On 10/24/24 16:43, Andy Speagle wrote:
Hey Folks,
I'm having some trouble getting barbican to generate and/or store keys in our hashicorp vault in our charmed openstack environment. I have issues with both TPM and SSL related keys.
I get extremely generic errors back that I can't seem to figure out how to troubleshoot:
'Traceback (most recent call last):\n File "/usr/lib/python3/dist-packages/nova/conductor/manager.py", line 688, in build_instances\n scheduler_utils.populate_retry(\n File "/usr/lib/python3/dist-packages/nova/scheduler/utils.py", line 998, in populate_retry\n raise exception.MaxRetriesExceeded(reason=msg)\nnova.exception.MaxRetriesExceeded: Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 0c50b2d7-8ac5-41a2-90ab-1e33f7aa1c22. Last exception: Key manager error: Internal Server Error: Secret creation failure seen - please contact site administrator.\n'
Just FYI this is the generic MaxRetriesExceeded error which means that the server action failed on nova-compute(s). So you'll want to look in your nova-compute.log for the error that triggered the retries and eventual MaxRetriesExceeded.
I'm using barbican 14.0.2 in yoga/stable ... anyone have any ideas how to troubleshoot this?
I'm guessing in nova-compute.log you will see an error 403 forbidden for creating a barbican secret. If so, the most common reason I have seen for this is if you have in your barbican.conf [oslo.policy]enforce_new_defaults = False, then secret creates require the requester to have the 'creator' role assigned to them (you can do this by 'openstack role add <options> <role>' [1]). When [oslo.policy]enforce_new_defaults = True, the 'creator' role is not required.
The tl;dr is 'enforce_new_defaults' means to use the newer secure RBAC policies and the secure RBAC changes are shown in the Wallaby release notes: https://docs.openstack.org/releasenotes/barbican/wallaby.html
If you're curious about the code, you can see the deprecated vs current policy checks here (note this is the master branch): https://github.com/openstack/barbican/blob/97ce039f266f4a9ffef3798b8d0f6ac71...
-melwitt
[1] https://docs.openstack.org/python-openstackclient/latest/cli/command-objects...
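The check described in the reply above, as an added example that is not part of the original message or of barbican's own code: it reads `enforce_new_defaults` from a barbican.conf and compares the requester's role assignments against the 'creator' requirement as the reply states it. The sample config, the user and project names, and the JSON shape (modelled on `openstack role assignment list --names -f json`) are constructed assumptions.

```python
import configparser
import json

# Constructed sample inputs (not taken from the thread).
SAMPLE_BARBICAN_CONF = """
[DEFAULT]
debug = False

[oslo_policy]
enforce_new_defaults = False
"""

# Constructed; shape assumed to match `openstack role assignment list --names -f json`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "member", "User": "demo@Default", "Project": "tenant-a@Default"},
    {"Role": "reader", "User": "demo@Default", "Project": "tenant-a@Default"},
])


def new_defaults_enforced(conf_text):
    """Return the enforce_new_defaults setting from barbican.conf text as a bool."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # oslo.policy registers its options under the [oslo_policy] group.
    # Assumption: an absent section or option is treated as False here.
    return cp.getboolean("oslo_policy", "enforce_new_defaults", fallback=False)


def roles_for(assignments_json, user, project):
    """Collect the role names assigned to `user` on `project`."""
    return {
        a["Role"] for a in json.loads(assignments_json)
        if a.get("User", "").split("@")[0] == user
        and a.get("Project", "").split("@")[0] == project
    }


def diagnose(conf_text, assignments_json, user, project):
    """Say whether a 403 on secret creation fits the missing-'creator' case."""
    if new_defaults_enforced(conf_text):
        return "new-defaults: 'creator' not required; look elsewhere"
    if "creator" in roles_for(assignments_json, user, project):
        return "legacy-policy: 'creator' present; look elsewhere"
    return "legacy-policy: 'creator' missing; secret create will be denied"


if __name__ == "__main__":
    print(diagnose(SAMPLE_BARBICAN_CONF, SAMPLE_ASSIGNMENTS, "demo", "tenant-a"))
```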