Description of problem: ======================= Barbican tempest tests ("barbican_tempest_plugin.tests.scenario.test_volume_encryption.VolumeEncryptionTest.test_encrypted_cinder_volumes_cryptsetup) fails since barbican is not up on OSP13 deployment. [heat-admin@controller-0 ~]$ source overcloudrc (overcloud) [heat-admin@controller-0 ~]$ openstack secret list Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url. Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",)) (overcloud) [heat-admin@controller-0 ~]$ Version-Release number of selected component (if applicable): ============================================================== (overcloud) [heat-admin@controller-0 ~]$ yum list installed | grep barbican openstack-barbican-api.noarch 6.0.0-0.20180216020456.5b525f6.el7ost openstack-barbican-common.noarch 6.0.0-0.20180216020456.5b525f6.el7ost puppet-barbican.noarch 12.3.1-0.20180221115057.7067770.el7ost python-barbican.noarch 6.0.0-0.20180216020456.5b525f6.el7ost python2-barbicanclient.noarch 4.6.0-0.20180211180442.262025b.el7ost How reproducible: ================= Always Steps to Reproduce: ==================== 1. Deploy OSP13 w/Barbican enabled (by including the following .yaml) --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \ --service-environment-file=/usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \ 2. On the controller, execute 'openstack secret list' 3. Actual results: =============== Failed to contact the endpoint at http://10.0.0.105:9311 for discovery. Fallback to using that endpoint as the base url. Unable to establish connection to http://10.0.0.105:9311/secrets: ('Connection aborted.', BadStatusLine("''",))
Updating the status - jaosorior observed that the parameter 'BarbicanSimpleCryptoGlobalDefault' in /usr/share/openstack-tripleo-heat-templates/puppet/services/barbican-backend-simple-crypto.yaml was set to 'false'. After changing it to 'true' and redeploying overcloud, the command 'openstack secret list' returns empty output (as expected). But logs still showed "No preferred secret store found for project". jaosorior/alee found that this was due to the https://review.openstack.org/#/c/549852/ missing in downstream puddles.
Updating workaround for the bug (until fix is available downstream) ----------------------------------------------------------------------------- sudo docker exec barbican_api /usr/bin/barbican-manage db sync_secret_stores verbose -----------------------------------------------------------------------------
What are we waiting for moving this from PENDING to MODIFIED?
Verified on: openstack-tripleo-heat-templates-8.0.2-0.20180327213843.f25e2d8.el7ost.noarch After adding both yamls on overcloud_deploy.sh -e /usr/share/openstack-tripleo-heat-templates/environments/services-docker/barbican.yaml \ -e /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml \ And fetching/uploading Barbican's docker image, needed due to infrared not pulling all images by default. (overcloud) [stack@undercloud-0 ~]$ openstack secret list +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ | Secret href | Name | Created | Status | Content types | Algorithm | Bit length | Secret type | Mode | Expiration | +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ | http://10.0.0.101:9311/v1/secrets/c0503c63-c097-483d-afa4-7e11090217cf | test | 2018-04-03T06:34:51+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | RSA | 256 | certificate | cbc | 2019-01-31T00:00:00+00:00 | | http://10.0.0.101:9311/v1/secrets/b76330a9-ced4-40d3-81e8-9b5f351c3e8d | None | 2018-04-03T06:00:08+00:00 | ACTIVE | {u'default': u'application/octet-stream'} | aes | 256 | symmetric | None | None | +------------------------------------------------------------------------+------+---------------------------+--------+-------------------------------------------+-----------+------------+-------------+------+---------------------------+ This looks OK to verify, Just approve with Prasanth before I actually verify on his behalf.
Prasanth said it looks good to verify.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086