OpenStack-Ansible

SoftwareDeployment Heat resource can not poll internal heat API

Bug #1432742 reported by Miguel Alejandro Cantu
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack-Ansible
Fix Released
Low
Miguel Alejandro Cantu

Bug Description

os-collect-config, the application responsible for polling information from heat, determines which API to poll by using the 'heat_metadata_server_url' directive in the heat.conf file. From my understanding of our current ref arch, VMs are not be able to hit internal endpoints, which is the current implementation for 'heat_metadata_server_url. This ultimately renders the SoftwareDeployment Heat resource in-operable by making it unable to poll the Heat internal API.

See:
https://github.com/stackforge/os-ansible-deployment/blob/master/playbooks/roles/os_heat/defaults/main.yml#L79
https://github.com/openstack/heat/blob/master/heat/engine/resources/openstack/nova/server.py#L413

Miguel Alejandro Cantu (miguel-cantu)
Changed in openstack-ansible:
assignee: nobody → Miguel Alejandro Cantu (miguel-cantu)
Revision history for this message
Miguel Grinberg (miguelgrinberg) wrote :

In my experience this works fine, as long as the load balancer is configured properly. There isn't anything architecture-wise that prevents instances from hitting the load balancer.

Note that this is not only required for software config resources, but also for wait conditions and any other heat resources that accept signals.

Revision history for this message
Kevin Carter (kevin-carter) wrote :

@Miguel Alejandro Cantu (miguel-cantu) - when you have time might you be able to respond to Miguel Grinberg (miguelgrinberg) regarding the architecture and the reasoning for the change?

As a side note in master this can be set on a per deployment basis using user_variables.yml and adding in an entry for:
heat_metadata_server_url: "{{ heat_service_proto }}://{{ external_lb_vip_address }}:{{ heat_cfn_service_port }}"

Does this solve the issue without changing the default?

Changed in openstack-ansible:
status: New → Incomplete
Revision history for this message
Miguel Alejandro Cantu (miguel-cantu) wrote :

Hey miguelgrinberg. It was my understanding that in the ref arch, internal APIs shouldn't be accessible from VMs. Is it okay for VMs to have access to the internal openstack APIs?

kevin-cater: Yes! That would definitely fix the issue. This might be a better approach since there is no way of telling if a deployment will be using Heat resources that require access to the heat APIs. The user can just add the override if need be.
It's ultimately up to you guys if you want to keep the default the same, or change it. I talked to James D. and walked away with the understanding that VMs shouldn't have access to internal APIs. I could have been mistaken, however :)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/164785
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=9d715dbc0a64a6343532cf972403c9c71503cf97
Submitter: Jenkins
Branch: master

commit 9d715dbc0a64a6343532cf972403c9c71503cf97
Author: elextro <email address hidden>
Date: Mon Mar 16 12:08:10 2015 -0500

    Change heat_metadata_server_url to external API.

    This PR changes this directive to use the external API, which is needed
    for Heat SoftwareDeployments. See the bug description.

    Change-Id: I04c3bebe77e13e0db21292409a32f24a11788a6f
    Closes-Bug: #1432742

Changed in openstack-ansible:
status: Incomplete → Fix Committed
Kevin Carter (kevin-carter)
Changed in openstack-ansible:
importance: Undecided → Low
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.