Bug 1445766
| Summary: | Horizon is not reachable when Horizon service is running on a standalone role | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Marius Cornea <mcornea> | |
| Component: | openstack-tripleo-heat-templates | Assignee: | Radomir Dopieralski <rdopiera> | |
| Status: | CLOSED ERRATA | QA Contact: | Udi Kalifon <ukalifon> | |
| Severity: | urgent | Docs Contact: | ||
| Priority: | high | |||
| Version: | 11.0 (Ocata) | CC: | abishop, aschultz, dbecker, emacchi, iovadia, jjoyce, jmelvin, jpichon, jrist, mburns, mlopes, morazi, rdopiera, rhel-osp-director-maint, slinaber | |
| Target Milestone: | z5 | Keywords: | Triaged, ZStream | |
| Target Release: | 11.0 (Ocata) | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | openstack-tripleo-heat-templates-6.2.7-3.el7ost | Doc Type: | No Doc Update | |
| Doc Text: |
undefined
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1537168 1542203 (view as bug list) | Environment: | ||
| Last Closed: | 2018-05-18 17:02:55 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1537168, 1542203 | |||
|
Description
Marius Cornea
2017-04-26 13:08:21 UTC
A short explanation of what I know so far: In this particular configuration, you are not accessing horizon directly, but instead through a loadbalancer on the controller node. That loadbalancer is configured to proxy the traffic to the correct node, however, the ports on which it does that are not open in its firewall configuration. This is not a problem specific to Horizon, as that works fine on its own node. It just can't be accessed, because this one piece of configuration is missing. Of course this should be handled automatically by tripleo. So this is something missing somewhere in our heat templates, that should tell puppet to open the ports when it configures haproxy to forward for Horizon. The fix will most likely be in tripleo-heat-templates. I'm looking into this but I don't think this ever worked (even in 10) as the firewall rules would not end up on the right host if horizon is not collocated with haproxy. Currently when splitting out horizon needs to be colocated with haproxy or an external load balancer needs to be used for it to work. What's happening is that today the 80/443 firewall rule comes from the horizon service in THT. When it is not on the same node as haproxy, the 80/443 rule is only applied to the horizon node and haproxy is not configured to allow 80/443 connections. Possible fix https://review.openstack.org/#/c/460175 According to our records, this should be resolved by openstack-tripleo-heat-templates-6.2.0-3.el7ost. This build is available now. The bug wasn't backported to Ocata upstream and downstream. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1627 |