No worries, glad I could help. Neil Tong EVault | neil.t...@evault.com ________________________________________ From: Piotr Kopec [pkope...@gmail.com] Sent: Thursday, August 22, 2013 8:00 AM To: Neil Tong Cc: openstack@lists.openstack.org Subject: Re: [Openstack] Glance API shows authentication errno 1 during uploading image to swift's container
It works!!! I didn't read the comments above this parameter carefully. Thank you very much, Neil. 2013/8/22 Neil Tong <neil.t...@evault.com<mailto:neil.t...@evault.com>> Try changing the following line Original: swift_store_auth_address = 192.168.0.1:5000/v2.0/<http://192.168.0.1:5000/v2.0/> New: swift_store_auth_address = http://192.168.0.1:5000/v2.0/ If you look at the comments preceding that line it looks like it no method is defined it defaults to https. Neil ________________________________________ From: Piotr Kopec [pkope...@gmail.com<mailto:pkope...@gmail.com>] Sent: Thursday, August 22, 2013 7:39 AM To: Neil Tong Cc: openstack@lists.openstack.org<mailto:openstack@lists.openstack.org> Subject: Re: [Openstack] Glance API shows authentication errno 1 during uploading image to swift's container Thanks for response. [root@openstack182 swift]# cat /etc/glance/glance-api.conf [DEFAULT] # Show more verbose log output (sets INFO log level output) verbose = True # Show debugging output in logs (sets DEBUG log level output) debug = False # Which backend scheme should Glance use by default is not specified # in a request to add a new image to Glance? Known schemes are determined # by the known_stores option below. # Default: 'file' default_store = swift # List of which store classes and store class locations are # currently known to glance at startup. #known_stores = glance.store.filesystem.Store, # glance.store.http.Store, # glance.store.rbd.Store, # glance.store.s3.Store, # glance.store.swift.Store, # Maximum image size (in bytes) that may be uploaded through the # Glance API server. Defaults to 1 TB. # WARNING: this value should only be increased after careful consideration # and must be set to a value under 8 EB (9223372036854775808). #image_size_cap = 1099511627776 # Address to bind the API server bind_host = 0.0.0.0 # Port the bind the API server to bind_port = 9292 # Log to this file. Make sure you do not set the same log # file for both the API and registry servers! log_file = /var/log/glance/api.log # Backlog requests when creating socket backlog = 4096 # TCP_KEEPIDLE value in seconds when creating socket. # Not supported on OS X. #tcp_keepidle = 600 # SQLAlchemy connection string for the reference implementation # registry server. Any valid SQLAlchemy connection string is fine. # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine sql_connection = mysql://glance:openstack@192.168.0.1/glance<http://glance:openstack@192.168.0.1/glance><http://192.168.0.1/glance> # Period in seconds after which SQLAlchemy should reestablish its connection # to the database. # # MySQL uses a default `wait_timeout` of 8 hours, after which it will drop # idle connections. This can result in 'MySQL Gone Away' exceptions. If you # notice this, you can lower this value to ensure that SQLAlchemy reconnects # before MySQL can drop the connection. sql_idle_timeout = 3600 # Number of Glance API worker processes to start. # On machines with more than one CPU increasing this value # may improve performance (especially if using SSL with # compression turned on). It is typically recommended to set # this value to the number of CPUs present on your machine. workers = 1 # Role used to identify an authenticated user as administrator #admin_role = admin # Allow unauthenticated users to access the API with read-only # privileges. This only applies when using ContextMiddleware. #allow_anonymous_access = False # Allow access to version 1 of glance api #enable_v1_api = True # Allow access to version 2 of glance api #enable_v2_api = True # Return the URL that references where the data is stored on # the backend storage system. For example, if using the # file system store a URL of 'file:///path/to/image' will # be returned to the user in the 'direct_url' meta-data field. # The default value is false. #show_image_direct_url = False # ================= Syslog Options ============================ # Send logs to syslog (/dev/log) instead of to file specified # by `log_file` use_syslog = False # Facility to use. If unset defaults to LOG_USER. #syslog_log_facility = LOG_LOCAL0 # ================= SSL Options =============================== # Certificate file to use when starting API server securely #cert_file = /path/to/certfile # Private key file to use when starting API server securely #key_file = /path/to/keyfile # CA certificate file to use to verify connecting clients #ca_file = /path/to/cafile # ================= Security Options ========================== # AES key for encrypting store 'location' metadata, including # -- if used -- Swift or S3 credentials # Should