Bug 1266565 - [RFE] We should not require SSH access from the Undercloud on the Overcloud nodes to complete Keystone initialization [NEEDINFO]
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 8.0 (Liberty)
Assigned To: Giulio Fidente
QA Contact: Shai Revivo
Keywords: AutomationBlocker, FutureFeature, Triaged
Reported: 2015-09-25 11:58 EDT by Giulio Fidente
Modified: 2016-09-30 04:48 EDT
Doc Type: Known Issue
Doc Text:
Currently, certain setup steps require an SSH connection to the overcloud controllers, and will need to traverse VIPs to reach the Overcloud nodes. If your environment is using an external load balancer, then these steps are not likely to successfully connect. You can work around this issue by configuring the external load balancer to forward port 22. As a result, the SSH connection to the VIP will succeed.
Last Closed: 2016-09-30 04:48:37 EDT
Type: Bug
mburns: needinfo? (dmacpher)


External Trackers: OpenStack gerrit 250268 (Priority: None, Status: None, Summary: None, Last Updated: 2016-01-14 03:21 EST)
Description Giulio Fidente 2015-09-25 11:58:39 EDT
Description of problem:

_perform_pki_initialization from os-cloud-config:

https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L484

requires SSH on the Overcloud nodes.

We should avoid that and (probably) do it from puppet instead. This is especially problematic when using an external load balancer, because in such a scenario the VIP (which is currently used to SSH into one of the Overcloud nodes) is not hosted by any of the controllers, and the post-deployment initialization fails unless appropriate port forwarding is configured on the external balancer.
Comment 2 Giulio Fidente 2015-09-25 12:01:36 EDT
I have assigned it against THT because there it goes if we decide to do pki_setup via puppet ... this requires updates into os-cloud-config as well though.
Comment 6 Adriano Petrich 2016-02-23 11:48:58 EST
Hi,

This problem is hitting me now on CI.

So when you have a patch I can test it.

Cheers!


log:

Warning: Permanently added '192.0.2.6' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
clean_up DeployOvercloud: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 112, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 255, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255

END return value: 1
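
Added example, not part of the original report and not os-cloud-config code: a triage helper for logs like the one above. It recovers the ssh argv from the `CalledProcessError` line, separates an authentication failure from the transport failure that an external load balancer without port 22 forwarding would produce, and flags `StrictHostKeyChecking=no` and remote `sudo`. The function names and the shortened sample log are assumptions made for the illustration.

```python
import ast
import re

# Constructed sample: the failing lines of the log above, with the argv shortened.
SAMPLE_LOG = (
    "Warning: Permanently added '192.0.2.6' (ECDSA) to the list of known hosts.\n"
    "Permission denied (publickey,gssapi-keyex,gssapi-with-mic).\n"
    "Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', "
    "u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup']' returned non-zero exit status 255\n"
)

CMD_RE = re.compile(r"Command '(\[.*\])' returned non-zero exit status (\d+)")
# OpenSSH client messages mapped to the layer that failed.
CAUSES = [
    ("auth", re.compile(r"Permission denied \(")),
    ("transport", re.compile(r"Connection refused|Connection timed out|No route to host")),
    ("hostkey", re.compile(r"Host key verification failed")),
]

def parse_ssh_argv(argv):
    """Split an ssh argv into (options, user, host, remote command).
    Handles only the flag forms seen in this log: -oKey=Value, -l USER, -t."""
    opts, user, i = {}, None, 1
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i].startswith("-o") and len(argv[i]) > 2:
            key, _, value = argv[i][2:].partition("=")
            opts[key.lower()] = value
        elif argv[i] == "-l":
            i += 1
            user = argv[i] if i < len(argv) else None
        i += 1
    host = argv[i] if i < len(argv) else None
    return opts, user, host, argv[i + 1:]

def triage(log_text):
    m = CMD_RE.search(log_text)
    argv = ast.literal_eval(m.group(1)) if m else []  # u'' literals parse on Python 3
    if not argv or argv[0] != "ssh":
        return None
    status = int(m.group(2))
    opts, user, host, remote = parse_ssh_argv(argv)
    # ssh exits 255 for its own errors, otherwise with the remote command's status.
    layer = "ssh-unknown" if status == 255 else "remote-command"
    if status == 255:
        layer = next((n for n, p in CAUSES if p.search(log_text[:m.start()])), layer)
    return {"host": host, "user": user, "exit_status": status, "layer": layer,
            "host_key_checking_disabled": opts.get("stricthostkeychecking") == "no",
            "remote_sudo": remote[:1] == ["sudo"]}
```

On the sample, `triage(SAMPLE_LOG)` reports the `auth` layer for `heat-admin@192.0.2.6`; a log containing `Connection refused` or `Connection timed out` instead would be reported as `transport`, the case the Doc Text workaround addresses.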
Comment 7 Mike Burns 2016-04-07 16:50:54 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
