api-services only bind to INTERNAL api address when not using haproxy with kolla-ansible

asked 2018-05-05 03:50:15 -0500

theque42

updated 2018-05-05 04:34:15 -0500

When deploying my Queens cloud with kolla-ansible and only using a single controller node (and therefore disabling haproxy, since it's not needed), it seems ALL the api-services only become functional on the internal-api addresses? So for instance:

[root@ctrl1 ~(admin)]# openstack endpoint list -c "Service Name" -c Interface -c URL  | grep "cinder|nova|neutron|Interface"
| Service Name | Interface | URL                                              |
| cinderv3     | internal  | http://172.16.101.100:8776/v3/%(tenant_id)s      |
| neutron      | public    | http://10.10.101.100:9696                        |
| cinder       | public    | http://10.10.101.100:8776/v1/%(tenant_id)s       |
| cinderv3     | public    | http://10.10.101.100:8776/v3/%(tenant_id)s       |
| cinderv3     | admin     | http://172.16.101.100:8776/v3/%(tenant_id)s      |
| cinderv2     | public    | http://10.10.101.100:8776/v2/%(tenant_id)s       |
| neutron      | admin     | http://172.16.101.100:9696                       |
| cinder       | admin     | http://172.16.101.100:8776/v1/%(tenant_id)s      |
| cinderv2     | admin     | http://172.16.101.100:8776/v2/%(tenant_id)s      |
| cinderv2     | internal  | http://172.16.101.100:8776/v2/%(tenant_id)s      |
| nova_legacy  | admin     | http://172.16.101.100:8774/v2/%(tenant_id)s      |
| neutron      | internal  | http://172.16.101.100:9696                       |
| nova         | public    | http://10.10.101.100:8774/v2.1/%(tenant_id)s     |
| nova_legacy  | public    | http://10.10.101.100:8774/v2/%(tenant_id)s       |
| cinder       | internal  | http://172.16.101.100:8776/v1/%(tenant_id)s      |
| nova         | admin     | http://172.16.101.100:8774/v2.1/%(tenant_id)s    |
| nova         | internal  | http://172.16.101.100:8774/v2.1/%(tenant_id)s    |
| nova_legacy  | internal  | http://172.16.101.100:8774/v2/%(tenant_id)s      |

But....

[root@ctrl1 ~(admin)]# lsof -Pni 2>&1 | egrep ":(8774|8776|9696).*LISTEN"
httpd       324     root    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
httpd       352       48    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
httpd       353       48    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
httpd       354       48    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
httpd       355       48    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
httpd       356       48    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
nova-api   7138    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7698    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7699    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7700    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7701    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7702    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7703    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7704    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
nova-api   7705    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
neutron-s 11177    42435    7u  IPv4  303113      0t0  TCP 172.16.101.100:9696 (LISTEN)
neutron-s 11212    42435    7u  IPv4  303113      0t0  TCP 172.16.101.100 ...
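As an added example (not from the original post and not part of kolla-ansible), the following Python script cross-checks the service catalog against the sockets actually listening on the controller. It uses constructed samples in the shape of the two outputs above (a trimmed `openstack endpoint list` table and a few `lsof -Pni` LISTEN lines) and reports every endpoint whose host:port has no local listener, treating a wildcard bind (0.0.0.0, *, [::]) as matching any host. On the single-node, no-haproxy deployment described above, that is exactly the set of public endpoints on 10.10.101.100.

```python
"""Cross-check OpenStack catalog endpoints against sockets that are really listening.

Added example; the sample inputs below are constructed to mirror the shapes of
`openstack endpoint list` and `lsof -Pni | grep LISTEN` output.
"""
import re
from urllib.parse import urlparse

# Constructed sample: trimmed rows in the shape of `openstack endpoint list`.
ENDPOINT_TABLE = """\
| Service Name | Interface | URL                                              |
| cinderv3     | internal  | http://172.16.101.100:8776/v3/%(tenant_id)s      |
| neutron      | public    | http://10.10.101.100:9696                        |
| cinderv3     | public    | http://10.10.101.100:8776/v3/%(tenant_id)s       |
| neutron      | admin     | http://172.16.101.100:9696                       |
| nova         | public    | http://10.10.101.100:8774/v2.1/%(tenant_id)s     |
| nova         | admin     | http://172.16.101.100:8774/v2.1/%(tenant_id)s    |
| nova         | internal  | http://172.16.101.100:8774/v2.1/%(tenant_id)s    |
"""

# Constructed sample: one LISTEN line per API process, as `lsof -Pni` prints them.
LSOF_LISTEN = """\
httpd       324     root    3u  IPv4  213971      0t0  TCP 172.16.101.100:8776 (LISTEN)
nova-api   7138    42436    7u  IPv4  260534      0t0  TCP 172.16.101.100:8774 (LISTEN)
neutron-s 11177    42435    7u  IPv4  303113      0t0  TCP 172.16.101.100:9696 (LISTEN)
"""

# Addresses that mean "every local interface" in lsof output.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

LISTEN_RE = re.compile(r"TCP\s+(\S+):(\d+)\s+\(LISTEN\)")


def parse_endpoints(table):
    """Return [(service, interface, host, port)] from the CLI table rows."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[1] == "Interface":   # skip header / junk rows
            continue
        service, interface, url = cells
        u = urlparse(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        rows.append((service, interface, u.hostname, port))
    return rows


def parse_listeners(lsof_output):
    """Return a set of (host, port) for every TCP LISTEN socket in lsof output."""
    listeners = set()
    for line in lsof_output.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            listeners.add((m.group(1), int(m.group(2))))
    return listeners


def listener_for(host, port, listeners):
    """True if a socket listens on host:port, or on a wildcard address with that port."""
    return any(p == port and (h == host or h in WILDCARDS) for h, p in listeners)


def unreachable_endpoints(table, lsof_output):
    """Catalog endpoints whose host:port nothing on this host is listening on."""
    listeners = parse_listeners(lsof_output)
    return [(svc, iface, f"{host}:{port}")
            for svc, iface, host, port in parse_endpoints(table)
            if not listener_for(host, port, listeners)]


if __name__ == "__main__":
    for svc, iface, hostport in unreachable_endpoints(ENDPOINT_TABLE, LSOF_LISTEN):
        print(f"{svc:10} {iface:9} {hostport} has no listener on this host")
```

To run it against a real controller, feed `unreachable_endpoints` the text of `openstack endpoint list` and `lsof -Pni` instead of the constructed samples; with haproxy enabled you would expect the public VIP to appear in the LISTEN set (bound by haproxy), so an empty result is the healthy state and any public row in the output is the symptom described in the question.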

Comments

Some services seem to use the bind_host parameter, others bind_ip, or, as nova and cinder, osapi_<name>_listen.... Just to simplify configuration :-}

theque42 (2018-05-05 12:31:25 -0500)

Binding to a specific IP is for security reasons; it won't work to allow access on any address in the host, because users could jump through networks. You can play with network_interface and api_interface to select on which interface IP address you want the services to be bound.

Eduardo Gonzalez (2018-05-08 02:54:51 -0500)

That doesn't make sense. AFAIK, the openstack service catalog should normally always have the internal, admin, and public interfaces, which implies that the api-servers should bind to different network addresses. The api_interface (and other similar parameters) are all configured on four different nets.

theque42 (2018-05-08 04:14:03 -0500)

Furthermore, I would like to know/find more information on what the current use of the different api endpoints (int/admin/public) is. In older installations I could see explicit pipeline differences, but what are the differences today? I can't see any different service behavior on the ones I've checked.

theque42 (2018-05-08 04:22:16 -0500)

public and internal endpoints are mostly the same in code; admin only allows admin tasks (IIRC that difference is being removed too).

Eduardo Gonzalez (2018-05-08 04:30:39 -0500)