redhat-openstack / infrared

Plugin based framework that aims to provide an easy-to-use CLI for Ansible based projects
https://infrared.readthedocs.io/en/latest/index.html
Apache License 2.0

tripleo undercloud failing when tls-everywhere is set to true #363

Open asyedham opened 5 years ago

asyedham commented 5 years ago

(.venv)[stack@gprfs013 infrared]$ TOPOLOGY_NODES=undercloud:1,controller:1,compute:1,freeipa:1
(.venv)[stack@gprfs013 infrared]$ infrared virsh -v --topology-nodes $TOPOLOGY_NODES --host-address $HOST --host-key ~/.ssh/id_rsa --host-user root --host-memory-overcommit True
(.venv)[stack@gprfs013 infrared]$ infrared tripleo-undercloud --version 13 --images-task rpm --tls-everywhere true

fatal: [undercloud-0 -> 172.16.0.83]: FAILED! => {"changed": true, "cmd": "/tmp/freeipa_setup.sh", "delta": "0:13:24.470238", "end": "2019-08-07 14:17:44.601697", "msg": "non-zero return code", "rc": 1, "start": "2019-08-07 14:04:20.131459"}

stderr:
+ '[' -f '~/freeipa-setup.env' ']'
+ '[' -f /tmp/freeipa-setup.env ']'
+ source /tmp/freeipa-setup.env
++ export UndercloudFQDN=undercloud-0.redhat.local
++ UndercloudFQDN=undercloud-0.redhat.local
++ export UsingNovajoin=true
++ UsingNovajoin=true
++ export UsingNovajoin=TRUE
++ UsingNovajoin=TRUE
++ export Hostname=freeipa-0.redhat.local
++ Hostname=freeipa-0.redhat.local
++ export FreeIPAIP=10.0.0.22
++ FreeIPAIP=10.0.0.22
++ export AdminPassword=12345678
++ AdminPassword=12345678
++ export HostsSecret=redhat
++ HostsSecret=redhat
++ export DirectoryManagerPassword=redhat_01
++ DirectoryManagerPassword=redhat_01
++ export FreeIPAExtraArgs=--no-dnssec-validation
++ FreeIPAExtraArgs=--no-dnssec-validation
+ export Hostname=freeipa-0.redhat.local
+ Hostname=freeipa-0.redhat.local
+ export FreeIPAIP=10.0.0.22
+ FreeIPAIP=10.0.0.22
+ export DirectoryManagerPassword=redhat_01
+ DirectoryManagerPassword=redhat_01
+ export AdminPassword=12345678
+ AdminPassword=12345678
+ export UndercloudFQDN=undercloud-0.redhat.local
+ UndercloudFQDN=undercloud-0.redhat.local
+ export HostsSecret=redhat
+ HostsSecret=redhat
+ export ProvisioningCIDR=
+ ProvisioningCIDR=
+ export FreeIPAExtraArgs=--no-dnssec-validation
+ FreeIPAExtraArgs=--no-dnssec-validation
+ '[' -n '' ']'
+ echo 'nameserver 8.8.8.8'
+ echo 'nameserver 8.8.4.4'
+ rpm -q openstack-dashboard
+ source /etc/os-release
++ NAME='Red Hat Enterprise Linux Server'
++ VERSION='7.6 (Maipo)'
++ ID=rhel
++ ID_LIKE=fedora
++ VARIANT=Server
++ VARIANT_ID=server
++ VERSION_ID=7.6
++ PRETTY_NAME='Red Hat Enterprise Linux Server 7.6 (Maipo)'
++ ANSI_COLOR='0;31'
++ CPE_NAME=cpe:/o:redhat:enterprise_linux:7.6:GA:server
++ HOME_URL=https://www.redhat.com/
++ BUG_REPORT_URL=https://bugzilla.redhat.com/
++ REDHAT_BUGZILLA_PRODUCT='Red Hat Enterprise Linux 7'
++ REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
++ REDHAT_SUPPORT_PRODUCT='Red Hat Enterprise Linux'
++ REDHAT_SUPPORT_PRODUCT_VERSION=7.6
+ [[ 7.6 == 8* ]]
+ PKGS='ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged'
+ yum -q install -y ipa-server ipa-server-dns epel-release rng-tools mod_nss git haveged
warning: /var/cache/yum/x86_64/7Server/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-11.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+ hostnamectl set-hostname --static freeipa-0.redhat.local
+ tee -a /etc/hosts
++ hostname
+ echo 10.0.0.22 freeipa-0.redhat.local
+ cat
+ iptables-restore
+ [[ 7.6 != 8* ]]
+ chkconfig haveged on
Note: Forwarding request to 'systemctl enable haveged.service'.
Created symlink from /etc/systemd/system/multi-user.target.wants/haveged.service to /usr/lib/systemd/system/haveged.service.
+ systemctl start haveged
+ rm -f /etc/httpd/conf.d/ssl.conf
+ sed -i '/^nameserver fe80:.*./d' /etc/resolv.conf
++ hostname -d
++ tr '[a-z]' '[A-Z]'
++ hostname -f
+ ipa-server-install -U -r REDHAT.LOCAL -p redhat_01 -a 12345678 --hostname freeipa-0.redhat.local --ip-address=10.0.0.22 --setup-dns --auto-forwarders --auto-reverse --no-dnssec-validation
ipapython.admintool: ERROR    CA did not start in 300.0s
ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

stdout:
package openstack-dashboard is not installed
Package epel-release-7-11.noarch already installed and latest version
No Presto metadata available for rhelosp-rhel-7.6-server
Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed

mod_nss certificate database generated.

10.0.0.22 freeipa-0.redhat.local

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)
  * Configure the KDC to enable PKINIT

WARNING: conflicting time&date synchronization service 'chronyd' will be disabled
in favor of ntpd

Warning: skipping DNS resolution of host freeipa-0.redhat.local
The domain name has been determined based on the host name.

Checking DNS domain redhat.local., please wait ...

The IPA Master Server will be configured with:
Hostname:       freeipa-0.redhat.local
IP address(es): 10.0.0.22
Domain name:    redhat.local
Realm name:     REDHAT.LOCAL

BIND DNS server will be configured to serve IPA domain with:
Forwarders:       172.16.0.1, 10.0.0.1, 2620:52:0:13b8::fe
Forward policy:   only
Reverse zone(s):  No reverse zone

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/44]: creating directory server instance
  [2/44]: enabling ldapi
  [3/44]: configure autobind for root
  [4/44]: stopping directory server
  [5/44]: updating configuration in dse.ldif
  [6/44]: starting directory server
  [7/44]: adding default schema
  [8/44]: enabling memberof plugin
  [9/44]: enabling winsync plugin
  [10/44]: configuring replication version plugin
  [11/44]: enabling IPA enrollment plugin
  [12/44]: configuring uniqueness plugin
  [13/44]: configuring uuid plugin
  [14/44]: configuring modrdn plugin
  [15/44]: configuring DNS plugin
  [16/44]: enabling entryUSN plugin
  [17/44]: configuring lockout plugin
  [18/44]: configuring topology plugin
  [19/44]: creating indices
  [20/44]: enabling referential integrity plugin
  [21/44]: configuring certmap.conf
  [22/44]: configure new location for managed entries
  [23/44]: configure dirsrv ccache
  [24/44]: enabling SASL mapping fallback
  [25/44]: restarting directory server
  [26/44]: adding sasl mappings to the directory
  [27/44]: adding default layout
  [28/44]: adding delegation layout
  [29/44]: creating container for managed entries
  [30/44]: configuring user private groups
  [31/44]: configuring netgroups from hostgroups
  [32/44]: creating default Sudo bind user
  [33/44]: creating default Auto Member layout
  [34/44]: adding range check plugin
  [35/44]: creating default HBAC rule allow_all
  [36/44]: adding entries for topology management
  [37/44]: initializing group membership
  [38/44]: adding master entry
  [39/44]: initializing domain level
  [40/44]: configuring Posix uid/gid generation
  [41/44]: adding replication acis
  [42/44]: activating sidgen plugin
  [43/44]: activating extdom plugin
  [44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/10]: adding kerberos container to the directory
  [2/10]: configuring KDC
  [3/10]: initialize kerberos container
  [4/10]: adding default ACIs
  [5/10]: creating a keytab for the directory
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa-custodia
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/29]: configuring certificate server instance
  [2/29]: reindex attributes
  [3/29]: exporting Dogtag certificate store pin
  [4/29]: stopping certificate server instance to update CS.cfg
  [5/29]: backing up CS.cfg
  [6/29]: disabling nonces
  [7/29]: set up CRL publishing
  [8/29]: enable PKIX certificate path discovery and validation
  [9/29]: starting certificate server instance
  [10/29]: configure certmonger for renewals
  [11/29]: requesting RA certificate from CA
  [12/29]: setting audit signing renewal to 2 years
  [13/29]: restarting certificate server
  [14/29]: publishing the CA certificate
  [15/29]: adding RA agent as a trusted user
  [16/29]: authorizing RA to modify profiles
  [17/29]: authorizing RA to manage lightweight CAs
  [18/29]: Ensure lightweight CAs container exists
  [19/29]: configure certificate renewals
  [20/29]: configure Server-Cert certificate renewal
  [21/29]: Configure HTTP to proxy connections
  [22/29]: restarting certificate server
  [23/29]: updating IPA configuration
  [24/29]: enabling CA instance
  [25/29]: migrating certificate profiles to LDAP
  [26/29]: importing IPA certificate profiles
  [27/29]: adding default CA ACL
  [28/29]: adding 'ipa' CA entry
  [29/29]: configuring certmonger renewal for lightweight CAs
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: adding CA certificate entry
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).

After debugging, I had to manually upgrade the nss package on the freeipa node, and then I was able to deploy the undercloud successfully.
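The stderr above is an xtrace (`+`/`++`) log of /tmp/freeipa_setup.sh, so every value sourced from /tmp/freeipa-setup.env, the FreeIPA admin and Directory Manager passwords included, lands in clear text in the Ansible output. An added example, not code from the issue or from infrared, that parses such a fatal result, pulls out the ipapython ERROR lines that identify the real failure and masks those values before the log is pasted into a ticket; the sample line is constructed from the fields above and the names in SECRET_VARS are the ones the trace echoes.

```python
import json
import re

# Constructed sample of an Ansible "fatal:" result, shaped like the one in
# the issue above and trimmed to the lines that matter for triage.
SAMPLE_FATAL = 'fatal: [undercloud-0 -> 172.16.0.83]: FAILED! => ' + json.dumps({
    "changed": True,
    "cmd": "/tmp/freeipa_setup.sh",
    "rc": 1,
    "msg": "non-zero return code",
    "stderr": "\n".join([
        "+ source /tmp/freeipa-setup.env",
        "++ export AdminPassword=12345678",
        "++ AdminPassword=12345678",
        "++ export HostsSecret=redhat",
        "++ export DirectoryManagerPassword=redhat_01",
        "+ ipa-server-install -U -r REDHAT.LOCAL -p redhat_01 -a 12345678"
        " --hostname freeipa-0.redhat.local --setup-dns --auto-forwarders",
        "ipapython.admintool: ERROR    CA did not start in 300.0s",
        "ipapython.admintool: ERROR    The ipa-server-install command failed."
        " See /var/log/ipaserver-install.log for more information",
    ]),
    "stdout": "Done configuring certificate server (pki-tomcatd).",
})

# Variables from freeipa-setup.env that carry credentials; with xtrace on,
# the "+ export NAME=value" lines print them in clear text.
SECRET_VARS = ("AdminPassword", "DirectoryManagerPassword", "HostsSecret")

FATAL_RE = re.compile(r"fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?P<json>\{.*\})$", re.S)

def parse_fatal(line):
    """Split 'fatal: [host]: FAILED! => {...}' into (host, result dict)."""
    m = FATAL_RE.match(line)
    if not m:
        raise ValueError("not an Ansible fatal result line")
    return m.group("host"), json.loads(m.group("json"))

def redact(text):
    """Mask credential values in both the xtrace 'VAR=value' echoes and the
    -p/-a (Directory Manager / admin password) options of ipa-server-install."""
    for var in SECRET_VARS:
        text = re.sub(r"(%s=)\S+" % var, r"\1<redacted>", text)
    return re.sub(r"(\s-[pa])\s+\S+", r"\1 <redacted>", text)

def triage(line):
    """Return a shareable summary: host, command, rc, the ERROR lines from
    stderr, which secret variables were echoed, and a redacted stderr."""
    host, result = parse_fatal(line)
    stderr = result.get("stderr", "")
    return {
        "host": host,
        "cmd": result.get("cmd"),
        "rc": result.get("rc"),
        "errors": [ln for ln in stderr.splitlines() if ": ERROR" in ln],
        "leaked_secret_vars": sorted(
            v for v in SECRET_VARS if re.search(r"\b%s=\S+" % v, stderr)),
        "stderr_redacted": redact(stderr),
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FATAL), indent=2))
```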