Bug 1235624

Summary: The VIP for keystone and horizon should not be on the control plane
Product: Red Hat OpenStack
Reporter: Udi Kalifon <ukalifon>
Component: rhosp-director
Assignee: Dan Sneddon <dsneddon>
Status: CLOSED ERRATA
QA Contact: Udi Kalifon <ukalifon>
Severity: high
Priority: high
Version: 7.0 (Kilo)
CC: calfonso, dmacpher, dsneddon, lnatapov, mburns, mcornea, morazi, rhel-osp-director-maint, rrosa
Target Milestone: ga
Keywords: Triaged
Target Release: Director
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-0.8.6-19.el7ost
Doc Type: Bug Fix
Doc Text:
When deploying an Overcloud, the director placed the Public VIP services on the Provisioning network's "ctlplane". This meant you could not reach the horizon and keystone services from outside of the Overcloud. This fix patches the Heat templates to place the Public VIP on the External network.
Last Closed: 2015-08-05 13:56:03 UTC
Type: Bug

Description Udi Kalifon 2015-06-25 10:58:37 UTC
Description of problem:
The VIP for keystone and the GUI is on the control plane: export OS_AUTH_URL=http://192.0.2.14:5000/v2.0/

My deployment is on bare metals which are also on the 10.35.xxx.xxx network (and in addition it's a HA setup) - is there a way to have a VIP on that network without going through ssh tunnels from the undercloud? If I have to do it via the undercloud, the HA is worthless because as soon as the undercloud node goes down I'll have no way to get to the overcloud as well.


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-15.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. I deployed with: openstack overcloud deploy --plan-uuid 30b02f2a-6ccc-4c10-ada4-7dfb93faf3ec --control-scale 3 --neutron-public-interface eth2 --network-cidr 192.168.0.0/16 --floating-ip-start 10.35.190.10 --floating-ip-end 10.35.190.50 --floating-id-cidr 10.35.190.0/24 --bm-network-gateway 10.35.190.254 --neutron-network-type gre --neutron-tunnel-type gre

Comment 3 Udi Kalifon 2015-06-25 11:00:04 UTC
Dan, is there a patch for this upstream/downstream?

Comment 4 Dan Sneddon 2015-06-25 17:46:10 UTC
(In reply to Udi from comment #3)
> Dan, is there a patch for this upstream/downstream?

I'm pretty sure that this behavior is because of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1235476

There is an upstream patch to fix that, and assuming it passes CI and gets some +2 reviews it should be merged downstream.

Comment 5 Marius Cornea 2015-06-26 16:19:52 UTC
Verified Dan's patch and the public VIP gets created on the external network:
http://paste.openstack.org/show/321395/

I filed BZ#1236136 in regards to all keystone endpoints using the public VIP.

Comment 7 Leonid Natapov 2015-07-22 08:08:09 UTC
openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch

keystone and horizon VIP are on external network.

Comment 9 errata-xmlrpc 2015-08-05 13:56:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549