Description of problem:
When deploying OSP13 with TLS everywhere and RGW instead of swift, all swift commands fail.

Version-Release number of selected component (if applicable):
13

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP13 with TLS everywhere (w/ IDM) and RGW
2. openstack container list
3.

Actual results:
[stack@undercloud ~]$ source overcloudrc
(overcloud) [stack@undercloud ~]$ openstack container list
Unauthorized (HTTP 401) (Request-ID: tx0000000000000000018b9-005c7540b7-10b1-default)
(overcloud) [stack@undercloud ~]$ swift list
Account GET failed: https://overcloud.redhat.local:13808/swift/v1?format=json 401 Unauthorized  [first 60 chars of response] {"Code":"AccessDenied","RequestId":"tx0000000000000000018c5-
Failed Transaction ID: tx0000000000000000018c5-005c7540be-109a-default

Expected results:
Ability to perform object operations

Additional info:
The /etc/pki directory is not mounted into the container, therefore the certificate cannot be verified.

RGW logs show:
2019-02-26 13:46:21.042100 7fd839cfe700 0 curl_easy_perform returned status 60 error: Peer's Certificate issuer is not recognized.
2019-02-26 13:46:21.042266 7fd839cfe700 1 ====== req done req=0x7fd839cf7f90 op status=0 http_status=401 ======
2019-02-26 13:46:21.042328 7fd839cfe700 1 civetweb: 0x55624e82e000: 172.17.3.202 - - [26/Feb/2019:13:46:21 +0000] "GET /swift/v1?format=json HTTP/1.1" 401 0 - osc-lib/1.9.0 keystoneauth1/3.4.0 python-requests/2.14.2 CPython/2.7.5

The following steps solve the issue; proper automation work is required to fix this.

On the system(s) hosting the RGW:

Add
-v /etc/pki:/etc/pki:ro \
in /etc/systemd/system/ceph-radosgw\@.service

systemctl daemon-reload
systemctl restart ceph-radosgw.service
For security reasons you may not want to bind the entire /etc/pki directory
Could you specify the ceph-ansible version used? (3.2 I suppose)

While adding the /etc/pki directory seems to resolve the issue, we might be more specific on the file/dir path like other OpenStack containers (because we only need the CA):
https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/docker/services/containers-common.yaml#L94-L98
rpm -qa | grep ceph-an
ceph-ansible-3.2.7-1.el7cp.noarch

As for /etc/pki, yes agreed, I did mount the entire directory just to find the root cause and, as mentioned in my previous comment, we should only mount what is actually needed.
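The workaround in the description binds the whole /etc/pki tree into the RGW container, and the comments above agree that only the CA material should be mounted. The POSIX shell script below is an added example, not part of this bug report, of ceph-ansible or of tripleo: it patches a ceph-radosgw@.service-style unit idempotently, adding a read-only bind for each CA-trust path and nothing else, and verifies the result. The unit file contents are a constructed stand-in for the ceph-ansible unit, and the five CA paths are an assumption modelled on what the linked containers-common.yaml mounts into OpenStack containers; the script only writes to a temporary copy, so it runs without touching a real host.

```shell
#!/bin/sh
# Added example: bind only the CA-trust paths into the RGW container instead of
# all of /etc/pki. Unit layout and CA paths are assumptions for this example.
set -eu

# CA-trust paths assumed to mirror the read-only binds tripleo gives every
# OpenStack container (assumption; the page only links to that template).
CA_MOUNTS="/etc/pki/ca-trust/extracted
/etc/pki/ca-trust/source/anchors
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/tls/cert.pem"

# make_sample_unit FILE: write a constructed stand-in for a ceph-ansible style
# ceph-radosgw@.service whose ExecStart is a multi-line "docker run" command.
make_sample_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Ceph RGW (constructed sample)
After=docker.service

[Service]
ExecStartPre=-/usr/bin/docker rm ceph-rgw-%i
ExecStart=/usr/bin/docker run --rm --net=host \
  -v /var/lib/ceph:/var/lib/ceph:z \
  -v /etc/ceph:/etc/ceph:z \
  -v /etc/localtime:/etc/localtime:ro \
  --name=ceph-rgw-%i \
  registry.example.com/rhceph/rhceph-3-rhel7:latest
ExecStopPost=-/usr/bin/docker stop ceph-rgw-%i
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# has_mount FILE PATH: succeed if FILE already binds PATH read-only at the same path.
has_mount() {
  grep -qF -- "-v $2:$2:ro" "$1"
}

# add_ca_mounts FILE: insert a read-only bind for each missing CA path directly
# after the "docker run" line, keeping the backslash continuation intact.
# Safe to run repeatedly: binds that already exist are skipped.
add_ca_mounts() {
  for p in $CA_MOUNTS; do
    has_mount "$1" "$p" && continue
    awk -v p="$p" '
      { print }
      /^ExecStart=.*docker run/ { print "  -v " p ":" p ":ro \\" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  done
}

# count_ca_mounts FILE: number of /etc/pki binds present (prints 0 when none).
count_ca_mounts() {
  grep -cF -- '-v /etc/pki/' "$1" || true
}

# check_unit FILE: every CA path is bound and no whole-tree /etc/pki bind remains.
check_unit() {
  for p in $CA_MOUNTS; do
    has_mount "$1" "$p" || { echo "missing CA bind: $p" >&2; return 1; }
  done
  if grep -qF -- '-v /etc/pki:/etc/pki' "$1"; then
    echo "unit still binds the whole /etc/pki tree" >&2
    return 1
  fi
  return 0
}

# Demo on a temporary copy. On a real host you would patch the unit in place,
# then run `systemctl daemon-reload` and restart the RGW unit as in the report.
demo() {
  f=$(mktemp)
  make_sample_unit "$f"
  add_ca_mounts "$f"
  add_ca_mounts "$f"   # second run is a no-op
  check_unit "$f" && echo "unit binds $(count_ca_mounts "$f") CA paths read-only"
  rm -f "$f"
}
demo
```

The check function also refuses a unit that still carries the broad `-v /etc/pki:/etc/pki` bind, so it can be used to confirm that the interim workaround has been replaced by the narrower mounts before the service is restarted.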
*** Bug 1683930 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0475