In ansible, in the toddlers playbook we create a toddlers user and a toddlers queue: https://pagure.io/fedora-infra/ansible/blob/master/f/playbooks/openshift-apps/toddlers.yml#_19-32
In the fedora-messaging configuration, we're connecting to the toddlers queue: https://pagure.io/fedora-infra/ansible/blob/master/f/roles/openshift-apps/toddlers/templates/fedora-messaging.toml#_27-36
However, when the pod starts in openshift it gets:
[INFO toddlers.runner] Updating the routing_keys of the queue toddlers to the topics of interest
[INFO fedora_messaging.twisted.service] Authenticating with server using x509 (certfile: /etc/pki/rabbitmq/cert/toddlers.crt, keyfile: /etc/pki/rabbitmq/key/toddlers.key)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[WARNING pika.channel] Received remote Channel.Close (403): "ACCESS_REFUSED - access to queue 'toddlers' in vhost '/pubsub' refused for user 'toddlers'" on <Channel number=2 OPEN conn=<pika.adapters.twisted_connection._TwistedConnectionAdapter object at 0x7f058fd3ebd0>>
[ERROR fedora_messaging.cli] Unable to declare the queue object on the AMQP broker. The broker responded with (403, "ACCESS_REFUSED - access to queue 'toddlers' in vhost '/pubsub' refused for user 'toddlers'"). Check permissions for your user.
[INFO fedora_messaging.twisted.protocol] Waiting for 0 consumer(s) to finish processing before halting
[INFO fedora_messaging.twisted.protocol] Finished canceling 0 consumers
On the server side, I see:
2020-06-24 19:27:02.893 [error] <0.488.165> Channel error on connection <0.30768.164> (....:56444 -> ...:5671, vhost: '/pubsub', user: 'toddlers'), channel 2: operation queue.declare caused a channel exception access_refused: access to queue 'toddlers' in vhost '/pubsub' refused for user 'toddlers'
2020-06-24 19:27:02.896 [info] <0.30768.164> closing AMQP connection <0.30768.164> (...:56444 -> 10.3.163.80:5671, vhost: '/pubsub', user: 'toddlers')
I've been looking at the admin UI and couldn't see anything standing out.
Help most welcome on this, I'm running a bit out of ideas.
Whenever convenient, no hurry there
Note: I've scaled down the project to 0 pods in openshift as they do not work anyway.
I was able to get a shell in a pod and was able to check that the certs are looking good (afaict) and were accessible, so this doesn't seem like a permission error on the filesystem inside the pod or so.
So @abompard fixed that in less than 2 minutes... We need to specify passive_declare = true in the configuration file.
passive_declare = true
This was fixed in https://pagure.io/fedora-infra/ansible/c/03e5ce1b44e9b4cd94e3ebc653e677ff124d2873?branch=master
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
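Added example, not part of the ticket and not code from fedora-messaging or the Fedora infrastructure repository: a small triage helper that pulls access_refused channel errors out of RabbitMQ broker log text and reports which permission class the refused operation needs. The operation-to-permission table follows RabbitMQ's access-control documentation; the names `triage`, `REQUIRED`, `REFUSED` and `SAMPLE` are hypothetical, and the sample is the broker log quoted in this ticket.

```python
import re

# Permission RabbitMQ checks per AMQP 0-9-1 operation, per its access-control
# documentation. A passive declare only checks existence and needs none.
REQUIRED = {
    "queue.declare": "configure", "queue.delete": "configure",
    "exchange.declare": "configure", "exchange.delete": "configure",
    "queue.bind": "write", "basic.publish": "write",
    "queue.purge": "read", "basic.consume": "read", "basic.get": "read",
}

REFUSED = re.compile(
    r"operation\s+(?P<op>[\w.]+)\s+caused a channel exception access_refused:"
    r"\s+access to (?P<kind>\w+) '(?P<name>[^']*)' in vhost '(?P<vhost>[^']*)'"
    r" refused for user '(?P<user>[^']*)'"
)

def triage(log_text):
    """Return one finding per access_refused channel error in broker log text."""
    findings = []
    for m in REFUSED.finditer(log_text):
        f = m.groupdict()
        f["needs"] = REQUIRED.get(f["op"], "unknown")
        if f["op"].endswith(".declare"):
            # Assumption: the resource is pre-created by an admin, as in this ticket.
            f["hint"] = ("resource pre-created by an admin? declare it passively "
                         "instead of granting configure")
        else:
            f["hint"] = f"review the {f['needs']} pattern for this user"
        findings.append(f)
    return findings

# Broker log lines as quoted in the ticket (addresses elided there).
SAMPLE = (
    "2020-06-24 19:27:02.893 [error] <0.488.165> Channel error on connection "
    "<0.30768.164> (....:56444 -> ...:5671, vhost: '/pubsub', user: 'toddlers'), "
    "channel 2: operation queue.declare caused a channel exception access_refused: "
    "access to queue 'toddlers' in vhost '/pubsub' refused for user 'toddlers'\n"
    "2020-06-24 19:27:02.896 [info] <0.30768.164> closing AMQP connection "
    "<0.30768.164> (...:56444 -> 10.3.163.80:5671, vhost: '/pubsub', user: 'toddlers')\n"
)

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['user']}@{f['vhost']}: {f['op']} on {f['kind']} {f['name']!r} "
              f"needs {f['needs']}; {f['hint']}")
```
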