be set to a random string of length 16, 24 or 32 bytes #metadata_encryption_key = <16, 24 or 32 char registry metadata key> # ============ Registry Options =============================== # Address to find the registry server registry_host = 192.168.0.1 # Port the registry server is listening on registry_port = 9191 # What protocol to use when connecting to the registry server? # Set to https for secure HTTP communication registry_client_protocol = http # The path to the key file to use in SSL connections to the # registry server, if any. Alternately, you may set the # GLANCE_CLIENT_KEY_FILE environ variable to a filepath of the key file #registry_client_key_file = /path/to/key/file # The path to the cert file to use in SSL connections to the # registry server, if any. Alternately, you may set the # GLANCE_CLIENT_CERT_FILE environ variable to a filepath of the cert file #registry_client_cert_file = /path/to/cert/file # The path to the certifying authority cert file to use in SSL connections # to the registry server, if any. Alternately, you may set the # GLANCE_CLIENT_CA_FILE environ variable to a filepath of the CA cert file #registry_client_ca_file = /path/to/ca/file # When using SSL in connections to the registry server, do not require # validation via a certifying authority. This is the registry's equivalent of # specifying --insecure on the command line using glanceclient for the API # Default: False #registry_client_insecure = False # The period of time, in seconds, that the API server will wait for a registry # request to complete. A value of '0' implies no timeout. # Default: 600 #registry_client_timeout = 600 # Whether to automatically create the database tables. # Default: False #db_auto_create = False # ============ Notification System Options ===================== # Notifications can be sent when images are create, updated or deleted. # There are three methods of sending notifications, logging (via the # log_file directive), rabbit (via a rabbitmq queue), qpid (via a Qpid # message queue), or noop (no notifications sent, the default) notifier_strategy = noop # Configuration options if sending notifications via rabbitmq (these are # the defaults) rabbit_host = localhost rabbit_port = 5672 rabbit_use_ssl = false rabbit_userid = guest rabbit_password = guest rabbit_virtual_host = / rabbit_notification_exchange = glance rabbit_notification_topic = notifications rabbit_durable_queues = False # Configuration options if sending notifications via Qpid (these are # the defaults) qpid_notification_exchange = glance qpid_notification_topic = notifications qpid_host = 192.168.0.1 qpid_port = 5672 qpid_username = qpid_password = qpid_sasl_mechanisms = qpid_reconnect_timeout = 0 qpid_reconnect_limit = 0 qpid_reconnect_interval_min = 0 qpid_reconnect_interval_max = 0 qpid_reconnect_interval = 0 qpid_heartbeat = 5 # Set to 'ssl' to enable SSL qpid_protocol = tcp qpid_tcp_nodelay = True # ============ Filesystem Store Options ======================== # Directory that the Filesystem backend store # writes image data to filesystem_store_datadir = /var/lib/glance/images/ # ============ Swift Store Options ============================= # Version of the authentication service to use # Valid versions are '2' for keystone and '1' for swauth and rackspace swift_store_auth_version = 2 # Address where the Swift authentication service lives # Valid schemes are 'http://' and 'https://' # If no scheme specified, default to 'https://' # For swauth, use something like '127.0.0.1:8080/v1.0/<http://127.0.0.1:8080/v1.0/><http://127.0.0.1:8080/v1.0/>' swift_store_auth_address = 192.168.0.1:5000/v2.0/<http://192.168.0.1:5000/v2.0/> # User to authenticate against the Swift authentication service # If you use Swift authentication service, set it to 'account':'user' # where 'account' is a Swift storage account and 'user' # is a user in that account swift_store_user = service:swift # Auth key for the user authenticating against the # Swift authentication service swift_store_key = openstack # Container within the account that the account should use # for storing images in Swift swift_store_container = glance # Do we create the container if it does not exist? swift_store_create_container_on_put = True # What size, in MB, should Glance start chunking image files # and do a large object manifest in Swift? By default, this is # the maximum object size in Swift, which is 5GB swift_store_large_object_size = 5120 # When doing a large object manifest, what size, in MB, should # Glance write chunks to Swift? This amount of data is written # to a temporary disk buffer during the process of chunking # the image file, and the default is 200MB swift_store_large_object_chunk_size = 200 # Whether to use ServiceNET to communicate with the Swift storage servers. # (If you aren't RACKSPACE, leave this False!) # # To use ServiceNET for authentication, prefix hostname of # `swift_store_auth_address` with 