Bug 1485446
| Summary: | [OSP12] horizon stanza in haproxy.cfg needs tweaking | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Michele Baldessari <michele> | |
| Component: | puppet-tripleo | Assignee: | Michele Baldessari <michele> | |
| Status: | CLOSED ERRATA | QA Contact: | nlevinki <nlevinki> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 12.0 (Pike) | CC: | bperkins, chjones, jjoyce, jschluet, rohara, sclewis, slinaber, tvignaud, ushkalim | |
| Target Milestone: | z2 | Keywords: | Triaged, ZStream | |
| Target Release: | 12.0 (Pike) | |||
| Hardware: | Unspecified | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | puppet-tripleo-7.4.8-1.el7ost | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1552245 (view as bug list) | Environment: | ||
| Last Closed: | 2018-03-28 17:27:14 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1552245 | |||
|
Description
Michele Baldessari
2017-08-25 18:10:08 UTC
Should look like this: server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2 server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-1 fall 5 inter 2000 rise 2 server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-2 fall 5 inter 2000 rise 2 The cookie name should be the same as the respective service name. Ok so with the linked review, I correctly get:
listen horizon
bind 10.0.0.5:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 10.0.0.5:80 transparent
bind 172.17.0.18:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 172.17.0.18:80 transparent
mode http
cookie SERVERID insert indirect nocache
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
option forwardfor
option httpchk
redirect scheme https code 301 if !{ ssl_fc }
rsprep ^Location:\ http://(.*) Location:\ https://\1
server overcloud-controller-0.internalapi.localdomain 172.17.0.14:80 check cookie overcloud-controller-0.internalapi.localdomain fall 5 inter 2000 rise 2
server overcloud-controller-1.internalapi.localdomain 172.17.0.17:80 check cookie overcloud-controller-1.internalapi.localdomain fall 5 inter 2000 rise 2
server overcloud-controller-2.internalapi.localdomain 172.17.0.19:80 check cookie overcloud-controller-2.internalapi.localdomain fall 5 inter 2000 rise 2
Ryan, could you expand a bit on the impact of this? I.e. should I look at backporting this to pike?
Yes, this should probably be backported. The problem here is that the cookie is being inserted into the response by haproxy so that we have session persistence. When you login to horizon you want the session to be persistent and go to the same backend server. When haproxy sees a match for the cookie, it does just that. The cookie value will should match the server name. Prior to your fix (see comment #0) each server was matching on the same cookie (overcloud-controller-0) which is not correct. What I would best to to demonstrate the problem and verify the fix. I am not sure how to do this because in my environment (everything running in VMs) it is difficult to open a web browser and point to the horizon VIP. Is there a trick we can use to do this? (Note there's an OSP10 bz about this, which could be used for the backport, at https://bugzilla.redhat.com/show_bug.cgi?id=1520799) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0607 |