Bug 1433750

Summary: Neutron uses the Nova API public endpoint which may not be always reachable from the node running the Neutron service
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: openstack-tripleo-heat-templates
Assignee: Brent Eagles <beagles>
Status: CLOSED ERRATA
QA Contact: Toni Freger <tfreger>
Severity: high
Priority: medium
Version: 11.0 (Ocata)
CC: amuller, aschultz, beagles, cylopez, dbecker, jlibosva, lmarsh, mburns, mcornea, morazi, rhel-osp-director-maint
Target Milestone: z3
Keywords: TestOnly, Triaged, ZStream
Target Release: 13.0 (Queens)
Flags: lmarsh: needinfo-, lmarsh: needinfo-
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180215092255.el7.ost
Doc Type: If docs needed, set a value
: 1537757
Last Closed: 2018-11-13 22:26:39 UTC
Type: Bug
Bug Blocks: 1537757

Description Marius Cornea 2017-03-19 19:25:08 UTC
Description of problem:
Neutron uses the Nova API public endpoint which may not be always reachable from the node running the Neutron services. We could instead use the internal endpoint as this should be reachable from nodes which don't have access to the public endpoint network.

Scenario where this issue could show up:
Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed. 

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-6.0.0-0.20170307170102.3134785.0rc2.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud
2. Check /etc/neutron/neutron.conf

Actual results:
[nova]

#
# From neutron
#

# Name of nova region to use. Useful if keystone manages more than one region.
# (string value)
#region_name = <None>

# Type of the nova endpoint to use.  This endpoint will be looked up in the
# keystone catalog and should be one of public, internal or admin. (string
# value)
# Allowed values: public, admin, internal
#endpoint_type = public

Expected results:
endpoint_type = internal

Additional info:

Comment 1 Assaf Muller 2017-03-30 15:03:51 UTC
> Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.

If the Neutron API service is running on a different role, it would be connected to the same external networks the controller nodes are, because users need to be able to reach the public Neutron API endpoint. In that case, Neutron will always have access to the public Nova API endpoint, regardless if it's on a separate node or not. What am I missing?

Comment 2 Marius Cornea 2017-03-30 15:23:56 UTC
(In reply to Assaf Muller from comment #1)
> > Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.
> 
> If the Neutron API service is running on a different role, it would be
> connected to the same external networks the controller nodes are, because
> users need to be able to reach the public Neutron API endpoint. In that
> case, Neutron will always have access to the public Nova API endpoint,
> regardless if it's on a separate node or not. What am I missing?

The public Neutron API endpoint is exposed via HAProxy so the role which runs the Neutron API service doesn't need to be connected to the external network but it uses the internal_api network to reach the controller running HAProxy.

Comment 5 Cyril Lopez 2017-07-04 21:12:43 UTC
I used this workaround in an environment file :

parameter_defaults:
  NovaComputeExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

Comment 6 Cyril Lopez 2017-07-05 07:49:20 UTC
Sorry, it's on the controller node, so I made a mistake. It is this:

parameter_defaults:
  controllerExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

(In reply to Cyril Lopez from comment #5)
> I used this workaround in an environment file :
> 
> parameter_defaults:
>   NovaComputeExtraConfig:
>     neutron::config::server_config:
>       nova/endpoint_type:
>         value: internal
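
A way to confirm on a deployed node which Nova endpoint type Neutron will actually use, as an added example that is not part of the bug report or of TripleO. It assumes the config file contents are passed in as strings in the order the service loads them (a later file overrides an earlier one); the function names and both sample configs are constructed for illustration.

```python
import configparser

# Per the option help quoted in this bug, a commented-out
# "#endpoint_type = public" means the option is unset and "public" applies.
NOVA_ENDPOINT_DEFAULT = "public"
ALLOWED = {"public", "admin", "internal"}

def effective_nova_endpoint_type(conf_texts):
    """Return (value, explicitly_set) for [nova]/endpoint_type."""
    value, explicit = NOVA_ENDPOINT_DEFAULT, False
    for text in conf_texts:
        parser = configparser.ConfigParser(
            interpolation=None,             # values may contain '%'
            strict=False,                   # tolerate repeated options
            default_section="__unused__",   # keep [DEFAULT] out of [nova]
        )
        parser.read_string(text)
        if parser.has_option("nova", "endpoint_type"):
            value = parser.get("nova", "endpoint_type").strip()
            explicit = True
    return value, explicit

def audit(conf_texts):
    """Return findings; an empty list means the internal endpoint is used."""
    value, explicit = effective_nova_endpoint_type(conf_texts)
    if value not in ALLOWED:
        return [f"[nova]/endpoint_type has invalid value {value!r}"]
    if value != "internal":
        origin = "set explicitly" if explicit else "unset, default applies"
        return [f"[nova]/endpoint_type is {value} ({origin}); expected internal"]
    return []

# Constructed sample: the state shown under "Actual results".
AS_REPORTED = """\
[DEFAULT]
debug = False
[nova]
# Allowed values: public, admin, internal
#endpoint_type = public
"""

# Constructed sample: the state after the workaround is applied.
WITH_WORKAROUND = """\
[DEFAULT]
debug = False
[nova]
endpoint_type = internal
"""

if __name__ == "__main__":
    for name, text in (("as reported", AS_REPORTED), ("workaround", WITH_WORKAROUND)):
        print(name, audit([text]) or "ok")
```

On a real node, read `/etc/neutron/neutron.conf` and pass its text in a list to `audit()`.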

Comment 11 Lon Hohberger 2018-07-10 10:34:01 UTC
According to our records, this should be resolved by openstack-tripleo-heat-templates-8.0.2-38.el7ost.  This build is available now.

Comment 15 errata-xmlrpc 2018-11-13 22:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587