Bug 1205432 – instack-undercloud: unable to connect to the undercloud UI using IP.

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1205432 - instack-undercloud: unable to connect to the undercloud UI using IP.

Summary:	instack-undercloud: unable to connect to the undercloud UI using IP.

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	rhosp-director (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	Unspecified Unspecified

Priority	high Severity unspecified
Target Milestone:	y3
Target Release:	7.0 (Kilo)
Assigned To:	chris alfonso
QA Contact:	yeylon@redhat.com
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged, ZStream

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2015-03-24 17:50 EDT by Alexander Chuzhoy
Modified:	2016-04-18 03:14 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	The OpenStack Dashboard (Horizon) is not configured to accept connections on its local IP address. This mean you cannot browse the OpenStack Dashboard, including the Undercloud UI by IP address. As a workaround, use the Undercloud's FQDN instead of IP address. If access through the IP address is desired, edit /etc/openstack-dashboard/local_settings, add the IP address to the ALLOWED_HOSTS setting, then restart the httpd service. This enables the ability to browse OpenStack Dashboard through the host IP address.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-01-20 12:19:30 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	234939	None	None	None	Never
Gerrithub.io	227974	None	None	None	Never

Groups: None (edit)

Description Alexander Chuzhoy 2015-03-24 17:50:37 EDT

instack-undercloud: unable to connect to the undercloud UI using IP.

Environment:
instack-0.0.6.4-g57c723a.el7.centos.noarch
instack-undercloud-2.0.0-dev1491.g323e652.el7.centos.noarch


Steps to reproduce:
1. Install the undercloud.
2. Attempt to connect to horizon using the IP of the machine.


Result:
The requested URL /dashboard was not found on this server.

If, however, the FQDN of the host (with the undercloud installed on it) is placed in the URL - we get to the login window.


Expected result:
Working UI.

Comment 4 James Slagle 2015-03-25 12:20:19 EDT

this will be addressed by:
https://review.gerrithub.io/#/c/227974/

Comment 7 Alexander Chuzhoy 2015-06-18 12:21:30 EDT

Verified: FailedQA
Environment:
instack-undercloud-2.1.2-1.el7ost.noarch

Connecting with IP:
Bad Request (400)

Connecting with the hostname - works as expected.

Comment 9 James Slagle 2015-06-24 10:02:14 EDT

Please attach /etc/openstack-dashboard/local_settings here
What IP are you using to try and connect to horizon?
Please also run the following on the undercloud and provide the output:
hiera controller_host

Comment 10 Mike Burns 2015-06-25 10:12:55 EDT

Adding Omri since sasha is not around

Comment 11 James Slagle 2015-06-30 14:59:25 EDT

so, this still needs info from QE.

But, what I suspect was happening was that an attempt was made to connect to the undercloud horizon using the libvirt default network ip of the instack vm in a virt setup. This isn't the IP address that we write to allowed_hosts in /etc/openstack-dashboard/local_settings.

we write the value for local_ip there, which is typically 192.0.2.1. If you tried to connect to that IP, it would work (verified in my environment).

We don't write all local IP addresses of the undercloud to that file.

We do however write the hostname, so in a baremetal environment where the undercloud actually has a resolvable hostname then you could also connect to it that way.

To work around this in a virt setup, either add a route to 192.0.2.0/24 from the machine that is running the web browser, or add an entry for the hostname to /etc/hosts and connect via hostname.

Comment 12 Omri Hochman 2015-07-06 14:17:18 EDT

I'm getting the same results as Sasha,  by default: 

browse hosts name : 
--------------------
http://rhos-compute-node-18.osqe.lab.eng.bos.redhat.com/dashboard - Works. 

browse external IP: 
---------------------
http://10.19.184.15/dashboard - Fails 

-------------------------------------------------------------------------------

As James mentioned on Comment #11,  that's the default settings under /etc/openstack-dashboard/local_settings : 

#ALLOWED_HOSTS = ['horizon.example.com', ]

ALLOWED_HOSTS = ['192.168.0.1', 'rhos-compute-node-18.osqe.lab.eng.bos.redhat.com', 'localhost', ]


Workaround: 
-----------
(a) edit : /etc/openstack-dashboard/local_settings  

ALLOWED_HOSTS = ['*', 'rhos-compute-node-18.osqe.lab.eng.bos.redhat.com', 'localhost', ]


(b) service httpd restart. 

Changing the allowed hosts from  '192.168.0.1'  to  '*'  and restart httpd, allow to browse undercloud UI via : http://10.19.184.15/dashboard ,

Comment 13 James Slagle 2015-07-07 08:30:03 EDT

(In reply to Omri Hochman from comment #12)
> I'm getting the same results as Sasha,  by default: 
> 
> browse hosts name : 
> --------------------
> http://rhos-compute-node-18.osqe.lab.eng.bos.redhat.com/dashboard - Works. 
> 
> browse external IP: 
> ---------------------
> http://10.19.184.15/dashboard - Fails 
> 
> -----------------------------------------------------------------------------
> --
> 
> As James mentioned on Comment #11,  that's the default settings under
> /etc/openstack-dashboard/local_settings : 
> 
> #ALLOWED_HOSTS = ['horizon.example.com', ]
> 
> ALLOWED_HOSTS = ['192.168.0.1',
> 'rhos-compute-node-18.osqe.lab.eng.bos.redhat.com', 'localhost', ]
> 
> 
> Workaround: 
> -----------
> (a) edit : /etc/openstack-dashboard/local_settings  
> 
> ALLOWED_HOSTS = ['*', 'rhos-compute-node-18.osqe.lab.eng.bos.redhat.com',
> 'localhost', ]
> 
> 
> (b) service httpd restart. 
> 
> Changing the allowed hosts from  '192.168.0.1'  to  '*'  and restart httpd,
> allow to browse undercloud UI via : http://10.19.184.15/dashboard ,

I'd call this not a bug or perhaps an RFE if you can clarify what you're asking for.

ALLOWED_HOSTS is explicitlly not set to '*' as a security precaution:
https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts

We configure ALLOWED_HOSTS with the hostname and IP address of the undercloud we know about. The other IP addresses that might be assigned to any other interfaces on the box we do not add to ALLOWED_HOSTS as we don't do anything to discover them, or even know if they're set via dhcp (in which case adding them to ALLOWED_HOSTS still isn't a good idea).

Comment 14 Omri Hochman 2015-07-07 14:10:22 EDT

Agree that using '*' is not the right way - maybe the specific machine IP instead ?.

but if we're not going to allow access the undercloud-ui via IP-address, we should add it to the documentation,  that accessing the undercloud-ui can be done only by browsing the <Instack-FQDN> .

Comment 15 Mike Burns 2015-09-01 11:04:36 EDT

the patch has been included for a long time, but additional discussion around this since then shows it's not a final solution.

Note You need to log in before you can comment on or make changes to this bug.