Description of problem:
_perform_pki_initialization from os-cloud-config (https://github.com/openstack/os-cloud-config/blob/master/os_cloud_config/keystone.py#L484) requires SSH on the Overcloud nodes. We should avoid that and instead (probably) do it from Puppet. This is problematic especially when using an external load balancer, because in such a scenario the VIP (which is currently used to SSH to one of the Overcloud nodes) is not hosted by any of the controllers, and the post-deployment initialization fails unless appropriate port forwarding is configured on the external balancer.
I have assigned it against THT because that is where it goes if we decide to do pki_setup via Puppet ... this requires updates to os-cloud-config as well, though.
Hi,
This problem is hitting me now on CI. So when you have a patch I can test it.
Cheers!

log:
Warning: Permanently added '192.0.2.6' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
clean_up DeployOvercloud: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 112, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 255, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 374, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/command.py", line 54, in run
    self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 893, in take_action
    self._deploy_postconfig(stack, parsed_args)
  File "/usr/lib/python2.7/site-packages/tripleoclient/v1/overcloud_deploy.py", line 458, in _deploy_postconfig
    internal=keystone_internal_ip)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 178, in initialize
    _perform_pki_initialization(host, user)
  File "/usr/lib/python2.7/site-packages/os_cloud_config/keystone.py", line 553, in _perform_pki_initialization
    "$(getent group | grep '^keystone' | cut -d: -f1)"])
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['ssh', '-oStrictHostKeyChecking=no', '-t', '-l', 'heat-admin', u'192.0.2.6', 'sudo', 'keystone-manage', 'pki_setup', '--keystone-user', "$(getent passwd | grep '^keystone' | cut -d: -f1)", '--keystone-group', "$(getent group | grep '^keystone' | cut -d: -f1)"]' returned non-zero exit status 255
END return value: 1
This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days