Appendix C. Tuning and Patching Red Hat OpenStack Platform for Red Hat OpenShift Container Platform
Red Hat OpenStack Platform may require tuning or patching for correct operation of Red Hat OpenShift Container Platform.
C.1. Keystone Token Expiration
The Heat installation of Red Hat OpenShift Container Platform can take longer than one hour. The default Keystone token expiration time is 3600 seconds (one hour). If the stack creation token expires before the stack creation completes, Heat times-out the active task and fails the stack.
The Keystone token expiration time is set in the keystone configuration on all of the Red Hat OpenStack Platform controllers. The value that controls the expiration time is the expiration option in the [token] section of /etc/keystone/keystone.conf. Find and update the expiration value in the [token] section as indicated below, then restart the httpd service on all of the Red Hat OpenStack Platform controller hosts.
...
[token]
#
# Options defined in keystone
#
# External auth mechanisms that should add bind information to
# token e.g. kerberos, x509. (list value)
#bind=
# Enforcement policy on tokens presented to keystone with bind
# information. One of disabled, permissive, strict, required
# or a specifically required bind mode e.g. kerberos or x509
# to require binding to that authentication. (string value)
#enforce_token_bind=permissive
# Amount of time a token should remain valid (in seconds).
# (integer value)
#expiration=3600
expiration=7200
...
Restart the httpd service on each controller:
systemctl restart httpd
C.2. Heat Service Metadata URL Publication
OSP10 Heat versions prior to openstack-heat-7.0.3-2.el7ost report metadata lookup URLs to os-collect-config that point to the IPv4 localhost address 127.0.0.1. The problem is described in BZ1452677 - overcloud heat metadata endpoints are incorrectly set to localhost.
For affected versions of openstack-heat, the /etc/heat/heat.conf file must be modified to reflect the actual metadata server URL. Specifically, the value of heat_watch_server_url must contain the IP address of the actual controller host.
See the solution overcloud heat metadata endpoints are incorrectly set to localhost for instructions. Replace the IP address in the example with the actual value for the target service.
- Bug Report: https://bugzilla.redhat.com/show_bug.cgi?id=1395139
- Solution: https://access.redhat.com/solutions/2868471 (requires subscription)
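The two settings from C.1 and C.2 are easy to verify before launching a Heat stack. The following audit script is an added example, not part of the reference architecture or of Red Hat's tooling; the file contents are constructed samples, and the 10.0.0.5 controller address is a placeholder. On a real controller, pass the contents of /etc/keystone/keystone.conf and /etc/heat/heat.conf to the two check functions.

```python
"""Audit keystone.conf and heat.conf for the two settings discussed above:
[token] expiration below the two-hour value, and heat *_server_url options
that still point at localhost (BZ1452677)."""
import configparser
from urllib.parse import urlsplit

MIN_TOKEN_EXPIRATION = 7200  # seconds; the value recommended in C.1

# Constructed sample: expiration still at the keystone default of one hour.
KEYSTONE_CONF = """
[token]
#expiration=3600
expiration=3600
"""

# Constructed sample: heat_watch_server_url still reports localhost.
# 10.0.0.5 is a placeholder for the real controller address.
HEAT_CONF = """
[DEFAULT]
heat_metadata_server_url = http://10.0.0.5:8000
heat_watch_server_url = http://127.0.0.1:8003
"""

LOCALHOST_NAMES = {None, "127.0.0.1", "localhost", "::1"}


def load_conf(text):
    # strict=False tolerates duplicate keys, which appear in edited configs
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def keystone_findings(text):
    """Return a list of problems found in keystone.conf (empty if none)."""
    cp = load_conf(text)
    # A missing option means keystone uses its default of 3600 seconds.
    exp = cp.getint("token", "expiration", fallback=3600)
    if exp < MIN_TOKEN_EXPIRATION:
        return [f"[token] expiration={exp}s is below {MIN_TOKEN_EXPIRATION}s;"
                " a long Heat stack creation may outlive its token"]
    return []


def heat_findings(text):
    """Return one finding per *_server_url option that points at localhost."""
    cp = load_conf(text)
    findings = []
    for key, value in cp.defaults().items():
        if key.endswith("_server_url") and urlsplit(value).hostname in LOCALHOST_NAMES:
            findings.append(f"{key}={value} points at localhost; instances cannot reach it")
    return findings


if __name__ == "__main__":
    for line in keystone_findings(KEYSTONE_CONF) + heat_findings(HEAT_CONF):
        print("FINDING:", line)
```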
C.3. Gnocchi User Permissions
In OSP10 the metering, time series data and alarm systems have been split into three services. Prior to OSP10 these were all done by the Ceilometer service. Now the metering is still done by Ceilometer but the time-series data are stored by Gnocchi and alarms are managed by Aodh. Access to the time-series data must be restricted only to the owners of the servers and resources which generated them.
In OSP10, alarms created as Heat resources cannot access the Gnocchi data for the same project. This prevents autoscaling. The problem is described in BZ 1470134 - Unprivileged user can’t access to its Gnocchi resources created by Ceilometer.
This is fixed in openstack-aodh-3.0.3-1.el7ost. Earlier versions run, but auto-scaling does not work. At the time of this writing the fix is expected in late summer 2017.