Re: [Openstack] moving cloud controller to another IP network
in my situation, the endpoint is saved in /etc/keystone/default_templates and the ip address is replaced by localhost.

i think it is better to use a hostname instead of a real ip address if you may often change ip network; when you have to change, just modify /etc/hosts

am i right?

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] What's the function of devstack?
a gui like the ubuntu installation interface can be provided by dialog, which devstack currently doesn't use; devstack just generates plain console output

On 1/16/13, Wojciech Dec wrote:
> Hi,
>
> devstack is a scripted (aka using a pre-canned config) openstack setup
> using (generally latest) openstack code (from git). While not being an
> official openstack project, it is used by many as a quick & easy way to get
> an openstack environment set-up. In terms of GUI, you'll get the horizon
> web interface GUI to do basic things, but suggest getting familiarity with
> the CLI.
>
> You clearly should get familiar with http://devstack.org/
>
> Cheers,
> Woj.
>
> On 15 January 2013 09:32, Jia Lee wrote:
>
>> Hi,
>>
>> Could someone tell me the function of devstack and will there be a
>> graphical user interface when the 'stack.sh' is executed?
>>
>>
>> --
>> The world is wonderful because of you~
Re: [Openstack] Help with Glance
"My glance version is 2012.1.1"

i think a command like the following may solve your problem:

    # glance add is_public=true name="Ubuntu 12.04 UEC" container_format=ovf disk_format=qcow2 < precise-server-cloudimg-amd64.img

use "# glance help" to get more details

good luck

On 1/16/13, JuanFra Rodriguez Cardoso wrote:
> It shouldn't be a problem with your distro.
>
> Can you enable flags 'verbose=True' and 'debug=True' in both
> glance-registry.conf and glance-api.conf?
> In this way, you can paste more useful info returned by the error.
>
>
> 2013/1/16 Guilherme Russi
>
>> I've tried to type all over again: glance image-create --name= "Ubuntu
>> 12.04 UEC" is_public= true --container-format= ovf --disk-format= qcow2 <
>> precise-server-cloudimg-amd64.img and got the same error, I'm using
>> Debian
>> Wheezy, maybe can be some problem with my dist?
>>
>> Thanks.
>>
>>
>>
>> 2013/1/16 JuanFra Rodriguez Cardoso
>>
>>> mmm... can be an error related with quotes copied?
>>> Test typing manually "Ubuntu 12.04 UEC"
>>>
>>>
>>> 2013/1/16 Guilherme Russi
>>>
>>>> It returned the same error, it looks like my glance doesn't know the
>>>> command --name, "no such option: --name"
>>>>
>>>> 2013/1/16 JuanFra Rodriguez Cardoso
>>>>
>>>>> glance image-create --name="Ubuntu 12.04 UEC" *is_public=true*
>>>>> --container-format=ovf --disk-format=qcow2 < precise-server-cloudimg-amd64.img
>>>
>>>
>>> --
>>> JuanFra
>>>
>
>
> --
> JuanFra
[Openstack] [glance] how to export snapshot to local file system
dear all,

i have deployed openstack essex on ubuntu 12.04 precise. there are some instances running for a couple of days. now the server becomes unstable, so i want to save my instances' snapshots to a remote file system in order to use them in a new environment.

i find that there is no such command in glance, so what should i do?

i guess i can achieve it by the following steps:

1. snapshot instance
2. locate the snapshot file in /var/lib/glance/images/xxx
3. copy this file to a remote host
4. upload this file by 'glance add' as disk_format=qcow2 to a new openstack environment

is it correct? and is there any convenient way?

thanks for any help
Re: [Openstack] Multinic issue (essex)
hello

I'm trying to use multi nics in essex, but it gets an error:

    ERROR: NoNetworksFound: No networks defined. (HTTP 400)

and this link https://bugs.launchpad.net/nova/+bug/953426 says that essex currently does not enable specific nics. and i tried to use that patch in essex but failed.

I'm wondering why you can launch an instance with single nic while another with two. Do you mind to tell me how you achieve that?

thank you very much

On 1/23/13, Jesús Moreno wrote:
> Hi,
>
> I'm trying to use multinic to create a scenario with two instances: Client
> (with one network interface) and Router (with two interfaces):
>
> Client(10.0.14.5) (10.0.14.9)Router(10.0.2.9)
>
> I have modified the gateway in Client routing table, setting Router as the
> new gateway, and activated ip_forward in Router. However, when I ping
> 10.0.2.9 from Client I get no reply. Capturing the traffic with tcpdump I
> have checked that Router gets echo requests packets and that Router sends
> echo replies, but then "they get lost somewhere", as I have captured the
> traffic in the computation nodes bridges and the echo reply packets don't
> appear. I guess that it could be a problem related with Vlans. Any ideas?
> Any help would be greatly appreciated.
>
> Regards,
> J. Moreno.
[Openstack] how to get version information
hello everyone,

i'm wondering if there is any rest api for components' version info.

i read the http://api.openstack.org/api-ref.html and find:

1) keystone truly has a rest api for version info:

    # curl http://127.0.0.1:5000/v2.0/
    {"version": {"status": "beta", "updated": "2011-11-19T00:00:00Z",...

2) nova says it has, but sadly it does not work for essex

    # curl -H "X-Auth-Token:token-for-admin-tenant" http://127.0.0.1:8774/v2
    Authentication required
    # curl -H "X-Auth-Token:token-for-admin-tenant" http://127.0.0.1:8774/v2.0/
    {"choices": [{"status": "CURRENT",

so the document may point to folsom, and essex has little difference.

there seems no rest api for glance and horizon, and no CLI for nova and horizon, while CLI has glance --version and nova-manage version

so my question is:
1) is there any rest api for querying components' version info in essex and folsom (beside keystone)?
2) if not, will it be implemented in future?

thanks for any help.
[Openstack] [essex vlan]cannot ping vm on other compute node
greeting, stackers

i deploy essex with flatdhcp, it works for a long time, but currently i want to use vlan network, so i deploy a new environment. everything is same as the previous one, just use vlan network.

here is the problem: i cannot ping vm on other compute node

control node (all-in-one)
    public nic (eth0): 172.16.1.12
    vlan nic (eth1): vlan105 br105 10.0.12.6
compute node (nova-compute, nova-network)
    public nic (eth0): 172.16.1.13
    vlan nic (eth1): vlan105 br105 10.0.12.4

now i create 2 vm, one is 10.0.12.5 on control node, another one is 10.0.12.3 on compute node

i cannot ping 10.0.12.4 from control node, so i cannot ping 10.0.12.3 either

using tcpdump -nnxx -i eth1 host 10.0.12.3, i capture ARP packets from control node with vlan tag 8100 0069 0806 0001 0800 0604, so i think it works right so far.

but on compute node i use tcpdump -i eth1 host 10.0.12.3 and get nothing.

the cables connected to eth1 are plugged into a cisco catalyst 2950 switcher port 22 and 23, working under trunk mode, it allows all vlan by default

i guess the problem may be caused by wrong setting of switcher since packets are dropped, but i'm not very sure.

after two days searching for an answer on the internet, i've no idea how to solve this question, so please help me
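The capture check described in the message above can be done mechanically. The following is an added example, not part of the original post: it decodes the 802.1Q tag from `tcpdump -xx` style hex and confirms that the quoted bytes `8100 0069` mean VLAN ID 105. The two sample frames are constructed (made-up MAC addresses), and the function names are hypothetical.

```python
"""Decode 802.1Q tags from `tcpdump -xx` hex output (added example)."""
import struct

TPID_8021Q = 0x8100    # standard VLAN tag
TPID_8021AD = 0x88A8   # outer service tag (QinQ)
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# Constructed sample: a broadcast ARP request carrying the bytes quoted in the
# message (8100 0069 0806 0001 0800 0604). MAC addresses are made up.
SAMPLE_TAGGED = """
0x0000:  ffff ffff ffff fa16 3e00 0001 8100 0069
0x0010:  0806 0001 0800 0604 0001 fa16 3e00 0001
0x0020:  0a00 0c06 0000 0000 0000 0a00 0c03
"""

# Constructed sample: the same request as it would look without a VLAN tag.
SAMPLE_UNTAGGED = """
0x0000:  ffff ffff ffff fa16 3e00 0001 0806 0001
0x0010:  0800 0604 0001 fa16 3e00 0001 0a00 0c06
0x0020:  0000 0000 0000 0a00 0c03
"""


def parse_hex_dump(text):
    """Turn hex dump lines (with or without an "0x0000:" offset) into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, payload = line.rpartition(":")   # drop the offset column
        out += bytes.fromhex("".join(payload.split()))
    return bytes(out)


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Return addresses, the stack of VLAN tags and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information: 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]), "tags": tags,
            "ethertype": etype,
            "ethertype_name": ETHERTYPES.get(etype, hex(etype))}


def carries_vlan(info, vid):
    """True when the outermost tag of the frame is the expected VLAN ID."""
    return bool(info["tags"]) and info["tags"][0]["vid"] == vid


if __name__ == "__main__":
    for name, dump in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        info = parse_ethernet(parse_hex_dump(dump))
        vids = [t["vid"] for t in info["tags"]] or "none"
        print(f"{name}: vlan={vids} type={info['ethertype_name']} "
              f"vlan105={carries_vlan(info, 105)}")
```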
Re: [Openstack] [essex vlan]cannot ping vm on other compute node
thank you for your help

i guess you point a way to figure out whether the switcher is working correctly or not

after i add a vlan 5 to eth1 and an ip addr to it, the switcher works fine, ping gets reply, so the switch trunk port seems no problem

but br105 got a 10.0.12.{4,6}/24 as well, and also vlan105@eth1 is created by nova-network

here is console output:

    # ip addr show br105
    br105: mtu 1500 qdisc noqueue state UP
        link/ether fa:16:3e:3b:cd:60 brd ff:ff:ff:ff:ff:ff
        inet 10.0.12.4/24 brd 10.0.12.255 scope global br105
        inet6 fe80::9890:d8ff:fe8f:48a9/64 scope link
           valid_lft forever preferred_lft forever

    # ip addr show vlan105
    vlan105@eth1: mtu 1500 qdisc noqueue master br105 state UP
        link/ether fa:16:3e:3b:cd:60 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::f816:3eff:fe3b:cd60/64 scope link
           valid_lft forever preferred_lft forever

    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br105           8000.fa163e3bcd60       no              vlan105
                                                            vnet0
    virbr0          8000.                   yes

here is nova.conf network section:

    # cat /etc/nova/nova.conf
    ...
    network_manager=nova.network.manager.VlanManager
    vlan_interface=eth1
    vlan_start=100
    force_dhcp_release=True
    dhcpbridge_flagfile=/etc/nova/nova.conf
    dhcpbridge=/usr/bin/nova-dhcpbridge
    firewall_driver=nova.virt.libvirt.firewall.IptablesFirewallDriver
    public_interface=eth0
    fixed_range=10.0.0.0/16
    multi_host=true
    routing_source_ip=172.16.1.13
    my_ip=172.16.1.13
    flat_injected=false
    ...

maybe somewhere i'm wrong, i think ifconfig eth0.5 may be eth1.5

i run ifconfig eth0.5 10.2.2.2/24 and it reports

    eth0.5: ERROR while getting interface flags: No such device

i think this is because vlan is added on eth1 not eth0. if i'm wrong please let me know, thanks again

---
You could do:

on host connected to port 22 on the switch

    vconfig add eth1 5
    ifconfig eth0.5 10.2.2.2/24

on host connected on port 23

    vconfig add eth1 5
    ifconfig eth0.5 10.2.2.3/24

and then try to ping through the switch (ping 10.2.2.2) in order to rule the switch out.
Re: [Openstack] [essex vlan]cannot ping vm on other compute node
since i notice that in switcher:

    sw-31>show interface fastEthernet 0/22 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/22      on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/22      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/22      1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/22      1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001

the vlan 5 is active in management domain but 105 is not, so i try the same workflow as before but change vlan id 5 to 110, ping gets no reply as vlan105

so maybe i should add vlan105 to active list? sorry i'm a green hand to switcher and got confused.

1) what is the difference between the allowed list and active list
2) if i should add active list manually, so does the cloud admin, if he creates a vlan for a tenant, he should add to switcher active list too? is there any way to automatically recognize the vlan tag and allow it to pass?

maybe add a range to active list, for example, 100-4000? it's ugly..
Re: [Openstack] [essex vlan]cannot ping vm on other compute node
thank you very much.

actually, i have already tried these commands yesterday, it does not work.

currently, i find that vlan id in active list and not pruned list can be passed by switcher, vlan id not in the two lists will be dropped even if they are in allowed list.
but the network administrator (and the internet pages) tells me that if vlan is in allowed list, it can go through trunk mode port.

there is some hardware info that may not be useful, but i list it here, hope it will help someone else.

cisco catalyst 2950 switcher only have

    """sw-31(config)#interface gigabitEthernet 0/2?
    . : <0-2> """

so i just operate on fastEthernet 0/22

    """sw-31(config)#interface fastEthernet 0/22?
    . : <0-24> """

and 2950 by default
1) allowed all vlan id on trunk mode
2) only support 802.1q on trunk mode

so the following commands:
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 1-4094
will not work.

On 2/27/13, Aaron Rosen wrote:
> Perhaps:
>
> interface gigabit 0/22
> switchport mode trunk
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 1-4094
> interface gigabit 0/23
> switchport mode trunk
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 1-4094
>
>
>
> On Wed, Feb 27, 2013 at 12:02 AM, Ajiva Fan wrote:
>>
>> since i notice that in switcher:
>> sw-31>show interface fastEthernet 0/22 trunk
>>
>> Port        Mode         Encapsulation  Status        Native vlan
>> Fa0/22      on           802.1q         trunking      1
>>
>> Port        Vlans allowed on trunk
>> Fa0/22      1-4094
>>
>> Port        Vlans allowed and active in management domain
>> Fa0/22
>> 1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001
>>
>> Port        Vlans in spanning tree forwarding state and not pruned
>> Fa0/22
>> 1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001
>>
>> the vlan 5 is active in management domain but 105 is not, so i try the
>> same workflow as before but change vlan id 5 to 110, ping gets no
>> reply as vlan105
>>
>> so maybe i should add vlan105 to active list? sorry i'm a green hand
>> to switcher and got confused.
>> 1) what is the difference between the allowed list and active list
>> 2) if i should add active list manually, so does the cloud admin, if
>> he creates a vlan for a tenant, he should add to switcher active list
>> too? is there any way to automatically recognize the vlan tag and allow
>> it to pass?
>> maybe add a range to active list, for example, 100-4000? it's ugly..
Re: [Openstack] [essex vlan]cannot ping vm on other compute node
thank you for the reply

special thanks to Aaron Rosen

the situation is that:
1) openstack is in vlan mode
2) switcher is in trunk mode, all vlan id is allowed
3) vlan in switcher's allowed list, active list and (not pruned) list can communicate with each other. vlan only in allowed list but not in the other two lists is isolated
4) i tried the way which is from the official site guide to set pruned list but it does not work, the switcher just ignores the prune command and holds the original config (i will ask our network administrator and find more help from cisco site)

now i think openstack is running fine (at least from my point of view) and i think switcher trunk port is running basically correct

here is my env:

switcher port {22,23}

    sw-31#show interfaces fastEthernet 0/22 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/22      on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/22      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/22      1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/22      1,5,7,10-12,16,18-21,27,30,40,50,60,80,88,96,100-101,123,160,192,302-303,600,602,700,800,1000-1001

from openstack control node terminal:

    # nova-manage network create --label admin-network-01 --fixed_range_v4=10.0.12.0/24 --vlan=105 --project_id=
    # nova-manage network create --label admin-network-02 --fixed_range_v4=10.0.13.0/24 --vlan=101 --project_id=
    # nova boot --image cirros --flavor 1 --availability_zone nova:control test01
    # nova boot --image cirros --flavor 1 --availability_zone nova:compute test02

now test01 and test02 get two vlan ip addr, and control node and compute node get two bridges

NOTE: *** vlan101 *** is in switcher's active list and "spanning tree forwarding state and not pruned" list, but vlan105 is not, vlan105 is just in allowed list

control node:
    br105 10.0.12.6
    br101 10.0.13.6
compute node
    br105 10.0.12.4
    br101 10.0.13.4

from control node i can ping 10.0.13.4 but cannot ping 10.0.12.4

so the root cause may be the active list and the pruned list of switcher

has anyone met such a problem? maybe i'm fool or i'm just fooled by some odd issue

please help me

On 2/27/13, Salvatore Orlando wrote:
> I'm not sure I followed the thread correctly from the beginning, but I
> read that you have configured your NIC for private VM networking, in
> VLAN mode, on VLAN 105.
> Is that correct?
>
> In general trunking all your switch ports used for VM networking will
> save you the hassle of adding the VLANs you are using in your setup
> one by one.
> Also, there's quite a difference between VLAN access mode and trunk
> mode. I rarely use Cisco switches, but when I do I always put them in
> trunk mode explicitly.
> The list of allowed vlan is a sort of filter that you apply on a trunk
> port. So perhaps you might want to put all your ports in trunk mode
> and use the vlan range defined in nova.conf as allowed vlan list.
>
> Salvatore
>
> On 27 February 2013 10:18, Ajiva Fan wrote:
>> thank you very much.
>>
>> actually, i have already tried these commands yesterday, it does not work.
>>
>> currently, i find that vlan id in active list and not pruned list can
>> be passed by switcher, vlan id not in the two lists will be
>> dropped even if they are in allowed list.
>> but the network administrator (and the internet pages) tells me that
>> if vlan is in allowed list, it can go through trunk mode port.
>>
>>
>>
>>
>> there is some hardware info that may not be useful, but i list it here,
>> hope it will help someone else.
>> cisco catalyst 2950 switcher only have
>> """sw-31(config)#interface gigabitEthernet 0/2?
>> . : <0-2> """
>> so i just operate on fastEthernet 0/22
>> """sw-31(config)#interface fastEthernet 0/22?
>> . : <0-24> """
>> and 2950 by default
>> 1) allowed all vlan id on trunk mode
>> 2) only support 802.1q on trunk mode
>> so the following commands:
>>> switchport trunk encapsulation dot1q
>>> switchport trunk allowed vlan 1-4094
>> will not work.
>>
>>
>> On 2/27/13, Aaron Rosen wrote:
>>> Perhaps:
>>>
>>> interface gigabit 0/22
>>> switchport mode trunk
>>> switchport trunk encapsulation dot1q
>>> switchport trunk allowed vlan 1-4094
>>> interface gigabit 0/23
>>> switchport mode trunk
>>> switchport trunk encapsulation dot1q
>>> switchport trunk allowed vlan 1-4094
>>>
>>>
>>>
>>> On Wed, Feb 27, 20
Re: [Openstack] [essex vlan]cannot ping vm on other compute node
thank you, Kevin S, and also thanks George

i did this command in the beginning of the time when i met this problem, and it failed because

    """sw-31(config)#vlan 105
    VTP VLAN configuration not allowed when device is in CLIENT mode."""

meanwhile i'm guided to a wrong way by our network administrator, since i'm very new to switcher config.

yes, by adding a vlan id to the switch, the problem is solved. and the switcher must be put into vtp server mode. the client mode just copies vlan config from a server, so any configuration about vlan is ignored.

ps: i followed this qa on cisco site: https://learningnetwork.cisco.com/thread/15990

thank you very much for your help
Re: [Openstack] Network configuration on compute node
the output of `# brctl show` shows that your br100 is not bridged on any nic, and the output of `ifconfig` shows that your br100 gets no ipv4 addr

br100 plays the roles of:
1) gateway
2) dhcp server
3) dns server

so since your br100 is not created correctly, i think the vm will not get an ip through dhcp

please paste your nova.conf file, especially the network part.

hope someone will find the problem
[Openstack] [nova-network] add-network-to-project
hello everyone:

i have a very simple question which confuses me for a long time:
how should i add a network to a project via rest api?

1) i'm admin of the whole cloud env essex, (i think the folsom is same in this case)
2) using nova-network:vlan (if using flatdhcp, the associate action is meaningless)
3) a user project "user-project" is created, and the admin:admin is not that project's admin (and even not a member of it)
4) a network "user-network" is created, but not associated with "user-project"
5) how to associate the "user-network" with "user-project" ?

i know i can use "nova-manage" via nova-client in the control node, but what i need to know is how to do this operation via rest api, like curl or in horizon?

the rest api is: http://api.openstack.org/api-ref.html

    POST v2/{tenant_id}/os-networks/add

with a body identifying the network's id

the problem is that, even i have admin:admin token, i *cannot* associate the "user-network" with "user-project", because from the source code of folsom (and essex) nova, in the nova.api.openstack.wsgi.py of line 931, i find this:

    project_id = action_args.pop("project_id", None)
    context = request.environ.get('nova.context')
    if (context and project_id and (project_id != context.project_id)):
        msg = _("Malformed request url")
        return Fault(webob.exc.HTTPBadRequest(explanation=msg))

since nova.context.project_id is the project admin_id, and the project_id is extracted from the url, so the webob.exc is returned.

please help me, i read a lot, (both document and source code, i just cannot understand or just miss something important) but still don't know how to do it.

ps: i have sent a mail to openstack-dev on mar 8, but no one replied to me. is my question nonsense?
Note this mail is not exactly the same as the previous one since i've more knowledge of it, but the main problem is same
Re: [Openstack] [nova-network] add-network-to-project
thanks

by comparing the doc and the source code, i know the api reference points to the current stable, which means folsom. there is no mistiness for me.

but if there is http://api.openstack.org/essex/api-ref.html, http://api.openstack.org/folsom/api-ref.html, http://api.openstack.org/grizzly/api-ref.html and etc, it will be excellent.

i just read the source code of folsom nova, learn from them and make this extension available in Essex, so i can use networks extension to create and associate (with a little difference)

thanks to the contributors

On Thu, Mar 28, 2013 at 9:18 PM, Anne Gentle wrote:
> In Essex this API extension was unavailable. I apologize that the docs
> site does not currently clarify that. We are working on a solution. In
> Essex you must use the nova-manage commands to manage networks.
>
> Anne Gentle
> Content Stacker
> a...@openstack.org
>
>
> On Mar 28, 2013, at 3:46 AM, Ajiva Fan wrote:
>
> hello everyone:
>
> i have a very simple question which confuses me for a long time:
> how should i add a network to a project via rest api?
>
> 1) i'm admin of the whole cloud env essex, (i think the folsom is same in
> this case)
> 2) using nova-network:vlan (if using flatdhcp, the associate action is
> meaningless)
> 3) a user project "user-project" is created, and the admin:admin is not
> that project's admin (and even not a member of it)
> 4) a network "user-network" is created, but not associated with
> "user-project"
> 5) how to associate the "user-network" with "user-project" ?
>
> i know i can use "nova-manage" via nova-client in the control node,
> but what i need to know is how to do this operation via rest api, like
> curl or in horizon?
>
> the rest api is: http://api.openstack.org/api-ref.html
> POST
> v2/{tenant_id}/os-networks/add
> with a body identifying the network's id
>
> the problem is that, even i have admin:admin token, i *cannot* associate
> the "user-network" with "user-project",
> because from the source code of folsom (and essex) nova, in the
> nova.api.openstack.wsgi.py of line 931, i find this:
>
>     project_id = action_args.pop("project_id", None)
>     context = request.environ.get('nova.context')
>     if (context and project_id and (project_id != context.project_id)):
>         msg = _("Malformed request url")
>         return Fault(webob.exc.HTTPBadRequest(explanation=msg))
>
> since nova.context.project_id is the project admin_id, and the project_id
> is extracted from the url,
> so the webob.exc is returned.
>
> please help me, i read a lot, (both document and source code, i just
> cannot understand or just miss something important)
> but still don't know how to do it.
>
> ps: i have sent a mail to openstack-dev on mar 8, but no one replied to me. is
> my question nonsense?
> Note this mail is not exactly the same as the previous one since i've more
> knowledge of it, but the main problem is same
Re: [Openstack] [nova-network] add-network-to-project
Thanks vish

I think it is better not to modify the wsgi file which is depended on by others, it will not be safe for other extensions

My opinion is that only modify the networks extension, for example, add project-id along with network-id in body, so the NetworkController.add() uses the project-id from body instead of from context. (This solution is mentioned in my mail on Mar 8.)

There is a danger that if an admin:user-project passes the authentication and since he has an admin role, then he can associate any network to any project, or i may have some misunderstanding of the authentication. If only admin:admin has a valid authorization on the networks extension, then this is safe. (ps, i think the option you mentioned to check context.is_admin will have the same problem if admin:user-project's context will set is_admin to True)

best wish.

ps: Detail why add project-id in body is not safe is listed below:

Here is my knowledge from following the extension's authentication:

in the networks.py there is a function pointer:

    authorize = extensions.extension_authorizer('compute', 'networks')

and in the class NetworkController.add() function, it invokes authorize(context)

in nova.api.openstack.extension.extension_authorize(), it says: (in essex it is the same)

    def extension_authorizer(api_name, extension_name):
        def authorize(context, target=None):
            if target is None:
                target = {'project_id': context.project_id,
                          'user_id': context.user_id}
            action = '%s_extension:%s' % (api_name, extension_name)
            nova.policy.enforce(context, action, target)
        return authorize

in the /etc/nova/policy.json, the networks extension's rule is:

    "admin_api": [["is_admin:True"]],
    "compute_extension:networks": [["rule:admin_api"]],

the nova.openstack.common.policy will _check_rule(), _check_role() and _check_generic(), and for the _check_generic, it will check context["is_admin"] == True.

nova.api.auth.NovaKeystoneContext will instance nova.context.RequestContext with a self.is_admin = nova.policy.check_is_admin(self.roles), while the check_is_admin only invokes nova.openstack.common.policy.enforce() to check if it has a role named "admin", so if keystone.middleware.auth_token.py fills the header with an "admin" in "X-Roles", this will be authorized. Which i think admin:user-project will be valid.

On Thu, Mar 28, 2013 at 11:12 PM, Vishvananda Ishaya wrote:
> I just looked at the code and it appears this is not possible through the
> os_networks extension. This appears to be an oversight. It should probably
> allow a project to be passed in.
>
> Bug report here: https://bugs.launchpad.net/nova/+bug/1161441
>
> That said, the first time a user boots an instance, he automatically gets
> assigned a network, so in many cases it isn't needed.
>
> Another option would be to modify the code you mentioned to allow a
> workaround:
>
>     if (context and not context.is_admin and project_id and (project_id !=
>     context.project_id)):
>
> Vish
>
> On Mar 28, 2013, at 1:46 AM, Ajiva Fan wrote:
>
> hello everyone:
>
> i have a very simple question which confuses me for a long time:
> how should i add a network to a project via rest api?
>
> 1) i'm admin of the whole cloud env essex, (i think the folsom is same in
> this case)
> 2) using nova-network:vlan (if using flatdhcp, the associate action is
> meaningless)
> 3) a user project "user-project" is created, and the admin:admin is not
> that project's admin (and even not a member of it)
> 4) a network "user-network" is created, but not associated with
> "user-project"
> 5) how to associate the "user-network" with "user-project" ?
>
> i know i can use "nova-manage" via nova-client in the control node,
> but what i need to know is how to do this operation via rest api, like
> curl or in horizon?
>
> the rest api is: http://api.openstack.org/api-ref.html
> POST
> v2/{tenant_id}/os-networks/add
> with a body identifying the network's id
>
> the problem is that, even i have admin:admin token, i *cannot* associate
> the "user-network" with "user-project",
> because from the source code of folsom (and essex) nova, in the
> nova.api.openstack.wsgi.py of line 931, i find this:
>
>     project_id = action_args.pop("project_id", None)
>     context = request.environ.get('nova.context')
>     if (context and project_id and (project_id != context.project_id)):
>         msg = _("Malformed request url")
>         return Fault(webob.exc.HTTPBadRequest(explanation=msg))
>
> since nova.context.project_id is the projec
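The authorization concern raised in the message above can be made concrete with a small model. This is an added example, not nova's code and not part of the original mail: the classes and function names are hypothetical stand-ins, and `authorize_cloud_admin` is an assumed stricter rule that corresponds to the "only admin:admin" condition the message calls safe.

```python
"""Simplified model of the checks discussed in this thread (added example)."""
from dataclasses import dataclass, field
from functools import partial


class BadRequest(Exception):
    """Stands in for webob.exc.HTTPBadRequest."""


class Forbidden(Exception):
    """Stands in for a policy enforcement failure."""


@dataclass
class Context:
    user_id: str
    project_id: str                      # project the token is scoped to
    roles: list = field(default_factory=list)

    @property
    def is_admin(self):
        # As the thread describes: derived only from a role named "admin",
        # regardless of which project that role was granted in.
        return any(r.lower() == "admin" for r in self.roles)


def url_check_original(ctx, url_project_id):
    """The wsgi.py check quoted in the thread."""
    if ctx and url_project_id and url_project_id != ctx.project_id:
        raise BadRequest("Malformed request url")


def url_check_workaround(ctx, url_project_id):
    """The workaround proposed in the thread: admins bypass the check."""
    if (ctx and not ctx.is_admin and url_project_id
            and url_project_id != ctx.project_id):
        raise BadRequest("Malformed request url")


def authorize_admin_api(ctx):
    """Models the policy rule "admin_api": [["is_admin:True"]]."""
    if not ctx.is_admin:
        raise Forbidden("admin_api")


def authorize_cloud_admin(ctx, admin_project_id):
    """Assumed stricter rule: admin role AND token scoped to the operator project."""
    if not (ctx.is_admin and ctx.project_id == admin_project_id):
        raise Forbidden("cloud admin required")


def associate(ctx, url_project_id, network_id, networks, url_check, authorize):
    """Associate network_id with the project named in the URL."""
    url_check(ctx, url_project_id)
    authorize(ctx)
    networks[network_id] = url_project_id
    return url_project_id


def attempt(*args):
    try:
        return "associated with " + associate(*args)
    except (BadRequest, Forbidden) as exc:
        return type(exc).__name__


def run_scenarios():
    cloud_admin = Context("admin", "admin", ["admin"])           # admin:admin
    tenant_admin = Context("alice", "user-project", ["admin"])   # admin:user-project
    member = Context("bob", "user-project", ["member"])
    strict = partial(authorize_cloud_admin, admin_project_id="admin")
    nets = {}
    return {
        # The reported problem: the cloud admin is rejected by the URL check.
        "cloud admin, original": attempt(
            cloud_admin, "user-project", "net-1", nets,
            url_check_original, authorize_admin_api),
        "cloud admin, workaround": attempt(
            cloud_admin, "user-project", "net-1", nets,
            url_check_workaround, authorize_admin_api),
        # The concern: an admin of one project reaches another project.
        "tenant admin, workaround": attempt(
            tenant_admin, "other-project", "net-2", nets,
            url_check_workaround, authorize_admin_api),
        "tenant admin, workaround + strict": attempt(
            tenant_admin, "other-project", "net-2", nets,
            url_check_workaround, strict),
        "cloud admin, workaround + strict": attempt(
            cloud_admin, "user-project", "net-1", nets,
            url_check_workaround, strict),
        "member, workaround": attempt(
            member, "other-project", "net-2", nets,
            url_check_workaround, authorize_admin_api),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36s} -> {outcome}")
```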
Re: [Openstack] [nova-network] add-network-to-project
thanks for the "admin" clarification : )

here is more information about how other extensions avoid the problem:

i read the policy.json file, find some other extensions meet the same problem and watch how they implement it

for example, the quota api just shows like this

    GET  v2/{tenant_id}/os-quota-sets/{tenant_id}   Show quotas for tenant
    POST v2/{tenant_id}/os-quota-sets/{tenant_id}   Update quotas for tenant.

so the quota meets the same problem and just adds the target tenant id to the url, and its update function takes the id from the result of routes.mapper pointing to the secondary tenant_id

some extensions don't even care which tenant is operated on, they just need to know if the token in the header is an admin token, for example:

    "compute_extension:server_diagnostics": [["rule:admin_api"]]

    GET v2/{tenant_id}/servers/{server_id}/diagnostics   Retrieves basic usage data for a given server.

from the source code, it doesn't check the tenant id at all. it just invokes authorize(context) to check if it is admin.

But i do know for some cases tenant_id is necessary for policy/security check or as a param, and for the consistency, the extension should act the same way. and since the APIRouter uses ProjectMapper as the mapper and routes the request, it seems the redundant tenant_id cannot be avoided.

On Thu, Mar 28, 2013 at 11:12 PM, Vishvananda Ishaya wrote:
> I just looked at the code and it appears this is not possible through the
> os_networks extension. This appears to be an oversight. It should probably
> allow a project to be passed in.
>
> Bug report here: https://bugs.launchpad.net/nova/+bug/1161441
>
> That said, the first time a user boots an instance, he automatically gets
> assigned a network, so in many cases it isn't needed.
>
> Another option would be to modify the code you mentioned to allow a
> workaround:
>
>     if (context and not context.is_admin and project_id and (project_id !=
>     context.project_id)):
>
> Vish
>
> On Mar 28, 2013, at 1:46 AM, Ajiva Fan wrote:
>
> hello everyone:
>
> i have a very simple question which confuses me for a long time:
> how should i add a network to a project via rest api?
>
> 1) i'm admin of the whole cloud env essex, (i think the folsom is same in
> this case)
> 2) using nova-network:vlan (if using flatdhcp, the associate action is
> meaningless)
> 3) a user project "user-project" is created, and the admin:admin is not
> that project's admin (and even not a member of it)
> 4) a network "user-network" is created, but not associated with
> "user-project"
> 5) how to associate the "user-network" with "user-project" ?
>
> i know i can use "nova-manage" via nova-client in the control node,
> but what i need to know is how to do this operation via rest api, like
> curl or in horizon?
>
> the rest api is: http://api.openstack.org/api-ref.html
> POST
> v2/{tenant_id}/os-networks/add
> with a body identifying the network's id
>
> the problem is that, even i have admin:admin token, i *cannot* associate
> the "user-network" with "user-project",
> because from the source code of folsom (and essex) nova, in the
> nova.api.openstack.wsgi.py of line 931, i find this:
>
>     project_id = action_args.pop("project_id", None)
>     context = request.environ.get('nova.context')
>     if (context and project_id and (project_id != context.project_id)):
>         msg = _("Malformed request url")
>         return Fault(webob.exc.HTTPBadRequest(explanation=msg))
>
> since nova.context.project_id is the project admin_id, and the project_id
> is extracted from the url,
> so the webob.exc is returned.
>
> please help me, i read a lot, (both document and source code, i just
> cannot understand or just miss something important)
> but still don't know how to do it.
>
> ps: i have sent a mail to openstack-dev on mar 8, but no one replied to me. is
> my question nonsense?
> Note this mail is not exactly the same as the previous one since i've more
> knowledge of it, but the main problem is same
[Openstack] grizzly nova+quantum+gre cannot ping instance after nova boot
i'm following this guide https://github.com/mseknibilel/OpenStack-Grizzly-Install-Guide

if i launch an instance from horizon, i can use

    ip netns exec qrouter-xxx ping xxx

to ping that instance and ssh to it, and access external network, everything seems fine, at least from my view.

**However, i cannot ping it if i launch the instance via nova boot command**

has anybody met such a problem? please help me