Juniper Openstack

SMlite: Providing env.ca_cert_file in testbed file should take care of entire provisioning for tor agent nodes

Bug #1716393 reported by Shashikiran H
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R4.0
Fix Committed
High
Nitish Krishna Kaveri
Juniper Openstack r4.0.3.0
R4.1
Fix Committed
High
Nitish Krishna Kaveri
Juniper Openstack r4.1.0.0-fcs "r4.1"
Trunk
Fix Committed
High
Nitish Krishna Kaveri
Juniper Openstack r5.0.0

Bug Description

Version: 4.0.1
I have a env variable env.ca_cert_file set in testbed file.
The provisioning for tor agent nodes fails with error: "msg": "Unable to find '/etc/contrail_smgr/puppet/ssl/tor/ca-cert.pem' in expected paths."}

Please make changes to take the ca file from env.ca_cert_file in testbed file and use the same location/cacert file from there in the puppet location/wherever applicable.

Topo:
host1='root@10.204.217.7'
#host3='root@10.204.217.54'
host2='root@10.204.217.50'
#host5='root@10.204.216.16'
host3='root@10.204.216.68'
host4='root@10.204.216.72'
host5='root@10.204.217.68'
host6='root@10.204.217.54'
host7='root@10.204.217.63'
host8='root@10.204.217.69'
host9='root@10.204.217.16'
host10='root@10.204.216.10'
host11='root@10.204.216.11'
host12='root@10.204.216.13'
host13='root@10.204.216.14'
host14='root@10.204.217.70'

env.roledefs = {
    'all': [host1, host2, host3, host4, host5, host6, host7, host8, host9, host10, host11, host12, host13, host14],
    'contrail-controller': [host1, host2, host5],
    'openstack': [host1],
    'contrail-compute': [host3, host4, host5, host6, host7, host8, host9, host10, host11, host12, host13, host14],
    'contrail-analytics': [host1],
    'tsn': [host3, host4],
    'contrail-analyticsdb': [host1],
    'build': [host_build],
    }

Nitish Krishna Kaveri (nitishk)
Changed in juniperopenstack:
assignee: Abhay Joshi (abhayj) → Nitish Krishna Kaveri (nitishk)
Revision history for this message
Nitish Krishna Kaveri (nitishk) wrote :

I was not able to re-create this issue on a two node setup:

As you can see below, the ca-cert specified in testbed.py got copied to this location correctly.

root@nk-vm1:/etc/contrail_smgr/puppet/ssl/tor# ls
ca-cert.pem

root@nk-vm1:/etc/contrail_smgr/puppet/ssl/tor# md5sum ca-cert.pem /root/cacert.pem
bef902e0e7e6a8f28a58e969f537f55e ca-cert.pem
bef902e0e7e6a8f28a58e969f537f55e /root/cacert.pem

The setup specified in the bug ID isn't in the broken state. Please give a setup with the error seen and I will debug it.

Changed in juniperopenstack:
assignee: Nitish Krishna Kaveri (nitishk) → Shashikiran H (skiranh)
status: New → Incomplete
Revision history for this message
Shashikiran H (skiranh) wrote :

Jayaram and Nitish to work on this. Hari, Jayaram and Nitish are aware of the requirements.

Changed in juniperopenstack:
assignee: Shashikiran H (skiranh) → jayaramsatya (jayaramsatya)
Nitish Krishna Kaveri (nitishk)
Changed in juniperopenstack:
assignee: jayaramsatya (jayaramsatya) → Nitish Krishna Kaveri (nitishk)
status: Incomplete → Triaged
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36498
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36499
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36499
Committed: http://github.com/Juniper/contrail-server-manager/commit/83ab2141c44714a57bca08dcb1e04b1e5d24317c
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 83ab2141c44714a57bca08dcb1e04b1e5d24317c
Author: nitishkrishna <email address hidden>
Date: Fri Oct 13 00:10:28 2017 -0700

Closes-Bug: #1716393 - Set tor_ca_cert_file as SM ca-cert by default

User can over-ride both tor_ca_cert_file and tor_ssl_cert_src_dir values
These values have to be validating before ca_cert is copied into that src location for ansible to use
With this change, ansible code change is NOT needed.
Ansible always expects ca-cert in location tor_ssl_cert_src_dir

Change-Id: I863a53df2ca30dfe5a7b4639ac06711952ec663f

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36498
Committed: http://github.com/Juniper/contrail-server-manager/commit/93a442d86d3f4fbff6d6f9ac5047cea63ee62728
Submitter: Zuul (<email address hidden>)
Branch: master

commit 93a442d86d3f4fbff6d6f9ac5047cea63ee62728
Author: nitishkrishna <email address hidden>
Date: Fri Oct 13 00:10:28 2017 -0700

Closes-Bug: #1716393 - Set tor_ca_cert_file as SM ca-cert by default

User can over-ride both tor_ca_cert_file and tor_ssl_cert_src_dir values
These values have to be validating before ca_cert is copied into that src location for ansible to use
With this change, ansible code change is NOT needed.
Ansible always expects ca-cert in location tor_ssl_cert_src_dir

Change-Id: I863a53df2ca30dfe5a7b4639ac06711952ec663f

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/36569
Submitter: Nitish Krishna Kaveri (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36569
Committed: http://github.com/Juniper/contrail-server-manager/commit/ee5901f3d7fdb360025fc55ff7c3f04a7564664d
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit ee5901f3d7fdb360025fc55ff7c3f04a7564664d
Author: nitishkrishna <email address hidden>
Date: Fri Oct 13 00:10:28 2017 -0700

Closes-Bug: #1716393 - Set tor_ca_cert_file as SM ca-cert by default

User can over-ride both tor_ca_cert_file and tor_ssl_cert_src_dir values
These values have to be validating before ca_cert is copied into that src location for ansible to use
With this change, ansible code change is NOT needed.
Ansible always expects ca-cert in location tor_ssl_cert_src_dir

Change-Id: I863a53df2ca30dfe5a7b4639ac06711952ec663f
(cherry picked from commit 93a442d86d3f4fbff6d6f9ac5047cea63ee62728)

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.