SUSE Cloud – missing cinder key on computes

2017-11-01 14:30:53.970 27835 ERROR nova.virt.libvirt.driver [instance: c5618826-98cb-4fd6-9d6f-b8899bd320b7] libvirtError: Secret not found: no secret with matching uuid '5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6'
2017-11-01 14:30:53.970 27835 ERROR nova.virt.libvirt.driver [instance: c5618826-98cb-4fd6-9d6f-b8899bd320b7]
2017-11-01 14:30:53.971 27835 ERROR nova.virt.block_device [req-9f046c95-fecf-46e5-874d-43b42da1e63f 62169e96ed4b485aa2dfb2ca3235305c 05f20019f1c94952937a7f34087f5471 - - -] [instance: c5618826-98cb-4fd6-9d6f-b8899bd320b7] Driver failed to attach volume 9f33b42f-79ba-472f-8e10-9525f186cde1 at /dev/vdb

Unless you find a secret like this one on the compute node (something with crowbar-$ID)

# virsh secret-list 
 UUID                                  Usage
--------------------------------------------------------------------------------
 5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6  ceph crowbar-5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6 secret

you have to fix it on your own:

#!/bin/bash

ID="5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6"
# cinder key from the ceph cluster: ceph auth get-key client.cinder
CINDERKEY="AQA4cw1aa2tAAhAAxYl2l/lCaer3squRBdXBYg=="
FILE="<secret ephemeral='no' private='no'><uuid>$ID</uuid><usage type='ceph'><name>client.cinder secret</name></usage></secret>"
FILENAME="/tmp/secret.xml"

for host in 01 02 03 04 05; do
	dest="compute${host}"
	echo "Verify host $dest:"
	# secret-get-value fails if the secret is not defined or has no value;
	# its output is the key itself, so it is discarded instead of printed
	if ! ssh "$dest" virsh secret-get-value "$ID" >/dev/null; then
		echo "Create secret for cinder user."
		ssh "$dest" "echo \"$FILE\" > $FILENAME"
		ssh "$dest" virsh secret-define --file "$FILENAME"
		ssh "$dest" virsh secret-set-value --secret "$ID" --base64 "$CINDERKEY"
	fi
	echo "ok!"
done
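
To see which secrets are missing before changing anything on a compute node, the UUIDs from the nova-compute errors can be compared with the output of virsh secret-list. This is an added example, not part of the original post; the function names, the second log line and its UUIDs are constructed for illustration.

```bash
#!/bin/bash
# Added example (constructed, not from the original post): list the libvirt
# secret UUIDs that nova-compute asked for but the compute node does not define.

UUID_RE='[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

# stdin: nova-compute log. stdout: UUIDs named in "Secret not found" errors.
wanted_secret_uuids() {
    grep -F 'Secret not found: no secret with matching uuid' \
        | grep -oE "uuid '$UUID_RE'" | grep -oE "$UUID_RE" | sort -u
}

# stdin: `virsh secret-list` output. stdout: the UUID column.
defined_secret_uuids() {
    grep -oE "^ *$UUID_RE" | tr -d ' ' | sort -u
}

# $1: nova-compute log file, $2: file with saved `virsh secret-list` output.
# stdout: UUIDs nova needs that libvirt does not know on this host.
missing_secrets() {
    wanted_secret_uuids < "$1" | while read -r uuid; do
        defined_secret_uuids < "$2" | grep -qxF "$uuid" || echo "$uuid"
    done
}

# Constructed sample data: two errors in the log, only one secret defined.
demo() {
    log=$(mktemp) && list=$(mktemp) || return 1
    cat > "$log" <<'EOF'
2017-11-01 14:30:53.970 27835 ERROR nova.virt.libvirt.driver [instance: c5618826-98cb-4fd6-9d6f-b8899bd320b7] libvirtError: Secret not found: no secret with matching uuid '5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6'
2017-11-01 14:31:10.112 27835 ERROR nova.virt.libvirt.driver [instance: 0a0a0a0a-1111-2222-3333-444444444444] libvirtError: Secret not found: no secret with matching uuid '11111111-2222-3333-4444-555555555555'
EOF
    cat > "$list" <<'EOF'
 UUID                                  Usage
--------------------------------------------------------------------------------
 5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6  ceph crowbar-5b7c1b36-9093-4a13-b14d-da8b8cbdd8a6 secret
EOF
    missing_secrets "$log" "$list"
    rm -f "$log" "$list"
}

demo
```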

SUSE Openstack Cloud – debugging sleshammer

To get a login shell during discovery, before the NFS share is mounted:

Add the DISCOVERY_ROOT_PASSWORD parameter

root@admin:~ # crowbarctl proposal edit provisioner default
{
  "id": "provisioner-default",
  "description": "Created on Thu, 09 Nov 2017 15:43:20 +0100",
  "attributes": {
    "provisioner": {
[...]
      "discovery": {
        "append": "DISCOVERY_ROOT_PASSWORD=replace-with-your-password"
      }
[...]
    }
  }
}
root@admin:~ # crowbarctl proposal commit provisioner default

SUSE Openstack Cloud – sleshammer – pre/post scripts – pxe trigger

Enable root login for the sleshammer image

(it is used by SUSE Cloud as the hardware discovery image)

The sleshammer image mounts “/updates” over NFS from the admin node and executes control.sh. This script checks whether there are any pre/post hooks and executes the ones it finds.

root@admin:/updates # cat /updates/discovered-pre/set-root-passwd.hook
#!/bin/bash
echo "root" | passwd --stdin root

echo
echo
echo "ROOT LOGIN IS NOW ENABLED!"
echo
echo
sleep 10

Make sure that the hook is set as executable!

SUSE Openstack Cloud supports only pre and post scripts. The "discovered" in the directory name is the node state; discovery or hardware-installed should also work.

BTW: You can also create a custom control.sh script (and custom hooks) for a single node!

mkdir /updates/d52-54-00-9e-a6-90.cloud.default.net/
cp /updates/control.sh /updates/d52-54-00-9e-a6-90.cloud.default.net/

Some random notes – discovery/install

default pxelinux configuration
(see http://admin-node:8091/discovery/pxelinux.cfg/)

DEFAULT discovery
PROMPT 0
TIMEOUT 10
LABEL discovery
  KERNEL vmlinuz0
  append initrd=initrd0.img crowbar.install.key=machine-install:34e4b23a970dbb05df9c91e0c1cf4b512ecaa7b839c942b95d86db1962178ead69774a9dc8630b13da171bcca0ea204c07575997822b3ec1de984da97fca5b84 crowbar.hostname=d52-54-00-8b-c2-17.cloud.default.net crowbar.state=discovery
  IPAPPEND 2

allocated node

The sleshammer-image will wait for this entry (.*_install) on the admin-node once you allocate a node.

DEFAULT suse-11.3_install
PROMPT 0
TIMEOUT 10
LABEL suse-11.3_install
  KERNEL ../suse-11.3/install/boot/x86_64/loader/linux
  append initrd=../suse-11.3/install/boot/x86_64/loader/initrd   crowbar.install.key=machine-install:34e4b23a970dbb05df9c91e0c1cf4b512ecaa7b839c942b95d86db1962178ead69774a9dc8630b13da171bcca0ea204c07575997822b3ec1de984da97fca5b84 install=http://192.168.124.10:8091/suse-11.3/install autoyast=http://192.168.124.10:8091/nodes/d52-54-00-8b-c2-17.cloud.default.net/autoyast.xml ifcfg=dhcp4 netwait=60
  IPAPPEND 2

“No Java compiler available” on SLES11SP1 and tomcat6

On one of my two SLE11 machines I had a Java exception which I could not explain.

java.lang.IllegalStateException: No Java compiler available
	org.apache.jasper.JspCompilationContext.createCompiler(JspCompilationContext.java:229)
	org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:581)
	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:317)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	org.mule.galaxy.web.ThreadLocalCacheFilter.doFilter(ThreadLocalCacheFilter.java:27)
[...]
# rpm -qa tomcat6
tomcat6-6.0.18-20.35.36.1

Oracle Java JDK 1.6.0_27

After I compared both, I found some missing links on the second one.

# ln -s /usr/share/java/commons-collections-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/commons-dbcp-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/commons-pool-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/ecj.jar /usr/share/tomcat6/lib/

Restart Tomcat and be happy 🙂

openssl with version information under sles11sp1

If you are getting errors like this one

$ /path/to/program
/usr/lib/libcrypto.so.0.9.8: no version information available

you need a libcrypto.so and a libssl.so with version information.

Here is some information about the problem.

openssl has evolved to a very important library in Linux distribution. A
lot of cryptographic applications link to it including system libraries
like pam modules and apache modules. Now it becomes more and more
difficult to get all the binaries and libraries to link to the same
version of openssl. This leads to situations where an application uses
some libraries where one links to openssl 0.9.7 and another one to
version 0.9.8. Since the symbols of the libraries are not yet versioned
this leads to severe segfaults.

Install source package from the repository

$ zypper in -t srcpackages openssl

Create patches
/usr/src/packages/SOURCES/openssl-version-patch.patch

diff -Naur openssl-0.9.8h/Configure openssl-0.9.8h-new/Configure
--- openssl-0.9.8h/Configure	2008-05-02 01:11:30.000000000 +0200
+++ openssl-0.9.8h-new/Configure	2011-02-22 15:30:05.000000000 +0100
@@ -1327,6 +1327,8 @@
 	$shlib_minor=$2;
 	}

+$shared_ldflag .= " -Wl,--version-script=openssl.ld";
+
 open(IN,'$Makefile.new") || die "unable to create $Makefile.new:$!\n";
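Review bot: the added --version-script=openssl.ld is a relative path, so the linker looks for openssl.ld in whatever directory the link step runs from, which is why this patch has to carry a second, identical copy under engines/. Build the path from the top of the source tree so one map file serves every link. Separately, the trailing context line open(IN,'$Makefile.new") has mismatched quotes and the hunk shows fewer unchanged lines than its header (-1327,6 +1327,8) counts, so it will not apply as displayed; regenerate the patch from the real tree.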
diff -Naur openssl-0.9.8h/engines/openssl.ld openssl-0.9.8h-new/engines/openssl.ld
--- openssl-0.9.8h/engines/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/engines/openssl.ld	2011-02-22 15:31:41.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
+};
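Review bot: engines/openssl.ld is a byte-for-byte copy of the top-level openssl.ld added later in this patch, so the two can drift apart on the next edit. Keep a single map file and point the engines link at it, or say in the changelog why engines needs its own copy.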
diff -Naur openssl-0.9.8h/Makefile openssl-0.9.8h-new/Makefile
--- openssl-0.9.8h/Makefile	2008-05-28 10:48:27.000000000 +0200
+++ openssl-0.9.8h-new/Makefile	2011-02-22 15:30:59.000000000 +0100
@@ -140,9 +140,9 @@
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS=$(SHARED_FIPS) $(SHARED_CRYPTO) $(SHARED_SSL)
+SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
+SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld

 GENERAL=        Makefile
 BASENAME=       openssl
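Review bot: the three SHARED_* assignments are made in the top-level Makefile, a file that Configure writes out (the Configure hunk opens $Makefile.new), while the spec's own loop touches Makefile.org and engines/Makefile, so these lines are likely to be lost when the package build runs Configure, and the Configure hunk already appends the same --version-script flag. Drop this hunk or move the change to Makefile.org. The hard-coded -m64 in SHARED_LDFLAGS would also break a 32-bit build; leave the architecture flag to Configure.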
diff -Naur openssl-0.9.8h/openssl.ld openssl-0.9.8h-new/openssl.ld
--- openssl-0.9.8h/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/openssl.ld	2011-02-22 15:31:48.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
+};
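Review bot: the map has a single node with "global: *;" and no local: section, so every global symbol, internal helpers included, becomes part of the OPENSSL_0.9.8 interface. If that is intended, add a comment at the top of the file saying so; otherwise list the public symbols under global: and end the node with "local: *;".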

/usr/src/packages/SPECS/openssl.spec.patch

--- openssl.spec	2011-02-22 17:00:26.000000000 +0100
+++ openssl-new.spec	2011-02-22 16:59:58.000000000 +0100
@@ -32,7 +32,7 @@
 %endif
 #
 Version:        0.9.8h
-Release:        30.30.1
+Release:        30.30.1.custom
 Summary:        Secure Sockets and Transport Layer Security
 Url:            http://www.openssl.org/
 Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
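Review bot: Release: 30.30.1.custom only appends a suffix, so a later vendor update with a higher release replaces this build and drops the symbol versions again, which brings the "no version information available" message back for programs linked against the custom library. Note a package lock (zypper addlock) next to this change, or state how the custom build is meant to survive updates.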
@@ -67,6 +67,7 @@
 Patch26:        bug608666.patch
 Patch27:        CVE-2010-3864.patch
 Patch28:        CVE-2010-4180.patch
+Patch29:	openssl-version-patch.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
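Review bot: the new Patch29: line separates the tag and the file name with a tab, while Patch26 to Patch28 use spaces; align it with spaces like its neighbours. A one-line comment above it marking the patch as a local addition would help whoever rebases this onto the next vendor spec.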
@@ -222,6 +223,7 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 cp -p %{S:10} .
 # lib64 installation fixes
 for i in Makefile.org engines/Makefile; do
@@ -433,6 +435,8 @@
 %{_bindir}/%{name}

 %changelog
+* Tue Feb 22 2011 rmichel@devnu11.net
+- added for rsa usage the version information.
 * Tue Dec  7 2010 gjhe@novell.com
 - fix bug [bnc#657663]
   CVE-2010-4180
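Review bot: the changelog entry "added for rsa usage the version information." names neither the patch file nor what it changes. Something like "- add openssl-version-patch.patch: link the shared libraries with a version script (OPENSSL_0.9.8)" lets the next maintainer find the change.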

Patch the spec file

$ cd /usr/src/packages/SPECS/
$ patch -i openssl.spec.patch
patching file openssl.spec

Build the new rpm packages

$ rpmbuild -bb /usr/src/packages/SPECS/openssl.spec
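
Once the rebuilt packages are installed, the exported symbols should carry the OPENSSL_0.9.8 node from openssl.ld. The following added example (not from the original post) checks that from objdump -T output; the function names and the sample listings are constructed, and it assumes the binutils column layout described in the comments.

```bash
#!/bin/bash
# Added example (constructed, not from the original post): check that a rebuilt
# library exports its symbols under the OPENSSL_0.9.8 node from openssl.ld.
# Assumption: binutils `objdump -T` layout, where a defined dynamic symbol ends
# in "<version> <name>" and an export without a version node shows "Base".

# stdin: objdump -T output. $1: symbol. stdout: version column of its definition.
export_version() {
    awk -v sym="$1" '$NF == sym && index($0, "*UND*") == 0 { print $(NF-1); exit }'
}

# stdin: objdump -T output. $1: version node.
# stdout: "<exports under the node> <exports without it>"
count_exports() {
    awk -v node="$1" '
        / (g|w) / && index($0, "*UND*") == 0 && $NF != node {
            if ($(NF-1) == node) tagged++; else other++
        }
        END { printf "%d %d\n", tagged, other }'
}

# $1: library file, $2: symbol, $3: expected node. Runs objdump on a real file,
# e.g. check_library /usr/lib/libcrypto.so.0.9.8 RSA_new OPENSSL_0.9.8
check_library() {
    [ "$(objdump -T "$1" | export_version "$2")" = "$3" ]
}

# Constructed listings: the stock library and one built with the version script.
sample_stock() {
    cat <<'EOF'
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
00000000000d3f40 g    DF .text  0000000000000012  Base        RSA_new
00000000000d4a10 g    DF .text  000000000000002a  Base        RSA_free
EOF
}
sample_rebuilt() {
    cat <<'EOF'
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 free
0000000000000000 g    DO *ABS*  0000000000000000  OPENSSL_0.9.8 OPENSSL_0.9.8
00000000000d3f40 g    DF .text  0000000000000012  OPENSSL_0.9.8 RSA_new
00000000000d4a10 g    DF .text  000000000000002a  OPENSSL_0.9.8 RSA_free
EOF
}

echo "stock:   $(sample_stock | count_exports OPENSSL_0.9.8)"
echo "rebuilt: $(sample_rebuilt | count_exports OPENSSL_0.9.8)"
```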

Apache Tomcat & logrotate

Some Linux distributions are shipped without a logrotate config for catalina.out (Tomcat application server) 😉

$ cat /etc/logrotate.d/tomcat
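/var/log/tomcat/base/catalina.out {
	# gzip rotated files
	compress
	# copy the log, then truncate it in place, so Tomcat keeps its open file handle
	copytruncate
	# has no effect while copytruncate is set (the original file stays in place)
	create 644 tomcat tomcat
	# keep 30 rotated files
	rotate 30
	# rotate once the file is larger than 4 MB
	size 4M
}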

The catalina.out will be rotated after 4 MB and stored for 30 days (/var/log/tomcat/base/catalina.out.1; /var/log/tomcat/base/catalina.out.2.gz and so on)