Bug 1375088 - SSL enabled undercloud installation fails due to haproxy user and group not existing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: 10.0 (Newton)
Assignee: Juan Antonio Osorio
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-12 07:21 UTC by Marius Cornea
Modified: 2016-12-14 16:00 UTC

Fixed In Version: puppet-tripleo-5.1.0-0.20160928184742.b8f8d0f.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 16:00:50 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 370577 None None None 2016-09-15 07:38:47 UTC

Description Marius Cornea 2016-09-12 07:21:29 UTC
Description of problem:
Deploy SSL enabled undercloud with generate_service_certificate=True in undercloud.conf

Version-Release number of selected component (if applicable):
instack-undercloud-5.0.0-0.20160818065636.41ef775.el7ost.noarch
instack-5.0.0-0.20160802165724.5aabf5c.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1. openstack undercloud install


Actual results:

Undercloud installation fails:


2016-09-12 02:47:07 - Notice: /Stage[main]/Glance::Api/Oslo::Middleware[glance_api_config]/Glance_api_config[oslo_middleware/enable_proxy_headers_parsing]/value: value changed 'False' to 'True'
2016-09-12 02:47:07 - Error: Could not find user haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/owner: change from root to haproxy failed: Could not find user haproxy
2016-09-12 02:47:07 - Error: Could not find group haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/group: change from root to haproxy failed: Could not find group haproxy
2016-09-12 02:47:07 - Notice: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/mode: mode changed '0600' to '0640'
2016-09-12 02:47:07 - Notice: /Stage[main]/Zaqar::Keystone::Authtoken/Keystone::Resource::Authtoken[zaqar_config]/Zaqar_config[keystone_authtoken/auth_uri]/value: value changed 'http://192.168.0.1:5000/v3' to 'https://192.168.0.2:13000/v3'
2016-09-12 02:47:15 - Notice: /Stage[main]/Haproxy/Haproxy::Instance[haproxy]/Haproxy::Install[haproxy]/Package[haproxy]/ensure: created


Additional info:

We can see that the haproxy package gets installed in a later step, which also creates the haproxy user and group, so on a second openstack undercloud install run the installation completes fine.
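
The ordering problem visible in the log above can be checked for mechanically. The following is an added example, not part of the original report or of the TripleO code: it scans Puppet run output for "Could not find user/group" errors that are followed later in the same run by the installation of a package of the same name. The function name and the assumption that the package is named after the account it creates (true for haproxy here) are this example's own.

```python
import re

# Constructed sample: five lines taken from the log in this report.
SAMPLE_LOG = """\
2016-09-12 02:47:07 - Error: Could not find user haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/owner: change from root to haproxy failed: Could not find user haproxy
2016-09-12 02:47:07 - Error: Could not find group haproxy
2016-09-12 02:47:07 - Error: /Stage[main]/Tripleo::Profile::Base::Haproxy/Tripleo::Certmonger::Haproxy[undercloud-haproxy-public]/Concat[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/File[/etc/pki/tls/certs/undercloud-192.168.0.2.pem]/group: change from root to haproxy failed: Could not find group haproxy
2016-09-12 02:47:15 - Notice: /Stage[main]/Haproxy/Haproxy::Instance[haproxy]/Haproxy::Install[haproxy]/Package[haproxy]/ensure: created
"""

LINE = re.compile(r"^(\S+ \S+) - (\w+): (.*)$")
MISSING = re.compile(r"^Could not find (user|group) (\S+)$")
FAILED = re.compile(r"^(.+)/(owner|group): change from \S+ to (\S+) failed: Could not find")
INSTALLED = re.compile(r"/Package\[([^\]]+)\]/ensure: created$")


def find_ordering_races(log_text):
    """Return accounts that were missing when first used but whose package
    (assumed here to share the account's name) was installed later in the run."""
    missing = {}    # (kind, name) -> {"missing_at": ts, "resources": [...]}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, level, msg = m.groups()
        bare, failed = MISSING.match(msg), FAILED.match(msg)
        installed = INSTALLED.search(msg)
        if level == "Error" and bare:
            missing.setdefault(bare.groups(), {"missing_at": ts, "resources": []})
        elif level == "Error" and failed:
            path, attr, name = failed.groups()
            key = ("user" if attr == "owner" else "group", name)
            entry = missing.setdefault(key, {"missing_at": ts, "resources": []})
            entry["resources"].append(path)
        elif installed:
            for (kind, name), entry in missing.items():
                if name == installed.group(1):
                    findings.append({"kind": kind, "name": name,
                                     "installed_at": ts, **entry})
    return findings


if __name__ == "__main__":
    for f in find_ordering_races(SAMPLE_LOG):
        print(f"{f['kind']} {f['name']}: missing at {f['missing_at']}, "
              f"package installed at {f['installed_at']}; affected: {f['resources']}")
```

Each finding names a file resource whose ownership was left unchanged on the first run, which is worth checking for certificate and key files, since the mode change in the log was still applied.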

Comment 2 Juan Antonio Osorio 2016-09-12 08:09:23 UTC
So, there are two ways I can think of for fixing this:

* instack-undercloud should depend on haproxy.
* we should somehow try to fix puppet to make the certs depend on the user and group.

Currently in puppet, the haproxy manifest depends on the certificate creation. So it's a bit problematic since it makes the assumption that the user and group are there already.

Comment 3 Juan Antonio Osorio 2016-09-15 15:08:08 UTC
I set up a patch for this already.

Comment 4 Rob Crittenden 2016-09-19 17:53:49 UTC
Merged upstream.

Comment 9 errata-xmlrpc 2016-12-14 16:00:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

