Comment 1 for bug 1704746

Slobodan Blatnjak (sblatnjak) wrote:

Some more info on this...
-----------------------------------------------------
Orange reported issue "Impossible to access Contrail WebUI through HAProxy":
"I am currently facing a problem with a deployment of RedHat OSP 10 + Contrail 3.2.3: I am not able to connect to the Contrail WebUI using the Overcloud VIP on the External Network.
When trying to access the WebUI, the web browser tries to load the page but nothing happens.
Note that if I try to access the WebUI using the Contrail VIP (on the Contrail network), it works well. It seems that there is a misconfiguration in haproxy, leading to this issue.

Here is the configuration deployed in haproxy:
listen contrail_webui_https
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.19.2:8143 transparent
balance source
hash-type consistent
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
server 192.168.19.10 192.168.19.10:8143 check fall 5 inter 2000 rise 2
server 192.168.19.11 192.168.19.11:8143 check fall 5 inter 2000 rise 2

172.20.71.115 is the VIP on the External network; when I try to access it, it doesn't work.
192.168.19.2 is the VIP on the Contrail Network; when I try to access it, it works."
-----------------------------------------------------

Below is the communication with Orange, broken down into 3 points:

1. Manual procedure

Changing:
bind 172.20.71.115:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
To:
bind 172.20.71.115:8143 transparent
resolves the problem of access to the webui. However, this certificate is not used anymore for the contrail webui. Instead of this Orange certificate, you get Contrail's default self-signed certificate when accessing the webui. (Btw, as you have already found, this is because of:
server 192.168.19.9 192.168.19.9:8143 check fall 5 inter 2000 rise 2
... in the haproxy settings, and config.server_options.key_file and config.server_options.cert_file in the /etc/contrail/config.global.js webui settings, which are probably set to look at the default certificate.)

This is not acceptable since you can't change this default certificate for now (for this we have ER-075586 - Custom SSL certificate for Contrail WebUI).

You have a solution that could be more acceptable. Instead of removing the "ssl crt ..." instruction on the "bind" line, you added "ssl verify none" on the "server" lines, giving this solution:
listen contrail_webui_https
bind 192.168.213.12:8143 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
bind 192.168.215.12:8143 transparent
balance source
hash-type consistent
server 192.168.215.18 192.168.215.18:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.19 192.168.215.19:8143 check fall 5 inter 2000 rise 2 ssl verify none
server 192.168.215.20 192.168.215.20:8143 check fall 5 inter 2000 rise 2 ssl verify none

This manual solution worked well and is acceptable to you. The user now gets the Orange overcloud-signed certificate.
You want this to be implemented in point 2 (Managed by RH Director) and you are concerned with point 3 in your design (HAProxy "balance source").

2. Managed by RH Director

You want HAProxy's configuration to be managed by RH Director / Contrail deployment scripts only. Contrail's deployment (through Director) must deploy this configuration. How to achieve this through Contrail templates?
* Juniper Contrail Engineering will look at it while working on mentioned ER-075586.

3. HAProxy balance algorithm

There is a "balance source" instruction in the configuration. You are using a reverse proxy in front of the openstack/contrail platform, making all requests come from a unique source (the reverse proxy). You are concerned that this configuration will prevent requests from being properly load-balanced between the Contrail webui nodes.
* "balance roundrobin" could be used in this case (https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-balance)
But let me create a follow-up case for this point to confirm with engineering. If balance source doesn't work in your design, we would need to make sure that this parameter is also changed in https://github.com/Juniper/contrail-tripleo-puppet/blob/stable/newton/manifests/haproxy.pp#L732.

Can you please confirm my understanding that the manual procedure works for you, and that you want this to be managed by RHOSPd (point 2), with the concerns from point 3 related to your design?
-----------------------------------------------------

You understood our concerns very well: I confirm that the manual procedure works for us, and that we want the HAProxy configuration to be managed by Director during the deployment with the Contrail templates.