haproxy SSL, nova console set to http on the horizon link

Bug #1630950 reported by admin0
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Jesse Pretorius

Bug Description

Hi,

stable/newton

SSL is via haproxy.

When you go to instances and click console: the text is:

"If console is not responding to keyboard input: click the grey status bar below. Click here to show only console To exit the fullscreen mode, click the browser's back button."

the "Click here to show only console" opens in a link that is only http://

however, the working one is https://

## config

 global_overrides:
   internal_lb_vip_address: cloud101int.stack31.com
   external_lb_vip_address: cloud101.stack31.com

 haproxy_hosts:
   c14:
     ip: 172.29.236.14
   c15:
     ip: 172.29.236.15
   c16:
     ip: 172.29.236.16

## variables

haproxy_keepalived_external_vip_cidr: "10.11.12.3/22"
haproxy_keepalived_internal_vip_cidr: "172.29.236.3/22"
haproxy_keepalived_external_interface: ens2
haproxy_keepalived_internal_interface: br-mgmt

haproxy_keepalived_external_virtual_router_id: 10
haproxy_keepalived_internal_virtual_router_id: 11

haproxy_user_ssl_cert: /opt/stack31.crt
haproxy_user_ssl_key: /opt/stack31.key

admin0 (shashi-eu) wrote :

html5proxy_base_url = , it is http:// there, instead of https://

Praveen N (praveenn)
Changed in openstack-ansible:
assignee: nobody → Praveen N (praveenn)
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

nova_spice_html5proxy_base_proto should be set to https.

Jean-Philippe Evrard (jean-philippe-evrard) wrote :

I'll be more precise on my comment:

I suppose you're using spice and not novnc.

Due to the way spice works, the connection from the end-user has to be transparently forwarded to the console. If possible, the spice data protocol should match the one of the frame (so https in your case).

By default, the protocol for spice is set to http, so you'll have to override this by setting nova_spice_html5proxy_base_proto to https.

We currently don't provide a group_vars setting that checks if horizon is on https to set the spice in https.
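
A check for the mismatch discussed in this thread, as an added example that is not part of the original comments or of the OpenStack-Ansible code: it parses nova.conf text and reports every console that is not explicitly disabled and whose base URL scheme differs from the public endpoint protocol. The sample config is constructed (hostname from the report; ports, paths and the `[vnc]` values are assumptions).

```python
import configparser
from urllib.parse import urlsplit

# Console URL options that nova hands to Horizon: (section, option).
CONSOLE_OPTIONS = [("spice", "html5proxy_base_url"),
                   ("vnc", "novncproxy_base_url")]

# Constructed sample reproducing the reported state: TLS terminates on
# haproxy, but the spice console URL is still plain http.
SAMPLE_NOVA_CONF = """
[spice]
enabled = True
html5proxy_base_url = http://cloud101.stack31.com:6082/spice_auto.html
[vnc]
enabled = False
novncproxy_base_url = http://cloud101.stack31.com:6080/vnc_auto.html
"""


def console_scheme_findings(conf_text, public_proto="https"):
    """Return (section, option, url) for each console that is not
    explicitly disabled and whose URL scheme is not public_proto."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section, option in CONSOLE_OPTIONS:
        if not cp.has_option(section, option):
            continue
        # Skip consoles the operator switched off with "enabled = False".
        if not cp.getboolean(section, "enabled", fallback=True):
            continue
        url = cp.get(section, option).strip()
        if urlsplit(url).scheme.lower() != public_proto.lower():
            findings.append((section, option, url))
    return findings


if __name__ == "__main__":
    for section, option, url in console_scheme_findings(SAMPLE_NOVA_CONF):
        print(f"[{section}] {option} = {url}  (expected https)")
```

Run against the rendered nova.conf in the nova container after setting `nova_spice_html5proxy_base_proto: https`; an empty result means the console link will no longer leave the HTTPS frame.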

admin0 (shashi-eu) wrote :

"I suppose you're using spice and not novnc."

I am just following the installation guide, and assuming things will work.
Nothing in the guide pointed (up to the after-deployment) that I can select one or the other.

So in this remark, the default ansible-installation selected spice in the installation and not the novnc.

I will retry with: nova_spice_html5proxy_base_proto: https and report back

admin0 (shashi-eu) wrote :

nova_spice_html5proxy_base_proto: https fixed the console!!

admin0 (shashi-eu) wrote :

For people using https:// (shouldn't this even be the default?), should this go to the documentation?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/384377

Changed in openstack-ansible:
assignee: Praveen N (praveenn) → Jesse Pretorius (jesse-pretorius)
status: New → In Progress
Changed in openstack-ansible:
importance: Undecided → Medium
Jesse Pretorius (jesse-pretorius) wrote :

I have tested and confirmed with an AIO that https://review.openstack.org/384377 ensures that the protocol is appropriately detected and implemented for the console endpoint without any user intervention.

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_nova (master)

Reviewed: https://review.openstack.org/384377
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=8fc0304b6616bc738e25cdb7ee84fa302b7a1aef
Submitter: Jenkins
Branch: master

commit 8fc0304b6616bc738e25cdb7ee84fa302b7a1aef
Author: Jesse Pretorius <email address hidden>
Date: Mon Oct 10 10:09:29 2016 +0100

    Ensure that novnc/spice consoles use the public endpoint protocol

    When using HTTPS as the public endpoint protocol, the novnc/spice
    console endpoint provided must also be HTTPS.

    This patch ensures that the novnc/spice console endpoint keys off
    the general OpenStack service protocol set for the public endpoints.

    It still remains possible to override the endpoint protocol, if
    necessary.

    Closes-Bug: #1630950
    Closes-Bug: #1630953
    Change-Id: If3c751adfc4cb74c3230db1c8d4f1c9c3672bea8

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_nova (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/385011

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_nova (stable/newton)

Reviewed: https://review.openstack.org/385011
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=27d42de97d9b76ed29f285d35b909fbf45fbf92c
Submitter: Jenkins
Branch: stable/newton

commit 27d42de97d9b76ed29f285d35b909fbf45fbf92c
Author: Jesse Pretorius <email address hidden>
Date: Mon Oct 10 10:09:29 2016 +0100

    Ensure that novnc/spice consoles use the public endpoint protocol

    When using HTTPS as the public endpoint protocol, the novnc/spice
    console endpoint provided must also be HTTPS.

    This patch ensures that the novnc/spice console endpoint keys off
    the general OpenStack service protocol set for the public endpoints.

    It still remains possible to override the endpoint protocol, if
    necessary.

    Closes-Bug: #1630950
    Closes-Bug: #1630953
    Change-Id: If3c751adfc4cb74c3230db1c8d4f1c9c3672bea8
    (cherry picked from commit 8fc0304b6616bc738e25cdb7ee84fa302b7a1aef)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/385370

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (stable/newton)

Reviewed: https://review.openstack.org/385370
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=0d824ce48db89e872caca5e579152caf3a79f005
Submitter: Jenkins
Branch: stable/newton

commit 0d824ce48db89e872caca5e579152caf3a79f005
Author: Jesse Pretorius <email address hidden>
Date: Wed Oct 12 10:46:05 2016 +0100

    Update role SHAs for 14.0.0 2016-10-12

    Related-Bug: #1627174
    Related-Bug: #1631158
    Related-Bug: #1630950
    Related-Bug: #1630953
    Related-Bug: #1631362
    Closes-Bug: #1631922
    Closes-Bug: #1631924
    Closes-Bug: #1631927

    Change-Id: I3657bf31136b5d00931bedc8c7cd7109a31c5c5f

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova 14.0.0.0rc3

This issue was fixed in the openstack/openstack-ansible-os_nova 14.0.0.0rc3 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova 15.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-os_nova 15.0.0.0b1 development milestone.
