RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1326887 - [Mitaka] Packstack fails if --os-horizon-ssl=y
Summary: [Mitaka] Packstack fails if --os-horizon-ssl=y
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-packstack
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: trunk
Assignee: Javier Peña
QA Contact: Shai Revivo
URL:
Whiteboard:
Depends On:
Blocks: 1331847
TreeView+ depends on / blocked
 
Reported: 2016-04-13 16:17 UTC by Alvaro Aleman
Modified: 2016-05-24 15:15 UTC (History)
7 users (show)

Fixed In Version: openstack-packstack-8.0.0-1.el7
Clone Of:
: 1331847 (view as bug list)
Environment:
Last Closed: 2016-05-24 15:15:09 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 305881 0 None MERGED Simplify apache::listen for services relying on httpd 2020-05-25 13:07:22 UTC
OpenStack gerrit 313080 0 None MERGED Simplify apache::listen for services relying on httpd 2020-05-25 13:07:23 UTC

Description Alvaro Aleman 2016-04-13 16:17:25 UTC 
Description of problem:

When SSL for horizon is enabled, the Packstack installation fails, because httpd cant get restarted. 


Version-Release number of selected component (if applicable):

openstack-ceilometer-common.noarch    1:6.0.0-2.el7            @openstack-mitaka
openstack-ceilometer-compute.noarch   1:6.0.0-2.el7            @openstack-mitaka
openstack-ceilometer-polling.noarch   1:6.0.0-2.el7            @openstack-mitaka
openstack-cinder.noarch               1:8.0.0-1.el7            @openstack-mitaka
openstack-dashboard.noarch            1:9.0.0-1.el7            @openstack-mitaka
openstack-glance.noarch               1:12.0.0-1.el7           @openstack-mitaka
openstack-keystone.noarch             1:9.0.0-1.el7            @openstack-mitaka
openstack-neutron.noarch              1:8.0.0-1.el7            @openstack-mitaka
openstack-neutron-common.noarch       1:8.0.0-1.el7            @openstack-mitaka
openstack-neutron-metering-agent.noarch
openstack-neutron-ml2.noarch          1:8.0.0-1.el7            @openstack-mitaka
openstack-neutron-openvswitch.noarch  1:8.0.0-1.el7            @openstack-mitaka
openstack-nova-api.noarch             1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-cert.noarch            1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-common.noarch          1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-compute.noarch         1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-conductor.noarch       1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-console.noarch         1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-novncproxy.noarch      1:13.0.0-1.el7           @openstack-mitaka
openstack-nova-scheduler.noarch       1:13.0.0-1.el7           @openstack-mitaka
openstack-packstack.noarch            8.0.0-0.7.0rc2.el7       @openstack-mitaka
openstack-packstack-puppet.noarch     8.0.0-0.7.0rc2.el7       @openstack-mitaka
openstack-puppet-modules.noarch       1:8.0.0-1.el7            @openstack-mitaka
openstack-selinux.noarch              0.6.58-1.el7             @openstack-mitaka
openstack-utils.noarch                2015.2-1.el7             @openstack-mitaka
How reproducible: 100%


Steps to Reproduce:
1. sudo yum install -y https://www.rdoproject.org/repos/rdo-release.rpm
2. sudo yum install -y openstack-packstack
3. packstack --allinone --os-horizon-ssl=y

Actual results:

ERROR : Error appeared during Puppet run: 10.0.0.3_horizon.pp
Error: /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not restart Service[httpd]: Execution of '/usr/bin/systemctl restart httpd' returned 1: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details

Expected results:

A nice openStack Mitaka.

Additional info:

This is caused by /etc/httpd/conf.d/ssl.conf beeing present:

tail -5 /var/log/httpd/error_log 
[Wed Apr 13 16:04:21.261803 2016] [core:crit] [pid 32000] (22)Invalid argument: AH00069: make_sock: for address [::]:443, apr_socket_opt_set: (IPV6_V6ONLY)
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Wed Apr 13 16:04:21.261934 2016] [mpm_prefork:alert] [pid 32000] no listening sockets available, shutting down
[Wed Apr 13 16:04:21.261937 2016] [:emerg] [pid 32000] AH00019: Unable to open logs, exiting

Removing it makes httpd (re-)startable again.
Comment 1 JS 2016-04-14 10:35:50 UTC 
Hi there,

Workaround:
# grep -ir "^listen" /etc/httpd/*

You should see that /etc/httpd/conf.d/ssl.conf has: Listen 443 https

And you also can see that /etc/httpd/conf/ports.conf is managed by Puppet and also add port 443

Comment the line in /etc/httpd/conf.d/ssl.conf and run packstack again

This is a workaround.


Cheers
JS
Comment 2 JS 2016-04-14 10:57:31 UTC 
Forgot to say...

For that workaround add "Listen 443" to /etc/httpd/conf.d/15-horizon_ssl_vhost.conf


Cheers
JS
Comment 4 Mrugesh Raval 2016-04-21 08:11:11 UTC 
Can this be fixed?
Comment 5 Mrugesh Raval 2016-04-22 11:48:25 UTC 
(In reply to Mrugesh Raval from comment #4)
> Can this be fixed?

Work Around
===========
1. Start packstack setup as normal
2. Open Another SSH Session to same server.
3. Once packstack setup moves towards Applying <IP_ADDR>_keystone.pp, httpd packages will be installed
4. From another ssh session to packstack setup server, keep watch of file ssl.conf in /etc/httpd/conf.d using 'watch ls -l"
5. Once packstack setup will move to Applying <IP_ADDR>_horizon.pp, puppet will place ssl.conf under /etc/httpd/conf.d/ directory
5. As soon as ssl.conf is seen under watch - "watch ls -l", CTRL+c and modify ssl.conf to comment out below line -
FROM:

Listen 443 https

TO:

#Listen 443 https

Solves the issue and packstack setup get complete without any further errors.
Comment 6 Martin Magr 2016-04-22 12:44:37 UTC 
The problem here is that puppet-horizon did not enabled 443 port by default, so we created workaround for this [1]. Recent version now uses sets the port correctly [2], so the workaround have to be removed from Packstack.

Note that Packstack is a community project. If some bug resolution is critical for you, the fastest way to fix the bug is to submit a patch yourself. Patches are really welcomed. We use standard OpenStack workflow for patch review process [3].


[1] https://github.com/openstack/packstack/blob/master/packstack/puppet/templates/horizon.pp#L55
[2] https://github.com/puppetlabs/puppetlabs-apache/blob/b14c238eecb4e90d03b3c4cb841fe9b035df80c2/manifests/init.pp#L399
[3] http://docs.openstack.org/infra/manual/developers.html
Comment 7 Javier Peña 2016-05-06 08:51:49 UTC 
The fix is now merged in master, and https://review.openstack.org/313080 is the stable/mitaka backport.
Note You need to log in before you can comment on or make changes to this bug.