'snet-'. # Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/ swift_enable_snet = False # If set to True enables multi-tenant storage mode which causes Glance images # to be stored in tenant specific Swift accounts. #swift_store_multi_tenant = False # A list of swift ACL strings that will be applied as both read and # write ACLs to the containers created by Glance in multi-tenant # mode. This grants the specified tenants/users read and write access # to all newly created image objects. The standard swift ACL string # formats are allowed, including: # <tenant_id>:<username> # <tenant_name>:<username> # *:<username> # Multiple ACLs can be combined using a comma separated list, for # example: swift_store_admin_tenants = service:glance,*:admin #swift_store_admin_tenants = # The region of the swift endpoint to be used for single tenant. This setting # is only necessary if the tenant has multiple swift endpoints. #swift_store_region = # ============ S3 Store Options ============================= # Address where the S3 authentication service lives # Valid schemes are 'http://' and 'https://' # If no scheme specified, default to 'http://' s3_store_host = 127.0.0.1:8080/v1.0/<http://127.0.0.1:8080/v1.0/> # User to authenticate against the S3 authentication service s3_store_access_key = <20-char AWS access key> # Auth key for the user authenticating against the # S3 authentication service s3_store_secret_key = <40-char AWS secret key> # Container within the account that the account should use # for storing images in S3. Note that S3 has a flat namespace, # so you need a unique bucket name for your glance images. An # easy way to do this is append your AWS access key to "glance". # S3 buckets in AWS *must* be lowercased, so remember to lowercase # your AWS access key if you use it in your bucket name below! s3_store_bucket = <lowercased 20-char aws access key>glance # Do we create the bucket if it does not exist? s3_store_create_bucket_on_put = False # When sending images to S3, the data will first be written to a # temporary buffer on disk. By default the platform's temporary directory # will be used. If required, an alternative directory can be specified here. #s3_store_object_buffer_dir = /path/to/dir # When forming a bucket url, boto will either set the bucket name as the # subdomain or as the first token of the path. Amazon's S3 service will # accept it as the subdomain, but Swift's S3 middleware requires it be # in the path. Set this to 'path' or 'subdomain' - defaults to 'subdomain'. #s3_store_bucket_url_format = subdomain # ============ RBD Store Options ============================= # Ceph configuration file path # If using cephx authentication, this file should # include a reference to the right keyring # in a client.<USER> section rbd_store_ceph_conf = /etc/ceph/ceph.conf # RADOS user to authenticate as (only applicable if using cephx) rbd_store_user = glance # RADOS pool in which images are stored rbd_store_pool = images # Images will be chunked into objects of this size (in megabytes). # For best performance, this should be a power of two rbd_store_chunk_size = 8 # ============ Delayed Delete Options ============================= # Turn on/off delayed delete delayed_delete = False # Delayed delete time in seconds scrub_time = 43200 # Directory that the scrubber will use to remind itself of what to delete # Make sure this is also set in glance-scrubber.conf scrubber_datadir = /var/lib/glance/scrubber # =============== Image Cache Options ============================= # Base directory that the Image Cache uses image_cache_dir = /var/lib/glance/image-cache/ [keystone_authtoken] auth_host = 192.168.0.1 auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = glance admin_password = openstack [paste_deploy] flavor = keystone # Name of the paste configuration file that defines the available pipelines config_file = /etc/glance/glance-api-paste.ini # Partial name of a pipeline in your paste configuration file with the # service name removed. For example, if your paste section name is # [pipeline:glance-api-keystone], you would configure the flavor below # as 'keystone'. #flavor= [root@openstack182 swift]# cat /etc/glance/glance-registry.conf [DEFAULT] # Show more verbose log output (sets INFO log level output) verbose = True # Show debugging output in logs (sets DEBUG log level output) debug = False # Address to bind the registry server bind_host = 0.0.0.0 # Port the bind the registry server to bind_port = 9191 # Log to this file. Make sure you do not set the same log # file for both the API and registry servers! log_file = /var/log/glance/registry.log # Backlog requests when creating socket backlog = 4096 # TCP_KEEPIDLE value in seconds when creating socket. # Not supported on OS X. #tcp_keepidle = 600 # SQLAlchemy connection string for the reference implementation # registry server. Any valid SQLAlchemy connection string is fine. # See: