Bug 1558058
| Summary: | Barbican not working in OSP13 deployment | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Prasanth Anbalagan <panbalag> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Ade Lee <alee> |
| Status: | CLOSED ERRATA | QA Contact: | Prasanth Anbalagan <panbalag> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 13.0 (Queens) | CC: | alee, aschultz, cschwede, hrybacki, jschluet, kbasil, mburns, rhel-osp-director-maint, tshefi |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | 13.0 (Queens) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-8.0.0-0.20180304031150.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-06-27 13:47:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1365571, 1374375, 1412823, 1419556 | ||
Updating the status - jaosorior observed that the parameter 'BarbicanSimpleCryptoGlobalDefault' in /usr/share/openstack-tripleo-heat-templates/puppet/services/barbican-backend-simple-crypto.yaml was set to 'false'. After changing it to 'true' and redeploying overcloud, the command 'openstack secret list' returns empty output (as expected). But logs still showed "No preferred secret store found for project". jaosorior/alee found that this was due to the https://review.openstack.org/#/c/549852/ missing in downstream puddles. Updating workaround for the bug (until fix is available downstream) ----------------------------------------------------------------------------- sudo docker exec barbican_api /usr/bin/barbican-manage db sync_secret_stores verbose ----------------------------------------------------------------------------- What are we waiting for moving this from PENDING to MODIFIED? Verified on: openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost.noarch After adding both yamls on overcloud_deploy.sh -e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \ And fetching/uploading Barbican's docker image, needed due to infrared not pulling all images by default. (overcloud) [stack@undercloud-0 ~]$ openstack secret list +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ | Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration | +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ | http://10.0.0.101:9311/v1/secrets/c0503c63-c097-483d-afa4-7e11090217cf | test | 2018-04-03T06:34:51+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | RSA | 256 | certificate | cbc | 2019-01-31T00:00:00+00:00 | | http://10.0.0.101:9311/v1/secrets/b76330a9-ced4-40d3-81e8-9b5f351c3e8d | None | 2018-04-03T06:00:08+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | None | None | +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ This looks OK to verify, Just approve with Prasanth before I actually verify on his behalf. Prasanth said it looks good to verify. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086 |
Description of problem: ======================= Barbican tempest tests ("barbican_tempest_plugin.tests.scenario.test_volume_encryption.VolumeEncryptionTest.test_encrypted_cinder_volumes_cryptsetup) fails since barbican is not up on OSP13 deployment. [heat-admin@controller-0 ~]$ source overcloudrc (overcloud) [heat-admin@controller-0 ~]$ openstack secret list Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url. Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",)) (overcloud) [heat-admin@controller-0 ~]$ Version-Release number of selected component (if applicable): ============================================================== (overcloud) [heat-admin@controller-0 ~]$ yum list installed | grep barbican openstack-barbican-api.noarch 6.0.0-0.20180216020456.5b525f6.el7ost openstack-barbican-common.noarch 6.0.0-0.20180216020456.5b525f6.el7ost puppet-barbican.noarch 12.3.1-0.20180221115057.7067770.el7ost python-barbican.noarch 6.0.0-0.20180216020456.5b525f6.el7ost python2-barbicanclient.noarch 4.6.0-0.20180211180442.262025b.el7ost How reproducible: ================= Always Steps to Reproduce: ==================== 1. Deploy OSP13 w/Barbican enabled (by including the following .yaml) --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \ --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \ 2. On the controller, execute 'openstack secret list' 3. Actual results: =============== Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url. Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",))