infrared
TripleO undercloud failing when tls-everywhere is set to true
(.venv)[stack@gprfs013 infrared]$ TOPOLOGY_NODES=undercloud:1,controller:1,compute:1,freeipa:1
(.venv)[stack@gprfs013 infrared]$ infrared virsh -v --topology-nodes $TOPOLOGY_NODES --host-address $HOST --host-key ~/.ssh/id_rsa --host-user root --host-memory-overcommit True
(.venv)[stack@gprfs013 infrared]$ infrared tripleo-undercloud --version 13 --images-task rpm --tls-everywhere true
fatal: [undercloud-0 -> 172.16.0.83]: FAILED! => {"changed": true, "cmd": "/tmp/freeipa_setup.sh", "delta": "0:13:24.470238", "end": "2019-08-07 14:17:44.601697", "msg": "non-zero return code", "rc": 1, "start": "2019-08-07 14:04:20.131459", "stderr": ..., "stdout": ...}

stderr (the set -x trace of /tmp/freeipa_setup.sh):

+ '[' -f '~/freeipa-setup.env' ']'
+ '[' -f /tmp/freeipa-setup.env ']'
+ source /tmp/freeipa-setup.env
++ export UndercloudFQDN=undercloud-0.redhat.local
++ UndercloudFQDN=undercloud-0.redhat.local
++ export UsingNovajoin=true
++ UsingNovajoin=true
++ export UsingNovajoin=TRUE
++ UsingNovajoin=TRUE
++ export Hostname=freeipa-0.redhat.local
++ Hostname=freeipa-0.redhat.local
++ export FreeIPAIP=10.0.0.22
++ FreeIPAIP=10.0.0.22
++ export AdminPassword=12345678
++ AdminPassword=12345678
++ export HostsSecret=redhat
++ HostsSecret=redhat
++ export DirectoryManagerPassword=redhat_01
++ DirectoryManagerPassword=redhat_01
++ export FreeIPAExtraArgs=--no-dnssec-validation
++ FreeIPAExtraArgs=--no-dnssec-validation
+ export Hostname=freeipa-0.redhat.local
+ Hostname=freeipa-0.redhat.local
+ export FreeIPAIP=10.0.0.22
+ FreeIPAIP=10.0.0.22
+ export DirectoryManagerPassword=redhat_01
+ DirectoryManagerPassword=redhat_01
+ export AdminPassword=12345678
+ AdminPassword=12345678
+ export UndercloudFQDN=undercloud-0.redhat.local
+ UndercloudFQDN=undercloud-0.redhat.local
+ export HostsSecret=redhat
+ HostsSecret=redhat
+ export ProvisioningCIDR=
+ ProvisioningCIDR=
+ export FreeIPAExtraArgs=--no-dnssec-validation
+ FreeIPAExtraArgs=--no-dnssec-validation
+ '[' -n '' ']'
+ echo 'nameserver 8.8.8.8'
+ echo 'nameserver 8.8.4.4'
+ rpm -q openstack-dashboard
+ source /etc/os-release
++ NAME='Red Hat Enterprise Linux Server'
++ VERSION='7.6 (Maipo)'
++ ID=rhel
++ ID_LIKE=fedora
++ VARIANT=Server
++ VARIANT_ID=server
++ VERSION_ID=7.6
++ PRETTY_NAME='Red Hat Enterprise Linux Server 7.6 (Maipo)'
++ ANSI_COLOR='0;31'
++ CPE_NAME=cpe:/o:redhat:enterprise_linux:7.6:GA:server
++ HOME_URL=https://www.redhat.com/
++ BUG_REPORT_URL=https://bugzilla.redhat.com/
++ REDHAT_BUGZILLA_PRODUCT='Red Hat Enterprise Linux 7'
++ REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
++ REDHAT_SUPPORT_PRODUCT='Red Hat Enterprise Linux'
++ REDHAT_SUPPORT_PRODUCT_VERSION=7.6
+ [[ 7.6 == 8* ]]
+ PKGS='ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged'
+ yum -q install -y ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged
warning: /var/cache/yum/x86_64/7Server/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Importing GPG key 0x352C64E5:
 Userid      : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint : 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package     : epel-release-7-11.noarch (installed)
 From        : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+ hostnamectl set-hostname --static freeipa-0.redhat.local
+ tee -a /etc/hosts
++ hostname
+ echo 10.0.0.22 freeipa-0.redhat.local
+ cat
+ iptables-restore
+ [[ 7.6 != 8* ]]
+ chkconfig haveged on
Note: Forwarding request to 'systemctl enable haveged.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.
+ systemctl start haveged
+ rm -f /etc/httpd/conf.d/ssl.conf
+ sed -i '/^nameserver fe80:.*./d' /etc/resolv.conf
++ hostname -d
++ tr '[a-z]' '[A-Z]'
++ hostname -f
+ ipa-server-install -U -r REDHAT.LOCAL -p redhat_01 -a 12345678 --hostname freeipa-0.redhat.local --ip-address=10.0.0.22 --setup-dns --auto-forwarders --auto-reverse --no-dnssec-validation
ipapython.admintool: ERROR    CA did not start in 300.0s
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

stdout:

package openstack-dashboard is not installed
Package epel-release-7-11.noarch already installed and latest version
No Presto metadata available for rhelosp-rhel-7.6-server
Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed

mod_nss certificate database generated.

10.0.0.22 freeipa-0.redhat.local

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host freeipa-0.redhat.local
The domain name has been determined based on the host name.

Checking DNS domain redhat.local., please wait ...

The IPA Master Server will be configured with:
Hostname:       freeipa-0.redhat.local
IP address(es): 10.0.0.22
Domain name:    redhat.local
Realm name:     REDHAT.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.16.0.1, 10.0.0.1, 2620:52:0:13b8::fe
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  [3/29]: exporting Dogtag certificate store pin
  [4/29]: stopping certificate server instance to update CS.cfg
  [5/29]: backing up CS.cfg
  [6/29]: disabling nonces
  [7/29]: set up CRL publishing
  [8/29]: enable PKIX certificate path discovery and validation
  [9/29]: starting certificate server instance
  [10/29]: configure certmonger for renewals
  [11/29]: requesting RA certificate from CA
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
After debugging, I had to manually upgrade the nss package on the freeipa node, and then I was able to deploy the undercloud successfully.
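Two things a practitioner would want from the output above, written here as an added example (this is not code from the original post, nor from InfraRed, TripleO or FreeIPA). First, freeipa_setup.sh runs under set -x, so the admin password, the Directory Manager password and HostsSecret land in clear text in the Ansible output, both as VAR=value trace lines and as the -p/-a arguments of the ipa-server-install command line; anyone who can read the CI log can read them. Second, the fix the poster found was an nss upgrade, which is cheap to verify on the FreeIPA node before ipa-server-install runs rather than after a 13-minute failure. The script below does both: it redacts such a trace and compares the installed nss package with a minimum version. MIN_NSS is an assumed placeholder, since the post does not say which nss build fixed the problem (take the value from the errata you are tracking), and the sample rpm strings and trace lines are constructed from the shape of the output above.

```shell
#!/bin/sh
# Added example, not part of the original post or of InfraRed/TripleO/FreeIPA.
# Pre-flight nss check for the FreeIPA node plus a redaction filter for the
# set -x trace that freeipa_setup.sh writes into the Ansible output.
set -eu

# ASSUMED placeholder: the post does not name the nss build that fixed the
# "CA did not start" failure. Replace with the version from your errata.
MIN_NSS="3.44.0"

# version_ge A B: exit 0 when version A >= version B.
# Non-digit runs ('.', '-', 'el7', '_') are treated as separators, so an
# rpm VERSION-RELEASE string such as 3.36.0-7.el7_5 compares as 3.36.0.7.7.5.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9]+/, ".", a); gsub(/[^0-9]+/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# nss_meets_minimum NVRA MIN: NVRA is the output of `rpm -q nss`
# (e.g. nss-3.36.0-7.el7_5.x86_64). Exit 0 if new enough, 1 if too old,
# 2 if the string is not an nss package (e.g. "package nss is not installed").
nss_meets_minimum() {
    nvra=$1
    minimum=$2
    case $nvra in
        nss-[0-9]*) ;;
        *) echo "unexpected rpm output: $nvra" >&2; return 2 ;;
    esac
    v=${nvra#nss-}      # drop the package name
    v=${v%.*}           # drop the architecture suffix (.x86_64)
    if version_ge "$v" "$minimum"; then
        return 0
    fi
    echo "nss $v is older than $minimum; run: yum update -y nss nss-util nss-tools" >&2
    return 1
}

# redact_trace: filter a set -x trace on stdin. Masks the value of any
# variable whose name ends in Password or Secret, and the -p (Directory
# Manager password) and -a (admin password) arguments of ipa-server-install.
redact_trace() {
    sed -E \
        -e 's/((Password|Secret)=)[^[:space:]"]*/\1<redacted>/g' \
        -e 's/(ipa-server-install .*)-p [^[:space:]]+/\1-p <redacted>/' \
        -e 's/(ipa-server-install .*)-a [^[:space:]]+/\1-a <redacted>/'
}

# Constructed sample input, shaped like the trace in the failure above.
SAMPLE_TRACE='++ export AdminPassword=12345678
+ DirectoryManagerPassword=redhat_01
+ export HostsSecret=redhat
+ ipa-server-install -U -r REDHAT.LOCAL -p redhat_01 -a 12345678 --hostname freeipa-0.redhat.local --setup-dns --auto-forwarders'

# Constructed sample `rpm -q nss` strings: one old, one at the placeholder minimum.
SAMPLE_OLD="nss-3.36.0-7.el7_5.x86_64"
SAMPLE_NEW="nss-3.44.0-4.el7.x86_64"

# Usage on the FreeIPA node before ipa-server-install:
#   nss_meets_minimum "$(rpm -q nss)" "$MIN_NSS"
# and on the deployer, to keep secrets out of the stored log:
#   infrared tripleo-undercloud ... 2>&1 | redact_trace > deploy.log
printf '%s\n' "$SAMPLE_TRACE" | redact_trace
for nvra in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if nss_meets_minimum "$nvra" "$MIN_NSS"; then
        echo "$nvra: ok"
    fi
done
```

The redaction covers both leak paths visible in the trace: the environment file sourced under set -x and the ipa-server-install command line, which carries the same two passwords as -p and -a. Masking only VAR=value lines would leave the command line in the clear.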