http://www.sqlalchemy.org/docs/05/reference/sqlalchemy/connections.html#sqlalchemy.create_engine sql_connection = mysql://glance:openstack@192.168.0.1/glance<http://glance:openstack@192.168.0.1/glance><http://192.168.0.1/glance> # Period in seconds after which SQLAlchemy should reestablish its connection # to the database. # # MySQL uses a default `wait_timeout` of 8 hours, after which it will drop # idle connections. This can result in 'MySQL Gone Away' exceptions. If you # notice this, you can lower this value to ensure that SQLAlchemy reconnects # before MySQL can drop the connection. sql_idle_timeout = 3600 # Limit the api to return `param_limit_max` items in a call to a container. If # a larger `limit` query param is provided, it will be reduced to this value. api_limit_max = 1000 # If a `limit` query param is not provided in an api request, it will # default to `limit_param_default` limit_param_default = 25 # Role used to identify an authenticated user as administrator #admin_role = admin # Whether to automatically create the database tables. # Default: False #db_auto_create = False # ================= Syslog Options ============================ # Send logs to syslog (/dev/log) instead of to file specified # by `log_file` use_syslog = False # Facility to use. If unset defaults to LOG_USER. #syslog_log_facility = LOG_LOCAL1 # ================= SSL Options =============================== # Certificate file to use when starting registry server securely #cert_file = /path/to/certfile # Private key file to use when starting registry server securely #key_file = /path/to/keyfile # CA certificate file to use to verify connecting clients #ca_file = /path/to/cafile [keystone_authtoken] auth_host = 192.168.0.1 auth_port = 35357 auth_protocol = http admin_tenant_name = service admin_user = glance admin_password = openstack [paste_deploy] flavor = keystone # Name of the paste configuration file that defines the available pipelines config_file = /etc/glance/glance-registry-paste.ini # Partial name of a pipeline in your paste configuration file with the # service name removed. For example, if your paste section name is # [pipeline:glance-registry-keystone], you would configure the flavor below # as 'keystone'. #flavor= Regards Piotr 2013/8/22 Neil Tong <neil.t...@evault.com<mailto:neil.t...@evault.com><mailto:neil.t...@evault.com<mailto:neil.t...@evault.com>>> Can you give us your glance config? This is the error that makes me suspect some sort of incorrect SSL config ClientException: Authorization Failure. Authorization Failed: [Errno 1] _ssl.c:490: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol Neil ________________________________________ From: Piotr Kopec [pkope...@gmail.com<mailto:pkope...@gmail.com><mailto:pkope...@gmail.com<mailto:pkope...@gmail.com>>] Sent: Thursday, August 22, 2013 7:26 AM To: Neil Tong Cc: openstack@lists.openstack.org<mailto:openstack@lists.openstack.org><mailto:openstack@lists.openstack.org<mailto:openstack@lists.openstack.org>> Subject: Re: [Openstack] Glance API shows authentication errno 1 during uploading image to swift's container No. I think all my services are using just http protocol and just password for authentication. Part of /etc/keystone/keystone.conf below: ```[ssl] enable = False #certfile = /etc/keystone/ssl/certs/keystone.pem #keyfile = /etc/keystone/ssl/private/keystonekey.pem #ca_certs = /etc/keystone/ssl/certs/ca.pem #cert_required = True [signing] #token_format = PKI #certfile = /etc/keystone/ssl/certs/signing_cert.pem #keyfile = /etc/keystone/ssl/private/signing_key.pem #ca_certs = /etc/keystone/ssl/certs/ca.pem #key_size = 1024 #valid_days = 3650 #ca_password = None``` 2013/8/22 Neil Tong <neil.t...@evault.com<mailto:neil.t...@evault.com><mailto:neil.t...@evault.com<mailto:neil.t...@evault.com>><mailto:neil.t...@evault.com<mailto:neil.t...@evault.com><mailto:neil.t...@evault.com<mailto:neil.t...@evault.com>>>> Looks like an SSL problem, so you have Keystone setup to use SSL? Piotr Kopec <pkope...@gmail.com<mailto:pkope...@gmail.com><mailto:pkope...@gmail.com<mailto:pkope...@gmail.com>><mailto:pkope...@gmail.com<mailto:pkope...@gmail.com><mailto:pkope...@gmail.com<mailto:pkope...@gmail.com>>>> wrote: Hello folks, I have met problem during configuration of Swift as a backend storage service for Glance. I have configured Glance according to Red Hat Instalation Guide. Now when I am trying to upload image using glance image-create command following message occures: [root@openstack182 ~]# glance image-create --name="Cirros 0.3.1" --disk-format=qcow2 --container-format bare < /tmp/images/cirros-0.3.1-x86_64-disk.img Request returned failure status. 