Bug 1533271 - Running the mistral workflow to rotate Fernet decryption keys in the overcloud Fails
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-common
Version: 12.0 (Pike)
Hardware: All
OS: Linux
Target Milestone: z3
: 12.0 (Pike)
Assignee: Juan Antonio Osorio
QA Contact: Jeremy Agee
Reported: 2018-01-10 23:00 UTC by Ken Savich
Modified: 2018-08-20 12:59 UTC

Fixed In Version: openstack-tripleo-common-7.6.9-4.el7ost
Last Closed: 2018-08-20 12:58:39 UTC

System ID Private Priority Status Summary Last Updated
Launchpad 1742655 0 None None None 2018-01-11 10:25:25 UTC
OpenStack gerrit 532808 0 None MERGED Always pass the plan name to fernet workbook 2021-01-16 21:47:49 UTC
Red Hat Product Errata RHSA-2018:2331 0 None None None 2018-08-20 12:59:20 UTC

Description Ken Savich 2018-01-10 23:00:44 UTC
Description of problem:

NOTE: my stack is named "sweatpants" here

Running the tripleo.fernet_keys.rotate_fernet_keys workflow from the undercloud as such:

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'

Will fail if your cloud is not named "overcloud"

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. Deploy a cloud named something other than "overcloud" (such as "sweatpants")
2. Try to rotate your Fernet decrypt keys on the controllers with

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{"container": "sweatpants"}'

3. Look at the output of the workflow after a minute or so

openstack workflow execution output show <workflow id>

Actual results:

Look at your Fernet keys in the container from the controller node, notice that they haven't changed:

docker exec -ti keystone ls -l /etc/keystone/fernet-keys

Check the actual workflow output, you'll see something like the following:

    "status": "SUCCESS",
    "message": {
        "stderr": "\nPLAY [keystone] ****************************************************************\nskipping: no hosts matched\n\nPLAY RECAP *********************************************************************\n\n",
        "stdout": " [WARNING]: Could not match supplied host pattern, ignoring: keystone\n"

The only way to get this working is the following:

openstack workflow execution create tripleo.fernet_keys.v1.rotate_fernet_keys '{ "container": "sweatpants", "ansible_extra_env_variables": { "TRIPLEO_PLAN_NAME": "sweatpants", "ANSIBLE_HOST_KEY_CHECKING": "False" }}'

Note, additionally, that we have to pass the ANSIBLE_HOST_KEY_CHECKING variable because this gets overwritten by the workflow and isn't picked up if the plan name is the only variable passed into the workflow.

Expected results:

Expect to have rotated keys on all controller nodes

Additional info:
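
Added example, not part of the original report or of tripleo-common: a Python check for the failure mode described above, where the workflow returns "status": "SUCCESS" although Ansible matched no hosts and no keys were rotated. It assumes the execution output is a JSON object with the "status" and "message" stdout/stderr keys seen in the fragment; check_rotation, both samples and the host name controller-0 are constructed for illustration.

```python
import json
import re

# Strings Ansible printed in the failing run quoted in the report.
NO_HOST_MARKERS = ("skipping: no hosts matched",
                   "Could not match supplied host pattern")
# Host lines under PLAY RECAP: "name : ok=N changed=N unreachable=N failed=N"
RECAP_LINE = re.compile(
    r"^(\S+)\s*:\s*ok=(\d+)\s+changed=(\d+)\s+unreachable=(\d+)\s+failed=(\d+)",
    re.M)


def check_rotation(output_json):
    """Return (rotated, problems) for one workflow execution output."""
    doc = json.loads(output_json)
    message = doc.get("message")
    if not isinstance(message, dict):
        message = {"stdout": str(message or "")}
    # The report shows play output under "stderr", so scan both streams.
    text = "\n".join(str(message.get(k, "")) for k in ("stdout", "stderr"))
    problems = []
    if doc.get("status") != "SUCCESS":
        problems.append("workflow status is %r" % doc.get("status"))
    problems += ["ansible: " + m for m in NO_HOST_MARKERS if m in text]
    hosts = RECAP_LINE.findall(text)
    if not hosts:
        problems.append("PLAY RECAP lists no hosts")
    for name, _ok, _changed, unreachable, failed in hosts:
        if int(unreachable) or int(failed):
            problems.append("%s: unreachable=%s failed=%s"
                            % (name, unreachable, failed))
    return (not problems, problems)


# Constructed samples: REPORTED mirrors the fragment in the report,
# GOOD is a made-up run against a hypothetical host "controller-0".
REPORTED = json.dumps({"status": "SUCCESS", "message": {
    "stderr": "\nPLAY [keystone] ****\nskipping: no hosts matched\n"
              "\nPLAY RECAP ****\n\n",
    "stdout": " [WARNING]: Could not match supplied host pattern,"
              " ignoring: keystone\n"}})
GOOD = json.dumps({"status": "SUCCESS", "message": {
    "stdout": "PLAY [keystone] ****\n\nPLAY RECAP ****\n"
              "controller-0 : ok=3 changed=1 unreachable=0 failed=0\n",
    "stderr": ""}})

if __name__ == "__main__":
    for label, sample in (("reported", REPORTED), ("good", GOOD)):
        print(label, check_rotation(sample))
```

A False verdict means the keys under /etc/keystone/fernet-keys should be treated as not rotated, whatever the workflow status says.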

Comment 1 Nathan Kinder 2018-02-05 17:41:14 UTC
This has merged upstream:


Comment 2 Harry Rybacki 2018-04-25 17:46:13 UTC
Patch fixed-in: openstack-tripleo-common-7.6.9-4.el7ost by rebase.

Comment 10 errata-xmlrpc 2018-08-20 12:58:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
