Bug 1954374 - [OSP16.1] Keystone healthcheck script fail when we enable Federate as authentication provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-common
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: zstream
: ---
Assignee: Grzegorz Grasza
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-28 03:35 UTC by Khomesh Thakre
Modified: 2023-08-07 13:53 UTC (History)

Fixed In Version: openstack-tripleo-common-11.4.1-1.20211013133417.75bd92a
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-24 10:59:23 UTC
Target Upstream Version:
Embargoed:



Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Launchpad | 1942057 | 0 | None | None | None | 2021-08-30 08:07:59 UTC |
| OpenStack gerrit | 806549 | 0 | None | MERGED | Fix awk expression | 2021-10-13 08:56:30 UTC |
| OpenStack gerrit | 812372 | 0 | None | MERGED | Fix awk expression | 2021-10-13 08:56:39 UTC |
| Red Hat Issue Tracker | OSP-3388 | 0 | None | None | None | 2022-01-24 09:36:10 UTC |
| Red Hat Product Errata | RHBA-2022:0986 | 0 | None | None | None | 2022-03-24 10:59:50 UTC |

Description Khomesh Thakre 2021-04-28 03:35:01 UTC
Description of problem:

For keystone, the healthcheck script is failing with the error below:

~~~
[root@ctl01 conf.d]# /usr/bin/podman exec --user root keystone /openstack/healthcheck
+ . /usr/share/openstack-tripleo-common/healthcheck/common.sh
++ set -x
++ set -euo pipefail
++ : 0
++ '[' 0 -ne 0 ']'
++ exec
++ : 10
++ : curl-healthcheck
++ : '\n%{http_code}' '%{remote_ip}:%{remote_port}' '%{time_total}' 'seconds\n'
++ : /dev/null
++ get_url_from_vhost /etc/httpd/conf.d/10-keystone_wsgi.conf
++ vhost_file=/etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -n /etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -r /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ awk '/ServerName/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ server_name=overcloud.example.com
+++ awk '/SSLEngine/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ ssl_enabled=on
+++ grep -h '<VirtualHost .*>' /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ sed 's/<VirtualHost .*:\(.*\)>/\1/'
++ bind_port=35357
+++ awk '/WSGIScriptAlias/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$'
++ proto=http
++ [[ on == \o\n ]]
++ proto=https
++ [[ /
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ != \/ ]]
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
++ echo https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ check_url='https://overcloud.example.com:35357/ ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ healthcheck_curl https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ '[' 2 == 0 ']'
+ export NSS_SDB_USE_CACHE=no
+ NSS_SDB_USE_CACHE=no
+ curl -g -k -q -s -S --fail -o /dev/null --max-time 10 --user-agent curl-healthcheck --write-out '\n%{http_code} %{remote_ip}:%{remote_port} %{time_total} seconds\n' https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'

curl: (6) Could not resolve host: ^(
~~~

The issue is with the /usr/share/openstack-tripleo-common/healthcheck/common.sh script, in the function below:

~~~
# apachectl -S is slightly harder to parse and doesn't say if the vhost is serving SSL
get_url_from_vhost () {
    vhost_file=$1
    if test -n "${vhost_file}" && test -r "${vhost_file}" ; then
        server_name=$(awk '/ServerName/ {print $2}' $vhost_file)
        ssl_enabled=$(awk '/SSLEngine/ {print $2}' $vhost_file)
        bind_port=$(grep -h "<VirtualHost .*>" $vhost_file | sed 's/<VirtualHost .*:\(.*\)>/\1/')
        wsgi_alias=$(awk '/WSGIScriptAlias/ {print $2}' $vhost_file)                                   <<<<< 
        proto=http
        if [[ $ssl_enabled == "on" ]]; then
            proto=https
        fi
        if [[ $wsgi_alias != "/" ]]; then
            wsgi_alias="${wsgi_alias}/"
        fi
        echo ${proto}://${server_name}:${bind_port}${wsgi_alias}
    else
        exit 1
    fi
}
~~~

Awk is getting two matches instead of one:

~~~
[root@ctl01 conf.d]# awk '/WSGIScriptAlias/ {print $2}' 10-keystone_wsgi.conf
/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$
~~~

In a working (non-federated) environment, we only get `/` as output.

~~~
[stack@undercloud-0 ~]$ awk '/WSGIScriptAlias/ {print $2}' /var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d/10-keystone_wsgi.conf 
/
~~~


Version-Release number of selected component (if applicable):
Red Hat OpenStack release 16.1 Train

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 4 Grzegorz Grasza 2021-05-17 14:19:16 UTC
I was able to reproduce it on OSP 16.1

Comment 15 errata-xmlrpc 2022-03-24 10:59:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986
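
The double match from the description can be reproduced offline. This is an added example, not the merged "Fix awk expression" change and not code from openstack-tripleo-common. The sample vhost is constructed: the `WSGIScriptAliasMatch` directive name, the script paths and the bind address are assumptions, and `alias_exact` is one possible stricter expression.

```shell
#!/bin/sh
# Constructed sample of a federated Keystone vhost. Only the two alias values,
# ServerName, SSLEngine and the port come from the report; the rest is assumed.
make_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10:35357>
  ServerName overcloud.example.com
  SSLEngine on
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/keystone"
  WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ "/var/www/cgi-bin/keystone/keystone/$1"
</VirtualHost>
EOF
}

# Expression used in get_url_from_vhost: /WSGIScriptAlias/ is an unanchored
# regex over the whole line, so WSGIScriptAliasMatch lines match as well.
alias_unanchored() {
    awk '/WSGIScriptAlias/ {print $2}' "$1"
}

# Stricter variant (hypothetical): compare the directive name exactly,
# case-insensitively as Apache does, and stop at the first hit.
alias_exact() {
    awk 'tolower($1) == "wsgiscriptalias" {print $2; exit}' "$1"
}

# Assemble the check URL the way get_url_from_vhost does. The extraction
# function is passed by name; scheme, host and port are fixed sample values.
build_url() {
    extract=$1
    vhost=$2
    path=$("$extract" "$vhost")
    if [ "$path" != "/" ]; then
        path="${path}/"
    fi
    echo "https://overcloud.example.com:35357${path}"
}

# Demo: print the URL produced by each expression for the sample vhost.
tmp=$(mktemp)
make_sample_vhost "$tmp"
echo "unanchored: $(build_url alias_unanchored "$tmp")"
echo "exact:      $(build_url alias_exact "$tmp")"
rm -f "$tmp"
```

With the unanchored expression the URL contains an embedded newline followed by the regex, which the unquoted `echo` in `get_url_from_vhost` turns into the second argument that curl tries to resolve as a host.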

