Juniper Openstack

heat fails with SSL enabled contrail cluster

Series r3.0
Bug #1612826

Bug #1612826 reported by Ignatious Johnson Christopher on 2016-08-12

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	Medium	Ignatious Johnson Christopher	Juniper Openstack r3.0.3.0
R3.1	Fix Committed	Medium	Ignatious Johnson Christopher	Juniper Openstack r3.1.1.0
Trunk	Fix Committed	Medium	Ignatious Johnson Christopher	Juniper Openstack r3.2.0.0-fcs "r3.2.0.0"

Bug Description

Heat fails when SSL is enabled for api-server, keystone and neutron.

Analysis:
----------
1. keystone_authtoken, clients_neutron, clients_keystone sections are not populated with insecure flag.
2. clients_contrail section is not populated with use_ssl.

Heat uses vnc_api library and so need to access vnc_api_lib.ini in /etc/contrail/. However the permission for /etc/contrail is not allowing only users in 'contrail' group to access the etc/contrail dir.

3. If config and openstack(heat) are in same node, 'heat' user needs to be added to 'contrail' group

4. If config and openstack(heat) are in different node, /etc/contrail/vnc_api_lib.ini and /etc/contrail/ssl/certs/* needs to be copied to openstack node at /etc/contrail dir and change the ownership of /etc/contrail to heat:heat

Tags:

Revision history for this message

Ignatious Johnson Christopher (ijohnson-x) wrote on 2016-08-12:

workaround with fab commands to be executed post 'fab setup_all'

FAB_NODE # fab -R openstack -- "openstack-config --set keystone_authtoken insecure True"
FAB_NODE # fab -R openstack -- "openstack-config --set clients_keystone insecure True"
FAB_NODE # fab -R openstack -- "openstack-config --set clients_neutron insecure True"
FAB_NODE # fab -R openstack -- "openstack-config --set clients_contrail use_ssl True"

followed by,

If config and openstack are same nodes:
FAB_NODE # fab -R openstack -- "usermod -a -G contrail heat"

If config and openstack are different nodes:
FAB_NODE # fab -R openstack -- "mkdir -p /etc/contrail/ssl/certs"
FAB_NODE # fab -R openstack tasks.helpers.copy:/etc/contrail/vnc_api_lib.ini,/etc/contrail/
FAB_NODE # fab -R openstack tasks.helpers.copy:/etc/contrail/ssl/certs,/etc/contrail/sslFAB_NODE FAB_NODE # fab -R openstack -- "chown -R heat:heat /etc/contrail"

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-25: [Review update] master

Review in progress for https://review.opencontrail.org/23590
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-25:

Review in progress for https://review.opencontrail.org/23591
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-26: A change has been merged

Reviewed: https://review.opencontrail.org/23590
Committed: http://github.org/Juniper/contrail-provisioning/commit/3038283980d8f4ce3d3fffe9b105d7a74d044aaf
Submitter: Zuul
Branch: master

commit 3038283980d8f4ce3d3fffe9b105d7a74d044aaf
Author: Ignatious Johnson Christopher <email address hidden>
Date: Thu Aug 25 12:18:08 2016 -0700

Provisioning ssl parameters in heat conifg files.

Change-Id: I982b74ea9c760d8679aedf0cb2902a72f457efed
Closes-Bug: 1612826

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-26: [Review update] master

Review in progress for https://review.opencontrail.org/23591
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-30: A change has been merged

#11

Reviewed: https://review.opencontrail.org/23591
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/c184b2fe5f31ee1f475d4f51657e8b5f9ecaf624
Submitter: Zuul
Branch: master

commit c184b2fe5f31ee1f475d4f51657e8b5f9ecaf624
Author: Ignatious Johnson Christopher <email address hidden>
Date: Thu Aug 25 11:51:33 2016 -0700

copying the api server certs to openstack node for the heat to connect
to api-server.

Change-Id: Ib49b0cb139d6940e1985197693a6b48b221ccb86
Closes-Bug: 1613178
Closes-Bug: 1612826

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01: [Review update] R3.0

#12

Review in progress for https://review.opencontrail.org/23795
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01: [Review update] R3.1

#14

Review in progress for https://review.opencontrail.org/23796
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01: [Review update] master

#16

Review in progress for https://review.opencontrail.org/23797
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01: A change has been merged

#18

Reviewed: https://review.opencontrail.org/23797
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/5a1bd5d7efa8f16b3a4bd6e8fc2cd66f1ad7e2d0
Submitter: Zuul
Branch: master

commit 5a1bd5d7efa8f16b3a4bd6e8fc2cd66f1ad7e2d0
Author: Ignatious Johnson Christopher <email address hidden>
Date: Wed Aug 31 20:37:50 2016 -0700

Ignore chown error in openstack node, as contrail user
will not be present.

Change-Id: Ibcd2b009cd4c3759a681a31915192f687797a423
Closes-Bug: 1612826

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01:

#19

Reviewed: https://review.opencontrail.org/23795
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/d1a4e1d8f08ce9d2898db5fac019400e238f33e8
Submitter: Zuul
Branch: R3.0

commit d1a4e1d8f08ce9d2898db5fac019400e238f33e8
Author: Ignatious Johnson Christopher <email address hidden>
Date: Wed Aug 31 20:37:50 2016 -0700

Ignore chown error in openstack node, as contrail user
will not be present.

Change-Id: Ibcd2b009cd4c3759a681a31915192f687797a423
Closes-Bug: 1612826

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-01:

#20

Reviewed: https://review.opencontrail.org/23796
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/044d81af278ce4acd7b19db55ec0dfa01f18ea7c
Submitter: Zuul
Branch: R3.1

commit 044d81af278ce4acd7b19db55ec0dfa01f18ea7c
Author: Ignatious Johnson Christopher <email address hidden>
Date: Wed Aug 31 20:37:50 2016 -0700

Ignore chown error in openstack node, as contrail user
will not be present.

Change-Id: Ibcd2b009cd4c3759a681a31915192f687797a423
Closes-Bug: 1612826

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-11-14: [Review update] R3.1

#21

Review in progress for https://review.opencontrail.org/26057
Submitter: Ignatious Johnson Christopher (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-11-15: A change has been merged

#23

Reviewed: https://review.opencontrail.org/26057
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/9fafa7d4c32260532a6b991c2684134d1f9dff4c
Submitter: Zuul
Branch: R3.1

commit 9fafa7d4c32260532a6b991c2684134d1f9dff4c
Author: Ignatious Johnson Christopher <email address hidden>
Date: Thu Aug 25 11:51:33 2016 -0700

copying the api server certs to openstack node for the heat to connect
to api-server.

Change-Id: Ib49b0cb139d6940e1985197693a6b48b221ccb86
Closes-Bug: 1613178
Closes-Bug: 1612826
(cherry picked from commit c184b2fe5f31ee1f475d4f51657e8b5f9ecaf624)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.