Bug 1433750 - Neutron uses the Nova API public endpoint which may not be always reachable from the node running the Neutron service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 11.0 (Ocata)
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: z3
: 13.0 (Queens)
Assignee: Brent Eagles
QA Contact: Toni Freger
URL:
Whiteboard:
Depends On:
Blocks: 1537757
Reported: 2017-03-19 19:25 UTC by Marius Cornea
Modified: 2018-11-13 22:28 UTC

Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180215092255.el7.ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1537757 (view as bug list)
Environment:
Last Closed: 2018-11-13 22:26:39 UTC
Target Upstream Version:
lmarsh: needinfo-
lmarsh: needinfo-




Links
System ID Priority Status Summary Last Updated
Launchpad 1745002 None None None 2018-01-23 19:51:11 UTC
OpenStack gerrit 536944 None None None 2018-01-23 19:51:51 UTC
Red Hat Product Errata RHBA-2018:3587 None None None 2018-11-13 22:28:09 UTC

Description Marius Cornea 2017-03-19 19:25:08 UTC
Description of problem:
Neutron uses the Nova API public endpoint which may not be always reachable from the node running the Neutron services. We could instead use the internal endpoint as this should be reachable from nodes which don't have access to the public endpoint network.

Scenario where this issue could show up:
Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed. 

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-6.0.0-0.20170307170102.3134785.0rc2.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud
2. Check /etc/neutron/neutron.conf

Actual results:
[nova]

#
# From neutron
#

# Name of nova region to use. Useful if keystone manages more than one region.
# (string value)
#region_name = <None>

# Type of the nova endpoint to use.  This endpoint will be looked up in the
# keystone catalog and should be one of public, internal or admin. (string
# value)
# Allowed values: public, admin, internal
#endpoint_type = public

Expected results:
endpoint_type = internal

Additional info:

Comment 1 Assaf Muller 2017-03-30 15:03:51 UTC
> Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.

If the Neutron API service is running on a different role, it would be connected to the same external networks the controller nodes are, because users need to be able to reach the public Neutron API endpoint. In that case, Neutron will always have access to the public Nova API endpoint, regardless if it's on a separate node or not. What am I missing?

Comment 2 Marius Cornea 2017-03-30 15:23:56 UTC
(In reply to Assaf Muller from comment #1)
> > Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.
> 
> If the Neutron API service is running on a different role, it would be
> connected to the same external networks the controller nodes are, because
> users need to be able to reach the public Neutron API endpoint. In that
> case, Neutron will always have access to the public Nova API endpoint,
> regardless if it's on a separate node or not. What am I missing?

The public Neutron API endpoint is exposed via HAProxy so the role which runs the Neutron API service doesn't need to be connected to the external network but it uses the internal_api network to reach the controller running HAProxy.

Comment 5 Cyril Lopez 2017-07-04 21:12:43 UTC
I used this workaround in an environment file:

parameter_defaults:
  NovaComputeExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

Comment 6 Cyril Lopez 2017-07-05 07:49:20 UTC
Sorry, it's on the controller node, so I made a mistake. It is this:

parameter_defaults:
  controllerExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

(In reply to Cyril Lopez from comment #5)
> I used this workaround in an environment file :
> 
> parameter_defaults:
>   NovaComputeExtraConfig:
>     neutron::config::server_config:
>       nova/endpoint_type:
>         value: internal
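
A check for step 2 of the reproduction ("Check /etc/neutron/neutron.conf") and for whether the workaround took effect, as an added example that is not part of the original bug report or of TripleO. It uses the standard-library configparser rather than oslo.config; the function names and the two sample texts (constructed from the excerpt in the description) are assumptions.

```python
import configparser

# Default when the option is not set, per the page ("#endpoint_type = public").
NOVA_ENDPOINT_DEFAULT = "public"
ALLOWED = ("public", "admin", "internal")

def effective_nova_endpoint_type(conf_text):
    """Return (value, explicitly_set) for [nova]/endpoint_type."""
    parser = configparser.RawConfigParser(
        strict=False,                  # tolerate repeated sections and keys
        default_section="__unused__",  # configparser would otherwise inherit
                                       # [DEFAULT] keys into [nova]
        comment_prefixes=("#", ";"),
    )
    parser.read_string(conf_text)
    if parser.has_option("nova", "endpoint_type"):
        return parser.get("nova", "endpoint_type").strip(), True
    return NOVA_ENDPOINT_DEFAULT, False

def audit(conf_text):
    """Return a one-line verdict for a node with no External network access."""
    value, explicit = effective_nova_endpoint_type(conf_text)
    origin = "set explicitly" if explicit else "not set, default applies"
    if value not in ALLOWED:
        return f"INVALID: endpoint_type = {value} ({origin})"
    if value != "internal":
        return f"FAIL: endpoint_type = {value} ({origin})"
    return f"OK: endpoint_type = {value} ({origin})"

# Constructed samples: the "Actual results" excerpt and the expected result.
BEFORE = """\
[DEFAULT]
[nova]
# Allowed values: public, admin, internal
#endpoint_type = public
"""
AFTER = """\
[DEFAULT]
[nova]
endpoint_type = internal
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "->", audit(text))
```

To run it against a deployed node, pass the contents of /etc/neutron/neutron.conf to `audit()`.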

Comment 11 Lon Hohberger 2018-07-10 10:34:01 UTC
According to our records, this should be resolved by openstack-tripleo-heat-templates-8.0.2-38.el7ost.  This build is available now.

Comment 15 errata-xmlrpc 2018-11-13 22:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587

