[keystone] [keystonemiddleware] [neutron] [keystone_authtoken] auth_url not available via oslo_config

Justin Cattle j at ocado.com
Fri Feb 28 10:39:11 UTC 2020


Thanks for the responses guys.

In the end, tracked down the reason that the config options where not being
registered.
One of the [ unrelated ] plugins in neutron was failing to initialise, that
the silently broke the plugin loading for the rest.  It took a while to
track it diwn, because it was a silent failure with no exception! :)

Apllogies, I don't have the details for the code, but it was somewhere in
the neutron.manager.  The particular server was rebuilt after we found the
issue, adn we didn't preserve our debugs :(

We think one of the plugins could not initialise a connection to the MQ,
which was why it didn't load properly.  Of course, the ml2 plugin we had an
issue with has no relation to the MQ, so we didn't even considder that
intiially!


Thanks again for the help, and sorry we don't hav emore detail about the
silent failure.  If we did I would raise a bug.


Cheers
Just


On Tue, 25 Feb 2020 at 22:04, Colleen Murphy <colleen at gazlene.net> wrote:

> On Mon, Feb 24, 2020, at 08:17, Ben Nemec wrote:
> >
> >
> > On 2/24/20 9:08 AM, Jeremy Freudberg wrote:
> > > not a keystone person, but I can offer you this:
> > >
> https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca87de0b2b3620f/sahara/utils/openstack/keystone.py#L32
> > >
> > > It's a nasty workaround for getting config values from
> > > keystone_authtoken which are supposed to private for
> > > keystonemiddleware only. It's probably a bad idea.
> >
> > Yeah, config opts should generally not be referenced by other projects.
> > The oslo.config deprecation mechanism doesn't handle the case where an
> > opt gets renamed but is still being referred to in the code by its old
> > name. I realize that's not what happened here, but in general it's a
> > good reason not to do this. If a given config value needs to be exposed
> > to consumers of a library it should be explicitly provided via an API.
> >
> > I realize that's not what happened here, but it demonstrates the
> > fragility of referring to another project's config opts directly. It's
> > also possible that a project could change when its opts get registered,
> > which may be what's happening here. If this plugin code is running
> > before keystoneauth has registered its opts that might explain why it's
> > not being found. That may also explain why it's working in some other
> > environments - if the timing of when the opts are registered versus when
> > the plugin code gets called is different it might cause that kind of
> > varying behavior with otherwise identical code/configuration.
> >
> > I have vague memories of this having come up before, but I can't
> > remember exactly what the recommendation was. Hopefully someone from
> > Keystone can chime in.
>
> Services that need to connect to keystone with their own session outside
> of keystonemiddleware can use the keystoneauth loading module to register
> config options rather than reusing the keystone_authtoken section. For
> example, this is what nova does:
>
> https://opendev.org/openstack/nova/src/branch/master/nova/conf/glance.py
>
> This doesn't help unbreak OP's broken Queens site. Perhaps the neutron or
> calico contributors can help diagnose what's different about that site in
> order to figure out what's missing that's causing keystonemiddleware not to
> load the keystoneauth config opts.
>
> Colleen
>
> >
> > >
> > >
> > > On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <j at ocado.com> wrote:
> > >>
> > >> Just to add, it also doesn't seem to be registering the password
> option from keystone_authtoken either.
> > >>
> > >> So, makes me think the auth plugin isn't loading , or not the right
> one at least ??
> > >>
> > >>
> > >> Cheers,
> > >> Just
> > >>
> > >>
> > >> On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j at ocado.com> wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>>
> > >>> I'm reaching out for help with a strange issue I've found.  Running
> openstack queens, on ubuntu xenial.
> > >>>
> > >>> We have a bunch of different sites with the same set-up, recently
> upgraded from mitaka to queens.  However, on this one site, after the
> upgrade, we cannot start neutron-server.  The reason is, that the ml2
> plugin throws an error because it can't find auth_url from the
> keystone_authtoken section of neutron.conf.  However, it is there in the
