Bug 1608450 - TLS everywhere deployment fails - missing TLS bits in T-H-T
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z3
Target Release: 12.0 (Pike)
Assignee: Damien Ciabrini
QA Contact: Marian Krcmarik
URL:
Whiteboard:
Keywords: Triaged, ZStream
Depends On:
Blocks: 1566598 1513502 1573583 1579023
Reported: 2018-07-25 14:45 UTC by Pavan
Modified: 2018-08-20 13:04 UTC (History)
Clone Of:
Last Closed: 2018-08-20 13:02:42 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2331 None None None 2018-08-20 13:04 UTC
OpenStack gerrit 586862 None None None 2018-07-29 07:41 UTC
OpenStack gerrit 586863 None None None 2018-07-29 07:42 UTC
Launchpad 1784205 None None None 2018-07-29 07:39 UTC

Description Pavan 2018-07-25 14:45:15 UTC
Description of problem:

Version-Release number of selected component (if applicable):
RHOSP-12 with TLS everywhere enabled
Topology: Compute:1,Controller:1,freeipa:1

Additional info:

The puppet code has TLS bits; however, the TripleO-Heat-Templates (T-H-T) does not have TLS bits.

Debugging logs:
[root@controller-0 heat-admin]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[root@controller-0 heat-admin]# docker ps -a
CONTAINER ID        IMAGE                                                    COMMAND                  CREATED             STATUS                      PORTS               NAMES
8ac903f6903a        192.168.24.1:8787/rhosp12/openstack-redis:2018-07-19.1   "/var/lib/docker-p..."   17 minutes ago      Exited (1) 17 minutes ago                       docker-puppet-redis
[root@controller-0 heat-admin]# docker logs -f docker-puppet-redis
+ mkdir -p /etc/puppet
+ cp -a /tmp/puppet-etc/auth.conf /tmp/puppet-etc/hiera.yaml /tmp/puppet-etc/hieradata /tmp/puppet-etc/modules /tmp/puppet-etc/puppet.conf /tmp/puppet-etc/ssl /etc/puppet
+ rm -Rf /etc/puppet/ssl
+ echo '{"step": 6}'
+ TAGS=
+ '[' -n file,file_line,concat,augeas,cron,exec ']'
+ TAGS='--tags file,file_line,concat,augeas,cron,exec'
+ origin_of_time=/var/lib/config-data/redis.origin_of_time
+ touch /var/lib/config-data/redis.origin_of_time
+ sync
+ set +e
+ FACTER_hostname=controller-0
+ FACTER_uuid=docker
+ /usr/bin/puppet apply --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,exec /etc/config.pp
Failed to get D-Bus connection: Operation not permitted
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Warning: Undefined variable 'deploy_config_name';
   (file & line not available)
Notice: hiera(): Cannot load backend module_data: cannot load such file -- hiera/backend/module_data_backend
Error: Evaluation Error: Error while evaluating a Function Call, tls_proxy_bind_ip is not set in the hieradata. at /etc/puppet/modules/tripleo/manifests/profile/base/database/redis.pp:86:9 on node controller-0.redhat.local
+ rc=1
+ set -e
+ '[' 1 -ne 2 -a 1 -ne 0 ']'
+ exit 1

Comment 2 Damien Ciabrini 2018-07-25 14:50:12 UTC
Is this a failure introduced in recent puddles? I remember we explicitly disabled TLS for Redis in OSP12, so we need to figure out what triggers the TLS path in the puppet-code for redis.

Comment 8 Damien Ciabrini 2018-07-29 07:42:37 UTC
Proposed patches upstream in puppet-tripleo and tripleo-heat-templates

Comment 16 errata-xmlrpc 2018-08-20 13:02:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2331

