[openstack-dev] [nova] reckoning time for nova ec2 stack

Matt Riedemann mriedem at linux.vnet.ibm.com
Thu Jan 15 22:49:37 UTC 2015 


On 1/15/2015 11:40 AM, Matt Riedemann wrote:
>
>
> On 1/13/2015 9:27 PM, Matt Riedemann wrote:
>>
>>
>> On 1/13/2015 12:11 PM, Steven Hardy wrote:
>>> On Tue, Jan 13, 2015 at 10:00:04AM -0600, Matt Riedemann wrote:
>>>> Looks like the fix we merged didn't actually fix the problem. I have
>>>> a patch
>>>> [1] to uncap the boto requirement on master and it's failing the ec2
>>>> tests
>>>> in tempest the same as before.
>>>
>>> FWIW, I just re-tested and boto 2.35.1 works fine for me locally, if you
>>> revert my patch it breaks again with "Signature not provided" errors
>>> (for
>>> all ec2 API requests).
>>>
>>> If you look at the failures in the log, it actually looks like a
>>> different
>>> problem:
>>>
>>> EC2ResponseError: EC2ResponseError: 401 Unauthorized
>>>
>>> This is not the same as the original error which rejected any request
>>> inside the nova API before even calling keystone with a message like
>>> this:
>>>
>>> AuthFailure: Signature not provided
>>>
>>> AFAICT this means my patch is working, and there's a different problem
>>> affecting only a subset of the ec2 boto tests.
>>>
>>> Steve
>>>
>>> __________________________________________________________________________
>>>
>>>
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>> Yeah, new bug reported, looks like we're hitting 401 Unauthorized errors
>> when trying to create security groups in the test:
>>
>> https://bugs.launchpad.net/nova/+bug/1410622
>>
>
> I have a debug patch up here to try and recreate the tempest failures
> with latest boto but using a nova debug change also to get more
> information when we fail.
>
> https://review.openstack.org/#/c/147601/
>

I finally narrowed this down to some code in keystone where it generates 
a signature and compares that to what nova is passing in on the request 
for ec2 credentials and they are different so keystone is rejecting the 
request with a 401.

http://logs.openstack.org/01/147601/3/check/check-tempest-dsvm-full/96bb05e/logs/apache/keystone.txt.gz#_2015-01-15_22_00_27_046

I'm assuming something needs to change in keystone to support the 
version 4 format?

-- 

Thanks,

Matt Riedemann

More information about the OpenStack-dev mailing list