Bug 1814373 - OCPRHV-60: Installer should validate inputs and prevent or correct invalid inputs from causing install failure.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 4.6.0
Assignee: Douglas Schilling Landgraf
QA Contact: Jan Zmeskal
URL: https://issues.redhat.com/browse/OCPR...
Whiteboard:
Depends On: OCPRHV-176 1850723
Blocks:
Reported: 2020-03-17 17:43 UTC by Rolfe Dlugy-Hegwer
Modified: 2020-10-27 15:57 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 15:57:26 UTC
Target Upstream Version:

Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 3692 0 None closed BUG 1839896: ovirt: General Improvements 2020-12-17 08:49:02 UTC
Red Hat Product Errata RHBA-2020:4196 0 None None None 2020-10-27 15:57:28 UTC

Description Rolfe Dlugy-Hegwer 2020-03-17 17:43:35 UTC
Description of problem:

Vishal encountered this issue: 

I copy-pasted the API IP from a file and it had an extra space. install-config saved it as string and installation was failing with an error.

"failed to fetch dependency of "Terraform Variables": failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Common Manifests": failed to generate asset "Certificate (mcs)": failed to generate signed cert/key pair: error parsing x509 certificate request: x509: cannot parse IP address of length 0"

Removing the quotes and extra space in install-config fixed the issue.

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:

Steps to Reproduce:
1. Run the installer.
2. Paste in the IP address of the API with an extra space.

Actual results:
Installation fails with:

```
"failed to fetch dependency of "Terraform Variables": failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Common Manifests": failed to generate asset "Certificate (mcs)": failed to generate signed cert/key pair: error parsing x509 certificate request: x509: cannot parse IP address of length 0"
```

Expected results:
The installer should validate inputs and prevent or correct invalid inputs that cause the installation to fail later on.

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

Comment 2 Sandro Bonazzola 2020-05-18 13:11:30 UTC
Jan this should be already in 4.5. Can you please check?

Comment 3 Sandro Bonazzola 2020-05-18 13:11:49 UTC
It was part of the PR merged last week

Comment 4 Sandro Bonazzola 2020-05-18 13:12:21 UTC
Douglas will pre-check before moving to QE

Comment 5 Sandro Bonazzola 2020-05-18 13:15:17 UTC
Tracked in Jira here: https://issues.redhat.com/browse/OCPRHV-60

Comment 6 Douglas Schilling Landgraf 2020-05-18 14:10:20 UTC
Moving to ASSIGNED to show in my list of bugs to work. I will move to MODIFIED as soon as I confirm the issue is gone.

Comment 7 Douglas Schilling Landgraf 2020-05-21 01:47:32 UTC
Works for me, moving to ON_QA.

```
? oVirt API endpoint URL http://192.168.1.68 <---- space added
? oVirt engine username admin@internal
? oVirt engine password ******
X Sorry, your reply was invalid: failed to construct connection to oVirt platform parse "http://192.168.1.68 ": invalid character " " in host name
```

Comment 8 Jan Zmeskal 2020-05-25 12:41:03 UTC
Verification attempted with: openshift-install-linux-4.5.0-0.nightly-2020-05-25-012559

I cannot confirm that the issue described by Rolfe has been solved. See here:

```
[root@ocp-qe-1 secondary]# rm -rf ~/.ovirt/
[root@ocp-qe-1 secondary]# ./openshift-install create install-config
? SSH Public Key /root/.ssh/id_rsa.pub
? Platform ovirt
? oVirt API endpoint URL https://<censored>/ovirt-engine/api <-- Additional space here
? Is the oVirt CA trusted locally? No
WARNING Communication with the oVirt engine will be insecure.
? oVirt engine username admin@internal
? oVirt engine password ******
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": Tag not matched: expect <fault> but got <html>
```

Furthermore, I found some additional issues. They are not connected to Rolfe's original complaint. However, summary of this bug is "Installer should validate inputs and prevent or correct invalid inputs from causing install failure". If that should be the case, following problems need to be tackled as well:
- Incomplete oVirt API URL causes installer to panic: http://pastebin.test.redhat.com/868309
- Valid link that is not pointing to oVirt API is accepted and subsequently throws terraform error: http://pastebin.test.redhat.com/868310
- I also found an issue with CA bundle. However, that one is potentially much more problematic, therefore it's tracked in separate BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1839742. No need to do anything with it in scope of this bug.
- Installer accepts obviously invalid user (e.g. admin@internal@superinternal). This leads to this: https://bugzilla.redhat.com/show_bug.cgi?id=1839746 In scope of this bug, we should check if the user-provided username is at all legit (e.g. complies with format <user>@<profile>).

There's also one more bug about input validation, see here: https://bugzilla.redhat.com/show_bug.cgi?id=1837239 No action required here, this is just FYI.

Comment 9 Douglas Schilling Landgraf 2020-05-26 02:08:25 UTC
Hi Jan,

(In reply to Jan Zmeskal from comment #8)
> Verification attempted with:
> openshift-install-linux-4.5.0-0.nightly-2020-05-25-012559
> 
> I cannot confirm that the issue described by Rolfe has been solved. See here:
> 
> [root@ocp-qe-1 secondary]# rm -rf ~/.ovirt/
> [root@ocp-qe-1 secondary]# ./openshift-install create install-config
> ? SSH Public Key /root/.ssh/id_rsa.pub
> ? Platform ovirt
> ? oVirt API endpoint URL https://<censored>/ovirt-engine/api <-- Additional
> space here
> ? Is the oVirt CA trusted locally? No
> WARNING Communication with the oVirt engine will be insecure. 
> ? oVirt engine username admin@internal
> ? oVirt engine password ******
> FATAL failed to fetch Install Config: failed to fetch dependency of "Install
> Config": failed to fetch dependency of "Base Domain": failed to generate
> asset "Platform": Tag not matched: expect <fault> but got <html> 

Interesting, I cannot see this. I see:

FATAL failed to fetch Metadata: failed to fetch dependency of "Metadata": failed to fetch dependency of "Cluster ID": failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": parse "https://engine.medogz.home ": invalid character " " in host name 


> 
> Furthermore, I found some additional issues. They are not connected to
> Rolfe's original complaint. However, summary of this bug is "Installer
> should validate inputs and prevent or correct invalid inputs from causing
> install failure". If that should be the case, following problems need to be
> tackled as well:
> - Incomplete oVirt API URL causes installer to panic:
> http://pastebin.test.redhat.com/868309
> - Valid link that is not pointing to oVirt API is accepted and subsequently
> throws terraform error: http://pastebin.test.redhat.com/868310
> - I also found an issue with CA bundle. However, that one is potentially
> much more problematic, therefore it's tracked in separate BZ:
> https://bugzilla.redhat.com/show_bug.cgi?id=1839742. No need to do anything
> with it in scope of this bug.
> - Installer accepts obviously invalid user (e.g.
> admin@internal@superinternal). This leads to this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1839746 In scope of this bug, we
> should check if the user-provided username is at all legit (e.g. complies
> with format <user>@<profile>).
> 
> There's also one more bug about input validation, see here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1837239 No action required here,
> this is just FYI.


Not all bugs above are covered, but most of the validations raised here are fixed in this PR:
https://github.com/openshift/installer/pull/3637

Comment 10 Jan Zmeskal 2020-05-26 06:31:20 UTC
Hi Douglas,

> FATAL failed to fetch Metadata: failed to fetch dependency of "Metadata": failed to fetch dependency of "Cluster ID": failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": parse "https://engine.medogz.home ": invalid character " " in host name 

Are you sure you're testing on master? I was testing on an OCP 4.5 nightly build built yesterday, so it's as up-to-date as it gets. I'm pretty sure you thought of that, but nothing else that could explain the difference comes to my mind.

Comment 11 Roy Golan 2020-05-26 06:45:17 UTC
Jan and Doug, please provide `openshift-install version`

Comment 12 Jan Zmeskal 2020-05-26 06:49:43 UTC
Hi Roy,

```
./openshift-install version
./openshift-install 4.5.0-0.nightly-2020-05-25-012559
built from commit bbb9006efe1f7d289892f33328bc6e43a9ea664e
release image registry.svc.ci.openshift.org/ocp/release@sha256:23e2f96405039788141fc112f99c13fb65a41923a5c5014309314a02b0293159
```

Comment 13 Douglas Schilling Landgraf 2020-05-27 11:27:20 UTC
Hey Jan,

Found the difference: I was providing https://engine.medogz.home[space] not https://engine.medogz.home/ovirt-engine/api[space]
Reproduced your report. However, still believe https://github.com/openshift/installer/pull/3663 should address this issue. :)

Thanks!

Comment 14 Jan Zmeskal 2020-05-27 14:50:36 UTC
Hi Douglas, unfortunately I don't have the capacity to delve into individual PRs. However, even from cursory glance I can see that https://github.com/openshift/installer/pull/3663 is dealing with raised issue rather than by fixing them by re-working the whole thing. I don't mind this approach. However make sure to address all the issues raised in comment 9.
To re-iterate, I'll consider this verified if following issues are tackled (in whatever way):
- Entering invalid oVirt API address/FQDN
- Entering valid address but not one pointing to oVirt API
- Entering obviously invalid username
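
The different failures compared in comments 9 to 13 match how Go's `net/url` (whose error text appears in comments 7 and 9) treats a space: it is rejected in the host but accepted in the path. The following is an added example, not installer code or code from this thread; `stdlibAccepts`, `normalizeEngineURL` and `validateUsername` are hypothetical names, and the inputs are constructed from the values quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"unicode"
)

// stdlibAccepts reports whether url.Parse alone lets the input through.
func stdlibAccepts(raw string) bool {
	_, err := url.Parse(raw)
	return err == nil
}

// normalizeEngineURL (hypothetical helper) trims pasted whitespace, then
// rejects what url.Parse would silently accept: embedded whitespace, a
// missing or non-HTTP scheme, or an empty host.
func normalizeEngineURL(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if strings.IndexFunc(s, unicode.IsSpace) >= 0 {
		return "", errors.New("URL contains embedded whitespace")
	}
	u, err := url.Parse(s)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return "", errors.New("expected http(s)://host[:port][/path]")
	}
	return u.String(), nil
}

// validateUsername enforces the <user>@<profile> shape requested in comment 8.
func validateUsername(name string) error {
	parts := strings.Split(name, "@")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return fmt.Errorf("username %q must look like <user>@<profile>", name)
	}
	return nil
}

func main() {
	// Constructed inputs: both end in one trailing space.
	fmt.Println(stdlibAccepts("https://engine.medogz.home "))                  // space in host
	fmt.Println(stdlibAccepts("https://engine.medogz.home/ovirt-engine/api ")) // space in path
	fmt.Println(normalizeEngineURL("https://engine.medogz.home/ovirt-engine/api "))
	fmt.Println(validateUsername("homer@simpson@springfield"))
}
```
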

Comment 16 Scott Dodson 2020-06-09 14:33:48 UTC
The linked PR is closed. Moving back to ASSIGNED.

Comment 19 Jan Zmeskal 2020-06-19 08:44:11 UTC
Verified with: openshift-install-linux-4.6.0-0.nightly-2020-06-19-020835

While the original problems with entering oVirt API address have been pretty much tackled by 

Bug 1838660 - OCPRHV-123: RFE: Installer should check if FQDN resolves before continuing the installation

one can still enter an obviously wrong username. See here:

```
./openshift-install create install-config
? SSH Public Key /root/.ssh/id_rsa.pub
? Platform ovirt
? Engine FQDN[:PORT] ocp-qe-1.qa.lab.tlv.redhat.com
? Engine username homer@simpson@springfield
? Engine password ******
X Sorry, your reply was invalid: failed to connect to Engine platform Error during SSO authentication access_denied : Cannot authenticate user 'homer@simpson@springfield': No valid profile found in credentials..
? Engine password 
? Engine username homer
? Engine password ******
X Sorry, your reply was invalid: failed to connect to Engine platform Error during SSO authentication access_denied : Cannot authenticate user 'homer@N/A': No valid profile found in credentials..
? Engine password 
? Engine username [? for help] (admin@internal) 
```

I think it would be better to throw obviously wrong username (e.g. without profile being specified) straight away, now the installer enables user to re-enter the username upon pressing Ctrl+C, which is IMO good enough.

Comment 21 errata-xmlrpc 2020-10-27 15:57:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196