Bug 1420111 - upgrade from osp8 to osp9 breaks keystone.
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assignee: James Slagle
QA Contact: Arik Chernetsky
Reported: 2017-02-07 21:02 UTC by Jeremy
Modified: 2020-03-11 15:55 UTC

Last Closed: 2017-02-09 18:14:17 UTC

Description Jeremy 2017-02-07 21:02:08 UTC
Description of problem: The IP used by httpd is wrongly set after the upgrade. Below are the customer details. You will see that it's set as the internal API IP address instead of the external IP address. I suspect a problem with the way the keystone wsgi puppet manifest brings in this IP to http and the vhost. If we change the IP address in /etc/httpd/conf/ports.conf to the proper external IPs for each controller then keystone works.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Upgrade from osp8 to osp9

Actual results:
keystone broken. stack commands fail

Expected results:
keystone works

Additional info:

### stack commands fail after upgrade from osp8 to osp9.
###changing haproxy keystone_admin to match the keystone wsgi address works. 


###network-environment.yaml
  ExternalAllocationPools: [{'start': '10.214.14.76', 'end': '10.214.14.100'}]
  InternalApiAllocationPools: [{'start': '10.214.14.194', 'end': '10.214.14.240'}]
  ServiceNetMap:
    KeystoneAdminApiNetwork: external
    KeystonePublicApiNetwork: internal_api

###haproxy.conf
listen keystone_admin 
  bind 10.214.14.76:35357 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server oslabwlk108 10.214.14.66:35357 check fall 5 inter 2000 rise 2   #change this to .197 causes it to work
  server oslabwlk109 10.214.14.67:35357 check fall 5 inter 2000 rise 2
  server oslabwlk110 10.214.14.68:35357 check fall 5 inter 2000 rise 2

listen keystone_public
  bind 10.214.14.76:5000 transparent
  bind 10.214.14.194:5000 transparent
  mode http
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  server oslabwlk108 10.214.14.197:5000 check fall 5 inter 2000 rise 2
  server oslabwlk109 10.214.14.196:5000 check fall 5 inter 2000 rise 2
  server oslabwlk110 10.214.14.201:5000 check fall 5 inter 2000 rise 2



####keystone's vhost file.
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************

<VirtualHost 10.214.14.197:35357>
  ServerName oslabwlk108.localdomain

  ## Vhost docroot
  DocumentRoot "/var/www/cgi-bin/keystone"

  ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone

  <Directory "/var/www/cgi-bin/keystone">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined
  WSGIApplicationGroup %{GLOBAL}
  WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=32 threads=1 user=keystone
  WSGIProcessGroup keystone_admin
  WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin"
  WSGIPassAuthorization On
</VirtualHost>



###keystone.conf
public_endpoint = http://10.214.14.76:5000
public_port=5000
admin_bind_host=10.214.14.66
public_bind_host=10.214.14.197
admin_port=35357

Comment 1 Red Hat Bugzilla Rules Engine 2017-02-07 21:02:14 UTC
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.

Comment 3 Sofer Athlan-Guyot 2017-02-09 18:14:17 UTC
Hi,

I confirm that a *minor* update is required to get the latest osp8 puppet-module before starting the major upgrade.

As noted by Matt Flusche:

"Looks like they are using an older version of openstack-puppet-modules. I see 7.0.17-1.el7ost.noarch from the sosreport; 7.1.5-1 is the most current. 

Also this BZ is addressed in a more current release and is required for keystone update. 

I assume this is the issue. 

From the openstack-puppet-modules changelog: 

* Sat Jun 18 2016 Lukas Bezdicka <lbezdick> 1:7.1.2-1 - Update to upstream 7.1.2 
  - [puppet-keystone] Add keystone::wsgi::apache::admin_bind_host param (rhbz#1347827)"

Closing this one.  Don't hesitate to re-open it if needed.

