Add config parameter os.region

[ggiamarchi]

To make possible to specify the OpenStack region for endpoints selection.

[vinsh]

Hi Guillaume,
I came up to say hi/introduce my self after the great talk your team gave on this plugin in Paris. Right from the start, the lack of specifying a region is a snag. We have many regions with all services in those regions. This means that I have to specify up to 9 specific urls to direct this plugin to a region. I notice the older 'vagrant-openstack-plugin' had support for regions. I understand this might be non trivial to add to your plugin due to a new design. I'll take a look at it also, so this comment is mainly a big +1 on this enhancement.

[ggiamarchi]

Hi Adam,
Thank you very much for your feedback, we really appreciate. About region, i agree it is tedious to have to specify all the endpoints URL manually and i am currently working on an implementation to support regions. Actually, it is not too complicated to handle regions when the keystone service catalog is correctly configured. However, some public cloud provider configure the service catalog in a way that it is not completely compliant with the "normal way". Nevertheless, i'm not so far from a satisfactory implementation and it will be merged into the master branch in a few days, i hope.

[vinsh]

Great to hear! I'll be ready to test when you do.

[ggiamarchi]

@vinsh, this one is available in the fresh release 0.6.0. Don't hesitate to test it against your OpenStack and to give us your feedback.

[vinsh]

Yes! Thank you for the good work here. Testing to start now. We have 2 regions to work against now and will likely be flipping between each often.

[vinsh]

@ggiamarchi

Let me know if you want a new issue opened for some of these findings:

I have set the following in my Vagrantfile:

            os.region = "#{ENV['OS_REGION_NAME']}"
            os.openstack_auth_url = "#{ENV['OS_AUTH_URL']}/tokens"

I have to specify an auth_url as just specifying region alone wont work.
The readme has something like "specified vagrant will authenticate against the UK authentication endpoint"

But this doesn't make sense in a general use case(no UK endpoint here..).. i'm using a private openstack cloud and without an auth_url in the vagrant file... it has no url to default to.

Next issue is that my network endpoint is https. By default this provider attempts to connect to the http endpoint.

==> dev02-build-001: Finding network(s) for server...
2014-12-01 16:46 | DEBUG | get_networks - start
2014-12-01 16:46 | DEBUG | request  => method  : GET
2014-12-01 16:46 | DEBUG | request  => url     : http://

This fails. I have to specify my https url in the vagrant file for openstack_network_url to get it working.

I would expect that the region support should only require the region and the openstack_auth_url.. and interpret http vs https based on the authurl... and then use that for the other endpoints.

[ggiamarchi]

About your first point, this is just an error in the README because it is inherited from the vagrant-rackspace plugin but there's nothing about that in the code. I just fixed the documentation.

About the protocol error, the plugin never choose to use http or https. It just use what it gets in the catalog. But, even if the neutron endpoint is well configured in https in the Keystone service catalog it is not enough because the neutron URL in the catalog is only used to get the neutron version list (with URLs) to choose the URL of the desired neutron version.

There is a common mistake when using https endpoints on OpenStack. Let's say in your Keystone service catalog you have the neutron service configured with something like :

{
    "endpoints": [
        {
            "adminURL": "http://admin.regionone.neutron",
            "region": "regionOne",
            "internalURL": "http://internal.regionone.neutron",
            "id": "709384a4c86a47abebc3b30e5a03605f",
            "publicURL": "https://public.regionone.neutron"
        },
        {
            "adminURL": "http://admin.regiontwo.neutron",
            "region": "regionTwo",
            "internalURL": "http://internal.regiontwo.neutron",
            "id": "ae5184a4c86a47abebc3b30e5a98de4a",
            "publicURL": "https://public.regiontwo.neutron"
        }
    ],
    "endpoints_links": [],
    "type": "network",
    "name": "neutron"
}

The publicURL are in https as we want.

Then we run a request GET https://public.regionone.neutron on the URL corresponding to the region we want to use. In response we get the version list :

{
    "versions": [
        {
            "status": "CURRENT",
            "id": "v2.0",
            "links": [
                {
                    "href": "https://public.regionone.neutron/v2.0",
                    "rel": "self"
                }
            ]
        }
    ]
}

You should see that in debug logs

2014-12-02 19:27 | DEBUG | request  => method  : GET
2014-12-02 19:27 | DEBUG | request  => url     : https://public.regionone.neutron/
2014-12-02 19:27 | DEBUG | request  => headers : {"X-Auth-Token"=>"xxx", :accept=>:json}
2014-12-02 19:27 | DEBUG | response => code    : 200
2014-12-02 19:27 | DEBUG | response => headers : {:date=>"Tue, 02 Dec 2014 18:27:08 GMT", :server=>"Apache-Coyote/1.1", :content_type=>"application/json;charset=UTF-8", :content_length=>"126"}
2014-12-02 19:27 | DEBUG | response => body    : {"versions": [{"status": "CURRENT", "id": "v2.0", "links": [{"href": "https://public.regionone.neutron/v2.0", "rel": "self"}]}]}

Here, in my example the URL for neutron v2.0 is right but i suspect yours to be in http instead of https.

This is a common issue when OpenStack services are not themselves secured but security is handled by an ssl termination done for instance by a reverse proxy.

[vinsh]

@ggiamarchi You nailed it, that is exactly the case here.

Where does neutron get its endpoint data for version lists from? How do most folks correct this disconnect?

[ggiamarchi]

Unfortunately there is no clean solution to this problem (or if there is one, i have not find it so far). Neutron builds the version URL from the application URL (see versions.py). That means if your neutron server listen on HTTP, your application URL is an HTTP URL and thus your version URL too.

The problem is the same for all the OpenStack services. The simple solution is to enable SSL on all the OpenStack services rather that dealing with SSL at a higher level but i guess you probably don't want to do that.

When i had to deal with this problem i did a kind of search and replace on the response body implemented in a reverse proxy in front of my OpenStack APIs. That's a dirty workaround but i don't have a better solution...

[alanraison]

Hi. Is it possible to provision in two regions at once (i.e. with multiple machines)? It seems to me that the region is chosen before the multi-machine configuration is processed, but I might be wrong :)

[ggiamarchi]

@alanraison You're right, it doesn't work. The region of the first machine is used for the others even if you explicitly specify the region at the machine level.

As a workaround, you can run a command by machine. Let's say you have a Vagrantfile that looks like

Vagrant.configure('2') do |config|
  config.vm.provider :openstack do |os|
    ...
  end

  config.vm.define 'server-1' do |s|
    s.vm.provider :openstack do |os|
      ...
      os.region = 'RegionOne'
    end
  end

  config.vm.define 'server-2' do |s|
    s.vm.provider :openstack do |os|
      ...
      os.region = 'RegionTwo'
    end
  end
end

Running

$ vagrant up server-1
$ vagrant up server-2

Will do the trick.

[jpdionne]

The issue in Openstack: https://bugs.launchpad.net/glance/+bug/1384379 https://review.openstack.org/#/c/206479/ .