From cc4d71639143aaa2bc3a6f9565eaf5a538dd7f9f Mon Sep 17 00:00:00 2001 From: Mustafa Kemal GILOR Date: Wed, 22 May 2024 12:58:19 +0200 Subject: [PATCH] scenarios/ost/keystone/lp1896125: better detection of the LP#1896125 (#757) the previous revision of the scenario was tied to the specific keystone versions which impedes the scenario's ability to detect the bug in other keystone versions. the new revision will detect the bug regardless of the keystone version. Closes #756 Signed-off-by: Mustafa Kemal Gilor --- .../openstack/keystone/bugs/lp1896125.yaml | 60 ++++++++++--------- .../bugs/lp1896125-16-30-99-should-raise.yaml | 23 +++++++ .../bugs/lp1896125-17-0-0-should-raise.yaml | 23 +++++++ .../lp1896125-17-0-1-should-not-raise.yaml | 13 ++++ .../lp1896125-17-0-2-should-not-raise.yaml | 13 ++++ .../bugs/lp1896125-18-0-0-should-raise.yaml | 23 +++++++ .../lp1896125-18-0-1-should-not-raise.yaml | 13 ++++ .../openstack/keystone/bugs/lp1896125.yaml | 20 ------- 8 files changed, 141 insertions(+), 47 deletions(-) create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml delete mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml diff --git a/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml b/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml index 21c07156c..745eed936 100644 --- a/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml 
+++ b/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml 
@@ -3,38 +3,44 @@ checks: apt: keystone: # Train - - min: 2:16.0.0 - max: 2:16.0.1 + - ge: 2:16.0.0 # Ussuri - - min: 2:17.0.0 - max: 2:17.0.0-99 + - ge: 2:17.0.0 + lt: 2:17.0.1 # Victoria - - min: 2:18.0.0 - max: 2:18.0.0-99 - config: - handler: hotsos.core.plugins.openstack.OpenstackConfig - # keystone ldap config be defined globally or per-domain - path: [etc/keystone/keystone.conf, etc/keystone/domains/*] - assertions: - - key: url - section: ldap - ops: [[truth]] # i.e. does the setting have a value - allow-unset: false + - ge: 2:18.0.0 + lt: 2:18.0.1 + # Wallaby + - ge: 2:19.0.0 + lt: 2:19.0.1 + # Xena + - ge: 2:20.0.0 + lt: 2:20.0.1 + # Yoga + - ge: 2:21.0.0 + lt: 2:21.0.1 + # Zed + - ge: 2:22.0.0 + lt: 2:22.0.1 + has_maxconn_reached_error: + input: + path: 'var/log/keystone/keystone.log' + expr: 'ldappool.MaxConnectionReachedError:.*' conclusions: lp1896125: - decision: has_1896125 + decision: + - has_1896125 + - has_maxconn_reached_error raises: type: LaunchpadBug bug-id: 1896125 message: >- - Installed package '{package}' with version {version} has a known bug - that causes memory leak over time and causes LDAP logins to fail. It - is recommended to upgrade to the next point release available for the - package. To workaround LDAP login failure problem, disable LDAP pooling - by setting `ldap-use-pool` to `false` for all deployed `keystone-ldap` - applications in charmed deployments. For non-charmed deployments, set - `use_pool` to `false` in the LDAP domain /etc/keystone/domains/*.conf - file. - format-dict: - package: '@checks.has_1896125.requires.package' - version: '@checks.has_1896125.requires.version' + Known Keystone bug identified that causes Denial-of-Service when + LDAP connection pooling is enabled via use_pool=True. This bug may + manifest itself in LDAP operations such as OpenStack dashboard login + failures. It is recommended to upgrade to the next point release + available for the package. 
+ To workaround LDAP login failure problem,
+ disable LDAP pooling by setting `ldap-use-pool` to `false` for *all*
+ deployed `keystone-ldap` applications in charmed deployments. For
+ non-charmed deployments, set `use_pool` to `false` in the LDAP domain
+ /etc/keystone/domains/*.conf file.
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml
new file mode 100644
index 000000000..2bce76b22
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml
@@ -0,0 +1,23 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:16.30.99-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs:
+ https://bugs.launchpad.net/bugs/1896125: >-
+ Known Keystone bug identified that causes Denial-of-Service when
+ LDAP connection pooling is enabled via use_pool=True. This bug may
+ manifest itself in LDAP operations such as OpenStack dashboard login
+ failures. It is recommended to upgrade to the next point release
+ available for the package. To workaround LDAP login failure problem,
+ disable LDAP pooling by setting `ldap-use-pool` to `false` for *all*
+ deployed `keystone-ldap` applications in charmed deployments. For
+ non-charmed deployments, set `use_pool` to `false` in the LDAP domain
+ /etc/keystone/domains/*.conf file.
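Review bot: In hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml the removed `config` check has no replacement, so the conclusion now rests on a package range plus any `ldappool.MaxConnectionReachedError` line in `var/log/keystone/keystone.log`. Two detection consequences follow: an affected host whose log has rotated, or that has not yet hit the error, is no longer flagged, and a host where the `use_pool = false` workaround was applied after the error keeps raising the bug for as long as the old line stays in the log. Consider keeping a config assertion on `use_pool` in the `ldap` section as a third `decision` item if the config handler can express it, or state the limitation in a comment above `has_maxconn_reached_error`. The `.` in `expr` is also an unescaped wildcard; `expr: 'ldappool\.MaxConnectionReachedError:'` matches the literal class name. The hunk starts below the `checks:` key, so the head of `has_1896125` is outside the visible lines.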
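Review bot: None of the six new fixtures (lp1896125-16-30-99-should-raise.yaml and the five that follow it) covers an affected version with a clean log; every `should-not-raise` case varies only the package version and keeps the `MaxConnectionReachedError` traceback. Because the conclusion now requires both checks, a fixture with an affected version such as `2:17.0.0` and no matching log line would pin the new AND behaviour and catch a log expression that matches too broadly. The Wallaby to Zed ranges added to the scenario have no fixture either. A sketch of the missing negative case follows; its file name and log line are constructed.

```yaml
# constructed example: lp1896125-17-0-0-clean-log-should-not-raise.yaml
target-name: lp1896125.yaml
data-root:
  files:
    sos_commands/dpkg/dpkg_-l: |
      ii  keystone 2:17.0.0-0ubuntu0.20.04.1 amd64
    var/log/keystone/keystone.log: |
      INFO keystone.server.flask.application [-] constructed benign log line
raised-bugs:  # none
```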
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml
new file mode 100644
index 000000000..3dc980269
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml
@@ -0,0 +1,23 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:17.0.0-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs:
+ https://bugs.launchpad.net/bugs/1896125: >-
+ Known Keystone bug identified that causes Denial-of-Service when
+ LDAP connection pooling is enabled via use_pool=True. This bug may
+ manifest itself in LDAP operations such as OpenStack dashboard login
+ failures. It is recommended to upgrade to the next point release
+ available for the package. To workaround LDAP login failure problem,
+ disable LDAP pooling by setting `ldap-use-pool` to `false` for *all*
+ deployed `keystone-ldap` applications in charmed deployments. For
+ non-charmed deployments, set `use_pool` to `false` in the LDAP domain
+ /etc/keystone/domains/*.conf file.
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml
new file mode 100644
index 000000000..723e47891
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml
@@ -0,0 +1,13 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:17.0.1-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs: # none
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml
new file mode 100644
index 000000000..af53eaa54
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml
@@ -0,0 +1,13 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:17.0.2-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs: # none
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml
new file mode 100644
index 000000000..132c0e7ea
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml
@@ -0,0 +1,23 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:18.0.0-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs:
+ https://bugs.launchpad.net/bugs/1896125: >-
+ Known Keystone bug identified that causes Denial-of-Service when
+ LDAP connection pooling is enabled via use_pool=True. This bug may
+ manifest itself in LDAP operations such as OpenStack dashboard login
+ failures. It is recommended to upgrade to the next point release
+ available for the package. To workaround LDAP login failure problem,
+ disable LDAP pooling by setting `ldap-use-pool` to `false` for *all*
+ deployed `keystone-ldap` applications in charmed deployments. For
+ non-charmed deployments, set `use_pool` to `false` in the LDAP domain
+ /etc/keystone/domains/*.conf file.
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml
new file mode 100644
index 000000000..94ea5245c
--- /dev/null
+++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml
@@ -0,0 +1,13 @@
+target-name: lp1896125.yaml
+data-root:
+ files:
+ sos_commands/dpkg/dpkg_-l: |
+ ii keystone 2:18.0.1-0ubuntu0.20.04.1 amd64
+ var/log/keystone/keystone.log: |
+ Traceback (most recent call last):
+ File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__
+ return next(self.gen)
+ File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection
+ raise MaxConnectionReachedError(self.uri)
+ ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com
+raised-bugs: # none
diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml
deleted file mode 100644
index 1efbe95c5..000000000
--- a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-data-root:
- files:
- sos_commands/dpkg/dpkg_-l: |
- ii keystone 2:17.0.0-0ubuntu0.20.04.1 amd64
- etc/keystone/keystone.conf: |
- [DEBUG]
- debug = True
- etc/keystone/domains/domainX.conf: |
- [ldap]
- url = ldap://10.0.0.1
-raised-bugs:
- https://bugs.launchpad.net/bugs/1896125: >-
- Installed package 'keystone' with version 2:17.0.0-0ubuntu0.20.04.1 has a known bug
- that causes memory leak over time and causes LDAP logins to fail. It
- is recommended to upgrade to the next point release available for the
- package. To workaround LDAP login failure problem, disable LDAP pooling
- by setting `ldap-use-pool` to `false` for all deployed `keystone-ldap`
- applications in charmed deployments. For non-charmed deployments, set
- `use_pool` to `false` in the LDAP domain /etc/keystone/domains/*.conf
- file.