haproxy stats http configuration is suboptimal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Medium | Michele Baldessari |
Bug Description
a) The haproxy.stats stanza in haproxy config file has pretty much remained the same since newton:
listen haproxy.stats
bind 192.168.24.8:1993 transparent
mode http
stats enable
stats uri /
stats auth admin:tRJre6PnQ
(what has changed post osp10 is that we also enabled the unix local domain stat socket for haproxy):
stats socket /var/lib/
stats timeout 2m
user haproxy
b) what we do today with the haproxy stats makes little sense:
- we bind it to the VIP running on the control-plane network on all controller nodes
- de facto we allow looking at the haproxy stat info via web only on the node holding the ctlplane VIP
- since haproxy does not share stats across nodes, we're effectively limited to looking at the stats info on a single node.
Now imagine ctrl-0 holding the internal_api VIP and ctrl-1 holding the ctlplane VIP. Basically now the only stats you will be able to see are the ones relative to keystone_admin (which for other silly reasons has been moved to ctlplane by default) and very little else.
We need to fix this in two ways:
1) Make it so that an operator can customize the network on which haproxy stats listens, as currently that is hard-coded to the ctlplane
2) Let it listen on the controller's IP on the defined network
3) Bonus points for not changing current configuration and having it listen on the ctlplane vip as well.
Changed in tripleo:
status: Triaged → In Progress
Reviewed: https://review.opendev.org/659926
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e76519d2c8324e71db1871e2a9219eb66d0ce5c4
Submitter: Zuul
Branch: master
commit e76519d2c8324e71db1871e2a9219eb66d0ce5c4
Author: Michele Baldessari <email address hidden>
Date: Fri May 24 14:28:02 2019 +0200
Fix tripleo::haproxy::stats to be more correct and flexible
In this change we do three things:
1) We make the class parameter 'ip' also be a list so that multiple
bind addresses are possible
2) We remove the hard coded 1993 and move it to a parameter
3) Instead of passing only the controller_virtual_ip as the only bind
address on all controllers which makes no sense (see linked LP)
we also bind to the IP specified in the hiera key
'tripleo::haproxy::haproxy_stats_bind_address'.
Tested this change with the accompanying THT patch and correctly
got the haproxy stats on a custom network (internal_api and the
controller vip):
listen haproxy.stats
bind fd00:fd00:fd00:2000::16:1993 transparent
bind 192.168.24.15:1993 transparent
mode http
stats enable
stats uri /
stats auth admin:password
I did not remove the controller_virtual_ip binding as that might be
a breaking change for operators. We could think about deprecating it
and removing it eventually.
Related-Bug: #1830334
Change-Id: Iab5f11c3065ff34a3543621554e7f05161d069f2
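
An added example, not part of the bug report or of puppet-tripleo: a Python check that reads a rendered haproxy.cfg and reports whether the haproxy.stats section is bound only to a floating VIP, which is the situation the bug describes. The two config strings are constructed from the stanzas quoted above (the keystone_admin line is made up for contrast), the list of VIPs is an assumption supplied by the caller, and only single-address bind lines are handled.

```python
import ipaddress

SECTION_KEYWORDS = {"global", "defaults", "listen", "frontend", "backend"}

# Constructed inputs: the pre-fix stanza from the bug description and the
# post-fix stanza from the commit message (keystone_admin port is made up).
OLD_CFG = """\
listen haproxy.stats
  bind 192.168.24.8:1993 transparent
  mode http
  stats enable
"""
NEW_CFG = """\
listen haproxy.stats
  bind fd00:fd00:fd00:2000::16:1993 transparent
  bind 192.168.24.15:1993 transparent
  mode http
  stats enable
listen keystone_admin
  bind 192.168.24.15:35357 transparent
"""

def stats_binds(cfg_text, section="haproxy.stats"):
    """Return (address, port) for each bind line in the named listen section."""
    binds, in_section = [], False
    for line in cfg_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            in_section = words[:2] == ["listen", section]
        elif in_section and words[0] == "bind":
            # The port follows the last colon, which also works for IPv6.
            host, _, port = words[1].rpartition(":")
            addr = None if host in ("", "*") else ipaddress.ip_address(host.strip("[]"))
            binds.append((addr, int(port)))   # addr None means a wildcard bind
    return binds

def audit(cfg_text, vips):
    """Split the stats binds into floating VIPs and fixed (or wildcard) addresses."""
    vip_set = {ipaddress.ip_address(v) for v in vips}
    binds = stats_binds(cfg_text)
    on_vip = [b for b in binds if b[0] in vip_set]
    fixed = [b for b in binds if b[0] not in vip_set]
    # Stats reachable only through a VIP are served by one controller at a time.
    return {"vip": on_vip, "fixed": fixed, "vip_only": bool(on_vip) and not fixed}
```

Running `audit` against each controller's rendered config, with the deployment's VIP list, shows which nodes expose stats on an address that does not move with the VIP.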