[openstack-dev] [Fuel] wrong network for keystone endpoint in 6.1 ?

Daniel Comnea comnea.dani at gmail.com
Fri Jul 10 06:58:19 UTC 2015 

I know about the flow but what i'm questioning is:

admin endpoint is mapped to br-mgmt subnet (you do have the HAproxy as
below defined in 6.1. In 6.0 and before you had no HAproxy)

listen keystone-2
  bind 192.168.20.3:35357
  option  httpchk
  option  httplog
  option  httpclose
  server node-17 192.168.20.20:35357   check inter 10s fastinter 2s
downinter 3s rise 3 fall 3
  server node-18 192.168.20.21:35357   check inter 10s fastinter 2s
downinter 3s rise 3 fall 3
  server node-23 192.168.20.26:35357   check inter 10s fastinter 2s
downinter 3s rise 3 fall 3

public endpoint is mapped to br-ex

So with this behavior you are saying the bt-mgmt subnet (which i thought is
only for controller <> compute traffic, isolated network) should be
routable in the same way br-ex is?

Dani

On Thu, Jul 9, 2015 at 11:30 PM, Stanislaw Bogatkin <sbogatkin at mirantis.com>
wrote:

> Hi Daniel,
>
> answer is no - actually there is no strong dependency between public and
> internal/admin endpoints. In your case keystone client ask keystone on
> address 10.52.71.39 (which, I think, was provided by system
> variable OS_AUTH_URL), auth on it and then keystone give endpoints list to
> client. Client selected admin endpoint from this list (192.168.20.3
> address) and tried to get information you asked. It's a normal behavior.
>
> So, in Fuel by default we have 3 different endpoints for keystone - public
> on public VIP, port 5000; internal on management VIP, port 5000, admin on
> management VIP, port 35357.
>
> On Thu, Jul 9, 2015 at 4:59 PM, Daniel Comnea <comnea.dani at gmail.com>
> wrote:
>
>> Hi,
>>
>> I'm running Fuel 6.1 and i've seen an interesting behavior which i think
>> match bug [1]
>>
>> Basically the adminUrl & publicUrl part of keystone endpoint are
>> different
>>
>> And the result of that is that you can't run keystone cli - i.e
>> create/list tenants etc
>>
>> keystone --debug tenant-list
>> /usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>> DeprecationWarning: The keystone CLI is deprecated in favor of python-
>> openstackclient. For a Python library, continue using python-keys
>> toneclient.
>>   'python-keystoneclient.', DeprecationWarning)
>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
>> http://10.20.71.39:5000/v2.0/tokens
>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP
>> connection (1): 10.52.71.39
>> DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens
>> HTTP/1.1" 200 3709
>> DEBUG:keystoneclient.session:REQ: curl -g -i -X GET
>> http://192.168.20.3:35357/v2.0/tenants -H "User-Agent: python-
>> keystoneclient" -H "Accept: application/json" -H "X-Auth-Token:
>> {SHA1}cc918b89c2dca563edda43e01964b1f1979c552b"
>>
>> shouldn't adminURL = publicURL = br-ex for keystone?
>>
>>
>> Dani
>>
>>
>> [1] https://bugs.launchpad.net/fuel/+bug/1441855
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150710/5dba7b93/attachment.html>

More information about the OpenStack-dev mailing list