
Clustering fails to establish trust domain trust on 12.1

Open pjbreaux opened this issue 9 years ago • 9 comments

When running the multi_device(cluster) tests against a 12.1 BIG-IP device, we get an exception in the validation of the trust domain:

>           raise DeviceNotTrusted(msg)
E           DeviceNotTrusted:
E           u'bigip1' is not trusted by u'bigip2', which trusts: [u'bigip2']
E           u'bigip2' is not trusted by u'bigip1', which trusts: [u'bigip1']

This is likely due to changes introduced in 12.1. This bug will track the work to fix that.

pjbreaux avatar Oct 19 '16 16:10 pjbreaux

Here's the heat output from an attempt to perform clustering on 12.1.1:

2017-08-07 13:05:19.878 22194 DEBUG root [-] post WITH uri: https://10.190.3.43:443/mgmt/tm/sys/application/template/ AND suffix:  AND kwargs: {'json': {'partition': u'Common', 'name': 'trusted_device', 'actions': {'definition': {'implementation': u'tmsh::modify cm trust-domain Root ca-devices add \\{ 10.2.1.5 \\} name bigip1 username admin password admin', 'presentation': ''}}}} wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:257
2017-08-07 13:05:19.917 22194 DEBUG root [-] RESPONSE::STATUS: 200 Content-Type: application/json Content-Encoding: None
Text: u'{"kind":"tm:sys:application:template:templatestate","name":"trusted_device","partition":"Common","fullPath":"/Common/trusted_device","generation":36,"selfLink":"https://localhost/mgmt/tm/sys/application/template/~Common~trusted_device?ver=12.1.1","ignoreVerification":"false","totalSigningStatus":"not-all-signed","verificationStatus":"none","actionsReference":{"link":"https://localhost/mgmt/tm/sys/application/template/~Common~trusted_device/actions?ver=12.1.1","isSubcollection":true}}' wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:265
2017-08-07 13:05:19.918 22194 DEBUG root [-] get WITH uri: https://10.190.3.43:443/mgmt/tm/sys/application/template/~Common~trusted_device AND suffix:  AND kwargs: {} wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:257
2017-08-07 13:05:19.927 22194 DEBUG root [-] RESPONSE::STATUS: 200 Content-Type: application/json Content-Encoding: None
Text: u'{"kind":"tm:sys:application:template:templatestate","name":"trusted_device","partition":"Common","fullPath":"/Common/trusted_device","generation":36,"selfLink":"https://localhost/mgmt/tm/sys/application/template/~Common~trusted_device?ver=12.1.1","ignoreVerification":"false","totalSigningStatus":"not-all-signed","verificationStatus":"none","actionsReference":{"link":"https://localhost/mgmt/tm/sys/application/template/~Common~trusted_device/actions?ver=12.1.1","isSubcollection":true}}' wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:265
2017-08-07 13:05:19.928 22194 DEBUG root [-] post WITH uri: https://10.190.3.43:443/mgmt/tm/sys/application/service/ AND suffix:  AND kwargs: {'json': {'partition': u'Common', 'name': 'trusted_device', 'template': u'/Common/trusted_device'}} wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:257
2017-08-07 13:05:20.350 22194 DEBUG root [-] RESPONSE::STATUS: 400 Content-Type: application/json Content-Encoding: None
Text: u'{"code":400,"message":"script did not successfully complete: (Could not add ca-device (error from devmgmtd): Cannot add a device with the same name as the self device.\\n    while executing\\n\\"tmsh::modify cm trust-domain Root ca-devices add \\\\{ 10.2.1.5 \\\\} name bigip1 username admin password admin\\" line:1)","errorStack":[],"apiError":3}' wrapper /usr/lib/python2.7/site-packages/icontrol/session.py:265
2017-08-07 13:05:20.350 22194 INFO heat.engine.resource [-] CREATE: F5CmCluster "cluster" Stack "cluster" [91a9c905-54e1-4d76-8fa9-5d8327fe61b3]

pjbreaux avatar Aug 07 '17 19:08 pjbreaux

@pjbreaux what is the status of this?

wojtek0806 avatar Sep 01 '17 08:09 wojtek0806

@wojtek0806 I'm looking into this now.

zancas avatar Sep 08 '17 20:09 zancas

@pjbreaux can you point me at the specific test that fails?

zancas avatar Sep 08 '17 20:09 zancas

Stand up two 12.1 bigips in over cloud and run the tests here: https://github.com/F5Networks/f5-common-python/blob/development/f5/multi_device/cluster/test/functional/test_cluster.py

Jeff has some heat templates to give you two over cloud bigips. Like I said, I think this is an onboarding issue, as the 12.1 bigips don't have the same selfips as two 11.6.1 devices. Also, the device and hostnames are not configured properly in 12.1. And the config sync addresses are not set on both 12.1 devices. For information on that, see https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-implementations-11-2-0/5.html, in the section titled 'Specifying an IP address for config sync'. I have had only a manner of success by changing the device and hostnames on each device, adding the config sync address on each, then trying to cluster. This is when the devices show up as active/active when they're supposed to be active/standby.

pjbreaux avatar Sep 08 '17 21:09 pjbreaux

@zancas ---^

pjbreaux avatar Sep 08 '17 21:09 pjbreaux

I notice the debug trace above specifically complains:

Cannot add a device with the same name as the self device.

zancas avatar Sep 08 '17 21:09 zancas
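
Added example (not part of the thread and not f5-common-python code): a pre-flight check for the conditions discussed above, namely colliding device names, missing config sync addresses, and devices that trust only themselves. The dict keys, function names and addresses are assumptions, and the device facts are constructed sample data rather than values read from a BIG-IP.

```python
from itertools import permutations


def preflight(devices):
    """Return onboarding problems that would block trust establishment."""
    problems = []
    owners_by_name = {}
    for dev in devices:
        owners_by_name.setdefault(dev["name"], []).append(dev["mgmt_ip"])
        if not dev.get("configsync_ip"):
            problems.append("%s: no config sync address set" % dev["mgmt_ip"])
    for name, owners in sorted(owners_by_name.items()):
        # Two devices with one name is the case devmgmtd rejects with
        # "Cannot add a device with the same name as the self device."
        if len(owners) > 1:
            problems.append(
                "device name %r shared by %s" % (name, ", ".join(owners)))
    return problems


def untrusted_pairs(devices):
    """Return (device, peer) pairs where peer does not list device as trusted."""
    return [(a["name"], b["name"])
            for a, b in permutations(devices, 2)
            if a["name"] not in b["trusts"]]


# Constructed sample: both devices kept the same default name, no config sync.
COLLIDING = [
    {"mgmt_ip": "192.0.2.10", "name": "bigip1", "configsync_ip": None,
     "trusts": ["bigip1"]},
    {"mgmt_ip": "192.0.2.11", "name": "bigip1", "configsync_ip": None,
     "trusts": ["bigip1"]},
]

# Constructed sample: names fixed, but each device still trusts only itself,
# the state reported by the DeviceNotTrusted exception in the issue.
SELF_ONLY = [
    {"mgmt_ip": "192.0.2.10", "name": "bigip1", "configsync_ip": "198.51.100.1",
     "trusts": ["bigip1"]},
    {"mgmt_ip": "192.0.2.11", "name": "bigip2", "configsync_ip": "198.51.100.2",
     "trusts": ["bigip2"]},
]

if __name__ == "__main__":
    for problem in preflight(COLLIDING):
        print("preflight:", problem)
    for dev, peer in untrusted_pairs(SELF_ONLY):
        print("%r is not trusted by %r" % (dev, peer))
```

Run `preflight` first: with colliding names, a name-based trust check reports no untrusted pairs even though the peer was never added.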

Use the 12.1 docs, as I can see you are looking at the 11.2 version.

wojtek0806 avatar Sep 09 '17 18:09 wojtek0806

Thanks @wojtek0806

zancas avatar Sep 11 '17 17:09 zancas