After having successfully bootstrapped a maas-controller on a maas cloud with four servers, I am now trying to deploy openstack/base with juju. All containers have come up and are now in the ‘active/idle’ state. The only exceptions are the ovn-central and the ovn-chassis apps. They are in a ‘blocked’ state, with the message being ‘certificates missing’. When I juju ssh into one of the ovn-central units and run journalctl -p err -b, I get the following error:
May 26 22:24:26 juju-58128b-0-lxd-5 systemd[4316]: snap-snapd-7264.mount: Failed to set up kernel keyring: Required key not available
May 26 22:24:26 juju-58128b-0-lxd-5 systemd[4316]: snap-snapd-7264.mount: Failed at step KEYRING spawning /bin/mount: Required key not available
May 26 22:24:26 juju-58128b-0-lxd-5 systemd[1]: Failed to mount Mount unit for snapd, revision 7264.
May 26 22:37:48 juju-58128b-0-lxd-5 systemd-udevd[6433]: Failed to chown '/dev/net/tun' 0 0: Operation not permitted
May 26 22:37:48 juju-58128b-0-lxd-5 systemd-udevd[6433]: Failed to apply permissions on static device nodes: Operation not permitted
May 26 22:38:09 juju-58128b-0-lxd-5 systemd[1]: Failed to start Execute cloud user/final scripts.
May 27 08:56:34 juju-58128b-0-lxd-5 systemd[185756]: snap-lxd-15161.mount: Failed to link user keyring into session keyring: Required key not available
May 27 08:56:34 juju-58128b-0-lxd-5 systemd[185756]: snap-lxd-15161.mount: Failed to set up kernel keyring: Required key not available
May 27 08:56:34 juju-58128b-0-lxd-5 systemd[185756]: snap-lxd-15161.mount: Failed at step KEYRING spawning /bin/mount: Required key not available
May 27 08:56:34 juju-58128b-0-lxd-5 systemd[1]: Failed to mount Mount unit for lxd, revision 15161.
Thanks for the reply. I have used juju deploy cs:bundle/openstack-base as indicated here. Could there be a link with vault having to be unsealed before this container requests the key?
Thanks a lot. I am trying to remove and redeploy the ovn applications, let’s see if that works. Edit: I have tried this, but it yields the same error. So it is not a question of vault not being unsealed at the moment of installation.
So you do need to unseal Vault but what you also need is an SSL server certificate. You can either do this automatically or manually (with the vault charm’s actions).
Automatically
Have Vault generate a CA certificate and sign a certificate: