1235624 – The VIP for keystone and horizon should not be on the control plane

Bug 1235624 - The VIP for keystone and horizon should not be on the control plane

Summary: The VIP for keystone and horizon should not be on the control plane

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	rhosp-director
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	ga
Target Release:	Director
Assignee:	Dan Sneddon
QA Contact:	Udi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-06-25 10:58 UTC by Udi
Modified:	2015-08-05 13:56 UTC (History)
CC List:	9 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-0.8.6-19.el7ost
Doc Type:	Bug Fix
Doc Text:	When deploying an Overcloud, the director placed the Public VIP services on the Provisioning network's "ctlplane". This meant you could not reach the horizon and keystone services from outside of the Overcloud. This fix patches the Heat templates to place the Public VIP on the External network.
Clone Of:
Environment:
Last Closed:	2015-08-05 13:56:03 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	195328	None	None	None	Never
OpenStack gerrit	195722	None	None	None	Never
Red Hat Bugzilla	1235476	None	None	None	Never
Red Hat Product Errata	RHEA-2015:1549	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform director Release	2015-08-05 17:49:10 UTC

Description Udi 2015-06-25 10:58:37 UTC

Description of problem:
The VIP for keystone and the GUI is on the control plane: export OS_AUTH_URL=http://192.0.2.14:5000/v2.0/

My deployment is on bare metals which are also on the 10.35.xxx.xxx network (and in addition it's a HA setup) - is there a way to have a VIP on that network without going through ssh tunnels from the undercloud? If I have to do it via the undercloud, the HA is worthless because as soon as the undercloud node goes down I'll have no way to get to the overcloud as well.


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-15.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. I deployed with: openstack overcloud deploy --plan-uuid 30b02f2a-6ccc-4c10-ada4-7dfb93faf3ec --control-scale 3 --neutron-public-interface eth2 --network-cidr 192.168.0.0/16 --floating-ip-start 10.35.190.10 --floating-ip-end 10.35.190.50 --floating-id-cidr 10.35.190.0/24 --bm-network-gateway 10.35.190.254 --neutron-network-type gre --neutron-tunnel-type gre

Comment 3 Udi 2015-06-25 11:00:04 UTC

Dan, is there a patch for this upstream/downstream?

Comment 4 Dan Sneddon 2015-06-25 17:46:10 UTC

(In reply to Udi from comment #3)
> Dan, is there a patch for this upstream/downstream?

I'm pretty sure that this behavior is because of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1235476

There is an upstream patch to fix that, and assuming it passes CI and gets some +2 reviews it should be merged downstream.

Comment 5 Marius Cornea 2015-06-26 16:19:52 UTC

Verified Dan's patch and the public VIP gets created on the external network:
http://paste.openstack.org/show/321395/

I filed BZ#1236136 in regards to all keystone endpoints using the public VIP.

Comment 7 Leonid Natapov 2015-07-22 08:08:09 UTC

openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch

keystone and horizon VIP are on external network.

Comment 9 errata-xmlrpc 2015-08-05 13:56:03 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549

Note You need to log in before you can comment on or make changes to this bug.