Merge "Fix keystone fernet bootstrap"

36c2201a · Zuul · Gerrit Code Review · ac876459 · 0799782c · 36c2201a
Commit 36c2201a authored 5 years ago by Zuul Committed by Gerrit Code Review 5 years ago
--- a/ansible/roles/keystone/tasks/bootstrap_service.yml
+++ b/ansible/roles/keystone/tasks/bootstrap_service.yml
 ---
+- name: Checking for any running keystone_fernet containers
+  become: true
+  kolla_container_facts:
+    name:
+      - keystone_fernet
+  register: container_facts
+- name: Group nodes where keystone_fernet is running
+  group_by:
+    key: keystone_fernet_{{ container_facts['keystone_fernet'].State | default('bootstrap') }}
 - name: Running Keystone bootstrap container
  vars:
    keystone: "{{ keystone_services.keystone }}"
@@ -17,4 +28,29 @@
    restart_policy: no
    volumes: "{{ keystone.volumes|reject('equalto', '')|list }}"
  run_once: True
-  delegate_to: "{{ groups['keystone'][0] }}"
+- name: Running Keystone fernet bootstrap container
+  vars:
+    keystone_fernet: "{{ keystone_services['keystone-fernet'] }}"
+  become: true
+  kolla_docker:
+    action: "start_container"
+    common_options: "{{ docker_common_options }}"
+    detach: False
+    environment:
+      KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+    image: "{{ keystone_fernet.image }}"
+    labels:
+      BOOTSTRAP:
+    command: >
+      bash -c 'sudo -E kolla_set_configs &&
+      keystone-manage --config-file /etc/keystone/keystone.conf
+      fernet_setup --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }} && ls -l /etc/keystone/fernet-keys/'
+    name: "bootstrap_keystone_fernet"
+    restart_policy: no
+    volumes: "{{ keystone_fernet.volumes|reject('equalto', '')|list }}"
+  run_once: True
+  delegate_to: "{{ groups['keystone_fernet_bootstrap'][0] }}"
+  when:
+    - keystone_token_provider == 'fernet'
+    - groups['keystone_fernet_running'] is not defined
--- a/ansible/roles/keystone/tasks/deploy.yml
+++ b/ansible/roles/keystone/tasks/deploy.yml
@@ -10,7 +10,7 @@
 - name: Flush handlers
  meta: flush_handlers
- include_tasks: init_fernet.yml
+- include_tasks: distribute_fernet.yml
  when:
    - keystone_token_provider == 'fernet'

--- a/ansible/roles/keystone/tasks/init_fernet.yml
+++ b/ansible/roles/keystone/tasks/init_fernet.yml
@@ -9,19 +9,11 @@
  retries: 10
  delay: 5
- name: Initialise fernet key authentication
-  become: true
-  command: "docker exec -t keystone_fernet kolla_keystone_bootstrap {{ keystone_username }} {{ keystone_groupname }}"
-  register: fernet_create
-  changed_when: fernet_create.stdout.find('localhost | SUCCESS => ') != -1 and (fernet_create.stdout.split('localhost | SUCCESS => ')[1]|from_json).changed
-  until: fernet_create.stdout.split()[2] == 'SUCCESS' or fernet_create.stdout.find('Key repository is already initialized') != -1
-  retries: 10
-  delay: 5
-  run_once: True
-  delegate_to: "{{ groups['keystone'][0] }}"
 - name: Run key distribution
  become: true
  command: docker exec -t keystone_fernet /usr/bin/fernet-push.sh
  run_once: True
-  delegate_to: "{{ groups['keystone'][0] }}"
+  delegate_to: >-
+    {% if groups['keystone_fernet_running'] is defined -%}
+    {{ groups['keystone_fernet_running'][0] }}
+    {%- else -%}{{ groups['keystone'][0] }}{%- endif %}
--- a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
@@ -4,10 +4,26 @@ set -o errexit
 set -o pipefail
 # Get data on the fernet tokens
-TOKEN_CHECK=$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n {{ (groups['keystone'] | length) + 1 }})
+# NOTE(mnasiadka): Check for existence of at least two tokens (should exist after bootstrap)
+TOKEN_CHECK=$(/usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t {{ fernet_token_expiry }} -n 2)
+# Ensure tokens are populated
+n=0
+while /usr/bin/python{{ distro_python_version }} /usr/bin/fetch_fernet_tokens.py -t 86400 -n 1 | grep -q '"populated": false'; do
+    if [ $n -lt 10 ]; then
+        n=$(( n + 1 ))
+        echo "ERROR: Fernet tokens have not been populated, rechecking in 1 minute"
+        echo "DEBUG: /etc/keystone/fernet-keys contents:"
+        ls -l /etc/keystone/fernet-keys/
+        sleep 60
+    else
+        echo "CRITICAL: Waited for 10 minutes - failing"
+        exit 1
+    fi
+done
 # Ensure the primary token exists and is not stale
-if $(echo "$TOKEN_CHECK" | grep -q '"update_required":"false"'); then
+if $(echo "$TOKEN_CHECK" | grep -q '"update_required": false'); then
    exit 0;
 fi

--- a/ansible/roles/keystone/templates/fernet-push.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-push.sh.j2
 #!/bin/bash
+set -o errexit
+set -o pipefail
 {% for host in groups['keystone'] %}
 {% if inventory_hostname != host %}
 /usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:/etc/keystone/fernet-keys

--- a/ansible/roles/keystone/templates/fernet-rotate.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-rotate.sh.j2
 #!/bin/bash
+set -o errexit
+set -o pipefail
 keystone-manage --config-file /etc/keystone/keystone.conf fernet_rotate --keystone-user {{ keystone_username }} --keystone-group {{ keystone_groupname }}
 /usr/bin/fernet-push.sh
--- a/releasenotes/notes/bug-1846789-fix-fernet-bootstrap-36f87e36e4dc6ec9.yaml
+++ b/releasenotes/notes/bug-1846789-fix-fernet-bootstrap-36f87e36e4dc6ec9.yaml
+---
+fixes:
+  - |
+    Rework keystone fernet bootstrap which had tendencies to fail on multinode
+    setups. See `bug 1846789 <https://launchpad.net/bugs/1846789>`__ for
+    details.