Adding TLS Connection String To Database Connection Causes malformed URL in cell_mappings DB
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Confirmed | High | Unassigned |
Ocata | Confirmed | High | Unassigned |
Bug Description
Description
===========
Fresh Install
Ubuntu 16.04
I followed the Ubuntu install guide up to "Install Nova on Controller", configured nova.conf, specified the api_database and database connection strings with SSL/TLS parameters, then ran the DB commands. The following are successful:
su -s /bin/sh -c "nova-manage api_db sync" nova
su -s /bin/sh -c "nova-manage cell_v2 map_cell0" nova
su -s /bin/sh -c "nova-manage cell_v2 create_cell --name=cell1 --verbose" nova
The following command fails with an error:
su -s /bin/sh -c "nova-manage db sync" nova
ERROR: could not access cell mapping database - has api db been created?
My connection string is as follows:
connection = mysql+pymysql:
The following connection string is what appears in the database table:
mysql+pymysql:
<mriedem> on #openstack-nova suggests that this is a string substitution bug.
Steps to reproduce
===============
1. Install Ubuntu 16.04
2. Install Keystone
3. Configure Database connection string with TLS/SSL Parameters
4. Install Glance
5. Configure Database connection string with TLS/SSL Parameters
6. Install Nova
7. Configure Database connection string with TLS/SSL Parameters
8. Run the DB sync commands in order from the Docs
Failure at > su -s /bin/sh -c "nova-manage db sync" nova
Expected result
===============
Nova database Populates without error
Actual result
=============
Nova database does not populate and the following error is thrown:
ERROR: could not access cell mapping database - has api db been created?
Environment
===========
Ocata
Ubuntu cloud Archive
nova-api 2:15.0.
nova-common 2:15.0.
nova-conductor 2:15.0.
nova-consoleauth 2:15.0.
nova-novncproxy 2:15.0.
nova-placement-api 2:15.0.
nova-scheduler 2:15.0.
python-nova 2:15.0.
python-novaclient 2:7.1.0-
OpenVSwitch
KVM
Logs & Configs
==============
[DEFAULT]
#debug = true
#######
#dhcpbridge_
#dhcpbridge=
#force_
#######
my_ip = my_ip
state_path = /var/lib/nova
####
enabled_apis = osapi_compute,
enabled_ssl_apis = osapi_compute,
####
osapi_compute_
osapi_compute_
####
metadata_host = $my_ip
metadata_listen = my_ip
metadata_
metadata_port = 8775
#####
rootwrap_config = /etc/nova/
api_paste_config = /etc/nova/
log_dir = /var/log/nova
use_neutron = True
firewall_driver = nova.virt.
######
cert = /etc/nova/
key = /etc/nova/
ssl_only = True
transport_url = rabbit:
compute_
[api]
auth_strategy = keystone
[api_database]
connection = mysql+pymysql:
#connection_debug = 1
[barbican]
[cache]
[cells]
enable=True
cell_type = api
[cinder]
[cloudpipe]
[conductor]
[console]
[consoleauth]
[cors]
[cors.subdomain]
[crypto]
##
cert_file = /etc/nova/
key_file = /etc/nova/
ca_file = /etc/nova/
##
[database]
connection = mysql+pymysql:
#connection_debug = 1
[ephemeral_
[filter_scheduler]
[glance]
api_servers = https:/
api_insecure = False
[guestfs]
[healthcheck]
[hyperv]
[image_file_url]
[ironic]
[key_manager]
[keystone_
auth_uri = https:/
auth_url = https:/
memcached_servers = my_ip:11211
auth_type = password
project_domain_name = default
user_domain_name = default
project_name = service
username = nova
password = my_password
###
certfile = /etc/nova/
keyfile = /etc/nova/
cafile = /etc/nova/
service_
###
[libvirt]
[matchmaker_redis]
[metrics]
[mks]
[neutron]
[notifications]
[osapi_v21]
[oslo_concurrency]
lock_path=
[oslo_messaging
[oslo_messaging
[oslo_messaging
[oslo_messaging
rabbit_use_ssl = True
kombu_ssl_keyfile = /etc/nova/
kombu_ssl_certfile = /etc/nova/
kombu_ssl_ca_certs = /etc/nova/
kombu_ssl_version = TLSv1_2
rpc_reply_
rpc_retry_delay = 10.0
socket_timeout = 0.25
tcp_user_timeout = 10.0
[oslo_messaging
[oslo_middleware]
[oslo_policy]
[pci]
[placement]
os_region_name = RegionOne
project_domain_name = Default
project_name = service
user_domain_name = Default
username = placement
password = my_password
auth_url = https:/
auth_type = password
certfile = /etc/nova/
keyfile = /etc/nova/
cafile = /etc/nova/
insecure = False
[quota]
[rdp]
[remote_debug]
[scheduler]
[serial_console]
[service_user]
[spice]
[ssl]
cert_file = /etc/nova/
key_file = /etc/nova/
ca_file = /etc/nova/
ciphers = AES256-GCM-SHA384
version = TLSv1_2
[trusted_computing]
[upgrade_levels]
[vendordata_
[vmware]
[vnc]
enabled = True
vncserver_listen = 0.0.0.0
vncserver_
novncproxy_base_url = https:/
[workarounds]
[wsgi]
api_paste_
secure_
ssl_key_file = /etc/nova/
ssl_cert_file = /etc/nova/
ssl_ca_file = /etc/nova/
[xenserver]
[xvp]
As noted in IRC, it sounds like another variant of bug 1673613 which was fixed in Ocata 15.0.5:
https://docs.openstack.org/releasenotes/nova/ocata.html#id1
Which is what's being used here, so probably another case we need to handle in this code:
https://github.com/openstack/nova/blob/321f426c30f8f4f6e3dcafbbc7e5d87560b58c82/nova/cmd/manage.py#L1190-L1204
And that's parsed from the nova (cell1) database connection string, which from above is this:
"mysql+pymysql://nova:my_password@my_ip/nova?charset=utf8&ssl_ca=/etc/nova/tls/mysql/ca-cert.pem&ssl_cert=/etc/nova/tls/mysql/server-cert.pem&ssl_key=/etc/nova/tls/mysql/server-key.pem"
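As an added illustration of why a per-cell database URL should not be produced by plain string substitution (example code, not nova's own), the block below assumes a cell database URL is derived by appending `_cell0` to the database name of the connection string quoted above, contrasts a hypothetical naive prefix replacement with a component-wise rewrite, and includes a check that the `ssl_ca`/`ssl_cert`/`ssl_key` parameters survived the rewrite. The sample connection string is constructed from the one in this comment.

```python
"""Derive a per-cell database URL without a naive string substitution.

Added example, not nova's own code. It assumes a cell0 URL is formed by
appending '_cell0' to the database name of the [database] connection URL.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: the cell1 connection string quoted in the bug comment.
SAMPLE_CONNECTION = (
    "mysql+pymysql://nova:my_password@my_ip/nova?charset=utf8"
    "&ssl_ca=/etc/nova/tls/mysql/ca-cert.pem"
    "&ssl_cert=/etc/nova/tls/mysql/server-cert.pem"
    "&ssl_key=/etc/nova/tls/mysql/server-key.pem"
)

# Query parameters that carry the TLS material for the DB connection.
TLS_PARAMS = ("ssl_ca", "ssl_cert", "ssl_key")


def naive_cell0_url(connection):
    """Hypothetical substitution approach (not what nova does): every
    '/nova' substring is rewritten, including the one in '//nova:' (the
    user name) and the ones inside the certificate paths in the query."""
    return connection.replace("/nova", "/nova_cell0")


def cell0_url(connection):
    """Rewrite only the database path component; scheme, userinfo, host
    and the TLS query parameters are carried over untouched."""
    parts = urlsplit(connection)
    database = parts.path.lstrip("/")
    if not database:
        raise ValueError("connection URL has no database name")
    new_path = "/" + database + "_cell0"
    return urlunsplit(
        (parts.scheme, parts.netloc, new_path, parts.query, parts.fragment)
    )


def tls_params_intact(original, derived):
    """Defensive check for the value stored in cell_mappings: every TLS
    parameter present in the original URL must be present, unchanged, in the
    derived one, so the cell connection cannot silently lose its CA, cert or
    key settings."""
    orig_q = parse_qs(urlsplit(original).query)
    new_q = parse_qs(urlsplit(derived).query)
    return all(
        orig_q[k] == new_q.get(k) for k in TLS_PARAMS if k in orig_q
    )
```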