Bug 1485446 - [OSP12] horizon stanza in haproxy.cfg needs tweaking
Summary: [OSP12] horizon stanza in haproxy.cfg needs tweaking
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: z2
: 12.0 (Pike)
Assignee: Michele Baldessari
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks: 1552245
Reported: 2017-08-25 18:10 UTC by Michele Baldessari
Modified: 2022-08-16 12:43 UTC (History)

Fixed In Version: puppet-tripleo-7.4.8-1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1552245 (view as bug list)
Environment:
Last Closed: 2018-03-28 17:27:14 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 530122 0 None stable/pike: MERGED puppet-tripleo: Give horizon's stanza in haproxy a per-server cookie (Ieb9cf3c6a8373df288a73ff2dacfc9d0b09e675a) 2018-02-21 14:19:24 UTC
OpenStack gerrit 530379 0 None stable/pike: MERGED puppet-tripleo: Replace colon with a dash. (I87a1fb8952081dcb49f64ffff62414df120dccac) 2018-02-21 14:19:18 UTC
Red Hat Issue Tracker OSP-4681 0 None None None 2022-08-16 12:43:09 UTC
Red Hat Product Errata RHBA-2018:0607 0 None None None 2018-03-28 17:28:17 UTC

Description Michele Baldessari 2017-08-25 18:10:08 UTC
Description of problem:
We currently have the following for horizon:
server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2

The cookie should point to each member hostname to get session persistence.

Comment 1 Ryan O'Hara 2017-08-25 18:12:32 UTC
Should look like this:

server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-1 fall 5 inter 2000 rise 2
server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-2 fall 5 inter 2000 rise 2

The cookie name should be the same as the respective service name.

Comment 2 Michele Baldessari 2017-09-12 07:32:33 UTC
Ok so with the linked review, I correctly get:
listen horizon
  bind 10.0.0.5:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 10.0.0.5:80 transparent
  bind 172.17.0.18:443 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.17.0.18:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option forwardfor
  option httpchk
  redirect scheme https code 301 if !{ ssl_fc }
  rsprep ^Location:\ http://(.*) Location:\ https://\1
  server overcloud-controller-0.internalapi.localdomain 172.17.0.14:80 check cookie overcloud-controller-0.internalapi.localdomain fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.17.0.17:80 check cookie overcloud-controller-1.internalapi.localdomain fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.17.0.19:80 check cookie overcloud-controller-2.internalapi.localdomain fall 5 inter 2000 rise 2


Ryan, could you expand a bit on the impact of this? I.e. should I look at backporting this to pike?

Comment 3 Ryan O'Hara 2017-09-12 14:41:21 UTC
Yes, this should probably be backported.

The problem here is that the cookie is being inserted into the response by haproxy so that we have session persistence. When you log in to horizon you want the session to be persistent and go to the same backend server. When haproxy sees a match for the cookie, it does just that. The cookie value should match the server name. Prior to your fix (see comment #0) each server was matching on the same cookie (overcloud-controller-0), which is not correct.

What would be best is to demonstrate the problem and verify the fix. I am not sure how to do this because in my environment (everything running in VMs) it is difficult to open a web browser and point to the horizon VIP. Is there a trick we can use to do this?
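
Added example, not part of the original comments and not puppet-tripleo code: a static check that reads haproxy.cfg text and reports any proxy with cookie persistence enabled where several servers carry the same cookie value, which is the condition described in comment #0. The sample stanza is constructed from the server lines in the description, and the function name audit_cookie_persistence is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the three server lines from the bug description,
# placed in a minimal "listen horizon" stanza with cookie persistence on.
BROKEN = """\
listen horizon
  mode http
  cookie SERVERID insert indirect nocache
  server overcloud-controller-0.internalapi.localdomain 172.17.0.22:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-1.internalapi.localdomain 172.17.0.25:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
  server overcloud-controller-2.internalapi.localdomain 172.17.0.12:80 check cookie overcloud-controller-0 fall 5 inter 2000 rise 2
"""
# Same stanza with each server's cookie value set to its own server name.
FIXED = re.sub(r"(server (\S+) .* cookie )\S+", r"\1\2", BROKEN)

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def audit_cookie_persistence(cfg_text):
    """Return {proxy: [problems]} for proxies that enable cookie persistence."""
    proxies, current = {}, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words:
            continue
        m = SECTION.match(" ".join(words))
        if m:                                     # start of a new section
            current = proxies.setdefault(m.group(2) or m.group(1),
                                         {"persist": False, "servers": []})
        elif current is not None and words[0] == "cookie":
            current["persist"] = True             # proxy-level cookie directive
        elif current is not None and words[0] == "server" and len(words) >= 3:
            opts = words[3:]                      # options after name and address
            i = opts.index("cookie") if "cookie" in opts else -1
            value = opts[i + 1] if 0 <= i < len(opts) - 1 else None
            current["servers"].append((words[1], value))
    findings = {}
    for name, proxy in proxies.items():
        by_value, problems = defaultdict(list), []
        for server, value in proxy["servers"] if proxy["persist"] else []:
            if value is None:
                problems.append(f"{server}: no cookie value set")
            else:
                by_value[value].append(server)
        problems += [f"cookie value {v!r} shared by {', '.join(s)}"
                     for v, s in by_value.items() if len(s) > 1]
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for stanza in (BROKEN, FIXED):
        print(audit_cookie_persistence(stanza) or "ok")
```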

Comment 5 Chris Jones 2017-12-07 09:20:05 UTC
(Note there's an OSP10 bz about this, which could be used for the backport, at https://bugzilla.redhat.com/show_bug.cgi?id=1520799)

Comment 14 errata-xmlrpc 2018-03-28 17:27:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0607

