Bug 1418159

Summary: OpenStack Heat may fail to connect keystone admin API in multi-region environment
Product: Red Hat OpenStack Reporter: Akira YOSHIYAMA <a-yoshiyama>
Component: openstack-heatAssignee: Rabi Mishra <ramishra>
Status: CLOSED ERRATA QA Contact: Amit Ugol <augol>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0 (Mitaka)CC: a-yoshiyama, jjoyce, mburns, ramishra, rhel-osp-director-maint, sbaker, sclewis, shardy, srevivo, zbitter
Target Milestone: asyncKeywords: Triaged, ZStream
Target Release: 9.0 (Mitaka)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-heat-6.1.0-3.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1419348 1428632 (view as bug list) Environment:
Last Closed: 2017-06-14 15:37:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1419348, 1428632    
Attachments:
Description Flags
our patch to fix this problem none

Description Akira YOSHIYAMA 2017-02-01 04:12:04 UTC 
Created attachment 1246507 [details]
our patch to fix this problem

Description of problem:
Heat uses Keystone Trust to build a stack as a tenant user. To do so, heat-engine needs connections to a Keystone admin API endpoint.
In multi-region environment, each region may have its own Keystone admin API and Keystone may have multiple endpoint entries. In this case, heat-engine uses the 1st. So, heat-engine in regions without the 1st endpoint tries to connect another region with the 1st. It will fail if there is no route to the endpoint.

Version-Release number of selected component (if applicable):
openstack-heat-common-6.0.0-8.el7ost.noarch

How reproducible:
100% in regions without the 1st endpoint.

Steps to Reproduce:
1. Register multiple Keystone admin endpoints. The 1st entry should have dummy region name and inaccessible IP address from heat-engine.
2. "heat stack-create <template>"
3.

Actual results:
heat command failed with and error:
ConnectFailure: Unable to establish connection to http://<inaccessbile>:35357/v2.0/OS-TRUST/trusts

Expected results:
heat-engine works properly and the stack creation completed.

Additional info:
The attached patch fixes the problem.
Comment 1 Zane Bitter 2017-02-02 15:57:54 UTC 
Can you please submit this patch upstream and post a link to the review here? I will make sure it gets reviewed and backported. Thanks!
Comment 6 errata-xmlrpc 2017-06-14 15:37:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:1464