Bug 1792477 - Cinder fails to run A/A when deployed with TLS-everywhere
Summary: Cinder fails to run A/A when deployed with TLS-everywhere
Keywords:
Status: CLOSED DUPLICATE of bug 1804079
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z2
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Alan Bishop
QA Contact: Tzach Shefi
Docs Contact: Chuck Copello
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-01-17 17:14 UTC by Alan Bishop
Modified: 2022-08-08 13:22 UTC

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-0.20200608073443.f604618.el8ost
Doc Type: Bug Fix
Doc Text:
Before this update, the overcloud deployment process did not create the TLS certificate necessary for the Block Storage service (cinder) to run in active/active mode. As a result, cinder services failed during start-up. With this update, the deployment process creates the TLS certificate correctly and the Block Storage service can run in active/active mode with TLS-everywhere.
Clone Of:
Environment:
Last Closed: 2020-07-08 22:38:26 UTC
Target Upstream Version:
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Launchpad | 1869955 | 0 | None | None | None | 2020-06-23 18:53:11 UTC |
| OpenStack gerrit | 726949 | 0 | None | MERGED | Fix cinder and etcd running with internal TLS enabled | 2020-11-03 22:59:51 UTC |
| Red Hat Issue Tracker | OSP-10393 | 0 | None | None | None | 2022-08-08 12:28:44 UTC |

Description Alan Bishop 2020-01-17 17:14:03 UTC
Description of problem:

The Distributed Lock Manager (DLM) that cinder uses when running A/A is broken when deployed with TLS-everywhere. Several problems have been uncovered, and this BZ is intended to be a tracker.

When running A/A, cinder uses etcd (via an etcd HTTP gateway) for its DLM. The following issues have been noted when TLS-everywhere is included in the overcloud deployment:

1. Puppet-tripleo fails when trying to set the permission on etcd’s TLS cert and key files.
2. THT fails to bind etcd’s cert and key files into the etcd container.
3. The DLM (tooz's coordination library) doesn’t have a driver that supports etcd3 with HTTPS (it only supports HTTP).

The first two issues are bugs that warrant their own BZ. However, fixing the third issue will require an enhancement to tooz (not a bug fix).

Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. Deploy cinder A/A with TLS-everywhere
2.
3.

Actual results:

Cinder services fail to start.

Expected results:

Things work.

Additional info:

