Deployment doesn't work without an active public gateway

Fix proposed to branch: master
Review: https://review.openstack.org/137836

Related fix proposed to branch: master
Review: https://review.openstack.org/138446

Related fix proposed to branch: stable/5.1
Review: https://review.openstack.org/138448

5.1.1 is in Hard Code Freeze, and this is not Critical enough to hold back 5.1.1 release. Postponed to 5.1.2. Please provide a description of this bug suitable for release notes.

Since 5.1.1 and 6.0 releases FUEL configures ping resource that checks whether default gateway is accessible in order to fix the corresponding bug:

https://bugs.launchpad.net/fuel/+bug/1370510

Nevertheless, this fix imposes the issue that if user does not have pingable default gateway, deployment of OpenStack cluster will fail as FUEL uses public VIP to configure some of OpenStack entities (e.g. floating ip pools). In order to work this around, user can specify any pingable host as a default gateway, e.g. FUEL master node or apply the patch above and change cluster attribute 'run_ping_checker' to 'false' that will disable the pinger resource.

Added to release notes for 5.1.1:
https://review.openstack.org/#/c/130717/38/pages/release-notes/v5-1/050-known-issues.rst

Please also note, that if user disabled ping checker, that would bring back on original bug https://bugs.launchpad.net/fuel/+bug/1396126 for which that ping checker was created to resolve.

Then we do not perform public GW checks, we should expect that Public vip will not relocate after connection loss on the public nic of the controller node.
Hence, I think this option might be good only for dev deployments.

Reviewed: https://review.openstack.org/138446
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=c37df6f80484dd140571867fa218677e036b0d07
Submitter: Jenkins
Branch: master

commit c37df6f80484dd140571867fa218677e036b0d07
Author: Vladimir Kuklin <email address hidden>
Date: Tue Dec 2 20:20:26 2014 +0300

    Allow user to disable VIP ping resource

    Allow user to disable VIP ping resource
    if user does not need public network
    to be routable.

    Since 5.1.1 and 6.0 releases FUEL configures ping resource that checks whether default gateway is accessible in order to fix the corresponding bug:

    https://bugs.launchpad.net/fuel/+bug/1370510

    Nevertheless, this fix imposes the issue that if user does not have pingable default gateway, deployment of OpenStack cluster will fail as FUEL uses public VIP to configure some of OpenStack entities (e.g. floating ip pools). In order to work this around, user can specify any pingable host as a default gateway, e.g. FUEL master node or apply the patch above and change cluster attribute 'run_ping_checker' to 'false' that will disable the pinger resource. In order to do this user will need to use FUEL CLI and add this parameter manually to the deployment cluster attributes.

    Also, be aware that disabling of pinger will introduce back the corresponding bug https://bugs.launchpad.net/fuel/+bug/1370510

    DocImpact
    Change-Id: I9e1f29b5ee08ec7276175de213dcdae392251045
    Related-bug: #1396126

Adding some info on how to change cluster attribute 'run_ping_checker' to 'false' in order to disable public gateway pinger on controllers.

For HA environment you want to disable pinger for (env id 1 in the example below), please do the following:

* Download env deployment settings via Fuel CLI:
fuel --env 1 deployment default

* Add the following line to every controller yaml (including primary-controller):
run_ping_checker: 'false'

* Upload updated settings via Fuel CLI:
fuel --env 1 deployment upload

After that you can deploy changes.

This isn't a fix for the UX issue here.

We need to resolve at least one, if not both of these
1. Puppet continues running even through a critical resource is lacking (it should fail the deployment)
2. Nailgun needs to validate that this resource exists prior to allowing deployment since the network settings cant be changed after the deployment is started.

The 2nd point could be addressed as a part of granular deployment feature at Nailgun side. For example, as a post deploy verification step which should run after the networking configuration step.
The 1st point should be addressed in Astute orchestrator as well.
So what is the status of this issue? Should we split it into the two new ones?

Fix: it looks like the 1st step could be addressed in puppet manifests as well.

Actually, the latest improvements for pacemaker provider introduced in >=6.0 should fail the deployment when ping checker couldn't be run, so the 1st point should be addressed only for <6.0 cases

The network checker could as well report an error when public GW is not accessible from the nodes, and that could be a fix for UX from Nailgun side.

HA is now the default and only mode in the UI. Editing the deployment yaml is not manageable for nearly all of the users. This is therefor critical.

Adding a setting on the UI to toggle this will reduce it back to high.

The documentation part is addressed by https://review.openstack.org/154130

Currently this bug is blocked by https://bugs.launchpad.net/mos/+bug/1395822

Sorry, wrong link. There is right one: https://bugs.launchpad.net/mos/+bug/1427625

hudson marked this as in progress, but there is no link back to this can we get links?

Why was this reduced from critical, it was raised because of the impact of the failed result and in-ability for the average user to work around it. I've already identified the criteria to reduce it back to high and it doesn't appear to have been met.

Hi, Andrew.
See #1 to link.
Actually, I met this every day when I trying to deploy environment by system tests. It will just fail, if you don't have default gateway accessible, so I need to set it manually every time. It will also fail if you try to deploy next environment with default gateway from another subnet, so it should be set manually too for every of such deployments.

I'll repeat actual link with fix: https://review.openstack.org/#/c/137836/

Reviewed: https://review.openstack.org/137836
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=1e42e667db60922131efeca9c6be8a74c1204b00
Submitter: Jenkins
Branch: master

commit 1e42e667db60922131efeca9c6be8a74c1204b00
Author: Dmitry Ilyin <email address hidden>
Date: Fri Nov 28 20:15:07 2014 +0300

    Switch openrc to internal network

    If public gateway will not available, we can't connect to OpenStack
    services, cause by default all clients connect to public URL. This
    commit changes that behavior by change all URLs to 'internal' by default.

    Change-Id: If0609d37e80ee717f8cba7cb36e6a70154d0a8f2
    Partial-Bug: #1396126

Reviewed: https://review.openstack.org/156188
Committed: https://git.openstack.org/cgit/stackforge/fuel-docs/commit/?id=eb7b336c5e3af39e809dfaed7a5c2c0217945470
Submitter: Jenkins
Branch: master

commit eb7b336c5e3af39e809dfaed7a5c2c0217945470
Author: Dmitry Sutagin <email address hidden>
Date: Mon Feb 16 14:16:40 2015 +0300

    Adds a note about NetworkManager service in VBox guide

    NetworkManager may cause problems for clients using
    Fedora/Red Hat Enterprise Linux (CentOS?) and who try MOS in
    VirtualBox.

    Related-Bug: 1396126

    Change-Id: Ibe434e0d4fd1632c5eb9d16134ac41d2d289fd71

Verified on ISO #304 for CentOS with nova flat and neutron vlan

"build_id": "2015-04-10_22-54-31", "ostf_sha": "c2a76a60ec4ebbd78e508216c2e12787bf25e423", "build_number": "304", "release_versions": {"2014.2-6.1": {"VERSION": {"build_id": "2015-04-10_22-54-31", "ostf_sha": "c2a76a60ec4ebbd78e508216c2e12787bf25e423", "build_number": "304", "api": "1.0", "nailgun_sha": "69547a71abb4696df7e6f44b1f7864b0535f2df7", "openstack_version": "2014.2-6.1", "production": "docker", "python-fuelclient_sha": "9208ff4a08dcb674ce2df132399a5aa3ddfac21c", "astute_sha": "d96a80b63198a578b2c159edbd76048819039eb0", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "8daac234aea6ac0a98f27871deec039f74f6fdab", "fuellib_sha": "867028fe78837dc2e4635a2cbb976782856964d0"}}}, "auth_required": true, "api": "1.0", "nailgun_sha": "69547a71abb4696df7e6f44b1f7864b0535f2df7", "openstack_version": "2014.2-6.1", "production": "docker", "python-fuelclient_sha": "9208ff4a08dcb674ce2df132399a5aa3ddfac21c", "astute_sha": "d96a80b63198a578b2c159edbd76048819039eb0", "feature_groups": ["mirantis"], "release": "6.1", "fuelmain_sha": "8daac234aea6ac0a98f27871deec039f74f6fdab", "fuellib_sha": "867028fe78837dc2e4635a2cbb976782856964d0"

Related fix proposed to branch: stable/6.1
Review: https://review.openstack.org/194961

Reviewed: https://review.openstack.org/194961
Committed: https://git.openstack.org/cgit/stackforge/fuel-docs/commit/?id=0e26e7d7cc153d179ec34985645dd23cdd239ddb
Submitter: Jenkins
Branch: stable/6.1

commit 5cc5f0c643aebecaf3bf4580535a3ea7c3334a6c
Author: Mike Scherbakov <email address hidden>
Date: Tue Jun 23 13:43:35 2015 -0700

    Removed streamlined patching backend pieces

    Change-Id: I955e76ccdbd12a9145f4e9b689f80bdf9fcaf929

commit 563c4b5c78ebfcb1f4f91047c2919f6270f9a1d4
Author: Mike Scherbakov <email address hidden>
Date: Tue Jun 23 13:30:30 2015 -0700

