Fix bind host issue when kolla_external_address is different than kolla_internal address
In current kolla ansible deployment, when kolla_external_
different than kolla_internal_
shown in the following example.
export OS_PASSWORD=
export OS_AUTH_URL=http://
[root@kolla-
+------
| Field | Value |
+------
| adminurl | http://
| enabled | True |
| id | 86a90f8548704b5
| internalurl | http://
| publicurl | http://
| region | RegionOne |
| service_id | f2af7b31ea174d8
| service_name | glance |
| service_type | image |
+------
[root@kolla-
Unable to establish connection to http://
This is because the Ansible-generated glance-api.conf only binds to the
interface with the internal address, e.g.,
bind_host = 192.168.27.102
After I change to "bind_host = 0.0.0.0", glance-api endpoint can be accessed.
So my colleague Marcio (launchpad ID: marcios) proposed a solution to this.
If kolla_external_
    If enable_haproxy == "Yes"
        Add both private interface and public interface to the backend server for that service.
    else
        set bind_host = 0.0.0.0 in the service configuration file (e.g., glance-api.conf.j2)
This should be able to be implemented in Ansible.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: Hui Kang
- Direction: Needs approval
- Assignee: None
- Definition: Discussion
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by:
Whiteboard
This is not a mistake, but rather a design. We will not be binding to 0.0.0.0 under any circumstances. But you as the deployer can update your configs to bind to 0.0.0.0 if you wish. All services should be able to reach other services via the internal address. Where this is not the case services have ways to point to different catalog entries (check our cinder.conf template). To reiterate, the services should _not_ be binding to the external addresses under any circumstance (unless your external address is your internal address). --SamYaple
I totally agree with Sam. Binding to 0.0.0.0 is totally sloppy. My suspicion is the problem I think you really have in your environment is you have two NIC interfaces on your glance node and one is internal and one is external. Binding to 0.0.0.0 works because it binds to all interfaces (the internal and the external one). That is the only logical explanation for why this approach would work for you. Binding as you propose could possibly be a security risk - I am not certain, but we are not doing it. --sdake
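An added example, not part of the blueprint or of Kolla's own code: a small audit that classifies the bind_host value in a service configuration file such as glance-api.conf, so a deployer who overrides the template can see which services listen on all interfaces. The function name, the sample configs and the external address 203.0.113.10 are constructed for illustration; 192.168.27.102 is the internal address quoted above.

```python
import configparser
import ipaddress

# Constructed samples in the style of the glance-api.conf discussed above.
SAMPLE_INTERNAL = """
[DEFAULT]
bind_host = 192.168.27.102
bind_port = 9292
"""

SAMPLE_WILDCARD = """
[DEFAULT]
bind_host = 0.0.0.0
bind_port = 9292
"""


def audit_bind_host(conf_text, internal_address, external_address=None):
    """Classify the [DEFAULT] bind_host of one service config (hypothetical helper).

    Returns "internal-only", "wildcard", "external", "other" or "unset".
    "unset" means the service falls back to its own built-in default.
    """
    # interpolation=None: service configs may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get("DEFAULT", "bind_host", fallback=None)
    if raw is None or not raw.strip():
        return "unset"
    try:
        addr = ipaddress.ip_address(raw.strip().strip("\"'"))
    except ValueError:
        return "other"  # hostname or unrendered template variable
    if addr.is_unspecified:  # 0.0.0.0 or :: listens on every interface
        return "wildcard"
    if addr == ipaddress.ip_address(internal_address):
        return "internal-only"
    if external_address and addr == ipaddress.ip_address(external_address):
        return "external"
    return "other"


if __name__ == "__main__":
    for name, text in (("internal", SAMPLE_INTERNAL), ("wildcard", SAMPLE_WILDCARD)):
        print(name, audit_bind_host(text, "192.168.27.102", "203.0.113.10"))
```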