| 2020-06-19 04:29:37 |
Vern Hart |
description |
The charm correctly surmised that 80+ checks of openstack services were https and thus required the -S argument but three services, barbican, designate, and gnocchi are failing because the endpoint is https but the check_http command doesn't have -S.
If I check the endpoint list from keystone, I see all of these services have https schema:
$ openstack endpoint list | grep -e barbican -e gnocchi -e designate
| 3142eda4d15d47279b89760d5dea984c | Liberty_Mutual_PDC2 | barbican | key-manager | True | admin | https://barbican-internal.openstack-pdc-2.lmig.com:9312 |
| 3a91c5ac34fb4772a09edd16dd978ed5 | Liberty_Mutual_PDC2 | designate | dns | True | public | https://designate.openstack-pdc-2.lmig.com:9001 |
| 3c09135964aa48b8a436a6d65cf63868 | Liberty_Mutual_PDC2 | designate | dns | True | internal | https://designate-internal.openstack-pdc-2.lmig.com:9001 |
| 444cea388ab94ea595e99fc8e4b0b507 | Liberty_Mutual_PDC2 | gnocchi | metric | True | internal | https://gnocchi-internal.openstack-pdc-2.lmig.com:8041 |
| a53cbb734c8042bca108c1ce914352f6 | Liberty_Mutual_PDC2 | barbican | key-manager | True | internal | https://barbican-internal.openstack-pdc-2.lmig.com:9311 |
| b15be86e0b0c4a63919e8b6aa1ccbc08 | Liberty_Mutual_PDC2 | designate | dns | True | admin | https://designate-internal.openstack-pdc-2.lmig.com:9001 |
| c7e1a26378ab4d9fa53689f5613b1d0e | Liberty_Mutual_PDC2 | barbican | key-manager | True | public | https://barbican.openstack-pdc-2.lmig.com:9311 |
| d3fd5b8a8de4422b8e5fd484a07f1d79 | Liberty_Mutual_PDC2 | gnocchi | metric | True | admin | https://gnocchi-internal.openstack-pdc-2.lmig.com:8041 |
| de97d85443214ec6973d2b55509c660a | Liberty_Mutual_PDC2 | gnocchi | metric | True | public | https://gnocchi.openstack-pdc-2.lmig.com:8041 |
These services were configured with ssl from the beginning but perhaps there is a race condition where a non-https endpoint exists in keystone before it's correctly configured?
I fixed this by going into the debug-hooks environment (it was wanting to run the update-status hook) and clearing the openstack-service-checks.endpoints.configured flag before running the hook:
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm# charms.reactive clear_flag openstack-service-checks.endpoints.configured
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm# hooks/update-status
lxc
All snaps up to date.
/usr/lib/python3/dist-packages/keystoneauth1/adapter.py:179: UserWarning: Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1.
warnings.warn('Using keystoneclient sessions has been deprecated. '
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm#
Is there a better way to regenerate the service checks from the current keystone endpoints? |
The charm correctly surmised that 80+ checks of openstack services were https and thus required the -S argument but three services, barbican, designate, and gnocchi are failing because the endpoint is https but the check_http command doesn't have -S.
If I check the endpoint list from keystone, I see all of these services have https schema:
$ openstack endpoint list | grep -e barbican -e gnocchi -e designate
| 3142eda4d15d47279b89760d5dea984c | XX_PDC2 | barbican | key-manager | True | admin | https://barbican-internal.openstack-pdc-2.xx.com:9312 |
| 3a91c5ac34fb4772a09edd16dd978ed5 | XX_PDC2 | designate | dns | True | public | https://designate.openstack-pdc-2.xx.com:9001 |
| 3c09135964aa48b8a436a6d65cf63868 | XX_PDC2 | designate | dns | True | internal | https://designate-internal.openstack-pdc-2.xx.com:9001 |
| 444cea388ab94ea595e99fc8e4b0b507 | XX_PDC2 | gnocchi | metric | True | internal | https://gnocchi-internal.openstack-pdc-2.xx.com:8041 |
| a53cbb734c8042bca108c1ce914352f6 | XX_PDC2 | barbican | key-manager | True | internal | https://barbican-internal.openstack-pdc-2.xx.com:9311 |
| b15be86e0b0c4a63919e8b6aa1ccbc08 | XX_PDC2 | designate | dns | True | admin | https://designate-internal.openstack-pdc-2.xx.com:9001 |
| c7e1a26378ab4d9fa53689f5613b1d0e | XX_PDC2 | barbican | key-manager | True | public | https://barbican.openstack-pdc-2.xx.com:9311 |
| d3fd5b8a8de4422b8e5fd484a07f1d79 | XX_PDC2 | gnocchi | metric | True | admin | https://gnocchi-internal.openstack-pdc-2.xx.com:8041 |
| de97d85443214ec6973d2b55509c660a | XX_PDC2 | gnocchi | metric | True | public | https://gnocchi.openstack-pdc-2.xx.com:8041 |
These services were configured with ssl from the beginning but perhaps there is a race condition where a non-https endpoint exists in keystone before it's correctly configured?
I fixed this by going into the debug-hooks environment (it was wanting to run the update-status hook) and clearing the openstack-service-checks.endpoints.configured flag before running the hook:
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm# charms.reactive clear_flag openstack-service-checks.endpoints.configured
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm# hooks/update-status
lxc
All snaps up to date.
/usr/lib/python3/dist-packages/keystoneauth1/adapter.py:179: UserWarning: Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1.
warnings.warn('Using keystoneclient sessions has been deprecated. '
root@juju-c1611f-28-lxd-4:/var/lib/juju/agents/unit-openstack-service-checks-0/charm#
Is there a better way to regenerate the service checks from the current keystone endpoints? |
|
