Bug 1235624 - The VIP for keystone and horizon should not be on the control plane
Summary: The VIP for keystone and horizon should not be on the control plane
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: Director
Assignee: Dan Sneddon
QA Contact: Udi
Depends On:
TreeView+ depends on / blocked
Reported: 2015-06-25 10:58 UTC by Udi
Modified: 2015-08-05 13:56 UTC (History)
9 users (show)

Fixed In Version: openstack-tripleo-heat-templates-0.8.6-19.el7ost
Doc Type: Bug Fix
Doc Text:
When deploying an Overcloud, the director placed the Public VIP services on the Provisioning network's "ctlplane". This meant you could not reach the horizon and keystone services from outside of the Overcloud. This fix patches the Heat templates to place the Public VIP on the External network.
Clone Of:
Last Closed: 2015-08-05 13:56:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
OpenStack gerrit 195328 None None None Never
OpenStack gerrit 195722 None None None Never
Red Hat Bugzilla 1235476 None None None Never
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Description Udi 2015-06-25 10:58:37 UTC
Description of problem:
The VIP for keystone and the GUI is on the control plane: export OS_AUTH_URL=

My deployment is on bare metals which are also on the 10.35.xxx.xxx network (and in addition it's a HA setup) - is there a way to have a VIP on that network without going through ssh tunnels from the undercloud? If I have to do it via the undercloud, the HA is worthless because as soon as the undercloud node goes down I'll have no way to get to the overcloud as well.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. I deployed with: openstack overcloud deploy --plan-uuid 30b02f2a-6ccc-4c10-ada4-7dfb93faf3ec --control-scale 3 --neutron-public-interface eth2 --network-cidr --floating-ip-start --floating-ip-end --floating-id-cidr --bm-network-gateway --neutron-network-type gre --neutron-tunnel-type gre

Comment 3 Udi 2015-06-25 11:00:04 UTC
Dan, is there a patch for this upstream/downstream?

Comment 4 Dan Sneddon 2015-06-25 17:46:10 UTC
(In reply to Udi from comment #3)
> Dan, is there a patch for this upstream/downstream?

I'm pretty sure that this behavior is because of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1235476

There is an upstream patch to fix that, and assuming it passes CI and gets some +2 reviews it should be merged downstream.

Comment 5 Marius Cornea 2015-06-26 16:19:52 UTC
Verified Dan's patch and the public VIP gets created on the external network:

I filed BZ#1236136 in regards to all keystone endpoints using the public VIP.

Comment 7 Leonid Natapov 2015-07-22 08:08:09 UTC

keystone and horizon VIP are on external network.

Comment 9 errata-xmlrpc 2015-08-05 13:56:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.