On Jun 17, 2016, at 2:05 PM, Turbo Fredriksson wrote:

> On Jun 17, 2016, at 1:12 PM, Eugen Block wrote:
> 
>> Have you nova-compute.logs?
> 
> They don't say a thing, so I'm guessing it never gets
> that far.

Running EVERYTHING with debugging, insensitive logging etc etc,
I noticed that Nova could not authenticate "something" (I just got
the non-descriptive "Something, something needs authentication").
I spent a whole day checking, triple checking etc. Everything WAS
ok! I'm almost sure of it! As sure as I can get without fully knowing
what I'm doing at least :).

I decided that the easiest way to solve this (which I was going to
do anyway, I was just hoping to put it off until everything was working)
was to create individual service accounts for everything.


Now I can't see the Compute node any more :(.

Running "openstack --debug flavor list" (etc, etc) gives me
(using my admin-openrc file which is supposed to give me
admin rights):

----- s n i p -----
[..]
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters {'username': 'admin', 'project_name': 'admin', 'auth_url': 
'http://control:35357/v3', 'user_domain_name': 'default', 'password': '***', 
'project_domain_name': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://control:35357/v3 -H "Accept: application/json" -H 
"User-Agent: python-openstackclient keystoneauth1/2.4.1 python-requests/2.10.0 
CPython/2.7.12rc1"
Starting new HTTP connection (1): control
"GET /v3 HTTP/1.1" 200 260
RESP: [200] Vary: X-Auth-Token Content-Type: application/json Content-Length: 
260 X-Openstack-Request-Id: req-168f79a9-53d5-482f-841c-d9a68dbb270e Date: Tue, 
21 Jun 2016 15:49:27 GMT Connection: keep-alive
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", 
"media-types": [{"base": "application/json", "type": 
"application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": 
[{"href": "http://control:35357/v3/", "rel": "self"}]}}

Making authentication request to http://control:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 11701
run(Namespace(all=False, columns=[], formatter='table', limit=None, long=False, 
marker=None, max_width=0, noindent=False, public=True, quote_mode='nonnumeric'))
Instantiating compute client for VAPI Version Major: 2, Minor: 0
Making authentication request to http://control:35357/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 11701
REQ: curl -g -i -X GET 
http://10.0.4.1:8774/v2/1857a7b08b8046038005b98e8b238843/flavors/detail -H 
"User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 
{SHA1}e3b5968af44686e0d3abfbf6e3934d6991235c46"
Starting new HTTP connection (1): 10.0.4.1
"GET /v2/1857a7b08b8046038005b98e8b238843/flavors/detail HTTP/1.1" 503 170
RESP: [503] Content-Length: 170 Content-Type: application/json; charset=UTF-8 
X-Compute-Request-Id: req-c40a135f-2445-4d68-a6aa-0c37d05f363c Date: Tue, 21 
Jun 2016 15:49:29 GMT Connection: keep-alive
RESP BODY: {"message": "The server is currently unavailable. Please try again 
at a later time.<br /><br />\n\n\n", "code": "503 Service Unavailable", 
"title": "Service Unavailable"}
[..]
----- s n i p -----

And the web GUI gives me:

  Error: Unable to get network agents info.
  Error: Unable to get nova services list.
  Error: Unable to get cinder services list.
  Error: Unable to get Orchestration service list.

and the list of "Compute Services" is empty..



Here it's trying to connect to (from what I've figured out) the compute
node. This IS up and running (on 10.0.4.3) but it seems like it hasn't
(successfully) registered itself to the controller.


This is the Compute node:

----- s n i p -----
bladeA03b:~# rgrep -E '^admin_|^#_tenant_|^#.*_domain_' /etc/nova | egrep -v '\.orig|~:' | sed "s@\(admin_password = \).*@\1SECRET@" | less
/etc/nova/nova.conf:admin_username = ironic             # The [ironic] section:
/etc/nova/nova.conf:admin_password = SECRET
/etc/nova/nova.conf:admin_tenant_name = service
/etc/nova/nova.conf:admin_user = nova                   # The [keystone_authtoken] section:
/etc/nova/nova.conf:admin_password = SECRET
/etc/nova/nova.conf:admin_tenant_name = service
/etc/nova/nova.conf:#default_domain_id = <None>
/etc/nova/nova.conf:#default_domain_name = <None>
/etc/nova/nova.conf:#project_domain_id = <None>
/etc/nova/nova.conf:#user_domain_id  = <None>
/etc/nova/nova.conf:#user_domain_name  = <None>
----- s n i p -----

On the Control:

----- s n i p -----
bladeA01b:~# rgrep -E '^admin_|^#_tenant_|^#.*_domain_' /etc/{nova,keystone,ironic} | egrep -v '\.orig|~:' | sed "s@\(.*_\(password\|token\) = \).*@\1SECRET@"
/etc/nova/nova.conf:admin_user = nova
/etc/nova/nova.conf:admin_password = SECRET
/etc/nova/nova.conf:admin_tenant_name = service
/etc/nova/nova.conf:#default_domain_id = <None>
/etc/nova/nova.conf:#default_domain_name = <None>
/etc/nova/nova.conf:#project_domain_id = <None>
/etc/keystone/keystone.conf:admin_token = SECRET
/etc/keystone/keystone.conf:#federated_domain_name = Federated
/etc/keystone/keystone.conf:#default_domain_id = default
/etc/keystone/keystone.conf:#admin_project_domain_name = <None>
----- s n i p -----

Also, basically the only thing I can do is list users etc:

----- s n i p -----
bladeA01b:~# openstack user list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 010049f831d84b19827ae27b72c406f1 | magnum     |
| 0b7e5b0653084efdad5d67b66f2cf949 | admin      |
| 0bc0163659864511a1610ba784d9e4b3 | mistral    |
| 25cc2c5cf61c46329489e68656676ee4 | aodh       |
| 4cf009b2dc7c4622b7230ad27f8242fe | nova       |
| 4d1f0fd8c7524b7797d823eeba85cb03 | glance     |
| 55f3968618b540b2a070ef845eb0c947 | ironic     |
| 56e8666f2b044577934f9707ad29da5f | heat       |
| 5eda7ede1be44745abd7d7815a85d927 | manila     |
| 6e69a71d41da453893769ebf597bf914 | zaqar      |
| 8a6694f8dde2497bbe230fbf4382f37d | trove      |
| 964a9e06be3e411f9bfa80e9ea07e986 | senlin     |
| a5bb89f8bbeb43d496e54109d11b1be6 | cinder     |
| c0853dac1d1c4c7294f3bdfa05731c37 | barbican   |
| c1bafcd2a72c429dbbf0bde8b35abb38 | murano     |
| c63ad4ff853b4b72a70d64dee7aa596b | ceilometer |
| de4b432c9c7b4f1785fd600fc22df6b4 | demo       |
| e298427fe3734640bfd0c6e043e13763 | neutron    |
| e8bbf36bae5b4d9bb1649395b5a49886 | designate  |
+----------------------------------+------------+
bladeA01b:~# openstack user list --project service

bladeA01b:~# openstack user show magnum
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| default_project_id | f491fbef5f1748cc8fefed046973974e |
| domain_id          | default                          |
| enabled            | True                             |
| id                 | 010049f831d84b19827ae27b72c406f1 |
| name               | magnum                           |
+--------------------+----------------------------------+
bladeA01b:~# openstack project show f491fbef5f1748cc8fefed046973974e
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Debian service project   |
| domain_id   | default                          |
| enabled     | True                             |
| id          | f491fbef5f1748cc8fefed046973974e |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
----- s n i p -----

What "worries" me a little is that the "user list --project"
output is empty! I know that part worked once, on another
install, when I _didn't_ use individual accounts for each
service. But the "user show" seems to indicate that the user
IS in the correct project after all..


So what is the correct way to have services authenticate themselves?
What variable/setting am I missing (or have used when I shouldn't)?

I can't see anything in the logs, even with debugging and verbose
enabled.
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
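
Added example, not part of the original post and not OpenStack project code: a small audit that compares a service's [keystone_authtoken] section with the parameter names the password auth plugin used in the CLI debug output above (the same names keystonemiddleware accepts with the password plugin), and flags the older admin_* options seen in the grep output. The function names and the sample config are constructed for illustration; a finding is a prompt to check the section, not a diagnosis of the 503.

```python
import configparser

# Parameter names from the "Using parameters {...}" debug line in the post.
V3_PASSWORD_KEYS = ("auth_url", "username", "password", "project_name",
                    "user_domain_name", "project_domain_name")
# Older option names that appear in the nova.conf grep output in the post.
LEGACY_KEYS = ("admin_user", "admin_password", "admin_tenant_name")
SECRET_HINTS = ("password", "token")

# Constructed sample modelled on the grep output (not a real configuration).
SAMPLE_NOVA_CONF = """
[DEFAULT]
debug = True

[keystone_authtoken]
admin_user = nova
admin_password = constructed-example-value
admin_tenant_name = service
"""

def _present(opts, key):
    # A domain may be given by name or by id (user_domain_id, project_domain_id).
    return key in opts or (key.endswith("_domain_name") and key[:-4] + "id" in opts)

def audit_section(conf_text, section="keystone_authtoken"):
    """Return (legacy keys found, v3 password keys missing, redacted options)."""
    # default_section is renamed so [DEFAULT] values are not merged into the
    # section under audit; strict=False tolerates duplicated options.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   default_section="__unused__")
    cp.read_string(conf_text)
    if not cp.has_section(section):
        raise KeyError("no [%s] section in config" % section)
    opts = dict(cp.items(section))
    legacy = [k for k in LEGACY_KEYS if k in opts]
    missing = [k for k in V3_PASSWORD_KEYS if not _present(opts, k)]
    # Redact anything that looks like a secret before it is printed or mailed.
    redacted = {k: "SECRET" if any(h in k for h in SECRET_HINTS) else v
                for k, v in opts.items()}
    return legacy, missing, redacted

if __name__ == "__main__":
    legacy, missing, redacted = audit_section(SAMPLE_NOVA_CONF)
    print("legacy options present :", ", ".join(legacy) or "none")
    print("v3 options not set     :", ", ".join(missing) or "none")
    for key, value in sorted(redacted.items()):
        print("  %s = %s" % (key, value))
```

Run it against each service's config on both the controller and the compute node; the redacted dictionary is safe to paste into a list post.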
