1441977 – [UPDATES] Update of mod_ssl package prevents haproxy from starting

Bug 1441977 - [UPDATES] Update of mod_ssl package prevents haproxy from starting

Summary: [UPDATES] Update of mod_ssl package prevents haproxy from starting

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	11.0 (Ocata)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	11.0 (Ocata)
Assignee:	Lukas Bezdicka
QA Contact:	Yurii Prokulevych
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1441982 1446289 1446292 1446293 1450825
TreeView+	depends on / blocked

Reported:	2017-04-13 08:46 UTC by Yurii Prokulevych
Modified:	2017-05-17 20:22 UTC (History)
CC List:	10 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-6.0.0-7.el7ost puppet-tripleo-6.3.0-11.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1441982 (view as bug list)
Environment:
Last Closed:	2017-05-17 20:22:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1682448	None	None	None	2017-04-13 14:25:21 UTC
OpenStack gerrit	457688	None	MERGED	Touch /etc/httpd/conf.d/ssl.conf	2020-05-19 02:16:22 UTC
OpenStack gerrit	458033	None	MERGED	Ensure we configure ssl.conf	2020-05-19 02:16:22 UTC
Red Hat Product Errata	RHEA-2017:1245	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 11.0 Bug Fix and Enhancement Advisory	2017-05-17 23:01:50 UTC

Description Yurii Prokulevych 2017-04-13 08:46:44 UTC

Description of problem:
-----------------------
Minor update of RHOS-11 fails cause haproxy is not running.
Looks like mod_ssl package is updated and pulls in  /etc/httpd/conf.d/ssl.conf, which has 'Listen 443' directive uncommented.
Apache gets restarted, binds to port and causes haproxy to fail:

Apr 13 08:27:26 controller-0.localdomain systemd[1]: Started Cluster Controlled haproxy.
Apr 13 08:27:26 controller-0.localdomain systemd[1]: Starting Cluster Controlled haproxy...
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: [WARNING] 102/082726 (168083) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy aodh started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy ceilometer started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy cinder started.
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: [ALERT] 102/082726 (168083) : Starting proxy horizon: cannot bind socket [2620:52:0:13b8:5054:ff:fe3e:1:443]
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: [ALERT] 102/082726 (168083) : Starting proxy horizon: cannot bind socket [fd00:fd00:fd00:2000::16:443]
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy glance_api started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy gnocchi started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy haproxy.stats started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy heat_api started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy heat_cfn started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy heat_cloudwatch started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy keystone_admin started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy keystone_public started.
Apr 13 08:27:26 controller-0.localdomain haproxy[168083]: Proxy mysql started.
Apr 13 08:27:26 controller-0.localdomain haproxy-systemd-wrapper[168082]: haproxy-systemd-wrapper: exit, haproxy RC=1
Apr 13 08:27:26 controller-0.localdomain systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE
Apr 13 08:27:26 controller-0.localdomain systemd[1]: Unit haproxy.service entered failed state.
Apr 13 08:27:26 controller-0.localdomain systemd[1]: haproxy.service failed.

ss -anp | grep 443
u_dgr  UNCONN     0      0      /run/systemd/cgroups-agent 1443                  * 0                   users:(("systemd",pid=1,fd=23))
tcp    LISTEN     0      128      :::443                  :::*                   users:(("httpd",pid=172103,fd=13),("httpd",pid=172102,fd=13),("httpd",pid=172101,fd=13),("httpd",pid=172100,fd=13),("httpd",pid=172099,fd=13),("httpd",pid=172098,fd=13),("httpd",pid=172097,fd=13),("httpd",pid=172096,fd=13),("httpd",pid=172050,fd=13))
tcp    SYN-SENT   0      1       fd00:fd00:fd00:2000::21:44350               fd00:fd00:fd00:2000::16:3306                users:(("neutron-server",pid=140764,fd=41))


Version-Release number of selected component (if applicable):
-------------------------------------------------------------
mod_ssl-2.4.6-45.el7_3.4.x86_64
openstack-tripleo-heat-templates-6.0.0-4.el7ost.noarch

Steps to Reproduce:
-------------------
1. Deploy RHOS-11 (2017-03-30.4)
2. Setup repos(2017-04-12.4)
3. Update UC
4. Try update OC

Comment 2 Lukas Bezdicka 2017-04-13 10:28:53 UTC

mod_ssl should not be present and if yet it should have its ssl.conf file changed but not removed. Most likely image issue.

Comment 3 Marios Andreou 2017-04-13 12:45:52 UTC

o/ folks, fyi my OSP10/11 *upgrade* environment definitely has mod_ssl package on all the overcloud nodes (mod_ssl-2.4.6-45.el7_3.4.x86_64 - which was updated as part of today's upgrade 10->11). Doesn't tell us much but I also tried a pcs resource restart haproxy to see if comment #0 reproduces in this upgraded env and it does not.

So are we sure mod_ssl is the issue here? From comment #0 I see that there was some problem starting the horizon proxy as 443 is occupied. Can we get the journal/logs from the node (assuming this must be one of the controllers, and likely the first controller to be updated)? 

Even if 'yum remove mod_ssl' fixes this are we really sure we don't need that package (do we know enough about what it is what if you *do* have ssl in your env is it not needed?)

Comment 4 Lukas Bezdicka 2017-04-13 14:16:28 UTC

/var/lib/heat-config/deployed/b5c7d010-4a88-43f5-86f2-b9d44f2b9d12.notify.json:\u001b[0;36mDebug: /Stage[main]/Apache/File[/etc/httpd/conf.d/ssl.conf]: Removing existing file for replacement with absent\u001b[0m

Comment 5 Lukas Bezdicka 2017-04-13 17:27:52 UTC

Second commit will be touch in tripleo-heat-templates

Comment 10 Yurii Prokulevych 2017-05-04 11:25:27 UTC

Verified with openstack-tripleo-heat-templates-6.0.0-10.el7ost.noarch and puppet-tripleo-6.3.0-12.el7ost.noarch

Comment 11 errata-xmlrpc 2017-05-17 20:22:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1245

Note You need to log in before you can comment on or make changes to this bug.