Bug 1420111

Summary: upgrade from osp8 to osp9 breaks keystone.
Product: Red Hat OpenStack
Reporter: Jeremy <jmelvin>
Component: openstack-tripleo
Assignee: James Slagle <jslagle>
Status: CLOSED CURRENTRELEASE
QA Contact: Arik Chernetsky <achernet>
Severity: high
Priority: high
Version: 9.0 (Mitaka)
CC: aschultz, augol, mburns, mcornea, rhel-osp-director-maint, sathlang
Last Closed: 2017-02-09 18:14:17 UTC
Type: Bug

Description Jeremy 2017-02-07 21:02:08 UTC
Description of problem: The IP used by httpd is wrongly set after the upgrade. Below are the customer details. You will see that it's set as the internal API IP address instead of the external IP address. I suspect a problem with the way the keystone wsgi puppet manifest brings in this IP to http and the vhost. If we change the IP address in /etc/httpd/conf/ports.conf to the proper external IPs for each controller then keystone works.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Upgrade from osp8 to osp9

Actual results:
keystone broken. stack commands fail

Expected results:
keystone works

Additional info:

### Stack commands fail after upgrade from osp8 to osp9.
### Changing haproxy keystone_admin to match the keystone wsgi address works.


###network-environment.yaml
  ExternalAllocationPools: [{'start': '10.214.14.76', 'end': '10.214.14.100'}]
  InternalApiAllocationPools: [{'start': '10.214.14.194', 'end': '10.214.14.240'}]
  ServiceNetMap:
    KeystoneAdminApiNetwork: external
    KeystonePublicApiNetwork: internal_api

###haproxy.conf
listen keystone_admin 
  bind 10.214.14.76:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server oslabwlk108 10.214.14.66:35357 check fall 5 inter 2000 rise 2   #change this to .197 causes it to work
  server oslabwlk109 10.214.14.67:35357 check fall 5 inter 2000 rise 2
  server oslabwlk110 10.214.14.68:35357 check fall 5 inter 2000 rise 2

listen keystone_public
  bind 10.214.14.76:5000 transparent
  bind 10.214.14.194:5000 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server oslabwlk108 10.214.14.197:5000 check fall 5 inter 2000 rise 2
  server oslabwlk109 10.214.14.196:5000 check fall 5 inter 2000 rise 2
  server oslabwlk110 10.214.14.201:5000 check fall 5 inter 2000 rise 2



####keystone's vhost file.
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost 10.214.14.197:35357>
  ServerName oslabwlk108.localdomain

  ## Vhost docroot
  DocumentRoot "/var/www/cgi-bin/keystone"

  ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone

  <Directory "/var/www/cgi-bin/keystone">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=32 threads=1 user=keystone
  WSGIProcessGroup keystone_admin
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
  WSGIPassAuthorization On
</VirtualHost>



###keystone.conf
public_endpoint = http://10.214.14.76:5000
public_port=5000
admin_bind_host=10.214.14.66
public_bind_host=10.214.14.197
admin_port=35357
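
The mismatch described in this report can be checked mechanically. The following is an added example, not part of the original report and not Red Hat tooling: it compares the haproxy backend configured for a controller with the address the httpd vhost actually binds. The excerpts are constructed from the configuration quoted above, and the function names are hypothetical.

```python
import re

# Excerpts constructed from the haproxy.conf and vhost file quoted in this report.
HAPROXY = """\
listen keystone_admin
  bind 10.214.14.76:35357 transparent
  server oslabwlk108 10.214.14.66:35357 check fall 5 inter 2000 rise 2
  server oslabwlk109 10.214.14.67:35357 check fall 5 inter 2000 rise 2
listen keystone_public
  server oslabwlk108 10.214.14.197:5000 check fall 5 inter 2000 rise 2
"""
VHOSTS = """\
<VirtualHost 10.214.14.197:35357>
  ServerName oslabwlk108.localdomain
</VirtualHost>
"""

def haproxy_backends(text):
    """Map each listen section to {server name: (ip, port)}."""
    sections, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "listen" and len(fields) > 1:
            current = sections.setdefault(fields[1], {})
        elif fields[0] == "server" and current is not None and len(fields) >= 3:
            ip, _, port = fields[2].rpartition(":")
            current[fields[1]] = (ip, int(port))
    return sections

def vhost_binds(text):
    """Return (ip, port) for every <VirtualHost ip:port> line."""
    return [(ip, int(port)) for ip, port in
            re.findall(r"<VirtualHost\s+([\d.]+):(\d+)>", text)]

def find_mismatches(haproxy_text, vhost_text, host):
    """List sections whose backend for `host` targets a port httpd serves
    but an address httpd is not bound to: (section, backend ip, bound ips)."""
    binds = vhost_binds(vhost_text)
    ports = {port for _, port in binds}
    problems = []
    for section, servers in haproxy_backends(haproxy_text).items():
        backend = servers.get(host)
        if backend and backend[1] in ports and backend not in binds:
            bound = [ip for ip, port in binds if port == backend[1]]
            problems.append((section, backend[0], bound))
    return problems
```

Run against the vhost files on each controller, a non-empty result identifies the listen section whose health checks will fail because nothing is listening on the backend address.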

Comment 1 Red Hat Bugzilla Rules Engine 2017-02-07 21:02:14 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 3 Sofer Athlan-Guyot 2017-02-09 18:14:17 UTC
Hi,

I confirm that a *minor* update is required to get the latest osp8 puppet-module before starting the major upgrade.

As noted by Matt Flusche:

"Looks like they are using an older version of openstack-puppet-modules. I see 7.0.17-1.el7ost.noarch from the sosreport; 7.1.5-1 is the most current. 

Also this BZ is addressed in a more current release and is required for keystone update. 

I assume this is the issue. 

From the openstack-puppet-modules changelog: 

* Sat Jun 18 2016 Lukas Bezdicka <lbezdick@redhat.com> 1:7.1.2-1 - Update to upstream 7.1.2 
  - [puppet-keystone] Add keystone::wsgi::apache::admin_bind_host param (rhbz#1347827)

Closing this one.  Don't hesitate to re-open it if needed.