Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1357688

Summary: [Docs][Director] The public VIP must now be explicitly set with PublicVirtualFixedIPs
Product: Red Hat OpenStack
Reporter: Alexander Chuzhoy <sasha>
Component: documentation
Assignee: Dan Macpherson <dmacpher>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: unspecified
Priority: unspecified
Version: 10.0 (Newton)
CC: bnemec, dbecker, dmacpher, dyasny, jschluet, jslagle, lbopf, mburns, mcornea, morazi, rhel-osp-director-maint, srevivo
Target Milestone: ga
Keywords: Documentation
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-05-18 08:04:54 UTC
Type: Bug

Description Alexander Chuzhoy 2016-07-18 21:44:49 UTC
rhel-osp-director: Deployment of overcloud with SSL fails: "SSL exception connecting to https://192.168.200.183:13000/v3/auth/tokens: hostname '192.168.200.183' doesn't match u'192.168.200.180'"


Environment:
instack-undercloud-5.0.0-0.20160701050805.1ffeb4b.el7ost.noarch
openstack-puppet-modules-9.0.0-0.20160630235319.8c758d6.el7ost.noarch
openstack-tripleo-heat-templates-5.0.0-0.20160705210328.0fbe987.el7ost.noarch

Steps to reproduce:

Deploy overcloud with:
openstack overcloud deploy --templates \
  --control-scale 3 --compute-scale 1 \
  --neutron-network-type vxlan --neutron-tunnel-types vxlan \
  --ntp-server clock.redhat.com --timeout 90 \
  -e /usr/share/openstack-tripleo-heat-templates/environments/puppet-pacemaker.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/storage-environment.yaml \
  -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation.yaml \
  -e network-environment.yaml \
  -e /home/stack/ssl-heat-templates/environments/enable-tls.yaml \
  -e /home/stack/ssl-heat-templates/environments/inject-trust-anchor.yaml \
  --ceph-storage-scale 1

The cert was prepared with:

openssl req -new -x509 -key overcloud-privkey.pem -out overcloud-cacert.pem -days 365 -subj "/C=US/ST=NC/L=Raleigh/O=Red HAt/OU=QE/CN=192.168.200.180"


Result:
Warning: Unexpected line: Ring file /etc/swift/account.ring.gz not found, probably it hasn't been written yet
Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
Certificate did not match expected hostname: 192.168.200.183. Certificate: {'notBefore': u'Jul 18 20:34:50 2016 GMT', 'serialNumber': u'C9AD1FD4DF038ED9', 'notAfter': 'Jul 18 20:34:50 2017 GMT', 'version': 3L, 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'NC'),), (('localityName', u'Raleigh'),), (('organizationName', u'Red HAt'),), (('organizationalUnitName', u'QE'),), (('commonName', u'192.168.200.180'),)), 'issuer': ((('countryName', u'US'),), (('stateOrProvinceName', u'NC'),), (('localityName', u'Raleigh'),), (('organizationName', u'Red HAt'),), (('organizationalUnitName', u'QE'),), (('commonName', u'192.168.200.180'),))}
SSL exception connecting to https://192.168.200.183:13000/v3/auth/tokens: hostname '192.168.200.183' doesn't match u'192.168.200.180' (tried 43, for a total of 170 seconds)

Comment 2 Alexander Chuzhoy 2016-07-18 22:00:29 UTC
[stack@instack ~]$ cat network-environment.yaml
resource_registry:
  OS::TripleO::BlockStorage::Net::SoftwareConfig: /home/stack/nic-configs/cinder-storage.yaml
  OS::TripleO::Compute::Net::SoftwareConfig: /home/stack/nic-configs/compute.yaml
  OS::TripleO::Controller::Net::SoftwareConfig: /home/stack/nic-configs/controller.yaml
  OS::TripleO::ObjectStorage::Net::SoftwareConfig: /home/stack/nic-configs/swift-storage.yaml
  OS::TripleO::CephStorage::Net::SoftwareConfig: /home/stack/nic-configs/ceph-storage.yaml


parameter_defaults:
  NeutronExternalNetworkBridge: "''"
  InternalApiNetCidr: 192.168.100.0/24
  StorageNetCidr: 192.168.110.0/24
  StorageMgmtNetCidr: 192.168.120.0/24
  TenantNetCidr: 192.168.150.0/24
  ExternalNetCidr: 192.168.200.0/24
  InternalApiAllocationPools: [{'start': '192.168.100.10', 'end': '192.168.100.200'}]
  StorageAllocationPools: [{'start': '192.168.110.10', 'end': '192.168.110.200'}]
  StorageMgmtAllocationPools: [{'start': '192.168.120.10', 'end': '192.168.120.200'}]
  TenantAllocationPools: [{'start': '192.168.150.10', 'end': '192.168.150.200'}]
  # Use an External allocation pool which will leave room for floating IPs
  ExternalAllocationPools: [{'start': '192.168.200.180', 'end': '192.168.200.200'}]
  # Set to the router gateway on the external network
  ExternalInterfaceDefaultRoute: 192.168.200.1
  DnsServers: ["10.16.36.29"]
  ControlPlaneSubnetCidr: "24"
  ControlPlaneDefaultRoute: 192.0.2.1
  EC2MetadataIp: 192.0.2.1

Comment 3 Ben Nemec 2016-07-20 15:33:11 UTC
Apparently some things changed in how we allocate IPs, which has broken the previous process for deploying with SSL. I've attached an upstream doc patch that should get this working again.

Comment 4 Ben Nemec 2016-09-12 17:46:00 UTC
Note that this is a doc bug.  There's nothing to do on the development side here.

Comment 5 Alexander Chuzhoy 2016-09-21 21:16:13 UTC
We also need to add stuff from here:
http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/ssl.html#deploying-an-ssl-environment

Comment 6 Ben Nemec 2016-09-21 21:27:38 UTC
Specifically the tls-endpoints-* environment files.  Those are new for OSP 10 and must be included in new SSL deployments.

Comment 7 Lucy Bopf 2016-11-02 05:39:41 UTC
Updating summary and moving to 'NEW' to be triaged as resources allow.

Comment 8 Lucy Bopf 2016-11-02 23:33:51 UTC
*** Bug 1385906 has been marked as a duplicate of this bug. ***

Comment 9 Ben Nemec 2017-04-10 16:10:04 UTC
I can confirm that the OSP 10 docs include all of the necessary details mentioned here.
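
The mismatch in this report, as an added example that is not part of the bug thread or of TripleO: a pre-deployment check that compares the names a certificate vouches for with the addresses the public VIP could receive. The function names, the treatment of every address in ExternalAllocationPools as a possible VIP when none is pinned, and the `ip_address` value form used for PublicVirtualFixedIPs are assumptions of this example.

```python
import ipaddress

def cert_identities(cert):
    """Names a getpeercert()-style dict vouches for: SAN entries, else the CN."""
    san = {v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")}
    if san:
        return san
    # No SAN: fall back to commonName, as the client in the report did.
    return {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}

def possible_public_vips(params):
    """Return (addresses the public VIP may receive, whether it is pinned)."""
    pinned = [f["ip_address"] for f in params.get("PublicVirtualFixedIPs") or []
              if "ip_address" in f]
    if pinned:
        return set(pinned), True
    vips = set()
    for pool in params.get("ExternalAllocationPools", []):
        lo = int(ipaddress.ip_address(pool["start"]))
        hi = int(ipaddress.ip_address(pool["end"]))
        vips.update(str(ipaddress.ip_address(n)) for n in range(lo, hi + 1))
    return vips, False

def check_public_vip(cert, params):
    """Report candidate VIP addresses the certificate would NOT validate for."""
    vips, pinned = possible_public_vips(params)
    uncovered = sorted(vips - cert_identities(cert), key=ipaddress.ip_address)
    return {"pinned": pinned, "ok": not uncovered, "uncovered": uncovered}

# Subject taken from the certificate dump in the report (no subjectAltName present).
CERT = {"subject": ((("commonName", "192.168.200.180"),),)}
# Pool from the posted network-environment.yaml.
POOL = [{"start": "192.168.200.180", "end": "192.168.200.200"}]
UNPINNED = {"ExternalAllocationPools": POOL}
# Assumed fix: pin the public VIP to the address the certificate names.
PINNED = dict(UNPINNED, PublicVirtualFixedIPs=[{"ip_address": "192.168.200.180"}])

if __name__ == "__main__":
    for name, params in (("unpinned", UNPINNED), ("pinned", PINNED)):
        r = check_public_vip(CERT, params)
        print(name, "ok" if r["ok"] else "MISMATCH possible", len(r["uncovered"]), "uncovered")
```

Run against the parameters of a planned deployment, a non-empty `uncovered` list means the certificate only validates if the allocator happens to pick the address it names.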