Description of problem:
Neutron uses the Nova API public endpoint, which may not always be reachable from the node running the Neutron services. We could instead use the internal endpoint, as this should be reachable from nodes which don't have access to the public endpoint network.

Scenario where this issue could show up:
Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role's nodes is not allowed.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-6.0.0-0.20170307170102.3134785.0rc2.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud
2. Check /etc/neutron/neutron.conf

Actual results:
[nova]
#
# From neutron
#

# Name of nova region to use. Useful if keystone manages more than one region.
# (string value)
#region_name = <None>

# Type of the nova endpoint to use. This endpoint will be looked up in the
# keystone catalog and should be one of public, internal or admin. (string
# value)
# Allowed values: public, admin, internal
#endpoint_type = public

Expected results:
endpoint_type = internal

Additional info:

> Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.

If the Neutron API service is running on a different role, it would be connected to the same external networks the controller nodes are, because users need to be able to reach the public Neutron API endpoint. In that case, Neutron will always have access to the public Nova API endpoint, regardless if it's on a separate node or not. What am I missing?

(In reply to Assaf Muller from comment #1)
> > Neutron API services are running on a different role than the controller running HAProxy where the public endpoints are binding. The Neutron role is not connected to the OSP-d External network since it runs internal only services and outgoing traffic to the External network from this role nodes is not allowed.
>
> If the Neutron API service is running on a different role, it would be
> connected to the same external networks the controller nodes are, because
> users need to be able to reach the public Neutron API endpoint. In that
> case, Neutron will always have access to the public Nova API endpoint,
> regardless if it's on a separate node or not. What am I missing?

The public Neutron API endpoint is exposed via HAProxy so the role which runs the Neutron API service doesn't need to be connected to the external network but it uses the internal_api network to reach the controller running HAProxy.

I used this workaround in an environment file:

parameter_defaults:
  NovaComputeExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

Sorry, it's on the controller node, so I made a mistake. It is this:

parameter_defaults:
  controllerExtraConfig:
    neutron::config::server_config:
      nova/endpoint_type:
        value: internal

(In reply to Cyril Lopez from comment #5)
> I used this workaround in an environment file :
>
> parameter_defaults:
>   NovaComputeExtraConfig:
>     neutron::config::server_config:
>       nova/endpoint_type:
>         value: internal

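An added example, not part of the original report or of TripleO: a check for step 2 of the reproduction steps that reports which [nova] endpoint_type a given neutron.conf results in, treating a commented-out option as the default shown in the excerpt. The function name, script name and sample texts are assumptions constructed for illustration.

```python
import configparser
import sys

# Default and allowed values as shown in the neutron.conf excerpt in the report.
DEFAULT_ENDPOINT_TYPE = "public"
ALLOWED = {"public", "admin", "internal"}

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_UNSET = """\
[nova]
# Allowed values: public, admin, internal
#endpoint_type = public
"""
SAMPLE_OVERRIDDEN = """\
[DEFAULT]
debug = False
[nova]
#endpoint_type = public
endpoint_type = internal
"""


def effective_nova_endpoint_type(conf_text):
    """Return the [nova] endpoint_type that neutron.conf text results in."""
    # oslo.config does not inherit [DEFAULT] into other groups, so move
    # configparser's inheriting default section to a name that is never used.
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_section("nova"):
        return DEFAULT_ENDPOINT_TYPE
    value = parser.get("nova", "endpoint_type",
                       fallback=DEFAULT_ENDPOINT_TYPE).strip()
    if value not in ALLOWED:
        raise ValueError("unexpected [nova] endpoint_type: %r" % value)
    return value


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 check_nova_endpoint.py /etc/neutron/neutron.conf
    with open(sys.argv[1]) as handle:
        found = effective_nova_endpoint_type(handle.read())
    print("[nova] endpoint_type =", found)
    # Non-zero exit when Neutron would still look up the public Nova endpoint.
    sys.exit(0 if found == "internal" else 1)
```
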
According to our records, this should be resolved by openstack-tripleo-heat-templates-8.0.2-38.el7ost. This build is available now.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3587