OpenStack nova service responds with an erroneous httpd redirect to a "GET,version_controller,show" request.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Eric Fried | |
Bug Description
Description:
When a client, e.g. the OpenStack dashboard, makes a nova service request of "http://
1. If, for security reasons, you place the nova service behind an SSL termination proxy, the redirect generated as follows:
from : https:/
to : http://
is invalid because the proxy_port requires encrypted traffic and the replacement URL is using the wrong protocol (http). The request fails on the client side with "Unable to establish connection to http://
2. Even if we are not using a proxy server, the nova service is effectively complaining about a missing trailing forward slash ("/"), telling the client to reissue the same request but with the missing character. This creates unnecessary network traffic (the redirect plus a second request) and additional server load (two requests instead of one). It should be noted that "http://
Solution:
Replace the first ROUTE_LIST entry (and associated comments) in nova.api.
# NOTE: This is a redirection from '' to '/'. The request to the '/v2.1'
# or '/2.0' without the ending '/' will get a response with status code
# '302' returned.
('', '/'),
to:
# The following 3 lines replace a redirect specification that caused additional network traffic and load. See bug #xxxxx.
('', {
'GET': [version_
I've applied/tested a fix/workaround here: https:/
To recreate:
1. Install OpenStack (ocata/pike) as per https:/
2. Monitor network traffic (tcpdump) on client.
3. Log in to the dashboard, and view compute-
To see "Unable to establish connection to http://
4. Install HAProxy.
5. Serve the nova public endpoint via the SSL termination proxy server. Our HAProxy configuration for this is as follows:
frontend nova_public
    bind controller_
    reqadd X-Forwarded-Proto:\ https
    default_backend nova_internal
backend nova_internal
    redirect scheme https code 301 if !{ ssl_fc }
    server controller controller:8774 check
6. Redefine the nova public endpoint in the sql database:
mysql -ukeystone -p
connect keystone;
update endpoint set url="https:/
7. Dashboard will display "Unable to retrieve usage data" red flag each time the project overview page is displayed, and the http error log will report the connection failure.
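The redirect failure from point 1 and the two ways around it, as an added example that is not nova's code or part of the original report. It is a stdlib-only WSGI sketch; `redirecting_app`, `trust_forwarded_proto`, `direct_app`, `call` and the host `controller.example` are hypothetical names chosen for illustration.

```python
# Added illustration, not nova code: every name and the host are hypothetical.

def redirecting_app(environ, start_response):
    """Mimics the ('', '/') route: answer '' with a 302 to the same URL plus '/'."""
    if environ.get("PATH_INFO", "") == "":
        # The absolute Location is rebuilt from the WSGI environ, so it carries
        # the scheme of the proxy-to-backend hop, not the one the client used.
        location = "%s://%s%s/" % (environ["wsgi.url_scheme"],
                                   environ["HTTP_HOST"], environ["SCRIPT_NAME"])
        start_response("302 Found", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"version": {}}']

def trust_forwarded_proto(app):
    """Mitigation A: adopt the scheme the TLS-terminating proxy reports.
    Only safe when the backend is reachable solely through that proxy and the
    proxy overwrites any client-supplied X-Forwarded-Proto."""
    def wrapped(environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return app(environ, start_response)
    return wrapped

def direct_app(environ, start_response):
    """Mitigation B (the report's approach): serve '' directly, no redirect."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"version": {}}']

def call(app, forwarded_proto=None):
    """Drive one constructed GET for /v2.1 (no trailing slash) through app."""
    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": "http",
               "HTTP_HOST": "controller.example:8774",
               "SCRIPT_NAME": "/v2.1", "PATH_INFO": ""}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, location=dict(headers).get("Location"))
    b"".join(app(environ, start_response))
    return seen["status"], seen["location"]

if __name__ == "__main__":
    for app in (redirecting_app, trust_forwarded_proto(redirecting_app), direct_app):
        print(call(app, forwarded_proto="https"))
```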
Changed in nova:
assignee: nobody → Colin Leavett-Brown (crlb-f)
status: New → In Progress
tags: added: api
Changed in nova:
assignee: Colin Leavett-Brown (crlb-f) → Eric Fried (efried)
Changed in nova:
assignee: Eric Fried (efried) → melanie witt (melwitt)
Changed in nova:
assignee: melanie witt (melwitt) → Eric Fried (efried)
importance: Undecided → Medium
Fix proposed to branch: master
Review: https://review.openstack.org/516796