Bug 1756507 - [Docs][OSP 13] Octavia Documentation should contain warning about not setting OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile to a read-only location in the container
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: async
Target Release: 13.0 (Queens)
Assignee: Greg Rakauskas
QA Contact: RHOS Documentation Team
Whiteboard: docs-accepted
Blocks: 1810231 1810232
Reported: 2019-09-27 19:29 UTC by Matt Flusche
Modified: 2023-09-07 20:42 UTC

Clones: 1810231 1810232
Last Closed: 2020-03-09 14:52:05 UTC


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Red Hat Issue Tracker | OSP-28270 | 0 | None | None | None | 2023-09-07 20:42:07 UTC |

Description Matt Flusche 2019-09-27 19:29:53 UTC
Description of problem:

Octavia Documentation should contain warning about not setting OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile to a read-only location in the container.

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/networking_guide/sec-octavia

If the following is set in the deployment environment:

  OctaviaCaCertFile: "/etc/pki/ca-trust/extracted/octavia/ca_02.pem"
  OctaviaCaKeyFile: "/etc/pki/ca-trust/extracted/octavia/cakey02.pem"
  OctaviaClientCertFile: "/etc/pki/ca-trust/extracted/octavia/client.pem"

The octavia containers will fail to start up with the following error in the `docker logs` output:

docker logs octavia_api
[...]
ERROR:__main__:Unexpected error:
Traceback (most recent call last):
  File "/usr/local/bin/kolla_set_configs", line 411, in main
    execute_config_strategy(config)
  File "/usr/local/bin/kolla_set_configs", line 377, in execute_config_strategy
    copy_config(config)
  File "/usr/local/bin/kolla_set_configs", line 306, in copy_config
    config_file.copy()
  File "/usr/local/bin/kolla_set_configs", line 150, in copy
    self._merge_directories(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 97, in _merge_directories
    os.path.join(dest, to_copy))
  File "/usr/local/bin/kolla_set_configs", line 92, in _merge_directories
    self._set_properties(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 117, in _set_properties
    self._set_properties_from_file(source, dest)
  File "/usr/local/bin/kolla_set_configs", line 122, in _set_properties_from_file
    shutil.copystat(source, dest)
  File "/usr/lib64/python2.7/shutil.py", line 98, in copystat
    os.utime(dst, (st.st_atime, st.st_mtime))
OSError: [Errno 30] Read-only file system: '/etc/pki/ca-trust/extracted'

Comment 3 Brent Eagles 2019-10-02 15:13:39 UTC
In an abundance of caution, I verified that this is just a documentation issue and not an actual bug. 

I think a simple warning to the effect that the OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaClientCertFile variables specify locations in the container that should not be read-only as the deployment needs to be able to access them to initialize configuration when starting the container.
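
The following check is an added example, not part of the bug report or of kolla's code: it flags any of the three certificate parameters whose path sits on a read-only mount, the condition that produces the `Errno 30` in the traceback above. It assumes it is run inside the target container (or an equivalent mount namespace); the helper names are hypothetical.

```python
import os

# Parameter names taken from the bug report.
CERT_PARAMS = ("OctaviaCaCertFile", "OctaviaCaKeyFile", "OctaviaClientCertFile")


def nearest_existing(path):
    """Walk up from path to the closest ancestor that already exists."""
    path = os.path.abspath(path)
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return path


def on_read_only_fs(path, statvfs=os.statvfs):
    """True if the filesystem holding path (or its nearest existing
    ancestor) is mounted read-only."""
    flags = statvfs(nearest_existing(path)).f_flag
    return bool(flags & os.ST_RDONLY)


def check_cert_paths(params, statvfs=os.statvfs):
    """Return {parameter: path} for cert parameters on a read-only mount."""
    bad = {}
    for name in CERT_PARAMS:
        path = params.get(name)
        if path and on_read_only_fs(path, statvfs):
            bad[name] = path
    return bad


if __name__ == "__main__":
    # Values quoted in the report; the result depends on where this is run.
    params = {
        "OctaviaCaCertFile": "/etc/pki/ca-trust/extracted/octavia/ca_02.pem",
        "OctaviaCaKeyFile": "/etc/pki/ca-trust/extracted/octavia/cakey02.pem",
        "OctaviaClientCertFile": "/etc/pki/ca-trust/extracted/octavia/client.pem",
    }
    for name, path in check_cert_paths(params).items():
        print("%s: %s is on a read-only filesystem" % (name, path))
```

The `statvfs` argument exists only so the check can be exercised without a real read-only mount.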

