Description of problem:
A user will not get a functional environment if they deploy the overcloud with internal TLS [1] and also set the KernelDisableIPv6 flag.
This happens because internal TLS is implemented for some services by putting an httpd proxy between the OpenStack endpoint and haproxy. For example, for neutron-server we:
- start neutron_server_tls_proxy containers on every controller node
- start httpd inside this container with the configuration in [2]
- configure neutron to listen on localhost [3]
As a result, the following set of servers listens on the neutron-server port:
[root@controller-0 ~]# netstat -tupln | grep 9696
tcp 0 0 172.17.1.23:9696 0.0.0.0:* LISTEN 110860/httpd
tcp 0 0 172.17.1.101:9696 0.0.0.0:* LISTEN 71254/haproxy
tcp6 0 0 ::1:9696 :::* LISTEN 113384/python2
As you can see, neutron-server listens on the IPv6 loopback address (::1) to receive the requests proxied by httpd, while httpd's ProxyPass target is the name localhost. This works until a user tunes the kernel networking settings. In our case the customer enabled the KernelDisableIPv6 flag, after which httpd resolved localhost to 127.0.0.1, where nothing was listening.
As a result, httpd failed to proxy requests and logged the following errors:
[Wed Apr 03 18:43:33.927156 2019] [proxy:error] [pid 16] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:9696 (localhost) failed
[Wed Apr 03 18:43:33.927188 2019] [proxy:error] [pid 16] AH00959: ap_proxy_connect_backend disabling worker for (localhost) for 10s
[Wed Apr 03 18:43:33.927194 2019] [proxy_http:error] [pid 16] [client 10.164.227.136:39478] AH01114: HTTP: failed to make connection to backend: localhost
[Wed Apr 03 18:43:25.913045 2019] [proxy:error] [pid 16] AH00940: HTTP: disabled connection for (localhost)
Setting the bug's severity to high as an important customer is affected.
[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/advanced_overcloud_customization/sect-enabling_internal_ssltls_on_the_overcloud
[2]
[root@controller-0 ~]# cat /var/lib/config-data/puppet-generated/neutron/etc/httpd/conf.d/25-neutron-api-proxy.conf
# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
<VirtualHost 172.17.1.23:9696>
ServerName controller-0.internalapi.redhat.local
## Logging
ErrorLog "/var/log/httpd/neutron-api-proxy_error_ssl.log"
ServerSignature Off
CustomLog "/var/log/httpd/neutron-api-proxy_access_ssl.log" combined
## Request header rules
## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
RequestHeader set X-Forwarded-Proto "https"
## Proxy rules
ProxyRequests Off
ProxyPreserveHost Off
ProxyPass / http://localhost:9696/ retry=10
ProxyPassReverse / http://localhost:9696/
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/tls/certs/httpd/httpd-internal_api.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/httpd/httpd-internal_api.key"
</VirtualHost>
[3]
[root@controller-0 ~]# grep bind_host /var/lib/config-data/puppet-generated/neutron/etc/neutron/neutron.conf
#bind_host = 0.0.0.0
bind_host=localhost
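The failure above comes down to the two sides of the TLS proxy agreeing on the name "localhost" but not on an address: neutron binds to whatever the resolver returns first (::1 in the netstat output), while httpd connects to whatever the resolver returns when the request arrives (127.0.0.1 once IPv6 is disabled). The following script is an added check written for this report; it is not TripleO or puppet code. It parses `netstat -tupln` output and the ProxyPass rule from the vhost, resolves the backend host the way getaddrinfo() would under both IPv6 states, and reports whether mod_proxy would find a listener. The netstat rows and the ProxyPass line for the reported case are copied from the report; the "localhost" resolution table, and the "pinned" variant in which both bind_host and ProxyPass use the literal 127.0.0.1, are constructed for the demonstration.

```python
"""Offline check that an httpd ProxyPass backend is reachable from the
listeners on a host, given whether the kernel has IPv6 disabled.

Added example for this bug report, not TripleO or puppet code.
"""
import ipaddress
import re

# Copied from the report: listeners on the neutron-server port on controller-0.
NETSTAT_REPORT = """\
tcp 0 0 172.17.1.23:9696 0.0.0.0:* LISTEN 110860/httpd
tcp 0 0 172.17.1.101:9696 0.0.0.0:* LISTEN 71254/haproxy
tcp6 0 0 ::1:9696 :::* LISTEN 113384/python2
"""
# Copied from the report's 25-neutron-api-proxy.conf (only the proxy rule matters here).
VHOST_REPORT = "ProxyPass / http://localhost:9696/ retry=10\n"

# Constructed: the same pieces after pinning both sides to the IPv4 loopback literal
# (bind_host = 127.0.0.1 in neutron.conf, ProxyPass to http://127.0.0.1:9696/).
NETSTAT_PINNED = """\
tcp 0 0 172.17.1.23:9696 0.0.0.0:* LISTEN 110860/httpd
tcp 0 0 172.17.1.101:9696 0.0.0.0:* LISTEN 71254/haproxy
tcp 0 0 127.0.0.1:9696 0.0.0.0:* LISTEN 113384/python2
"""
VHOST_PINNED = "ProxyPass / http://127.0.0.1:9696/ retry=10\n"


def resolve(host, ipv6_disabled):
    """Stand-in for getaddrinfo(). A literal address resolves to itself. The name
    'localhost' resolves to ::1 and 127.0.0.1 (assumption: the usual /etc/hosts
    content with ::1 sorted first, consistent with neutron ending up on ::1 in
    the report). With IPv6 disabled only the IPv4 answer is usable."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    table = {"localhost": ["::1", "127.0.0.1"]}   # constructed resolver table
    addrs = table.get(host, [])
    if ipv6_disabled:
        addrs = [a for a in addrs if ipaddress.ip_address(a).version == 4]
    return addrs


def parse_listeners(netstat_text):
    """Return {(address, port)} for every LISTEN row of `netstat -tupln` output."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # '::1:9696' -> ('::1', '9696')
        listeners.add((addr, int(port)))
    return listeners


def parse_proxypass(vhost_text):
    """Extract (backend host, port) from the first ProxyPass rule with an http(s) target."""
    m = re.search(r"^\s*ProxyPass\s+\S+\s+https?://(\[[^\]]+\]|[^/:\s]+):(\d+)",
                  vhost_text, re.M)
    if not m:
        raise ValueError("no ProxyPass rule with a host:port target")
    return m.group(1).strip("[]"), int(m.group(2))


def listener_covers(listener, addr, port):
    """True if a socket bound to `listener` would accept a connection to addr:port."""
    laddr, lport = listener
    if lport != port:
        return False
    if laddr == addr:
        return True
    if laddr == "0.0.0.0":
        return ipaddress.ip_address(addr).version == 4
    # '::' accepts IPv6, and IPv4 via mapped addresses when net.ipv6.bindv6only=0
    # (assumption: that kernel default).
    return laddr == "::"


def backend_status(vhost_text, netstat_text, ipv6_disabled):
    """Map each address the proxy would try to whether something listens there."""
    host, port = parse_proxypass(vhost_text)
    listeners = parse_listeners(netstat_text)
    return {a: any(listener_covers(l, a, port) for l in listeners)
            for a in resolve(host, ipv6_disabled)}


def backend_reachable(vhost_text, netstat_text, ipv6_disabled):
    """mod_proxy tries the resolved addresses in turn, so one listening address is enough."""
    return any(backend_status(vhost_text, netstat_text, ipv6_disabled).values())


if __name__ == "__main__":
    for label, vhost, ns in (("report", VHOST_REPORT, NETSTAT_REPORT),
                             ("pinned", VHOST_PINNED, NETSTAT_PINNED)):
        for disabled in (False, True):
            print(label, "KernelDisableIPv6=%s" % disabled,
                  backend_status(vhost, ns, disabled))
```

For the reported configuration the check passes with IPv6 enabled (::1 is tried first and neutron is there) and fails with KernelDisableIPv6 set (only 127.0.0.1 is tried and nothing listens), which is the "Connection refused ... 127.0.0.1:9696 (localhost)" line in the httpd log. The pinned variant passes in both states because neither side depends on resolver order. Whatever address is chosen, it must stay a loopback address: the httpd-to-neutron hop is plaintext, and binding neutron anywhere reachable from the network would bypass the TLS termination the proxy exists to provide.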