> file.
> > >>>
> > >>> The ml2 plugin is calico, it fails with this error:
> > >>>
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in
> function %s: TypeError: expected string or buffer
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most
> recent call last):
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico   File
> "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21,
> in wrapped
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico     return
> fn(*args, **kwargs)
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico   File
> "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py",
> line 347, in _post_fork_init
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico
>  auth_url=re.sub(r'/v3/?$', '', auth_url) +
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico   File
> "/usr/lib/python2.7/re.py", line 155, in sub
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico     return
> _compile(pattern, flags).sub(repl, string, count)
> > >>> 2020-02-20 20:14:22.495 2964911 ERROR
> networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError:
> expected string or buffer
> > >>>
> > >>>
> > >>> When you look at the code, this is because neither auth_url or is
> found in cfg.CONF.keystone_authtoken.  The config defintely exists.
> > >>>
> > >>> I have copied the neutron.conf config from a working site, same
> error.  I have copied the entire /etc/neutron directory from a working
> site, same error.
> > >>>
> > >>> I have check with strace, and  /etc/neutron/neutron.conf is the only
> neutron.conf being parsed.
> > >>>
> > >>> Here is the keystone_authtoken part of the config:
> > >>>
> > >>> [keystone_authtoken]
> > >>> auth_uri=https://api-srv-cloud.host.domain:5000
> > >>> region_name=openstack
> > >>> memcached_servers=1.2.3.4:11211
> > >>> auth_type=password
> > >>> auth_url=https://api-srv-cloud.host.domain:5000
> > >>> username=neutron
> > >>> password=xxxxxxxxxxxxxxxxxxxxxxxxx
> > >>> user_domain_name=Default
> > >>> project_name=services
> > >>> project_domain_name=Default
> > >>>
> > >>>
> > >>> I'm struggling to understand how the auth_url config is really
> registered in via oslo_config.
> > >>> I found an excellent exchagne on the ML here:
> > >>>
> > >>>
> https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-auth_url-middleware
> > >>>
> > >>> This seems to indicate auth_url is only registered if a particular
> auth plugin requires it.  But I can't find the plugin code that does it, so
> I'm not sure how/where to debug it properly.
> > >>>
> > >>> If anyone has any ideas, I would really appreciate some input or
> pointers.
> > >>>
> > >>> Thanks!
> > >>>
> > >>>
> > >>> Cheers,
> > >>> Just
> > >>
> > >>
> > >> Notice:
> > >> This email is confidential and may contain copyright material of
> members of the Ocado Group. Opinions and views expressed in this message
> may not necessarily reflect the opinions and views of the members of the
> Ocado Group.
> > >>
> > >> If you are not the intended recipient, please notify us immediately
> and delete all copies of this message. Please note that it is your
> responsibility to scan this message for viruses.
> > >>
> > >> References to the "Ocado Group" are to Ocado Group plc (registered in
> England and Wales with number 7098618) and its subsidiary undertakings (as
> that expression is defined in the Companies Act 2006) from time to time.
> The registered office of Ocado Group plc is Buildings One & Two, Trident
> Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
> > >
> >
> >
>
>

-- 


Notice: 
This email is confidential and may contain copyright material of 
members of the Ocado Group. Opinions and views expressed in this message 
may not necessarily reflect the opinions and views of the members of the 
Ocado Group.

If you are not the intended recipient, please notify us 
immediately and delete all copies of this message. Please note that it is 
your responsibility to scan this message for viruses.

References to the 
"Ocado Group" are to Ocado Group plc (registered in England and Wales with 
number 7098618) and its subsidiary undertakings (as that expression is 
defined in the Companies Act 2006) from time to time. The registered office 
of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, 
Hatfield, Hertfordshire, AL10 9UL.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200228/2012b91c/attachment-0001.html>


More information about the openstack-discuss mailing list