    Removed outdated patching guide

    Change-Id: I76180c277789ade9c5ebedd19fe2092847c0b7d9

commit 8d120c14bec1ab41d448683ad146a3053a57c4ee
Author: Irina Povolotskaya <email address hidden>
Date: Tue Jun 23 19:59:11 2015 +0300

    Add dual hypervisor ref arch into 6.1 docs

    Change-Id: I900c24c9de878eafadbfc995aa879b7f55737fac

commit feebd1592d3305b64bbdfd0bc5fe108190aef120
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 18:38:17 2015 +0300

    [OPs guide] Running Ceilometer section edits

    1. conf file extract is updated
    2. note is updated

    Closes-bug: 1467817
    Change-Id: I0217e164108e0ba6c1397045a5e57d13ff429223

commit 44a93f9dead7511a3461ec35248dbb689c81eafd
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 18:04:40 2015 +0300

    [RN6_1] Final changes

    1. capitalization
    2. 2014.2 to 2014.2.2
    3. general improvements

    Change-Id: I45057e90c90550559f66bc67ccdf97a559fd9000

commit bb41389cae58084285688853281516b659686422
Author: evkonstantinov <email address hidden>
Date: Tue Jun 23 16:45:35 2015 +0300

    Update patching decription

    Update patching description with
    the standard Linux commands.

    Change-Id: Ia1a8346639c468fdfce15a11d2430bf3a4731244

commit bf3018fae3f2e564413d33aba6cdebf8868f0b4e
Author: OlgaGusarenko <email address hidden>
Date: Tue Jun 23 15:55:49 2015 +0300

    [RN6_1] Clean up

    1. Rearranges sections
    2. Improves RST
    3. Changes titles order

    Change-Id: I6110bf515667d3d6ba08ad35ff5d593dbc96641e

commit 1c7e4457808e8f2d6c56fdf31252170972e444b9
Author: Maria Zlatkova <email address hidden>
Date: Tue Jun 23 15:26:28 2015 +0300

    Replaces VBOX screenshots

    This patch:
    - replaces VBOX screenshots
    - changes the link for Download Mirantis VirtualBox scripts
     to https://docs.mirantis.com/openstack/fuel/fuel-master/#downloads

    Change-Id: I58dede960c5c3355d39b07ff44b757403f6af02c
    Closes-Bug: #1467872

commit 0a568bf53fc0e25d1d692d5d74b4a7b4d983bbcc
Author: evkonstantinov <email address hidden>
Date: Tue Jun 23 14:01:55 2015 +0300

    6.1 --separate repos

    change wording and add links to the
    separate repos feature.

    Change-Id: Ib5d0778a0d8f1534f79ed2f553574cb69a3150b0

commit 95a188b21cbdd064d92696b7920e6a0105fe0c56
Author: Maria Zlatkova <email address hidden>
Date: Tue Jun 23 12:07:28 2015 +0300

    Corrects the output 'pcs status'

    Changes the example outputs to appropriate ones.

    Change-Id: Ib6d83...

Change abandoned by Igor Shishkin (<email address hidden>) on branch: stable/5.1
Review: https://review.openstack.org/138448
Reason: This review is > 4 weeks without comment and currently blocked by a core reviewer with a -2. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and contacting the reviewer with the -2 on this review to ensure you address their concerns.

Fix proposed to branch: mos-8.0
Change author: Sergey Kolekonov <email address hidden>
Review: https://review.fuel-infra.org/10953

Reviewed: https://review.fuel-infra.org/10953
Submitter: Denis Egorenko <email address hidden>
Branch: mos-8.0

Commit: 07ebbeaa7093c9c222a5edea7ceaf087825a3999
Author: Sergey Kolekonov <email address hidden>
Date: Thu Sep 17 13:20:38 2015

Use internal url during authorization

If public gateway will not available, we can't connect to OpenStack
services, cause by default all clients connect to public URL. This
commit changes that behavior by changing URLs to 'internal' by default.

Fuel-specific
Partial-Bug: #1396126

Change-Id: I2d04f87c369674910f8de5ad5abbe7e7d878f641

Won't Fix for 5.1.1-updates and 6.0-updates as we don't expect new 5.1.1 and 6.0 deployments

Reopened and targeted to 9.2 as this issue was observed when deploying 9.0 cloud.

Closed, as it is a feature, not a bug. Please, read the documentation, we highlight something about it couple releases ago. Anyway, it is a duplicate of https://bugs.launchpad.net/fuel/+bug/1524640 for now.

The bug shouldn't be added to RN 9.2 (confirmed with Vitaly Sedelnik). Already described in RN 6.1 as a New feature [0].

[0]: https://docs.mirantis.com/openstack/fuel/fuel-6.1/release-notes.html#release-notes