Bug 1266565 - [RFE] We should not require SSH access from the Undercloud on the Overcloud nodes to complete Keystone initialization
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 8.0 (Liberty)
Assignee: Giulio Fidente
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-25 15:58 UTC by Giulio Fidente
Modified: 2023-09-14 03:05 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Currently, certain setup steps require an SSH connection to the overcloud controllers, and will need to traverse VIPs to reach the Overcloud nodes. If your environment is using an external load balancer, then these steps are not likely to successfully connect. You can work around this issue by configuring the external load balancer to forward port 22. As a result, the SSH connection to the VIP will succeed.
Clone Of:
Environment:
Last Closed: 2016-09-30 08:48:37 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 250268 | 0 | None | MERGED | Optionally skip Keystone post-deployment initialization | 2020-09-08 04:17:08 UTC

Description Giulio Fidente 2015-09-25 15:58:39 UTC
Description of problem:

_perform_pki_initialization from os-cloud-config:

https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L484

requires SSH on the Overcloud nodes.

We should avoid that and instead (probably) do it from Puppet. This is problematic especially when using an external load balancer because in such a scenario the VIP (which is currently used to SSH on one of the Overcloud nodes) is not hosted by any of the controllers and the post-deployment initialization fails unless appropriate port forwarding is configured on the external balancer.

Comment 2 Giulio Fidente 2015-09-25 16:01:36 UTC
I have assigned it against THT because there it goes if we decide to do pki_setup via puppet ... this requires updates into os-cloud-config as well though.

Comment 6 Adriano Petrich 2016-02-23 16:48:58 UTC
Hi,

This problem is hitting me now on CI.

So when you have a patch I can test it.

Cheers!


log:

Warning: Permanently added '192.0.2.6' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
clean_up DeployOvercloud: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 112, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 255, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255

END return value: 1
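
Added example (not part of the original report and not os-cloud-config code): a triage helper for the CalledProcessError line logged in comment 6, which recovers the ssh argv and reports the target, the login user, whether host key verification was disabled, and whether the exit status points at the SSH layer. SAMPLE_LINE, parse_ssh_argv and triage are hypothetical names, and the sample line is constructed from the log above.

```python
import ast
import re

# Constructed sample: one failure line in the shape logged in comment 6.
SAMPLE_LINE = (
    "CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', "
    "'-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', "
    "'--keystone-user', \"$(getent passwd | grep '^keystone' | cut -d: -f1)\"]' "
    "returned non-zero exit status 255"
)
FAILURE_RE = re.compile(r"Command '(\[.*\])' returned non-zero exit status (\d+)")
FLAGS_WITH_ARG = {"-l", "-o", "-i", "-p", "-F"}  # ssh options that take a value


def parse_ssh_argv(argv):
    """Split an ssh argv into (-o options, login user, target host, remote command)."""
    opts, user, i = {}, None, 1
    while i < len(argv) and argv[i].startswith("-"):
        flag, value = argv[i][:2], argv[i][2:]
        if flag in FLAGS_WITH_ARG and not value:  # separated form: "-l heat-admin"
            i += 1
            value = argv[i] if i < len(argv) else ""
        if flag == "-o" and "=" in value:
            key, _, val = value.partition("=")
            opts[key.lower()] = val.lower()
        elif flag == "-l":
            user = value
        i += 1
    return opts, user, (argv[i] if i < len(argv) else None), argv[i + 1:]


def triage(line):
    """Summarise a logged ssh failure; return None if the line is not one."""
    m = FAILURE_RE.search(line)
    argv = ast.literal_eval(m.group(1)) if m else []  # the log prints repr(argv)
    if not argv or argv[0] != "ssh":
        return None
    opts, user, host, remote = parse_ssh_argv(argv)
    return {
        "host": host,
        "user": user,
        "remote_command": remote[:3],
        # ssh(1) exits 255 when ssh itself errors (connect/auth); confirm against
        # the "Permission denied" line, since a remote exit of 255 looks the same.
        "ssh_layer_failure": int(m.group(2)) == 255,
        # With StrictHostKeyChecking=no, whatever answers on the VIP is trusted.
        "host_key_unverified": opts.get("stricthostkeychecking") == "no",
        "runs_as_root": bool(remote) and remote[0] == "sudo",
    }
```
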

Comment 7 Mike Burns 2016-04-07 20:50:54 UTC
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 9 Red Hat Bugzilla 2023-09-14 03:05:53 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

