Red Hat OpenStack Services on OpenShift / OSPRH-7108

alias command for OVN commands doesn't work in TLS-e environment


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhos-17.1.3
    • rhos-17.1.0
    • documentation
    • Moderate

      Description of problem:

      The following document instructs us to run the following script to use ovn-nbctl/ovn-sbctl/ovn-trace commands:
      https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.1/html/configuring_red_hat_openstack_platform_networking/neutron-troubleshoot_rhosp-network#ovn-db-aliases-creating_neutron-troubleshoot
      ~~~
      REMOTE_IP=$(sudo ovs-vsctl get open . external_ids:ovn-remote)
      NBDB=$(echo $REMOTE_IP | sed 's/6642/6641/g')
      SBDB=$REMOTE_IP
      alias ovn-sbctl="sudo podman exec ovn_controller ovn-sbctl --db=$SBDB"
      alias ovn-nbctl="sudo podman exec ovn_controller ovn-nbctl --db=$NBDB"
      alias ovn-trace="sudo podman exec ovn_controller ovn-trace --db=$SBDB"
      ~~~

      However, the above script doesn't work in TLS-e environments because of the following TLS error.

      ~~~
      [root@central-controller-0 ~]# REMOTE_IP=$(sudo ovs-vsctl get open . external_ids:ovn-remote)
      [root@central-controller-0 ~]# NBDB=$(echo $REMOTE_IP | sed 's/6642/6641/g')
      [root@central-controller-0 ~]# SBDB=$REMOTE_IP
      [root@central-controller-0 ~]# alias ovn-sbctl="sudo podman exec ovn_controller ovn-sbctl --db=$SBDB"
      [root@central-controller-0 ~]# alias ovn-nbctl="sudo podman exec ovn_controller ovn-nbctl --db=$NBDB"
      [root@central-controller-0 ~]# alias ovn-trace="sudo podman exec ovn_controller ovn-trace --db=$SBDB"

      [root@central-controller-0 ~]# ovn-nbctl show
      2024-05-15T09:20:52Z|00001|stream_ssl|ERR|Private key must be configured to use SSL
      2024-05-15T09:20:52Z|00002|stream_ssl|ERR|Certificate must be configured to use SSL
      2024-05-15T09:20:52Z|00003|stream_ssl|ERR|CA certificate must be configured to use SSL
      2024-05-15T09:20:52Z|00004|stream_ssl|ERR|Private key must be configured to use SSL
      2024-05-15T09:20:52Z|00005|stream_ssl|ERR|Certificate must be configured to use SSL
      2024-05-15T09:20:52Z|00006|stream_ssl|ERR|CA certificate must be configured to use SSL
      2024-05-15T09:20:52Z|00007|stream_ssl|ERR|Private key must be configured to use SSL
      2024-05-15T09:20:52Z|00008|stream_ssl|ERR|Certificate must be configured to use SSL
      2024-05-15T09:20:52Z|00009|stream_ssl|ERR|CA certificate must be configured to use SSL
      ovn-nbctl: ssl:172.16.2.72:6641,ssl:172.16.2.49:6641,ssl:172.16.2.117:6641: database connection failed (Protocol not available)
      ~~~

      On my RHOSP 17.1 + TLS-e lab, I confirmed that I can use the following script instead.

      ~~~
      [root@central-controller-0 ~]# REMOTE_IP=$(sudo ovs-vsctl get open . external_ids:ovn-remote)
      [root@central-controller-0 ~]# NBDB=$(echo $REMOTE_IP | sed 's/6642/6641/g')
      [root@central-controller-0 ~]# SBDB=$REMOTE_IP
      [root@central-controller-0 ~]# alias ovn-nbctl="sudo podman exec ovn_controller ovn-nbctl --db=$NBDB --private-key=/etc/pki/tls/private/ovn_controller.key --certificate=/etc/pki/tls/certs/ovn_controller.crt --ca-cert=/etc/ipa/ca.crt"
      [root@central-controller-0 ~]# alias ovn-sbctl="sudo podman exec ovn_controller ovn-sbctl --db=$SBDB --private-key=/etc/pki/tls/private/ovn_controller.key --certificate=/etc/pki/tls/certs/ovn_controller.crt --ca-cert=/etc/ipa/ca.crt"
      [root@central-controller-0 ~]# alias ovn-trace="sudo podman exec ovn_controller ovn-trace --db=$SBDB --private-key=/etc/pki/tls/private/ovn_controller.key --certificate=/etc/pki/tls/certs/ovn_controller.crt --ca-cert=/etc/ipa/ca.crt"

      [root@central-controller-0 ~]# ovn-nbctl show|head -n 10
      switch bd2dac50-7c98-418a-8f04-cc4a021211ae (neutron-ae186e9d-ea63-448c-ad0b-8cb6338446d5) (aka yatanaka_network1)
      port 85fec054-7084-43ff-891e-3d2a7c9aaedc
      type: router
      router-port: lrp-85fec054-7084-43ff-891e-3d2a7c9aaedc
      port bbcce1ea-642f-47c4-bd08-b1e588238c70
      type: localport
      addresses: ["fa:16:3e:6d:92:cd 192.168.1.2"]
      switch 9cc58962-120c-4834-b5f2-c10de77d00b3 (neutron-38be6d06-cb1a-47be-83c6-4b47a733acad) (aka yatanaka_network0)
      port 3fd1f818-b2cd-4ed6-af03-76e52edad453
      type: localport
      ~~~

      Version-Release number of selected component (if applicable):
      I confirmed that this issue occurs on RHOSP 17.1.

      How reproducible:
      Steps to Reproduce:
      1. Deploy overcloud with TLS-e
      2. Follow the document

      Actual results:
      ovn-nbctl/ovn-sbctl/ovn-trace don't work due to a TLS error

      Expected results:
      ovn-nbctl/ovn-sbctl/ovn-trace work

      Additional info:
      Documents of other versions have the same instruction:

              jamsmith@redhat.com James Smith
              rhn-support-yatanaka Yamato Tanaka
              rhos-dfg-networking-squad-neutron
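
The following is an added example, not part of the report or of the product documentation: a sketch that builds the three command lines for either kind of deployment, appending the key, certificate and CA options from the report only when `external_ids:ovn-remote` uses the `ssl:` scheme. The helper names (`strip_quotes`, `nb_remote`, `tls_opts`, `ovn_cmd`) and the sample addresses are assumptions made for illustration; the certificate paths are the ones from the reporter's lab.

```shell
#!/bin/sh
# Added example (not from the report or the product documentation).
# Certificate paths are the ones used in the report's lab.
OVN_KEY=/etc/pki/tls/private/ovn_controller.key
OVN_CERT=/etc/pki/tls/certs/ovn_controller.crt
OVN_CA=/etc/ipa/ca.crt

# "ovs-vsctl get" prints string values wrapped in double quotes; strip them.
strip_quotes() {
    printf '%s\n' "$1" | sed 's/^"//; s/"$//'
}

# Northbound remote: rewrite only the port of each comma-separated endpoint,
# so a "6642" elsewhere in the value (e.g. in an IPv6 address) is left alone.
nb_remote() {
    strip_quotes "$1" | sed -E 's/:6642(,|$)/:6641\1/g'
}

# TLS client options, emitted only when an endpoint uses the ssl: scheme.
tls_opts() {
    case "$(strip_quotes "$1")" in
        ssl:*|*,ssl:*)
            printf '%s\n' "--private-key=$OVN_KEY --certificate=$OVN_CERT --ca-cert=$OVN_CA" ;;
    esac
}

# Full command line for one tool; $1 = tool name, $2 = raw ovn-remote value.
ovn_cmd() {
    case "$1" in
        ovn-nbctl) db=$(nb_remote "$2") ;;
        *)         db=$(strip_quotes "$2") ;;
    esac
    opts=$(tls_opts "$2")
    printf '%s\n' "sudo podman exec ovn_controller $1 --db=$db${opts:+ $opts}"
}

# On a controller:
#   REMOTE=$(sudo ovs-vsctl get open . external_ids:ovn-remote)
#   alias ovn-nbctl="$(ovn_cmd ovn-nbctl "$REMOTE")"   # likewise ovn-sbctl, ovn-trace

# Constructed sample values (documentation addresses, not a live system).
SAMPLE_TLS='"ssl:192.0.2.10:6642,ssl:192.0.2.11:6642"'
SAMPLE_TCP='"tcp:192.0.2.10:6642"'
for tool in ovn-nbctl ovn-sbctl ovn-trace; do
    ovn_cmd "$tool" "$SAMPLE_TLS"
    ovn_cmd "$tool" "$SAMPLE_TCP"
done
```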