Bug 1683930
| Summary: | ceph-rgw containers do not bind mount /etc/pki/ca-trust/source/anchors causing SSL handshake failures | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Punit Kundal <pkundal> |
| Component: | ceph-ansible | Assignee: | Sébastien Han <shan> |
| Status: | CLOSED DUPLICATE | QA Contact: | Yogev Rabl <yrabl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 13.0 (Queens) | CC: | gfidente |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-02-28 09:10:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1683290 ***
Description of problem:

When deploying the overcloud with self-signed certs, the ceph-rgw containers do not bind mount the /etc/pki/ca-trust/source/anchors directory, so when we try to curl the keystone public endpoint from inside the ceph-rgw container, the curl will fail with SSL handshake failures.

This has been observed when using self-signed certs, as it requires injecting the root CA certificate with the help of templates.

```
[root@overcloud-controller-0 ~]# ceph -s
  cluster:
    id:     160e41d2-1cbb-11e9-a165-525400b8391a
    health: HEALTH_WARN
            too many PGs per OSD (288 > max 250)

  services:
    mon: 3 daemons, quorum overcloud-controller-1,overcloud-controller-0,overcloud-controller-2
    mgr: overcloud-controller-2(active), standbys: overcloud-controller-1, overcloud-controller-0
    osd: 3 osds: 3 up, 3 in
    rgw: 3 daemons active

  data:
    pools:   9 pools, 288 pgs
    objects: 191 objects, 3.08KiB
    usage:   374MiB used, 135GiB / 135GiB avail
    pgs:     288 active+clean

  io:
    client:   1.03MiB/s rd, 0B/s wr, 1.55kop/s rd, 34op/s wr

[root@overcloud-controller-0 ~]# docker ps | grep -i ceph
4b5bbbd1c84b 192.168.24.131:8787/rhceph/rhceph-3-rhel7:3-20 "/entrypoint.sh" 19 seconds ago Up 18 seconds ceph-rgw-overcloud-controller-0
976cf7bedf63 192.168.24.131:8787/rhceph/rhceph-3-rhel7:3-20 "/entrypoint.sh" 2 hours ago Up 2 hours ceph-mgr-overcloud-controller-0
45540b18ab90 192.168.24.131:8787/rhceph/rhceph-3-rhel7:3-20 "/entrypoint.sh" 2 hours ago Up 2 hours ceph-mon-overcloud-controller-0

[root@overcloud-controller-0 ~]# docker inspect -f '{{ .Mounts }}' 4b5bbbd1c84b
[{bind /var/lib/ceph /var/lib/ceph z true rprivate} {bind /etc/ceph /etc/ceph z true rprivate} {bind /var/run/ceph /var/run/ceph z true rprivate} {bind /etc/localtime /etc/localtime ro false rprivate}]

[root@overcloud-controller-0 ~]# docker inspect -f '{{ .Mounts }}' 976cf7bedf63
[{bind /var/lib/ceph /var/lib/ceph z true rprivate} {bind /etc/ceph /etc/ceph z true rprivate} {bind /var/run/ceph /var/run/ceph z true rprivate} {bind /etc/localtime /etc/localtime ro false rprivate}]

[root@overcloud-controller-0 ~]# docker inspect -f '{{ .Mounts }}' 45540b18ab90
[{bind /etc/localtime /etc/localtime ro false rprivate} {bind /var/lib/ceph /var/lib/ceph z true rprivate} {bind /etc/ceph /etc/ceph z true rprivate} {bind /var/run/ceph /var/run/ceph z true rprivate}]
```

The instructions that have been followed to deploy the environment are at [1] and [2].

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/advanced_overcloud_customization/sect-enabling_ssltls_on_the_overcloud
[2] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/deploying_an_overcloud_with_containerized_red_hat_ceph/enable-ceph-overcloud#ceph-rgw

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Please let me know if any additional data is required. This can be reproduced on demand.
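The mount check from the report, as an added example that is not part of the original bug or of ceph-ansible: it audits parsed `docker inspect` JSON for a bind mount that exposes /etc/pki/ca-trust/source/anchors (or a parent directory) and, going slightly beyond the report, also flags such a mount when it is writable. The sample data is constructed; the two `example-*` containers and the function names are assumptions.

```python
import json
from pathlib import PurePosixPath

CA_ANCHORS = PurePosixPath("/etc/pki/ca-trust/source/anchors")

# Constructed sample in the shape of `docker inspect` JSON, trimmed to the
# fields used below. The first entry mirrors the ceph-rgw mounts shown in the
# report; the other two are hypothetical containers added for contrast.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/ceph-rgw-overcloud-controller-0", "Mounts": [
   {"Type": "bind", "Destination": "/var/lib/ceph", "RW": true},
   {"Type": "bind", "Destination": "/etc/ceph", "RW": true},
   {"Type": "bind", "Destination": "/var/run/ceph", "RW": true},
   {"Type": "bind", "Destination": "/etc/localtime", "RW": false}]},
 {"Name": "/example-ro-anchors", "Mounts": [
   {"Type": "bind", "Destination": "/etc/pki/ca-trust/source/anchors", "RW": false}]},
 {"Name": "/example-rw-parent", "Mounts": [
   {"Type": "bind", "Destination": "/etc/pki/ca-trust", "RW": true}]}
]
""")


def anchors_mount(container, path=CA_ANCHORS):
    """Return the bind mount whose destination is `path` or a parent of it."""
    for mount in container.get("Mounts") or []:
        dest = PurePosixPath(mount.get("Destination") or "")
        if mount.get("Type") == "bind" and (dest == path or dest in path.parents):
            return mount
    return None


def audit_ca_trust(containers, path=CA_ANCHORS):
    """Map container name -> 'missing', 'read-write' or 'ok'."""
    report = {}
    for container in containers:
        mount = anchors_mount(container, path)
        if mount is None:
            status = "missing"      # host CA anchors are not visible inside
        elif mount.get("RW", True):
            status = "read-write"   # container could modify the host anchors
        else:
            status = "ok"
        report[container["Name"].lstrip("/")] = status
    return report


if __name__ == "__main__":
    for name, status in audit_ca_trust(SAMPLE_INSPECT).items():
        print(f"{name}: {status}")
```

On a live node, pass `audit_ca_trust` the list obtained by loading the JSON that `docker inspect <container>` prints.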