Comment 1 for bug 1827668

Dmitrii Shcherbakov (dmitriis) wrote : Re: [19.04] a keystone unit may end up using an incorrect localhost port after certificates relation is added

Reproduced it on a clean 19.04+Queens deployment without totally-insecure-unlock (did a manual unlocking procedure by hand):

VAULT_UNIT_IP=$(juju run --unit vault/0 "network-get access --ingress-address=true"); export VAULT_ADDR="http://$VAULT_UNIT_IP:8200"

vault operator init -key-shares=1 -key-threshold=1 > bundles/vault.txt
vault operator unseal <key-from-vault-txt>

VAULT_UNIT_IP=$(juju run --unit vault/1 "network-get access --ingress-address=true"); export VAULT_ADDR="http://$VAULT_UNIT_IP:8200"
vault operator unseal <key>

export VAULT_TOKEN=<initial-root-token-from-vault.txt>
vault token create --ttl=10m

juju export-bundle
https://pastebin.canonical.com/p/cCBN5PnYRx/

juju show-status-log keystone/0 --days 1
https://paste.ubuntu.com/p/36fJJpXJ4Q/

keystone/0* error idle 0/lxd/5 10.232.46.164 5000/tcp hook failed: "identity-service-relation-changed"
  hacluster-keystone/1 active idle 10.232.46.164 Unit is ready and clustered
  keystone-saml-mellon/1 active idle 10.232.46.164 Unit is ready
keystone/1 active idle 1/lxd/5 10.232.46.157 5000/tcp Unit is ready
  hacluster-keystone/0* active idle 10.232.46.157 Unit is ready and clustered
  keystone-saml-mellon/0* active idle 10.232.46.157 Unit is ready

https://private-fileshare.canonical.com/~dima/charm-dumps/10-05-2019-keystone-0-var-log-etc.tar.gz

https://private-fileshare.canonical.com/~dima/charm-dumps/10-05-2019-var-lib-juju-agents-keystone-0-hacluster.tar.gz

sqlite3 /var/lib/juju/agents/unit-keystone-0/charm/.unit-state.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from kv;
charm_revisions|["0"]
env|{"CHARM_DIR": "/var/lib/juju/agents/unit-keystone-0/charm", "JUJU_CHARM_DIR": "/var/lib/juju/agents/unit-keystone-0/charm", "JUJU_CONTEXT_ID": "keystone/0-identity-service-relation-changed-866489089749738405", "JUJU_AGENT_SOCKET": "@/var/lib/juju/agents/unit-keystone-0/agent.socket", "JUJU_UNIT_NAME": "keystone/0", "JUJU_MODEL_UUID": "bfd89e39-f481-4e7f-8a1c-fd9f4a35b898", "JUJU_MODEL_NAME": "openstack", "JUJU_API_ADDRESSES": "10.232.1.60:17070", "JUJU_SLA": "unsupported", "JUJU_MACHINE_ID": "0/lxd/5", "JUJU_PRINCIPAL_UNIT": "", "JUJU_AVAILABILITY_ZONE": "default", "JUJU_VERSION": "2.6-rc2", "CLOUD_API_VERSION": "", "JUJU_CHARM_HTTP_PROXY": "http://10.232.0.1:3128", "JUJU_CHARM_HTTPS_PROXY": "http://10.232.0.1:3128", "JUJU_CHARM_FTP_PROXY": "", "JUJU_CHARM_NO_PROXY": "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12", "JUJU_METER_STATUS": "AMBER", "JUJU_METER_INFO": "not set", "JUJU_RELATION": "identity-service", "JUJU_RELATION_ID": "identity-service:38", "JUJU_REMOTE_UNIT": "cinder/1", "APT_LISTCHANGES_FRONTEND": "none", "DEBIAN_FRONTEND": "noninteractive", "PATH": "/var/lib/juju/tools/unit-keystone-0:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"}
unit|"keystone/0"
relid|"identity-service:38"
stat-password|"<redacted>"
fid-restart-nonce-keystone-fid-service-provider:92|"6298cfc9-404f-42d4-aa53-991e58a18151"