Add ssh tunneling for TripleO-UI
Add a systemd service that tunnels traffic between the virthost and the undercloud. We forward ports for the UI itself, and a few other Openstack services, like Keystone, Heat, Mistral, etc. This requires a change that sets up the tripleo-ui javascript config with the proper settings and restarts the httpd service https://gist.github.com/weshayutin/0af348fafd70cb56c96d6856f073d79b Completed this change in Ie9d3e7d12c420b9b65c25692435c0457f1233a27 Access to the TripleO-UI is available from http://virthost:3000 Author: Honza Pokorny <honza@redhat.com> Co-Authored-By: Wes Hayutin <weshayutin@gmail.com> Change-Id: Id53c5bd7f199c64bc9cb37df7e63f27c4673f415
parent
50373f241a
commit
1071bf4066
|
@ -1 +1,8 @@
|
|||
environment_type: libvirt
|
||||
|
||||
# This allows one to browse to the tripleo-ui on the undercloud
|
||||
# This is only required in libvirt based deployments
|
||||
enable_port_forward_for_tripleo_ui: true
|
||||
# Setup for SSL access to the tripleo-ui.
|
||||
# Please consult the tripleo-quickstart documentation prior to enabling this option
|
||||
tripleo_ui_secure_access: false
|
||||
|
|
|
@ -85,6 +85,27 @@ that would look something like this::
|
|||
$ curl --socks5-hostname localhost:1080 http://overcloud.localdomain:5000/
|
||||
{"versions": {"values": [{"status": "stable", "updated": "2016-04-04T00:00:00Z",...
|
||||
|
||||
Access to the overclouds horizon web interface
|
||||
----------------------------------------------
|
||||
|
||||
With baremetal and ovb based deployments you can access horizon via the
|
||||
overclouds's controller public ip address http://<controller_ip>:80
|
||||
|
||||
Deploying TripleO in a libvirt based environment presents an additional
|
||||
challenge of access the isolated ovs networks on the undercloud. By default
|
||||
an ssh-tunnel service has been setup on the virthost with the tripleo-quickstart
|
||||
for libvirt deployments. Access horizon with the following.
|
||||
|
||||
From the localhost::
|
||||
|
||||
http://<virthost>:8181
|
||||
|
||||
Overcloud with SSL enabled
|
||||
|
||||
http://<virthost>:8443
|
||||
|
||||
|
||||
|
||||
Using Firefox
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
|
|
|
@ -3,6 +3,9 @@
|
|||
Accessing the Undercloud
|
||||
========================
|
||||
|
||||
Access via the CLI
|
||||
-------------------
|
||||
|
||||
When your deployment is complete, you will find a file named
|
||||
``ssh.config.ansible`` located inside your ``local_working_dir`` (which
|
||||
defaults to ``$HOME/.quickstart``). This file contains configuration
|
||||
|
@ -40,3 +43,27 @@ the overcloud::
|
|||
| 6 | nova-conductor | overcloud-controller-0 | internal | ...
|
||||
| 7 | nova-compute | overcloud-novacompute-0.localdomain | nova | ...
|
||||
+----+------------------+-------------------------------------+----------+-...
|
||||
|
||||
Access via the TripleO-UI
|
||||
-------------------------
|
||||
|
||||
With baremetal and ovb based deployments you can access the TripleO-UI via the
|
||||
undercloud's public ip address http://<virthost>:3000
|
||||
|
||||
Deploying TripleO in a libvirt based environment presents the additional
|
||||
challenge of accessing the isolated ovs networks on the undercloud. By default
|
||||
an ssh-tunnel service has been setup on the virthost by the tripleo-quickstart
|
||||
`enable_port_forward_for_tripleo_ui` variable. Access the TripleO-UI with the following.
|
||||
|
||||
From your workstation::
|
||||
|
||||
http://<virthost>:3000
|
||||
|
||||
By default an insecure connection the undercloud services has been configured
|
||||
in the /var/www/openstack-tripleo-ui-/dist/tripleo_ui_config.js file. To use
|
||||
ssl connections change the default variable ``tripleo_ui_secure_access`` to true.
|
||||
|
||||
Note:: When using ssl a user must manually allow access due to the self
|
||||
signed ssl certificate by accepting access to https://<virthost>/keystone/v3/auth/tokens
|
||||
in a new browser window or tab. Then one may return to http://virthost:3000
|
||||
and continue.
|
||||
|
|
|
@ -142,6 +142,7 @@ networks:
|
|||
bridge: brovc
|
||||
|
||||
#Enable network isolation with single-nic-vlans for virtualized deployments
|
||||
undercloud_network_cidr: 192.168.24.0/24
|
||||
undercloud_external_network_cidr: 10.0.0.1/24
|
||||
undercloud_external_network_cidr6: 2001:db8:fd00:1000::1/64
|
||||
undercloud_networks:
|
||||
|
@ -204,3 +205,7 @@ libvirt_uri: qemu:///session
|
|||
# that they have sufficient privileges to connect to ovs bridges.
|
||||
non_root_chown: false
|
||||
|
||||
# Enable port forwarding for tripleo-ui access
|
||||
# It is safe to mark this as default true as it only runs on a virthost
|
||||
# This variable is set to true in config/environments/default_libvirt.yml
|
||||
enable_port_forward_for_tripleo_ui: false
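Review bot: The comment above `enable_port_forward_for_tripleo_ui` says it is safe to default the variable to true, yet the value set here is `false`, and the reason given ("it only runs on a virthost") does not say what enabling it exposes. A comment such as `# Opens firewall ports on the virthost and forwards them to the undercloud APIs and UI; enabled in config/environments/default_libvirt.yml` would describe both the default and the effect accurately.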
|
||||
|
|
|
@ -4,3 +4,6 @@ gating_repo_enabled: true
|
|||
undercloud_use_custom_boot_images: false
|
||||
undercloud_custom_vmlinuz: "{{ working_dir }}/overcloud-full.vmlinuz"
|
||||
undercloud_custom_initrd: "{{ working_dir }}/overcloud-full.initrd"
|
||||
|
||||
ssh_tunnel_service_file: ssh-tunnel.service.j2
|
||||
ssh_tunnel_target_ip: "{{ undercloud_network_cidr|nthhost(1) }}"
|
||||
|
|
|
@ -335,3 +335,50 @@
|
|||
template:
|
||||
src: ssh.config.j2
|
||||
dest: "{{ local_working_dir }}/ssh.config.ansible"
|
||||
|
||||
- when: enable_port_forward_for_tripleo_ui|bool
|
||||
block:
|
||||
|
||||
# TO-DO weshayutin
|
||||
# In the upcoming release of ansible 2.4 this should be moved to
|
||||
# iptables_raw
|
||||
# - name: ensure the required tcp ports are open on the virthost
|
||||
- iptables:
|
||||
table: filter
|
||||
chain: IN_public_allow
|
||||
protocol: tcp
|
||||
match: tcp
|
||||
ctstate: NEW
|
||||
jump: ACCEPT
|
||||
destination_port: "{{ item }}"
|
||||
become: true
|
||||
with_items:
|
||||
- 6385
|
||||
- 5000
|
||||
- 8004
|
||||
- 8080
|
||||
- 9000
|
||||
- 8989
|
||||
- 8774
|
||||
- 3000
|
||||
- 8181
|
||||
- 8443
|
||||
- 443
|
||||
|
||||
- name: Create ssh tunnel systemd service
|
||||
template:
|
||||
src: "{{ ssh_tunnel_service_file }}"
|
||||
dest: "/etc/systemd/system/ssh-tunnel.service"
|
||||
mode: 0755
|
||||
become: true
|
||||
|
||||
- name: reload the systemctl daemon after file update
|
||||
shell: systemctl daemon-reload
|
||||
become: true
|
||||
|
||||
- name: Enable ssh tunnel service
|
||||
service:
|
||||
name: ssh-tunnel
|
||||
enabled: true
|
||||
state: restarted
|
||||
become: true
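Review bot: The `with_items` port list on the iptables task does not match the forwards in the ssh-tunnel unit added by this commit: 8774 is opened here but has no `-L` forward, while 13000 is forwarded but not opened, so the firewall and the tunnel disagree on which ports are reachable. Driving both the rules and the `-L` options from one list variable would keep them in step. Each rule is also an ACCEPT for new connections from any source, which places Keystone, Heat and the other forwarded undercloud services on every network the virthost's public zone covers; consider a `source:` restriction on the iptables task fed from an operator-supplied CIDR. The task's `name` is commented out, so it runs unnamed in the play output, and the unit file does not need to be executable, so `mode: "0644"` is the usual choice over `mode: 0755`.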
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
[Unit]
|
||||
Description=Set up ssh tunneling for TripleO
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/ssh -NT -o \
|
||||
ServerAliveInterval=60 -o \
|
||||
UserKnownHostsFile=/dev/null -o \
|
||||
StrictHostKeyChecking=no -o \
|
||||
ExitOnForwardFailure=no -i \
|
||||
/home/{{ ssh_user }}/id_rsa_undercloud {{ ssh_user }}@{{ undercloud_ip }} \
|
||||
-L 0.0.0.0:6385:{{ ssh_tunnel_target_ip }}:6385 \
|
||||
-L 0.0.0.0:5000:{{ ssh_tunnel_target_ip }}:5000 \
|
||||
-L 0.0.0.0:8004:{{ ssh_tunnel_target_ip }}:8004 \
|
||||
-L 0.0.0.0:8080:{{ ssh_tunnel_target_ip }}:8080 \
|
||||
-L 0.0.0.0:9000:{{ ssh_tunnel_target_ip }}:9000 \
|
||||
-L 0.0.0.0:8989:{{ ssh_tunnel_target_ip }}:8989 \
|
||||
-L 0.0.0.0:3000:{{ ssh_tunnel_target_ip }}:3000 \
|
||||
-L 0.0.0.0:443:{{ ssh_tunnel_target_ip }}:443 \
|
||||
-L 0.0.0.0:13000:{{ ssh_tunnel_target_ip }}:13000 \
|
||||
-L 0.0.0.0:8181:overcloud.localdomain:80 \
|
||||
-L 0.0.0.0:8443:overcloud.localdomain:443
|
||||
|
||||
|
||||
# Restart every >2 seconds to avoid StartLimitInterval failure
|
||||
RestartSec=5
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
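Review bot: Every `-L` forward binds to `0.0.0.0`, so the forwarded undercloud API and UI ports are reachable from any host that can reach the virthost, and the documentation in this commit describes plain `http://` access by default. Taking the bind address from a variable would let operators restrict the listeners to a single management interface. The unit also sets `StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`, so the tunnel endpoint is never authenticated; that may be acceptable for a throwaway libvirt lab but deserves a comment saying so. `ExitOnForwardFailure=no` lets ssh keep running when one listener cannot bind, leaving a partial tunnel that systemd still reports as active; with `Restart=always` already set, `ExitOnForwardFailure=yes` would surface that failure. There is no `User=` line, so the service presumably runs as root while reading a key under `/home/{{ ssh_user }}/`; confirm that is intended.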
|
|
@ -23,6 +23,15 @@
|
|||
- path: "{{ undercloud_key }}"
|
||||
comment: "ansible_generated_undercloud"
|
||||
|
||||
# Copy the undercloud key to the virthost in the ssh_user directory
|
||||
- name: copy ssh keys to virthost
|
||||
copy:
|
||||
src: "{{ undercloud_key }}"
|
||||
dest: "{{ working_dir }}"
|
||||
owner: "{{ ssh_user }}"
|
||||
group: "{{ ssh_user }}"
|
||||
mode: 0600
|
||||
|
||||
- name: Read virt_power private key
|
||||
no_log: True
|
||||
set_fact:
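Review bot: The copy task writes the undercloud private key to `{{ working_dir }}`, but the ssh-tunnel unit template in this commit reads it from the hard-coded path `/home/{{ ssh_user }}/id_rsa_undercloud`; the two agree only if `working_dir` is that user's home directory, which this hunk does not show. Using one expression in both places, for example `dest: "{{ working_dir }}/id_rsa_undercloud"` here and `-i {{ working_dir }}/id_rsa_undercloud` in the unit, removes that coupling. No `when:` is visible on the task, so the key appears to be copied to the virthost even when `enable_port_forward_for_tripleo_ui` is false; gating the copy on that variable would avoid leaving an unused private key on the host. Quoting the mode as `mode: "0600"` matches the form Ansible recommends.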
|
||||
|
|