Description of problem:
Deploy SSL enabled undercloud with generate_service_certificate=True in undercloud.conf

Version-Release number of selected component (if applicable):
instack-undercloud-5.0.0-0.20160818065636.41ef775.el7ost.noarch
instack-5.0.0-0.20160802165724.5aabf5c.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. openstack undercloud install

Actual results:
Undercloud installation fails:

2016-09-12 02:47:07 - Notice: /Stage[main]/Glance::Api/Oslo::Middleware[glance_api_config]/Glance_api_config[oslo_middleware/enable_proxy_headers_parsing]/value: value changed 'False' to 'True'
2016-09-12 02:47:07 - Error: Could not find user haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/owner: change from root to haproxy failed: Could not find user haproxy
2016-09-12 02:47:07 - Error: Could not find group haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/group: change from root to haproxy failed: Could not find group haproxy
2016-09-12 02:47:07 - Notice: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/mode: mode changed '0600' to '0640'
2016-09-12 02:47:07 - Notice: /Stage[main]/Zaqar::Keystone::Authtoken/Keystone::Resource::Authtoken[zaqar_config]/Zaqar_config[keystone_authtoken/auth_uri]/value: value changed 'http://192.168.0.1:5000/v3' to 'https://192.168.0.2:13000/v3'
2016-09-12 02:47:15 - Notice: /Stage[main]/Haproxy/Haproxy::Instance[haproxy]/Haproxy::Install[haproxy]/Package[haproxy]/ensure: created

Additional info:
We can see that the haproxy package gets installed in a later step which also creates the haproxy user and group so on a 2nd openstack undercloud install run the installation completes fine.
So, there are two ways I can think of for fixing this:

* instack-undercloud should depend on haproxy.
* we should somehow try to fix puppet to make the certs depend on the user and group.

Currently in puppet, the haproxy manifest depends on the certificate creation. So it's a bit problematic since it makes the assumption that the user and group are there already.
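The ordering problem discussed above can be confirmed mechanically from a Puppet run log. The following is an added example, not code from instack-undercloud or from this report: it flags certificate files whose owner or group change failed before the package of the same name was installed. The function name, the embedded log (abridged from the lines quoted in the report) and the heuristic that the account is created by a package with the same name are assumptions.

```python
import re

# Constructed sample: abridged from the Puppet log lines quoted in the report.
_CERT = "/etc/pki/tls/certs/undercloud-192.168.0.2.pem"
_RES = ("/Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy"
        f"[undercloud-haproxy-public]/Concat[{_CERT}]/File[{_CERT}]")
SAMPLE_LOG = "\n".join([
    "2016-09-12 02:47:07 - Error: Could not find user haproxy",
    f"2016-09-12 02:47:07 - Error: {_RES}/owner: change from root to haproxy "
    "failed: Could not find user haproxy",
    "2016-09-12 02:47:07 - Error: Could not find group haproxy",
    f"2016-09-12 02:47:07 - Error: {_RES}/group: change from root to haproxy "
    "failed: Could not find group haproxy",
    "2016-09-12 02:47:15 - Notice: /Stage[main]/Haproxy/Haproxy::Instance[haproxy]"
    "/Haproxy::Install[haproxy]/Package[haproxy]/ensure: created",
])

# A File resource whose owner/group could not be set because the account is missing.
FAILED = re.compile(
    r"Error: \S*/File\[(?P<path>[^\]]+)\]/(?P<attr>owner|group): change from \S+ "
    r"to (?P<name>\S+) failed: Could not find (?:user|group) (?P=name)")
# A package that Puppet installed during this run.
PACKAGE = re.compile(r"Notice: \S*/Package\[(?P<pkg>[^\]]+)\]/ensure: created")

def find_ordering_failures(log_text):
    """Return failed owner/group changes that precede the install of the
    like-named package (assumption: that package creates the account)."""
    failures, installs = [], {}
    for line_no, line in enumerate(log_text.splitlines(), 1):
        failed = FAILED.search(line)
        if failed:
            failures.append((line_no, failed))
        created = PACKAGE.search(line)
        if created:
            installs.setdefault(created["pkg"], line_no)
    return [
        {"path": m["path"], "attribute": m["attr"], "account": m["name"],
         "failed_line": no, "package_line": installs[m["name"]]}
        for no, m in failures
        if installs.get(m["name"], 0) > no  # package arrived only after the failure
    ]

if __name__ == "__main__":
    for hit in find_ordering_failures(SAMPLE_LOG):
        print(hit)
```
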
I set up a patch for this already.
Merged upstream.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html