horizon connection reset from external network

asked 2020-05-11 05:28:31 -0500

tekkafedora gravatar image

Hello, I have installed Openstack Queens on CentOS 7 with 3 controllers. At the end of overcloud deploy I got:

 2020-05-04 09:34:19Z [overcloud]: CREATE_COMPLETE  Stack CREATE completed successfully
 Stack overcloud CREATE_COMPLETE 
Host 172.23.0.231 not found in /home/stack/.ssh/known_hosts
Started Mistral Workflow tripleo.deployment.v1.get_horizon_url. Execution ID: 13b02fc2-dadf-41bb-8b68-ca1502e472b4
Overcloud Endpoint: http://172.23.0.231:5000/
Overcloud Horizon Dashboard URL: http://172.23.0.231:80/dashboard
Overcloud rc file: /home/stack/overcloudrc
Overcloud Deployed

Director node has its host ip on 172.19.0/24 network and during undercloud install it set up:

7: br-ctlplane: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 56:6f:3d:48:00:14 brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.220/24 brd 172.23.0.255 scope global br-ctlplane
       valid_lft forever preferred_lft forever
    inet 172.23.0.222/32 scope global br-ctlplane
       valid_lft forever preferred_lft forever
    inet 172.23.0.221/32 scope global br-ctlplane
       valid_lft forever preferred_lft forever
    inet6 fe80::546f:3dff:fe48:14/64 scope link 
       valid_lft forever preferred_lft forever
8: docker0: <no-carrier,broadcast,multicast,up> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:6a:09:7f:36 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever

From a desktop on the 172.23.0.0 network I'm able to access the dashboard, while from a desktop on another network (also the network of undercloud director for example, the 172.19.0.0) I receive a "the connection was reset" message in the browser (ERR_CONNECTION_RESET).

Is this the default expected setup usign tripleo? How can I change the configuration to allow connections coming from different networks? If I go on controller node where the cluster resource ip-172.23.0.231 resource is active I can see that:

Going into the haproxy container, the haproxy:

[root@ostack-ctrl1 ~]# docker exec -it haproxy-bundle-docker-1 bash
()[root@ostack-ctrl1 /]#
()[root@ostack-ctrl1 /]# more /etc/haproxy/haproxy.cfg 
....
listen horizon
  bind 172.23.0.231:80 transparent
  mode http
  cookie SERVERID insert indirect nocache
  option forwardfor
  option httpchk
  server ostack-ctrl1.internalapi.localdomain 172.23.0.227:80 check cookie ostack-ctrl1.internalapi.localdomain fall 5 i
nter 2000 rise 2
  server ostack-ctrl2.internalapi.localdomain 172.23.0.235:80 check cookie ostack-ctrl2.internalapi.localdomain fall 5 i
nter 2000 rise 2
  server ostack-ctrl0.internalapi.localdomain 172.23.0.238:80 check cookie ostack-ctrl0.internalapi.localdomain fall 5 i
nter 2000 rise 2
...

As the first in the chain is controller1, I go inside its horizon container and its config is this:

# docker exec -it horizon bash
()[root@ostack-ctrl0 /]# grep ^ALLOW /etc/openstack-dashboard/local_settings
ALLOWED_HOSTS = ['*', ]
()[root@ostack-ctrl0 /]# 

And the if I "tail -f horizon.log", when I try to open the horizon dashboard page coming from an ip on 172.19.0.0 network I see this inside it:

2020-05-11 12:18:38,961 61 ...
(more)
edit retag flag offensive close merge delete