1306399 – glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud

Bug 1306399 - glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud

Summary: glance_registry haproxy config doesn't have any bind directive with an ssl en...

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	rhosp-director
Sub Component:
Version:	7.0 (Kilo)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	12.0 (Pike)
Assignee:	Cyril Roelandt
QA Contact:	Avi Avraham
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-02-10 17:39 UTC by Marius Cornea
Modified:	2017-11-29 14:45 UTC (History)
CC List:	17 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-29 14:45:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Marius Cornea 2016-02-10 17:39:55 UTC

Description of problem:
glance_registry haproxy config doesn't have any bind directive with an ssl enabled overcloud:


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-117.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
[root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg 
listen glance_registry
  server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2

Comment 1 Giulio Fidente 2016-02-10 18:03:49 UTC

I think glance-registry doesn't need to have an SSL binding because it's not user-facing service. It is only glance-api calling it.

Comment 2 Marius Cornea 2016-02-10 18:13:06 UTC

The issue is that there's no binding that uses the internal api vip. The config files are set up with the local ips thus the glance registry requests don't get balanced:

[root@overcloud-controller-0 ~]# grep -A 5 glance_registry /etc/haproxy/haproxy.cfg 
listen glance_registry
  server overcloud-controller-0 192.168.100.13:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 192.168.100.12:9191 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 192.168.100.16:9191 check fall 5 inter 2000 rise 2

[root@overcloud-controller-0 ~]# grep registry_host /etc/glance/*
/etc/glance/glance-api.conf:#registry_host=0.0.0.0
/etc/glance/glance-api.conf:registry_host=192.168.100.13
/etc/glance/glance-cache.conf:#registry_host=0.0.0.0
/etc/glance/glance-cache.conf:registry_host=192.168.100.13
/etc/glance/glance-scrubber.conf:#registry_host=0.0.0.0

Comment 3 Mike Burns 2016-04-07 21:07:13 UTC

This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.

Comment 7 Amit Aviram 2016-11-23 14:45:49 UTC

I believe you are asking the wrong person.. (I'm Amit Aviram, aaviram)

Note You need to log in before you can comment on or make changes to this bug.