that's the latest package
Unfortunately this POC is already deployed and we have manually adjusted what we need, and I do not see this version in RHN or Satellite. I do see openstack-packstack-2013.2.1-0.20.dev936.el6ost in the latest puddle internally, so I can try this in my lab and report here.
I just retested it with openstack-packstack-2013.2.1-0.20.dev936.el6ost.noarch. All the conf files have the correct qpid_protocol = ssl and qpid_port = 5671 settings, so from that perspective the bug may be fixed. However, horizon fails to connect to neutron as the log shows (see attachment in the bug), and it doesn't happen when not using SSL.
QPID SSL is working on current version.
The latest development package succesfully configures SSL in all the services configuration files.
Works in: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch
Doc text set to '-'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-0046.html