[4.0] rabbitmq: Fix ACL of SSL key after uid/gid change + keystone: Use correct paths when syncing certs#2146
In shared storage based HA setup, rabbitmq uses fixed uid/gid=91. This user/group modification was done after (optional) SSL certificate generation. The ACLs on the SSL key were incorrect, making rabbitmq unable to start with EACCES errors.

This will hopefully fix the HA gating failures we have in the stable/4.0 branch. In later branches rabbitmq uses native clustering by default, and this mode doesn't use the static uid/gid code, so the problem doesn't show there.
JanZerebecki left a comment:
Looks good to forward-port (if that applies) once it passes CI.
Temporarily added this fix #2145 as both are probably needed to have the gating pass.

Can you clarify more what the issue was that the commit "keystone: Use correct paths when syncing certs" is fixing? That part of the code isn't doing HTTPS but is actually configuration needed for PKI token signing. I think we're also supposed to fix in master first and then backport?

@cmurphy adding to Jan's comment, the problem is that gating jobs have (recently) enabled As for the porting strategy... note that we have two sets of labels (forward/back ports). IMO the bugs should be fixed where they're mostly relevant and then ported wherever suitable. This approach was used especially in upgrade related work, where we were doing lots of changes in the stable branches.
The sync failed when certs and/or keys were located in non-default paths.
68aead3 to 375f8a8

Replaced cherry-picked commit with updated one.

@skazi0 related issue: SOC-9026
Second commit is taken from #2145 to avoid cross-PR dependencies in gating.
Note: forward ports need to include only the rabbitmq part as the keystone change is not relevant for newer versions.