From 4be57ad3bc534685a422fbd65243fd7c258ad5cf Mon Sep 17 00:00:00 2001 From: Mustafa Kemal Gilor Date: Mon, 23 Oct 2023 10:58:39 +0300 Subject: [PATCH] scenarios/ost/keystone/lp1896125: better detection of the LP#1896125 the previous revision of the scenario was tied to the specific keystone versions which impedes the scenario's ability to detect the bug in other keystone versions. the new revision will detect the bug regardless of the keystone version. Closes #756 Signed-off-by: Mustafa Kemal Gilor --- .../openstack/keystone/bugs/lp1896125.yaml | 60 ++++++++++--------- .../bugs/lp1896125-16-30-99-should-raise.yaml | 23 +++++++ .../bugs/lp1896125-17-0-0-should-raise.yaml | 23 +++++++ .../lp1896125-17-0-1-should-not-raise.yaml | 14 +++++ .../lp1896125-17-0-2-should-not-raise.yaml | 14 +++++ .../bugs/lp1896125-18-0-0-should-raise.yaml | 23 +++++++ .../lp1896125-18-0-1-should-not-raise.yaml | 14 +++++ .../openstack/keystone/bugs/lp1896125.yaml | 20 ------- 8 files changed, 144 insertions(+), 47 deletions(-) create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml create mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml delete mode 100644 hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml diff --git a/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml b/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml index 87edfd681..5ed54d034 100644 --- a/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml +++ b/hotsos/defs/scenarios/openstack/keystone/bugs/lp1896125.yaml @@ -3,38 +3,44 @@ checks: apt: keystone: # Train - - min: 2:16.0.0 - max: 2:16.0.1 + - ge: 2:16.0.0 # Ussuri - - min: 2:17.0.0 - max: 2:17.0.0-99 + - ge: 2:17.0.0 + lt: 2:17.0.1 # Victoria - - min: 2:18.0.0 - max: 2:18.0.0-99 - config: - handler: hotsos.core.plugins.openstack.OpenstackConfig - # keystone ldap config be defined globally or per-domain - path: [etc/keystone/keystone.conf, etc/keystone/domains/*] - assertions: - - key: url - section: ldap - ops: [[truth]] # i.e. does the setting have a value - allow-unset: False + - ge: 2:18.0.0 + lt: 2:18.0.1 + # Wallaby + - ge: 2:19.0.0 + lt: 2:19.0.1 + # Xena + - ge: 2:20.0.0 + lt: 2:20.0.1 + # Yoga + - ge: 2:21.0.0 + lt: 2:21.0.1 + # Zed + - ge: 2:22.0.0 + lt: 2:22.0.1 + has_maxconn_reached_error: + input: + path: 'var/log/keystone/keystone.log' + expr: 'ldappool.MaxConnectionReachedError:.*' conclusions: lp1896125: - decision: has_1896125 + decision: + - has_1896125 + - has_maxconn_reached_error raises: type: LaunchpadBug bug-id: 1896125 message: >- - Installed package '{package}' with version {version} has a known bug - that causes memory leak over time and causes LDAP logins to fail. It - is recommended to upgrade to the next point release available for the - package. To workaround LDAP login failure problem, disable LDAP pooling - by setting `ldap-use-pool` to `false` for all deployed `keystone-ldap` - applications in charmed deployments. For non-charmed deployments, set - `use_pool` to `false` in the LDAP domain /etc/keystone/domains/*.conf - file. - format-dict: - package: '@checks.has_1896125.requires.package' - version: '@checks.has_1896125.requires.version' + Known Keystone bug identified that causes Denial-of-Service when + LDAP connection pooling is enabled via use_pool=True. This bug may + manifest itself in LDAP operations such as OpenStack dashboard login + failures. It is recommended to upgrade to the next point release + available for the package. To workaround LDAP login failure problem, + disable LDAP pooling by setting `ldap-use-pool` to `false` for *all* + deployed `keystone-ldap` applications in charmed deployments. For + non-charmed deployments, set `use_pool` to `false` in the LDAP domain + /etc/keystone/domains/*.conf file. diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml new file mode 100644 index 000000000..2bce76b22 --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-16-30-99-should-raise.yaml @@ -0,0 +1,23 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:16.30.99-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + https://bugs.launchpad.net/bugs/1896125: >- + Known Keystone bug identified that causes Denial-of-Service when + LDAP connection pooling is enabled via use_pool=True. This bug may + manifest itself in LDAP operations such as OpenStack dashboard login + failures. It is recommended to upgrade to the next point release + available for the package. To workaround LDAP login failure problem, + disable LDAP pooling by setting `ldap-use-pool` to `false` for *all* + deployed `keystone-ldap` applications in charmed