Thank you atodorov!
I had a misconfiguration on when to integrate the reverse proxy.
In case there are any lurkers out there:
- ONE uses libcurl to post against the XMLRPC port.
- Set up the nginx reverse proxy for ssl termination before this step: OpenNebula HA Setup — OpenNebula 5.10.5 documentation
- Add the initial server with “onezone server-add 0 --name server-0 --rpc https://IP:2634/RPC2”
- Step through the rest of the HA config and add other nodes similarly (I found I had to restart opennebula after starting the service on an added node to get it to function).
- oned.conf does not use proxy port, keep default xmlrpc ip and port.
- sunstone-server.conf will need to use https://cluster_leader_ip:2634/RPC2. EDIT: Sunstone on the cluster leader threw an SSL verification error, changed to localhost.
No env change
My nginx is similar to the link in my op.
I did end up editing oned.conf raft hooks like the following:
RAFT_LEADER_HOOK = [ COMMAND = "raft/vip.sh", ARGUMENTS = "leader eth0 {{ one_a_leader_ip }}/19 eth2 {{ one_b_leader_ip }}/19" ]
And then editing vip.sh to pass in the extra args:
INTERFACE2="$4" IFADDR2="$5" IP2="${IFADDR2%%/*}"
Editing vip.sh further to add the extra IP to the leader branch (and a similar remove in the follower case):

```bash
case $ACTION in
leader)
    sudo ip address add $IFADDR dev $INTERFACE
    #####################
    # Add second FIP    #
    #####################
    sudo ip address add $IFADDR2 dev $INTERFACE2
    #####################
    ;;
follower)
    sudo ip address del $IFADDR dev $INTERFACE
    # Remove second FIP
    sudo ip address del $IFADDR2 dev $INTERFACE2
    ;;
esac
```
This interface addition allows a separation between the webserver and the api for firewall security etc.
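As an added example (not the OpenNebula project's own vip.sh, nor the exact script from the post above), here is a complete two-FIP Raft hook in the spirit of the edits described, with the command list separated from execution so it can be checked without root. The interface names and addresses are constructed placeholders; the hook is assumed to be called by oned as `vip.sh <leader|follower> IF1 ADDR1/PREFIX IF2 ADDR2/PREFIX`, matching the RAFT_LEADER_HOOK arguments shown earlier.

```bash
#!/bin/sh
# Added example: a Raft leader/follower hook that moves two floating IPs
# (API VIP on one interface, web/Sunstone VIP on another) together.
# Not the OpenNebula project's vip.sh; interface/address values are
# constructed for illustration.
#
# Usage (as wired into oned.conf RAFT_*_HOOK ARGUMENTS):
#   vip.sh leader   eth0 10.0.0.10/19 eth2 10.0.1.10/19
#   vip.sh follower eth0 10.0.0.10/19 eth2 10.0.1.10/19

# Print the ip(8) commands for one transition, one per line, without
# running them. Keeping this pure lets the hook be verified offline.
vip_plan() {
    action="$1"; if1="$2"; addr1="$3"; if2="$4"; addr2="$5"
    case "$action" in
        leader)   op="add" ;;
        follower) op="del" ;;
        *) echo "vip.sh: unknown action '$action'" >&2; return 2 ;;
    esac
    # Both FIPs move in the same transition so the API and the web VIP
    # never end up on different hosts after a leader change.
    printf 'ip address %s %s dev %s\n' "$op" "$addr1" "$if1"
    printf 'ip address %s %s dev %s\n' "$op" "$addr2" "$if2"
}

# Execute the plan. 'ip address add' fails if the address is already
# present and 'del' fails if it is absent; log instead of aborting so the
# second FIP is still handled when the first is already in place.
vip_apply() {
    vip_plan "$@" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086
        sudo $cmd 2>/dev/null || echo "vip.sh: '$cmd' failed" >&2
    done
}

# Only act when executed directly, so the functions can be sourced.
if [ "${0##*/}" = "vip.sh" ]; then
    vip_apply "$@"
fi
```

`vip_plan leader eth0 10.0.0.10/19 eth2 10.0.1.10/19` prints the two add commands; running `vip_plan` first on a new node is a quick way to confirm the arguments from oned.conf arrive in the order the hook expects.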