Description of problem: The ip used by httpd is wrongly set after the upgrade. Below are the customer details. You will see that it's set as the internal api ip address instead of the external ip address. I suspect a problem with the way the keystone wsgi puppet manifest brings in this ip to http and the vhost. IF we change the ip address in /etc/httpd/conf/ports.conf to the proper external ip's for each controller then keystone works. Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1.upgrade from osp8 to osp9 2. 3. Actual results: keystone broken. stack commands fail Expected results: keystone works Additional info: ### stack commands fail after upgrade from osp8 to osp9. ###changing haproxy keystone_admin to match the keystone wsgi address works. ###network-environment.yaml ExternalAllocationPools: [{'start': '10.214.14.76', 'end': '10.214.14.100'}] InternalApiAllocationPools: [{'start': '10.214.14.194', 'end': '10.214.14.240'}] ServiceNetMap: KeystoneAdminApiNetwork: external KeystonePublicApiNetwork: internal_api ###haproxy.conf listen keystone_admin bind 10.214.14.76:35357 transparent mode http http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server oslabwlk108 10.214.14.66:35357 check fall 5 inter 2000 rise 2 #change this to .197 causes it to work server oslabwlk109 10.214.14.67:35357 check fall 5 inter 2000 rise 2 server oslabwlk110 10.214.14.68:35357 check fall 5 inter 2000 rise 2 listen keystone_public bind 10.214.14.76:5000 transparent bind 10.214.14.194:5000 transparent mode http http-request set-header X-Forwarded-Proto https if { ssl_fc } http-request set-header X-Forwarded-Proto http if !{ ssl_fc } server oslabwlk108 10.214.14.197:5000 check fall 5 inter 2000 rise 2 server oslabwlk109 10.214.14.196:5000 check fall 5 inter 2000 rise 2 server oslabwlk110 10.214.14.201:5000 check fall 5 inter 2000 rise 2 ####keystone's vhost file. # ************************************ # Vhost template in module puppetlabs-apache # Managed by Puppet # ************************************ <VirtualHost 10.214.14.197:35357> ServerName oslabwlk108.localdomain ## Vhost docroot DocumentRoot "/var/www/cgi-bin/keystone" ## Directories, there should at least be a declaration for /var/www/cgi-bin/keystone <Directory "/var/www/cgi-bin/keystone"> Options Indexes FollowSymLinks MultiViews AllowOverride None Require all granted </Directory> ## Logging ErrorLog "/var/log/httpd/keystone_wsgi_admin_error.log" ServerSignature Off CustomLog "/var/log/httpd/keystone_wsgi_admin_access.log" combined WSGIApplicationGroup %{GLOBAL} WSGIDaemonProcess keystone_admin display-name=keystone-admin group=keystone processes=32 threads=1 user=keystone WSGIProcessGroup keystone_admin WSGIScriptAlias / "/var/www/cgi-bin/keystone/admin" WSGIPassAuthorization On </VirtualHost> ###keystone.conf public_endpoint = http://10.214.14.76:5000 public_port=5000 admin_bind_host=10.214.14.66 public_bind_host=10.214.14.197 admin_port=35357
This bugzilla has been removed from the release and needs to be reviewed and Triaged for another Target Release.
Hi, I confirm that a *minor* update is required to get the latest osp8 puppet-module before starting the major upgrade. As noted by Matt Flusche: "Looks like they are using an older version of openstack-puppet-modules. I see 7.0.17-1.el7ost.noarch from the sosreport; 7.1.5-1 is the most current. Also this BZ is addressed in a more current release and is required for keystone update. I assume this is the issue. From the openstack-puppet-modules changelog: * Sat Jun 18 2016 Lukas Bezdicka <lbezdick> 1:7.1.2-1 - Update to upstream 7.1.2 - [puppet-keystone] Add keystone::wsgi::apache::admin_bind_host param (rhbz#1347827) Closing this one. Don't hesitate to re-open it if needed.