1954374 – [OSP16.1] Keystone healthcheck script fail when we enable Federate as authentication provider

Bug 1954374 - [OSP16.1] Keystone healthcheck script fail when we enable Federate as authentication provider

Summary: [OSP16.1] Keystone healthcheck script fail when we enable Federate as authent...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-common
Sub Component:
Version:	16.1 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	zstream
Target Release:	---
Assignee:	Grzegorz Grasza
QA Contact:	Jeremy Agee
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-04-28 03:35 UTC by Khomesh Thakre
Modified:	2023-08-07 13:53 UTC (History)
CC List:	5 users (show)
Fixed In Version:	openstack-tripleo-common-11.4.1-1.20211013133417.75bd92a
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-03-24 10:59:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1942057	None	None	None	2021-08-30 08:07:59 UTC
OpenStack gerrit	806549	None	MERGED	Fix awk expression	2021-10-13 08:56:30 UTC
OpenStack gerrit	812372	None	MERGED	Fix awk expression	2021-10-13 08:56:39 UTC
Red Hat Issue Tracker	OSP-3388	None	None	None	2022-01-24 09:36:10 UTC
Red Hat Product Errata	RHBA-2022:0986	None	None	None	2022-03-24 10:59:50 UTC

Description Khomesh Thakre 2021-04-28 03:35:01 UTC

Description of problem:

For keystone, healthcheck script is failing with below error

~~~
[root@ctl01 conf.d]# /usr/bin/podman exec --user root keystone /openstack/healthcheck
+ . /usr/share/openstack-tripleo-common/healthcheck/common.sh
++ set -x
++ set -euo pipefail
++ : 0
++ '[' 0 -ne 0 ']'
++ exec
++ : 10
++ : curl-healthcheck
++ : '\n%{http_code}' '%{remote_ip}:%{remote_port}' '%{time_total}' 'seconds\n'
++ : /dev/null
++ get_url_from_vhost /etc/httpd/conf.d/10-keystone_wsgi.conf
++ vhost_file=/etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -n /etc/httpd/conf.d/10-keystone_wsgi.conf
++ test -r /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ awk '/ServerName/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ server_name=overcloud.example.com
+++ awk '/SSLEngine/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ ssl_enabled=on
+++ grep -h '<VirtualHost .*>' /etc/httpd/conf.d/10-keystone_wsgi.conf
+++ sed 's/<VirtualHost .*:\(.*\)>/\1/'
++ bind_port=35357
+++ awk '/WSGIScriptAlias/ {print $2}' /etc/httpd/conf.d/10-keystone_wsgi.conf
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$'
++ proto=http
++ [[ on == \o\n ]]
++ proto=https
++ [[ /
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ != \/ ]]
++ wsgi_alias='/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
++ echo https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ check_url='https://overcloud.example.com:35357/ ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ healthcheck_curl https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'
+ '[' 2 == 0 ']'
+ export NSS_SDB_USE_CACHE=no
+ NSS_SDB_USE_CACHE=no
+ curl -g -k -q -s -S --fail -o /dev/null --max-time 10 --user-agent curl-healthcheck --write-out '\n%{http_code} %{remote_ip}:%{remote_port} %{time_total} seconds\n' https://overcloud.example.com:35357/ '^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$/'

curl: (6) Could not resolve host: ^(
~~~

The issue is with /usr/share/openstack-tripleo-common/healthcheck/common.sh script in below function

~~~
# apachectl -S is slightly harder to parse and doesn't say if the vhost is serving SSL
get_url_from_vhost () {
    vhost_file=$1
    if test -n "${vhost_file}" && test -r "${vhost_file}" ; then
        server_name=$(awk '/ServerName/ {print $2}' $vhost_file)
        ssl_enabled=$(awk '/SSLEngine/ {print $2}' $vhost_file)
        bind_port=$(grep -h "<VirtualHost .*>" $vhost_file | sed 's/<VirtualHost .*:\(.*\)>/\1/')
        wsgi_alias=$(awk '/WSGIScriptAlias/ {print $2}' $vhost_file)                                   <<<<< 
        proto=http
        if [[ $ssl_enabled == "on" ]]; then
            proto=https
        fi
        if [[ $wsgi_alias != "/" ]]; then
            wsgi_alias="${wsgi_alias}/"
        fi
        echo ${proto}://${server_name}:${bind_port}${wsgi_alias}
    else
        exit 1
    fi
}
~~~

Awk is getting to matched instead of one 

~~~
[root@ctl01 conf.d]# awk '/WSGIScriptAlias/ {print $2}' 10-keystone_wsgi.conf
/
^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$
~~~

In working(non federate) environment, we only get `/` as output.

~~~
[stack@undercloud-0 ~]$ awk '/WSGIScriptAlias/ {print $2}' /var/lib/config-data/puppet-generated/keystone/etc/httpd/conf.d/10-keystone_wsgi.conf 
/
~~~


Version-Release number of selected component (if applicable):
Red Hat Openstack release 16.1 Train

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 4 Grzegorz Grasza 2021-05-17 14:19:16 UTC

I was able to reproduce it on OSP 16.1

Comment 15 errata-xmlrpc 2022-03-24 10:59:23 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.8 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:0986

Note You need to log in before you can comment on or make changes to this bug.