Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1422036

Summary: The CephClientKey is overwritten when deploying from the GUI
Product: Red Hat OpenStack Reporter: Udi Kalifon <ukalifon>
Component: openstack-tripleo-uiAssignee: Julie Pichon <jpichon>
Status: CLOSED WONTFIX QA Contact: Arik Chernetsky <achernet>
Severity: urgent Docs Contact:
Priority: high    
Version: 10.0 (Newton)CC: apannu, beth.white, jjoyce, jpichon, jrist, jschluet, lruzicka, slinaber, tvignaud
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: 14.0 (Rocky)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Processing parameters, environments and templates is slightly different on the CLI than it is in the UI. Consequently, the passwords generated automatically by the UI cannot be changed from the templates. If you want to use custom passwords, you have to set them manually in the UI as a parameter in the overall deployment configuration or by editing the role card. Alternatively, you can create a plan without auto-generated passwords by entering the '$ openstack overcloud plan create <my_plan> --disable-password-generation' on the CLI. You will have to provide the passwords explicitly by using templates or manually through the UI.
 Story Points: ---
Clone Of:
: 1437566 (view as bug list) Environment:
Last Closed: 2019-05-16 15:57:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Udi Kalifon 2017-02-14 10:53:06 UTC 
Description of problem:
Deployments with external ceph will result with a broken overcloud, because the CephClientKey that the user provides via the customized templates is overwritten by a random one.


Version-Release number of selected component (if applicable):
OSP 10 GA


How reproducible:
100%


Steps to Reproduce:
1. Upload templates with a customized puppet-ceph-external.yaml 
2. Deploy an overcloud with controllers, computes, and the following environment files:
overcloud-resource-registry-puppet.yaml
environments/puppet-pacemaker.yaml
environments/puppet-ceph-external.yaml
3. After deployment succeeds, log in to one of the controllers and check the ceph client key (it is found in /etc/ceph/ceph.client.qe.keyring)

=> The key is wrong. You won't be able to create glance images, for example.
Comment 1 Julie Pichon 2017-02-15 13:04:25 UTC 
Reproduced on my OSP10 environment, using the upstream bug to investigate.
Comment 2 Julie Pichon 2017-03-20 17:32:33 UTC 
Workarounds:

For OSP11: after enabling the "Externally managed Ceph" storage environment, click on the "Parameters" tab (in the same "Deployment Configuration" modal), select "Externally managed Ceph" in the left-side menu and change the value for CephClientKey and other parameters as needed.

For OSP10: after enabling the "Externally managed Ceph" storage environment, return to the main Deployment page, click on the pencil for the Controller card and navigate to the Services Tab. The CephClientKey and other settings are located under OS::TripleO::Services::CephExternal.

I'm still not sure about the actual fix itself, Heat environments are pre-processed by the CLI for legacy reasons and that's causing the discrepancy in behaviours. I think the main issue is that parameters from templates are not explicitly added to the mistral 'parameter_defaults' environment when deploying from the UI, which for some reason causes the values defined in 'passwords' to take precedence. There will be work in Pike (OSP12) to better align how the CLI and UI process templates (e.g. https://bugs.launchpad.net/tripleo/+bug/1635409 ) that will likely help, but that's a larger piece of work.
Comment 3 Julie Pichon 2017-03-27 08:42:51 UTC 
Looking at comment #10 upstream, it is a current limitation. When deploying from the UI either you use all of the generated passwords, or none of them. I don't think it's possible to disable password generation from the UI when creating a new plan at the moment, but it is possible to do so from the CLI:

$ openstack overcloud plan create plan-with-no-passwords --disable-password-generation

I guess that would be a 3rd workaround. The downside however is that you have to make sure every password you need is included somewhere in the templates (cf. https://github.com/openstack/tripleo-common/blob/cb4168/tripleo_common/constants.py#L53 ) or defined manually via the UI.

Fixing this will/would require changing the order in which templates are processed during the deployment, which is very risky and likely would have other side-effects. Although it may be done as part of a larger work during Pike (12) or Queen (13), it's unlikely to be something we can backport.
Comment 6 Julie Pichon 2017-03-29 15:03:13 UTC 
The doc text is for 11, but any fix is likely to only be from 12. Not sure what is the right way to go about this? Clone?
Comment 7 Julie Pichon 2017-04-06 10:49:16 UTC 
The documentation for OSP11 will happen in bug 1437566 (thanks Dan!). I'm adjusting the flags to 12 and will follow up on the progress during Pike.
Comment 9 Julie Pichon 2018-01-25 10:44:20 UTC 
Looking through the comments history, there are multiple workarounds. Resolving the original problem requires aligning the CLI and UI strategies for merging environments, which involves removing the special-casing in the client. This is slowly being fixed (cf. https://bugs.launchpad.net/heat/+bug/1635409 ) but it is difficult and won't be ready in 13.
Comment 13 Beth White 2019-05-16 15:57:33 UTC 
The GUI is no longer supported in OSP14. The last supported release for the GUI is OSP13. Closing as won't fix.