novncproxy base uri should use host/FQDN instead of IP

Bug #1971175 reported by Alexander Binzxxxxxx
Affects: OpenStack-Ansible | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none listed

Bug Description

nova_novncproxy_base_uri uses the load balancer IP instead of the hostname or FQDN. This causes SSL certificates to be rejected, since they may not include IPs (like in a wildcard cert).
I recommend switching to something like:
nova_novncproxy_base_uri: "{{ nova_novncproxy_proto }}://{{ horizon_server_name }}:{{ nova_novncproxy_port }}"

tags: added: horizon
tags: added: haproxy
tags: added: console nova
Revision history for this message
Jonathan Rosser (jrosser) wrote :

Could you please give some more information about how you have set up your deployment, particularly SSL certificates for the external VIP and what you have configured external_lb_vip_address as?

Revision history for this message
Alexander Binzxxxxxx (devil000000) wrote :

The configuration is quite minimal and quite default for openstack-ansible (release xena).

As said, the SSL certificate is a wildcard certificate (e.g. *.example.com) and haproxy is configured to use it via:
haproxy_user_ssl_cert: '$some_path'
haproxy_user_ssl_key: '$some_path'
The external LB virtual IP address is set like this:
external_lb_vip_address: '192.168.10.200'

The nova_novncproxy_base_uri is by default built from external_lb_vip_address (so an IP-based URI/URL instead of a host/FQDN-based one). The SSL wildcard certificate will not include the IP in the SAN part (which would be very unusual for a wildcard certificate to have, and would be unusual for other certificates as well). So as soon as the console tab is opened, the iframe loads the console via the IP-based URL, causing the browser to complain about a certificate and target mismatch, and the console request gets blocked.

The correct thing is to use the FQDN in all URLs, including the nova console ones.

Not sure what other information you need. Don't hesitate to ask if you need more information, but please tell me exactly what you need.
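
A pre-deployment check that reproduces the mismatch described above, as an added example that is not part of this bug report or of openstack-ansible. It builds the console base URI from external_lb_vip_address the way the thread describes the default, then matches the resulting host against a certificate's SAN entries the way a browser does; the proto/port defaults, the SAN lists and the addresses are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit


def build_novncproxy_base_uri(external_lb_vip_address, proto="https", port=6080):
    """Mirror the default described in the thread: the URI is built from
    external_lb_vip_address, whatever it holds (IP or FQDN). Defaults assumed."""
    return f"{proto}://{external_lb_vip_address}:{port}"


def _dns_name_matches(pattern, host):
    """RFC 6125-style matching: a wildcard is honoured only as the whole
    left-most label and never spans a dot (*.example.com covers
    cloud.example.com but neither example.com nor a.b.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(san_dns, san_ip, host):
    """Browsers match a hostname only against dNSName SANs and an IP literal
    only against iPAddress SANs; a wildcard dNSName never covers an IP."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return any(_dns_name_matches(p, host) for p in san_dns)
    return any(ipaddress.ip_address(s) == ip for s in san_ip)


def check_console_uri(external_lb_vip_address, san_dns, san_ip=()):
    """Return (uri, ok): the console base URI the deployment would produce
    and whether the certificate on the VIP would be accepted for it."""
    uri = build_novncproxy_base_uri(external_lb_vip_address)
    return uri, cert_covers_host(san_dns, san_ip, urlsplit(uri).hostname)


# Constructed sample: a wildcard certificate for *.example.com with no IP SAN.
WILDCARD_SAN_DNS = ["*.example.com"]

if __name__ == "__main__":
    for vip in ("192.168.10.200", "cloud.example.com", "example.com"):
        uri, ok = check_console_uri(vip, WILDCARD_SAN_DNS)
        print(f"{uri:<35} {'OK' if ok else 'CERT MISMATCH'}")
```

Only the FQDN that sits under the wildcard passes; the bare IP fails unless the certificate carries a matching iPAddress SAN, and the apex name fails because the wildcard does not cover it.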

Revision history for this message
Jonathan Rosser (jrosser) wrote (last edit ):

I think that we expect external_lb_vip_address to be set to your FQDN rather than the IP in a production deployment; you should then find that the FQDN gets used in the places which build URLs during the deployment rather than the IP.

See https://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/openstack_user_config.yml.prod.example#L21

Revision history for this message
Jonathan Rosser (jrosser) wrote :

For what it's worth, I expect that not setting the external VIP to your FQDN might also be related to your other bug https://bugs.launchpad.net/openstack-ansible/+bug/1971179

Revision history for this message
Alexander Binzxxxxxx (devil000000) wrote :

Understood, you expect external_lb_vip_address to hold an FQDN.
The key name suggests to me "virtual IP" and "address", not "hostname" or "FQDN". Also, I think I have seen this in basically all examples with an IP rather than an FQDN given, but I may be wrong on this one.

About the ticket relation: The legacy mode issue is as far as I can tell unrelated. The direct mode issue could be related.

Revision history for this message
Alexander Binzxxxxxx (devil000000) wrote :

I retested with your suggestion.
Setting external_lb_vip_address to the FQDN sets nova_novncproxy_base_uri correctly. That solved this issue for me. Maybe you want to document that more clearly or change the key name; see my last comment.
About https://bugs.launchpad.net/openstack-ansible/+bug/1971179:
it also partially helps with the image upload but does not solve it; see that ticket for details.

Revision history for this message
Dmitriy Rabotyagov (noonedeadpunk) wrote :

Yeah, we totally need to document that in a better way. The only mention that it's supposed to be an FQDN I can find is here: https://opendev.org/openstack/openstack-ansible/src/branch/master/etc/openstack_deploy/openstack_user_config.yml.pod.example#L33-L36

While it's not the most obvious place to look for it...

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)
Changed in openstack-ansible:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842132
Committed: https://opendev.org/openstack/openstack-ansible/commit/9bce86e4a3c466b1eade6e2c8290d208346e43ac
Submitter: "Zuul (22348)"
Branch: master

commit 9bce86e4a3c466b1eade6e2c8290d208346e43ac
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue May 17 16:51:35 2022 +0200

    [doc] Be even more explicit about lb_vip_address

    Add in several places in doc mentions that lb_vip_address can also be
    an FQDN, not necessarily an IP

    Closes-Bug: #1971175
    Change-Id: I812674728990fcbfb234db403c8ea5d4eefb6354

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/842327

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/842328

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/842329

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842327
Committed: https://opendev.org/openstack/openstack-ansible/commit/21e5e231255d795ca728129f902016253ee17fde
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 21e5e231255d795ca728129f902016253ee17fde
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue May 17 16:51:35 2022 +0200

    [doc] Be even more explicit about lb_vip_address

    Add in several places in doc mentions that lb_vip_address can also be
    an FQDN, not necessarily an IP

    Closes-Bug: #1971175
    Change-Id: I812674728990fcbfb234db403c8ea5d4eefb6354
    (cherry picked from commit 9bce86e4a3c466b1eade6e2c8290d208346e43ac)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842328
Committed: https://opendev.org/openstack/openstack-ansible/commit/bb0fbdba30b6f99de4cd266ad5bbd7371f6f6b8b
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit bb0fbdba30b6f99de4cd266ad5bbd7371f6f6b8b
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue May 17 16:51:35 2022 +0200

    [doc] Be even more explicit about lb_vip_address

    Add in several places in doc mentions that lb_vip_address can also be
    an FQDN, not necessarily an IP

    Closes-Bug: #1971175
    Change-Id: I812674728990fcbfb234db403c8ea5d4eefb6354
    (cherry picked from commit 9bce86e4a3c466b1eade6e2c8290d208346e43ac)

tags: added: in-stable-wallaby
tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/842329
Committed: https://opendev.org/openstack/openstack-ansible/commit/e373a78f964479e462b7babf46872a0a0ebe7fe1
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit e373a78f964479e462b7babf46872a0a0ebe7fe1
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue May 17 16:51:35 2022 +0200

    [doc] Be even more explicit about lb_vip_address

    Add in several places in doc mentions that lb_vip_address can also be
    an FQDN, not necessarily an IP

    Closes-Bug: #1971175
    Change-Id: I812674728990fcbfb234db403c8ea5d4eefb6354
    (cherry picked from commit 9bce86e4a3c466b1eade6e2c8290d208346e43ac)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 23.3.1

This issue was fixed in the openstack/openstack-ansible 23.3.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 24.3.0

This issue was fixed in the openstack/openstack-ansible 24.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 25.0.0.0b1

This issue was fixed in the openstack/openstack-ansible 25.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible victoria-eom

This issue was fixed in the openstack/openstack-ansible victoria-eom release.
