Appendix C. Tuning and Patching Red Hat OpenStack Platform for Red Hat OpenShift Container Platform

Red Hat OpenStack Platform may require tuning or patching for correct operation of Red Hat OpenShift Container Platform.

C.1. Keystone Token Expiration

The Heat installation of Red Hat OpenShift Container Platform can take longer than one hour. The default Keystone token expiration time is 3600 seconds (one hour). If the stack creation token expires before the stack creation completes, Heat times out the active task and fails the stack.

The Keystone token expiration time is set in the Keystone configuration on all of the Red Hat OpenStack Platform controllers. The value that controls the expiration time is set in /etc/keystone/keystone.conf, in the [token] section.

Find and update the expiration value in the [token] section as indicated below, then restart the httpd service on all of the Red Hat OpenStack Platform controller hosts.

/etc/keystone/keystone.conf fragment

...
[token]

#
# Options defined in keystone
#

# External auth mechanisms that should add bind information to
# token e.g. kerberos, x509. (list value)
#bind=

# Enforcement policy on tokens presented to keystone with bind
# information. One of disabled, permissive, strict, required
# or a specifically required bind mode e.g. kerberos or x509
# to require binding to that authentication. (string value)
#enforce_token_bind=permissive

# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
expiration=7200
...

Restart the httpd service

systemctl restart httpd

Details of the Keystone identity service configuration can be found in the OpenStack Configuration Overview.

C.2. Heat Service Metadata URL Publication

OSP10 Heat versions prior to openstack-heat-7.0.3-2.el7ost report metadata lookup URLs to os-collect-config that point to the IPv4 localhost address 127.0.0.1. The problem is described in BZ1452677 - overcloud heat metadata endpoints are incorrectly set to localhost.

For affected versions of openstack-heat, the /etc/heat/heat.conf file must be modified to reflect the actual metadata server URL. Specifically, the values for heat_metadata_server_url, heat_waitcondition_server_url and heat_watch_server_url must contain the IP address of the actual controller host.

See the solution overcloud heat metadata endpoints are incorrectly set to localhost for instructions. Replace the IP address in the example with the actual value for the target service.
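The two edits described in C.1 and C.2 are both "set a key inside one section of an INI-style OpenStack config file" operations, so the script below, an added example that is not part of the Red Hat document or of OpenStack, implements them with one generic helper and checks the result. set_ini_value edits only the named section (so a same-named key in another section is left alone), inserts the active value directly after the commented default when one exists, as in the keystone.conf fragment above, and is idempotent. check_heat_metadata_urls is the C.2 check a defender would run before a long stack creation: it flags any of the three Heat URLs that still point at loopback. The file paths, section and key names, the 7200-second value and the three heat.conf keys come from the page; the function names and the two sample files are this example's own constructions, and the script edits only the temporary copies it creates. On a real controller the same helper would be pointed at /etc/keystone/keystone.conf, followed by systemctl restart httpd as the appendix instructs.

```shell
#!/bin/sh
# Added example (not from the Red Hat document or OpenStack). Helpers:
#   set_ini_value FILE SECTION KEY VALUE   -> C.1: keystone.conf [token] expiration
#   check_heat_metadata_urls FILE          -> C.2: heat.conf URLs left at 127.0.0.1
# Sample files below are constructed for the example, not copied from a deployment.

# Constructed sample keystone.conf mirroring the [token] fragment on the page.
make_sample_keystone_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[DEFAULT]
debug = False

[token]
# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600

[trust]
enabled = true
EOF
    printf '%s\n' "$f"
}

# Constructed sample heat.conf in the unpatched state described in C.2.
make_sample_heat_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[DEFAULT]
heat_metadata_server_url=http://127.0.0.1:8000
heat_waitcondition_server_url=http://127.0.0.1:8000/v1/waitcondition
heat_watch_server_url=http://127.0.0.1:8003
EOF
    printf '%s\n' "$f"
}

# set_ini_value FILE SECTION KEY VALUE
# Replaces the active KEY inside [SECTION] only; if there is no active KEY it is
# inserted right after a commented "#KEY=" default, else at the section's end.
# Same-named keys in other sections are untouched. Rerunning produces the same file.
set_ini_value() {
    conf=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v section="[$section]" -v key="$key" -v value="$value" '
        BEGIN {
            active    = "^[[:space:]]*" key "[[:space:]]*="
            commented = "^#[[:space:]]*" key "[[:space:]]*="
        }
        /^\[/ {                                  # section header
            if (in_sec && !done) { print key "=" value; done = 1 }
            in_sec = ($0 == section)
        }
        in_sec && $0 ~ active {                  # existing active setting
            if (!done) { print key "=" value; done = 1 }
            next                                 # drop stale/duplicate lines
        }
        in_sec && !done && $0 ~ commented {      # commented default: keep it, add ours
            print; print key "=" value; done = 1; next
        }
        { print }
        END { if (in_sec && !done) print key "=" value }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# get_ini_value FILE SECTION KEY -> prints the active value, or nothing if unset.
get_ini_value() {
    awk -v section="[$2]" -v key="$3" '
        BEGIN { active = "^[[:space:]]*" key "[[:space:]]*=" }
        /^\[/ { in_sec = ($0 == section) }
        in_sec && $0 ~ active { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# check_heat_metadata_urls FILE -> returns 1 (and reports) if any of the three
# metadata URLs is unset or still points at loopback, as in BZ1452677.
check_heat_metadata_urls() {
    conf=$1; bad=0
    for key in heat_metadata_server_url heat_waitcondition_server_url heat_watch_server_url; do
        url=$(get_ini_value "$conf" DEFAULT "$key")
        case "$url" in
            *127.0.0.1*|*localhost*) echo "$key points at loopback: $url"; bad=1 ;;
            "")                      echo "$key is not set"; bad=1 ;;
        esac
    done
    return $bad
}

# Demonstration on the sample copies only; run as: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    k=$(make_sample_keystone_conf)
    set_ini_value "$k" token expiration 7200
    echo "keystone [token] expiration is now $(get_ini_value "$k" token expiration)"
    h=$(make_sample_heat_conf)
    check_heat_metadata_urls "$h" || echo "heat.conf still needs the C.2 fix"
    rm -f "$k" "$h"
fi
```

The awk edit is written so that the C.1 fragment shape is preserved: the commented #expiration=3600 default stays as documentation and the active expiration=7200 follows it, exactly as the page shows. Because the check in check_heat_metadata_urls reads the same files the edit writes, the two can be chained into a pre-flight that refuses to start a long Heat stack on a controller whose metadata URLs are still loopback.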

C.3. Gnocchi User Permissions

In OSP10 the metering, time-series data and alarm systems have been split into three services. Prior to OSP10 these were all handled by the Ceilometer service. Now the metering is still done by Ceilometer, but the time-series data are stored by Gnocchi and alarms are managed by Aodh. Access to the time-series data must be restricted to the owners of the servers and resources which generated them.

In OSP10, alarms created as Heat resources cannot access the Gnocchi data for the same project. This prevents autoscaling. The problem is described in BZ 1470134 - Unprivileged user can’t access to its Gnocchi resources created by Ceilometer.

This is fixed in openstack-aodh-3.0.3-1.el7ost. Versions before this run, but autoscaling does not work. At the time of this writing the fix was expected in late summer 2017.