decomposed neutron node does not support SSL

Bug #1665353 reported by Lukasz Pelczyk
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Committed | High | Vladimir Khlyunev |
Newton | In Progress | High | Vladimir Khlyunev |
Nominated for Ocata by Vladimir Khlyunev

Bug Description

Detailed bug description:
Fuel deployment crashes on Neutron node on openstack-network-networks task. TLS and HTTPS with self-signed certs are used.

Steps to reproduce:
According to: https://docs.openstack.org/developer/fuel-docs/userdocs/fuel-user-guide/configure-environment/decompose-services.html
1) Redefine controller (remove neutron tag)
2) Define neutron node from below yaml:
[root@fuel roles_plugin]# cat roles_definition/neutron.yaml
meta:
  conflicts:
    - compute
  description: >
    Neutron node, with separated DHCP, L3, and metadata Agents.
  group: base
  has_primary: true
  limits:
    min: 1
    overrides:
      - condition: settings:neutron_advanced_configuration.neutron_l3_ha.value == true
        message: >
          Neutron L3 HA requires at least 2 Netnodes to function
          properly.
        min: 2
    recommended: 3
  name: Neutron
  public_for_dvr_required: true
  public_ip_required: true
  tags:
    - neutron
  update_required:
  - compute
  - cinder
  - controller
  - neutron
  - rabbitmq
name: neutron
volumes_roles_mapping:
  - allocate_size: min
    id: os
  - allocate_size: all
    id: logs

3) In webui enable:
TLS for OpenStack public endpoints
Enable TLS termination on HAProxy for OpenStack services
HTTPS for Horizon
Secure access to Horizon enabling HTTPS instead of HTTP
4) Start deployment

Expected results:
Successful deployment

Actual result:
Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to complete neutron request due to non-fatal error: "Execution of '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned 1: Unable to establish connection to https://public.fuel.local:9696/v2.0/networks.json". Retrying for 9 sec.

Reproducibility:
See description.

Workaround:
Check: /etc/puppet/mitaka-9.0/modules/osnailyfacter/modular/ssl/tasks.yaml
Below tasks were defined in plugin, to be performed on neutron nodes:
ssl-keys-saving
ssl-add-trust-chain
ssl-dns-setup

Impact:
Critical - it will affect all production deployments of MOS9.2 with decomposed neutron nodes.

Description of the environment:
 System: Standard fuel 9.2 / MOS 9.2 upgraded according to https://docs.mirantis.com/openstack/fuel/fuel-9.2/release-notes/update-product.html
 Reference architecture: -
 Network model: Neutron with tunneling segmentation

tags: added: ct1 customer-found
tags: added: st1
removed: ct1
Oleksiy Molchanov (omolchanov) wrote :

Marking as Incomplete, please attach diagnostic snapshot.

Changed in fuel:
status: New → Incomplete
Stanislaw Bogatkin (sbogatkin) wrote :

The problem is that it is not enough to just include ssl-related tasks in the plugins. All the ssl-related tasks have a running scope with role tags, like (excerpt from ssl-keys-saving):

tags: [primary-controller, controller, compute, compute-vmware, cinder, cinder-vmware, primary-mongo, mongo, ceph-osd, virt, primary-keystone, keystone]

So, if you have a node with a new role (like the decomposed neutron one), you need to change the ssl tasks' scope to run on that node. There is nothing to change in Fuel itself in this case, as we cannot magically predict new role names (and we also cannot run ssl-related tasks on all nodes, like computes, because of security matters) that will be used by plugins. Therefore, the plugin maker must personally ensure that the needed tasks are changed for the sake of his plugin.

Because of the aforementioned, I am closing this bug as invalid.

Changed in fuel:
status: Incomplete → Invalid
milestone: none → 11.0
assignee: nobody → Stanislaw Bogatkin (sbogatkin)
importance: Undecided → High
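
An added example (not part of the comment above and not fuel-library code): a check that reports which of the three SSL tasks named in this report fall outside a node's tag scope and would therefore be skipped on it. It assumes flow-style `tags: [...]` lists as in the excerpt above; the sample task list is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the SSL tasks.yaml discussed above.
# Only `id` and `tags` are read; the tag lists are illustrative, not the real file.
SAMPLE_TASKS_YAML = """\
- id: ssl-keys-saving
  type: puppet
  tags: [primary-controller, controller, compute, cinder, primary-keystone, keystone]
- id: ssl-add-trust-chain
  type: puppet
  tags: [primary-controller, controller, compute, cinder, neutron]
- id: ssl-dns-setup
  type: puppet
  tags: [primary-controller, controller]
"""

# Task ids listed in the bug report's workaround section.
SSL_TASKS = ("ssl-keys-saving", "ssl-add-trust-chain", "ssl-dns-setup")


def parse_task_tags(text):
    """Map task id -> set of tags. Assumes flow-style `tags: [a, b]` lists."""
    tasks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*-\s+id:\s*(\S+)", line)
        if m:
            current = m.group(1)
            tasks[current] = set()
            continue
        m = re.match(r"\s*tags:\s*\[(.*)\]", line)
        if m and current:
            tasks[current] = {t.strip() for t in m.group(1).split(",") if t.strip()}
    return tasks


def missing_ssl_tasks(text, node_tags, required=SSL_TASKS):
    """Return required tasks whose tag scope covers none of the node's tags.

    A required task that is absent from the file is reported as missing too.
    """
    tasks = parse_task_tags(text)
    node_tags = set(node_tags)
    return [t for t in required if not (tasks.get(t, set()) & node_tags)]


if __name__ == "__main__":
    for tags in (["controller"], ["compute"], ["neutron"]):
        gaps = missing_ssl_tasks(SAMPLE_TASKS_YAML, tags)
        print(tags, "->", gaps or "all SSL tasks in scope")
```
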
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/448422

Changed in fuel:
assignee: Stanislaw Bogatkin (sbogatkin) → Vladimir Khlyunev (vkhlyunev)
status: Invalid → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/448423

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/448422
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=22d5c26b3b48fd051c553b0d2b55b9d28d96e0d1
Submitter: Jenkins
Branch: master

commit 22d5c26b3b48fd051c553b0d2b55b9d28d96e0d1
Author: Vladimir Khlyunev <email address hidden>
Date: Wed Mar 22 11:23:42 2017 +0400

    Execute ssl-dns-setup task on all pre-defined tags

    As we have pre-defined tags inside fuel we should ensure
    that all of tags are able to be deployed properly.
    ssl-dns-setup task was skipped for all non-controller tags which
    leads to not configured dns server on these nodes (and as result -
    failed upload_cirros task).

    Change-Id: I045bb7e709d6e18e2beb934b42094cbb4bc61f00
    Closes-bug: 1665353

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/449017

OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/ocata)

Change abandoned by Fuel DevOps Robot (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/449017
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/newton)

Change abandoned by Andreas Jaeger (<email address hidden>) on branch: stable/newton
Review: https://review.opendev.org/448423
Reason: This repo is retired now, no further work will get merged.