deployments. For + non-charmed deployments, set `use_pool` to `false` in the LDAP domain + /etc/keystone/domains/*.conf file. diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml new file mode 100644 index 000000000..3dc980269 --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-0-should-raise.yaml @@ -0,0 +1,23 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:17.0.0-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + https://bugs.launchpad.net/bugs/1896125: >- + Known Keystone bug identified that causes Denial-of-Service when + LDAP connection pooling is enabled via use_pool=True. This bug may + manifest itself in LDAP operations such as OpenStack dashboard login + failures. It is recommended to upgrade to the next point release + available for the package. To workaround LDAP login failure problem, + disable LDAP pooling by setting `ldap-use-pool` to `false` for *all* + deployed `keystone-ldap` applications in charmed deployments. For + non-charmed deployments, set `use_pool` to `false` in the LDAP domain + /etc/keystone/domains/*.conf file. diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml new file mode 100644 index 000000000..9aaae27bf --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-1-should-not-raise.yaml @@ -0,0 +1,14 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:17.0.1-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + # none \ No newline at end of file diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml new file mode 100644 index 000000000..7b31e1aaf --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-17-0-2-should-not-raise.yaml @@ -0,0 +1,14 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:17.0.2-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + # none \ No newline at end of file diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml new file mode 100644 index 000000000..132c0e7ea --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-0-should-raise.yaml @@ -0,0 +1,23 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:18.0.0-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + https://bugs.launchpad.net/bugs/1896125: >- + Known Keystone bug identified that causes Denial-of-Service when + LDAP connection pooling is enabled via use_pool=True. This bug may + manifest itself in LDAP operations such as OpenStack dashboard login + failures. It is recommended to upgrade to the next point release + available for the package. To workaround LDAP login failure problem, + disable LDAP pooling by setting `ldap-use-pool` to `false` for *all* + deployed `keystone-ldap` applications in charmed deployments. For + non-charmed deployments, set `use_pool` to `false` in the LDAP domain + /etc/keystone/domains/*.conf file. diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml new file mode 100644 index 000000000..191df635d --- /dev/null +++ b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125-18-0-1-should-not-raise.yaml @@ -0,0 +1,14 @@ +target-name: lp1896125.yaml +data-root: + files: + sos_commands/dpkg/dpkg_-l: | + ii keystone 2:18.0.1-0ubuntu0.20.04.1 amd64 + var/log/keystone/keystone.log: | + Traceback (most recent call last): + File "/usr/lib/python3.10/contextlib.py", line 135, in __enter__ + return next(self.gen) + File "/usr/lib/python3/dist-packages/ldappool/__init__.py", line 391, in connection + raise MaxConnectionReachedError(self.uri) + ldappool.MaxConnectionReachedError: ldaps://ldapserver.example.com +raised-bugs: + # none \ No newline at end of file diff --git a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml b/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml deleted file mode 100644 index 1efbe95c5..000000000 --- a/hotsos/defs/tests/scenarios/openstack/keystone/bugs/lp1896125.yaml +++ /dev/null @@ -1,20 +0,0 @@ -data-root: - files: - sos_commands/dpkg/dpkg_-l: | - ii keystone 2:17.0.0-0ubuntu0.20.04.1 amd64 - etc/keystone/keystone.conf: | - [DEBUG] - debug = True - etc/keystone/domains/domainX.conf: | - [ldap] - url = ldap://10.0.0.1 -raised-bugs: - https://bugs.launchpad.net/bugs/1896125: >- - Installed package 'keystone' with version 2:17.0.0-0ubuntu0.20.04.1 has a known bug - that causes memory leak over time and causes LDAP logins to fail. It - is recommended to upgrade to the next point release available for the - package. To workaround LDAP login failure problem, disable LDAP pooling - by setting `ldap-use-pool` to `false` for all deployed `keystone-ldap` - applications in charmed deployments. For non-charmed deployments, set - `use_pool` to `false` in the LDAP domain /etc/keystone/domains/*.conf - file.