Hello,
After installing MP for OpenStack I am trying to configure the MP for OpenStack adapter. First of all - I could not connect to the OpenStack API host (please find a screenshot attached).
I always get the same error: Unable to establish a valid connection to the target system. Error trying to make connection: Unrecognized SSL message, plaintext connection?
According to the documentation, the API host is the OpenStack VM with keystone services... I tested the connection to the Controller directly (put the controller IP address in the OpenStack API Host field) and to the load balancer later, expecting redirection to the controller. The connection was unsuccessful and the error message is the same.
Q1 What does OpenStack API host mean in a VIO environment?
Q2 Should I configure the adapter in vRealize operations manager at all? Maybe this is done by a script when integrating OpenStack with the Endpoint Operation management agent - sudo viocli epops install... ?
Anyway, the OpenStack environment does not appear on the vRealize desktop.
Thank you in advance,
Mindaugas
Not sure about your second question, but I believe the VIO API host is going to be the "public" IP for your OpenStack load balancers - the same IP developers would use.
Yes, Q2 is a "good question" 🙂 - I see... Sorry...
The problem is that I cannot access the load balancer public IP from the internal/private network (connection timeout). Our network people say that there are no restrictions for this operation.
When I telnet to the LB's public IP from another computer on a public network - everything is OK. When I use the internal/private IP of the LB for the test connection - I get a "connection refused" message. Maybe internal access to the LB is not allowed from the internal (management) network? If yes - what should I do on the load balancer (firewall or LB restrictions)?
Hi Mindaugas,
By default, the load balancer routes traffic through the gateway configured for the external network (eth1 interface). There is a restriction in the Linux kernel (called reverse path filtering) that blocks the traffic if the reverse path of a packet would go through a different interface than the one it came from. In your case, you're trying to reach the public VIP from the internal (mgmt) network, which means that the packet arrives on eth1, but it tries to go back using the eth0 interface. Generally this is intended behavior - if you are in the mgmt network, you should connect to the mgmt interface, and if you are in the public network, you should connect to the public interface (and not be able to connect to the mgmt interface at all). In this case you could consume the internal VIP instead of the public VIP.
Other ways to achieve your goal (run those on the load balancers):
1) disable rp_filter completely:
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.eth1.rp_filter=0
This will break the security model though
2) Force traffic coming to public vip to go back via the same route:
ip route add default via PUBLIC_NETWORK_DEFAULT_GW_IP dev eth1 table device_eth1
ip rule add from PUBLIC_VIP lookup device_eth1
ip rule add to PUBLIC_VIP lookup device_eth1
Replace PUBLIC_NETWORK_DEFAULT_GW_IP and PUBLIC_VIP with the values in your network.
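To check which reverse path filtering mode is actually in force after a change like option 1, the following added example (not part of the original reply) parses sysctl output and reports the effective mode per interface; the kernel applies the higher of the conf.all and per-interface values (0 = off, 1 = strict, 2 = loose). The sample values and the function names rp_report and rp_unvalidated are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective rp_filter mode per interface.
# The kernel uses max(conf.all.rp_filter, conf.<iface>.rp_filter):
#   0 = no source validation, 1 = strict, 2 = loose.

# Constructed sample in `sysctl -a` format (not taken from a real load balancer).
SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# rp_report: read sysctl-style lines on stdin,
# print "<iface> <effective value> <mode>" sorted by interface name.
rp_report() {
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\.[^.]+\.rp_filter/ {
            split($1, p, ".")          # p[4] is the interface name
            val[p[4]] = $2 + 0
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (val[i] > all) ? val[i] : all
                mode = (eff == 0) ? "off" : ((eff == 1) ? "strict" : "loose")
                print i, eff, mode
            }
        }' | sort
}

# rp_unvalidated: list interfaces whose effective mode is 0,
# i.e. where source validation is really disabled.
rp_unvalidated() {
    rp_report | awk '$2 == 0 { print $1 }'
}

# On a live system: sysctl -a 2>/dev/null | rp_report
printf '%s\n' "$SAMPLE" | rp_report
```

In the sample, eth0 is set to 0 but still runs in strict mode because conf.all is 1, so a per-interface change alone does not always take effect.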
Hello,
Thank you for the response.
I changed net.ipv4.conf.ethx.rp_filter to 0.
Now I can access the server:
But after I accept the certificate -
Something else. I checked tenant and admin login name/password once again. They are correct....