Description of problem:
We currently have the following for horizon:

  server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2

The cookie should point to each member hostname to get session persistence.
Should look like this:

  server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-1 fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-2 fall 5 inter 2000 rise 2

The cookie name should be the same as the respective service name.
Ok so with the linked review, I correctly get:

  listen horizon
    bind 10.0.0.5:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
    bind 10.0.0.5:80 transparent
    bind 172.17.0.18:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
    bind 172.17.0.18:80 transparent
    mode http
    cookie SERVERID insert indirect nocache
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    option forwardfor
    option httpchk
    redirect scheme https code 301 if !{ ssl_fc }
    rsprep ^Location:\ http://(.*) Location:\ https://\1
    server overcloud-controller-0.internalapi.localdomain 172.17.0.14:80 check cookie overcloud-controller-0.internalapi.localdomain fall 5 inter 2000 rise 2
    server overcloud-controller-1.internalapi.localdomain 172.17.0.17:80 check cookie overcloud-controller-1.internalapi.localdomain fall 5 inter 2000 rise 2
    server overcloud-controller-2.internalapi.localdomain 172.17.0.19:80 check cookie overcloud-controller-2.internalapi.localdomain fall 5 inter 2000 rise 2

Ryan, could you expand a bit on the impact of this? I.e. should I look at backporting this to pike?
Yes, this should probably be backported. The problem here is that the cookie is being inserted into the response by haproxy so that we have session persistence. When you log in to horizon you want the session to be persistent and go to the same backend server. When haproxy sees a match for the cookie, it does just that. The cookie value should match the server name. Prior to your fix (see comment #0) each server was matching on the same cookie (overcloud-controller-0), which is not correct. What would be best is to demonstrate the problem and verify the fix. I am not sure how to do this because in my environment (everything running in VMs) it is difficult to open a web browser and point to the horizon VIP. Is there a trick we can use to do this?
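A static check for the misconfiguration discussed in this bug, as an added example that is not part of the original thread or of the project's code: it parses HAProxy configuration text and reports any per-server cookie value that more than one server line in a section shares. The names duplicate_cookies and _horizon are assumptions of this example, and the sample configuration is constructed from the server lines quoted in comment #0 under a "listen horizon" header.

```python
import re
from collections import defaultdict

# Keywords that open a new HAProxy configuration section.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def duplicate_cookies(config_text):
    """Map section -> {cookie value: [server names]} for every cookie value
    that more than one `server` line in that section uses."""
    section = None
    seen = defaultdict(lambda: defaultdict(list))
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(2) or m.group(1)
            continue
        tok = line.split()
        # server <name> <address> [params...]; the per-server cookie is a param.
        if tok[0] != "server" or "cookie" not in tok[3:]:
            continue
        i = tok.index("cookie", 3)
        if i + 1 < len(tok):
            seen[section][tok[i + 1]].append(tok[1])
    report = {}
    for sec, cookies in seen.items():
        dups = {val: names for val, names in cookies.items() if len(names) > 1}
        if dups:
            report[sec] = dups
    return report

def _horizon(cookies):
    # Constructed sample: server lines as quoted in the bug, under "listen horizon".
    hosts = [("0", "172.17.0.22"), ("1", "172.17.0.25"), ("2", "172.17.0.12")]
    lines = ["listen horizon", "  mode http", "  cookie SERVERID insert indirect nocache"]
    for (n, ip), c in zip(hosts, cookies):
        lines.append(f"  server overcloud-controller-{n}.internalapi.localdomain {ip}:80 "
                     f"check cookie {c} fall 5 inter 2000 rise 2")
    return "\n".join(lines)

BEFORE = _horizon(["overcloud-controller-0"] * 3)
AFTER = _horizon([f"overcloud-controller-{n}" for n in "012"])

if __name__ == "__main__":
    print("before:", duplicate_cookies(BEFORE))
    print("after: ", duplicate_cookies(AFTER))
```

An empty result means every server line in each section carries its own cookie value, which is what cookie-based persistence needs to pin a session to one backend.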
(Note there's an OSP10 bz about this, which could be used for the backport, at https://bugzilla.redhat.com/show_bug.cgi?id=1520799)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0607