F5Networks / f5-openstack-agent

The F5 Agent for OpenStack Neutron allows you to deploy BIG-IP services in an OpenStack environment.
http://clouddocs.f5.com/products/openstack/agent/latest
Apache License 2.0

Error creating SSL profile for TLS listener when re-using existing Barbican container #545

Open jlongstaf opened 7 years ago

jlongstaf commented 7 years ago

OpenStack Release

Liberty, Mitaka

Description

When creating a TLS listener (TERMINATED_HTTPS protocol type) that was previously deleted and re-using the Barbican container reference -- i.e., a container reference with the same UUID -- the SSL profile will fail to be created and added to the virtual server when the BIG-IP version is 11.6.

The virtual server will be created on the BIG-IP but without an SSL profile. The listener will have a provisioning_status of ERROR.

The failure does NOT happen with BIG-IP version 12.1.x, only 11.6.x. Note that re-using a Barbican container reference with a second TLS listener before deleting the first TLS listener succeeds.

Workaround: If you need to re-use a Barbican container reference, create a new TLS listener BEFORE deleting the existing listener which uses that container reference.

Agent Version

8.2.0, 9.2.0

Operating System

Centos 7

Deployment

Important: this error occurs with BIG-IP version 11.6.x and NOT 12.1.x.

To re-create:

  1. Create a TLS listener with a Barbican container reference.
  2. Delete TLS listener.
  3. Create TLS listener with same Barbican container reference in step 1.
  4. Agent log, /var/log/neutron/f5-openstack-agent.log, will show an error similar to this:

2017-01-16 13:51:45.591 24055 ERROR f5_openstack_agent.lbaasv2.drivers.bigip.ssl_profile [req-50828cda-762d-4262-9247-42532fb4609b 0c107725c6ca456bb8f14dfd7ffef196 1750b198f5644d22abedfd2ead251bfb - - -] Error creating SSL profile: 404 Unexpected Error: Not Found for uri: https://10.190.7.122:443/mgmt/tm/sys/crypto/cert/ Text: u'{"code":404,"message":"The requested cert(Project_9542d527-8eb9-4e51-a2c8-17c9ff089b75.crt) already exists in this scope.","errorStack":[]}'
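The failure described above, modelled as an added example (not the agent's own code): a fake 11.6-style crypto registrar that rejects a second install of the same cert name with the 404 "already exists" error from the log, next to an install routine that checks for the existing object first and only tolerates that specific response. The `exists`/`install` interface, `DeviceError` and `FakeCryptoRegistrar` are hypothetical stand-ins for the BIG-IP REST client.

```python
class DeviceError(Exception):
    """Mimics the REST error shape in the agent log: an HTTP code plus message."""
    def __init__(self, code, message):
        super().__init__("%d Unexpected Error: %s" % (code, message))
        self.code = code
        self.message = message


class FakeCryptoRegistrar:
    """In-memory stand-in for /mgmt/tm/sys/crypto/cert on an 11.6.x device:
    installing a name that is already present fails with 404 'already exists'."""
    def __init__(self):
        self.objects = {}

    def exists(self, name):
        return name in self.objects

    def install(self, name, from_local_file):
        if name in self.objects:
            raise DeviceError(
                404, "The requested cert(%s) already exists in this scope." % name)
        if not from_local_file.endswith((".crt", ".key")):
            # a genuine install failure, unrelated to re-use of a container
            raise DeviceError(400, "Unrecognized file type: %s" % from_local_file)
        self.objects[name] = from_local_file
        return "installed"


def ensure_installed(registrar, name, local_file):
    """Hardened install step: reuse an object that is already on the device.
    Only the 'already exists' 404 is tolerated; any other error propagates,
    so the client-ssl profile is never built on top of a failed install."""
    if registrar.exists(name):
        return "reused"
    try:
        return registrar.install(name, local_file)
    except DeviceError as err:
        # another create may have raced between exists() and install()
        if err.code == 404 and "already exists" in err.message:
            return "reused"
        raise


def recreate_listener(registrar, container_uuid):
    """Steps 1-3 of the issue: create, delete (cert left behind), create again."""
    certname = "Project_%s.crt" % container_uuid
    path = "/var/config/rest/downloads/" + certname
    first = ensure_installed(registrar, certname, path)
    # listener deleted here; the cert stays on the device (constructed scenario)
    second = ensure_installed(registrar, certname, path)
    return first, second
```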

chen23 commented 7 years ago

You can work around this by ignoring errors if an existing SSL cert/key is on the device. Ideally it should check for the existence of a cert/key. A related issue (not sure if a separate issue is open for this): the clean-up process does not remove the cert/key.

*** ssl_profile.py      2017-02-01 06:09:29.386000000 -0500
--- ssl_profile.py.orig 2017-02-01 06:03:21.974000000 -0500
***************
*** 64,72 ****
              param_set['from-local-file'] = os.path.join(
                  '/var/config/rest/downloads/', keyfilename)
              key_registrar.exec_cmd('install', **param_set)
!         except Exception as err:
!             LOG.error("Error creating SSL cert/key: %s" % err.message)
!         try:
              # create ssl-client profile from cert/key pair
              chain = [{'name': name,
                        'cert': '/Common/' + certfilename,
--- 64,70 ----
              param_set['from-local-file'] = os.path.join(
                  '/var/config/rest/downloads/', keyfilename)
              key_registrar.exec_cmd('install', **param_set)
!
              # create ssl-client profile from cert/key pair
              chain = [{'name': name,
                        'cert': '/Common/' + certfilename,
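
Review bot: the `except Exception as err:` / `LOG.error(...)` / `try:` lines in the `*** 64,72 ****` region catch every failure of the key install (`key_registrar.exec_cmd('install', **param_set)`), log it, and then fall through to building the ssl-client profile against a cert/key that may never have landed on the device; narrow the handler to the 404 "already exists" response quoted in the issue log, or check for the object before calling `exec_cmd('install', ...)` as the comment itself suggests, and re-raise anything else. Note also that the headers list `ssl_profile.py` as the `***` (old) side and `ssl_profile.py.orig` as the `---` (new) side, so the hunk reads backwards relative to the change being proposed.
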
pjbreaux commented 7 years ago

@dflanigan: Voting to bump this issue, since it is causing the failure of at least 7 tls tests against 11.6.1 in nightly.

pjbreaux commented 7 years ago

And in case anyone is troubleshooting this, the neutron_lbaas tests that are failing are:

../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_list_tls_listeners_two <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_empty_tls_container <- ../../buildbot/neutron-lbaas/.tox/apiv2/local/lib/python2.7/site-packages/tempest/lib/decorators.py SKIPPED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_empty_uuid_tls_container <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_invalid_tls_container <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_none_tls_container <- ../../buildbot/neutron-lbaas/.tox/apiv2/local/lib/python2.7/site-packages/tempest/lib/decorators.py SKIPPED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_nonexistent_tls_container <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_tls_port <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_listener_tls_protocol <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED
../../../../../../../testlab/f5-openstack-lbaasv2-driver/::TLSListenersTestJSON::test_update_tls_listener <- ../../buildbot/neutron-lbaas/neutron_lbaas/tests/tempest/v2/api/test_listeners_tls.py FAILED

pjbreaux commented 7 years ago

@dflanigan: we should either fix this issue, or we should mark these tests as excludes in the 11.5.4 and 11.6.1 runs in nightly.

dflanigan commented 7 years ago

The PR #780 does not fix this issue, just references it.