500 Internal Server Error The server has either erred or is incapable of performing the requested operation. (HTTP 500) So the problem is with Swift server. Although Swift is able to create containers and upload files to them usingswift upload command: [root@openstack182 ~]# swift upload c4 data3.file data3.file [root@openstack182 ~]# swift list c1 c2 c3 c4 [root@openstack182 ~]# swift list c4 data3.file Glance also works well if the default_store parameter is set to file. After attempting to upload image to swift's container Glance API logs shows there is some problem with authentication: [root@openstack182 ~]# glance image-create --name="Cirros 0.3.1" --disk-format=qcow2 --container-format bare < /tmp/images/cirros-0.3.1-x86_64-disk.img Request returned failure status. 500 Internal Server Error The server has either erred or is incapable of performing the requested operation. (HTTP 500) [root@openstack182 ~]# date czw, 22 sie 2013, 14:39:00 CEST [root@openstack182 ~]# tail -n 50 /var/log/glance/api.log 2013-08-22 14:38:49.316 ERROR glance.api.v1.images [f32b8f75-054d-4be0-a048-dd797016d043 f554f1bf0c964ab3843214c0dfabf7a6 c154fa85885b4589aeb3b76f3a8d8beb] Failed to upload image 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images Traceback (most recent call last): 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/glance/api/v1/images.py", line 444, in _upload 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images image_meta['size']) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/glance/store/swift.py", line 321, in add 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images self._create_container_if_missing(location.container, connection) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/glance/store/swift.py", line 490, in _create_container_if_missing 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images connection.head_container(container) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/swiftclient/client.py", line 1070, in head_container 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images return self._retry(None, head_container, container) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/swiftclient/client.py", line 1022, in _retry 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images self.url, self.token = self.get_auth() 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/swiftclient/client.py", line 1010, in get_auth 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images insecure=self.insecure) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/swiftclient/client.py", line 329, in get_auth 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images insecure=insecure) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images File "/usr/lib/python2.6/site-packages/swiftclient/client.py", line 266, in get_keystoneclient_2_0 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images raise ClientException('Authorization Failure. %s' % err) 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images ClientException: Authorization Failure. Authorization Failed: [Errno 1] _ssl.c:490: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol 2013-08-22 14:38:49.316 8466 TRACE glance.api.v1.images Some keystone command output: [root@openstack182 ~]# keystone user-list +----------------------------------+---------+---------+-------+ | id | name | enabled | email | +----------------------------------+---------+---------+-------+ | f554f1bf0c964ab3843214c0dfabf7a6 | admin | True | | | ce494e0d76e44f1e9a4e4bccc5d6d3b2 | cinder | True | | | efa48ad1e0cb4142a7043cdc97ff605e | ec2 | True | | | 39d7c739fc31408c97cae9112a6da056 | glance | True | | | 147bf1212187401e8a21ee18a6e174b1 | nova | True | | | ac2a95560972434a84583df494b721ba | quantum | True | | | 97b1c6a788bc476ba620152c769b20b5 | swift | True | | +----------------------------------+---------+---------+-------+ [root@openstack182 ~]# keystone tenant-list +----------------------------------+---------+---------+ | id | name | enabled | +----------------------------------+---------+---------+ | c154fa85885b4589aeb3b76f3a8d8beb | demo | True | | ae243f7ba98441aea224d712cdd97ed0 | service | True | +----------------------------------+---------+---------+ [root@openstack182 ~]# keystone service-list +----------------------------------+----------+--------------+------------------------------+ | id | name | type | description | +----------------------------------+----------+--------------+------------------------------+ | 8d5ec35259d2442e999a709f49e6355d | cinder | volume | Cinder Volume Service | | e93f78475fd8476895ff7a74fac8842b | ec2 | ec2 | EC2 Compatibility Layer | | 422c6b4ccb8f4765ab55c51d9fd5d11a | glance | image | Image Service | | 64dd013cbab24a48a8d3b25423d8c555 | keystone | identity | Identity Service | | c807829b23444d90a065a0597c691424 | nova | compute | Compute Service | | 97179db088674c35b31b51abf9605bc7 | quantum | network | OpenStack Networking service | | 72a8718bb35143cfaac726cc7a41e60e | swift | object-store | Object Storage Service | +----------------------------------+----------+--------------+------------------------------+ Could anyone help me with this issue, please? All answers are appreciated. Regards. Piotr _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
