VirtualHost is not being set correctly in "openstack_https_frontend.conf" file when deploying hacluster application with bindings
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
charms.openstack | Fix Released | High | Tytus Kurek | |
Bug Description
The issue was originally reported in bug 1735421, but for some reason the fix for designate / charms.openstack didn't land.
There is a Juju environment with the following spaces:
$ juju spaces
Space Subnets
clo 100.86.0.0/20
oam 100.107.0.0/22
The designate application has been deployed from the "master" branch in the upstream with the following settings:
$ juju deploy \
--bind "oam admin=clo dns-backend=clo internal=clo public=clo shared-db=clo" \
--config "./designate.yaml" \
--num-units 3 \
--series trusty \
--to 22/lxd/
./designate \
designate
$ cat designate.yaml
designate:
debug: "true"
enable-
nameservers: "ns1.example.com. ns1.example.com. ns3.example.com."
openstack-origin: "cloud:
use-syslog: "true"
verbose: "true"
vip: "100.86.0.11"
worker-
and the designate-hacluster application has been deployed from the charm store with the following settings:
$ juju deploy \
--bind "oam ha=clo" \
--config "./designate-
--series trusty \
./hacluster \
designate-hacluster
$ cat designate-
designate-
corosync_
cluster_count: "3"
The resulting configuration files look as follows:
# cat /etc/haproxy/
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 20000
user haproxy
group haproxy
spread-checks 0
defaults
log global
mode tcp
option tcplog
option dontlognull
retries 3
timeout queue 9000
timeout connect 9000
timeout client 90000
timeout server 90000
listen stats
bind 127.0.0.1:8888
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth admin:Sx2Ten1UQ
frontend tcp-in_
bind *:9001
acl net_100.86.0.180 dst 100.86.
use_backend designate-
acl net_100.107.2.206 dst 100.107.
use_backend designate-
default_backend designate-
backend designate-
balance leastconn
server designate-0 100.86.0.180:8991 check
server designate-1 100.86.0.179:8991 check
server designate-2 100.86.0.148:8991 check
backend designate-
balance leastconn
server designate-0 100.107.2.206:8991 check
server designate-1 100.107.2.198:8991 check
server designate-2 100.107.2.174:8991 check
# cat /etc/apache2/
Listen 8991
<VirtualHost 100.107.2.206:8991>
ServerName 100.86.0.11
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:
SSLCertific
SSLCertific
ProxyPass / http://
ProxyPassRe
ProxyPreser
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
and the query result is as follows:
$ curl --insecure https:/
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.
Setting os-* options in designate charm:
$ juju config designate os-admin-
$ juju config designate os-internal-
$ juju config designate os-public-
solves the problem:
# cat /etc/haproxy/
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 20000
user haproxy
group haproxy
spread-checks 0
defaults
log global
mode tcp
option tcplog
option dontlognull
retries 3
timeout queue 9000
timeout connect 9000
timeout client 90000
timeout server 90000
listen stats
bind 127.0.0.1:8888
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth admin:Sx2Ten1UQ
frontend tcp-in_
bind *:9001
acl net_100.86.0.180 dst 100.86.
use_backend designate-
acl net_100.107.2.206 dst 100.107.
use_backend designate-
default_backend designate-
backend designate-
balance leastconn
server designate-0 100.86.0.180:8991 check
server designate-1 100.86.0.179:8991 check
server designate-2 100.86.0.148:8991 check
backend designate-
balance leastconn
server designate-0 100.107.2.206:8991 check
server designate-1 100.107.2.198:8991 check
server designate-2 100.107.2.174:8991 check
# cat /etc/apache2/
Listen 8991
<VirtualHost 100.86.0.180:8991>
ServerName 100.86.0.11
SSLEngine on
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!RC4:
SSLCertific
SSLCertific
ProxyPass / http://
ProxyPassRe
ProxyPreser
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
$ curl --insecure https:/
{
"versions": {
"values": [
{
"id": "v1",
"links": [
{
"href": "https:/
"rel": "self"
}
],
"status": "DEPRECATED"
},
{
"id": "v2",
"links": [
{
"href": "https:/
"rel": "self"
}
],
"status": "CURRENT"
}
]
}
}
It looks like the root cause is the IP address in the "VirtualHost" definition.
Attached are log files from all designate units.
affects: charm-designate → charms.openstack
Changed in charms.openstack:
assignee: nobody → Tytus Kurek (tkurek)
status: New → In Progress
Changed in charms.openstack:
importance: Undecided → High
As I said, it looks like the root cause is the IP address in "VirtualHost" definition, but there are additional questions which should be answered here:
- Why are there two backends while the binding was used?
- Why is the "designate-api_admin_100.107.2.206" backend the default backend while the binding was used?
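
A check for the mismatch described in this report, as an added example that is not part of the original bug report or the charm's code: it flags VirtualHost addresses in a rendered frontend config that fall outside the subnet of the space the endpoints are bound to. The function names and the cut-down sample config are assumptions, constructed from the addresses shown above.

```python
import ipaddress
import re

# Constructed sample input modelled on the report: the subnet of the "clo"
# space and a cut-down frontend config before and after the workaround.
BOUND_SUBNET = "100.86.0.0/20"
BROKEN_CONF = """\
Listen 8991
<VirtualHost 100.107.2.206:8991>
    ServerName 100.86.0.11
    SSLEngine on
</VirtualHost>
"""
FIXED_CONF = BROKEN_CONF.replace("100.107.2.206", "100.86.0.180")

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def split_hostport(token):
    """Split 'addr:port', '[v6]:port', or a bare address into (host, port)."""
    if token.endswith("]") or ":" not in token:
        return token.strip("[]"), ""
    host, _, port = token.rpartition(":")
    return host.strip("[]"), port


def vhosts_outside_space(conf_text, subnet):
    """Return VirtualHost address tokens that are not inside the bound subnet."""
    net = ipaddress.ip_network(subnet)
    bad = []
    for match in VHOST_RE.finditer(conf_text):
        for token in match.group(1).split():
            host, _port = split_hostport(token)
            if host in ("*", "_default_"):  # wildcards match every address
                continue
            try:
                inside = ipaddress.ip_address(host) in net
            except ValueError:  # hostname: cannot be checked offline, report it
                inside = False
            if not inside:
                bad.append(token)
    return bad


if __name__ == "__main__":
    print("before:", vhosts_outside_space(BROKEN_CONF, BOUND_SUBNET))
    print("after: ", vhosts_outside_space(FIXED_CONF, BOUND_SUBNET))
```

A non-empty result on a unit means Apache terminates TLS on an address other than the one haproxy forwards to for that space, which matches the failed handshake shown in the report.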