<div dir="ltr">Thanks for the responses guys.<div><br></div><div>In the end, tracked down the reason that the config options where not being registered.<div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">One of the [ unrelated ] plugins in neutron was failing to initialise, that the silently broke the plugin loading for the rest. It took a while to track it diwn, because it was a silent failure with no exception! :)<br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div class="gmail_signature" data-smartmail="gmail_signature">Apllogies, I don't have the details for the code, but it was somewhere in the neutron.manager. The particular server was rebuilt after we found the issue, adn we didn't preserve our debugs :(</div><div class="gmail_signature" data-smartmail="gmail_signature"><br></div><div class="gmail_signature" data-smartmail="gmail_signature">We think one of the plugins could not initialise a connection to the MQ, which was why it didn't load properly. Of course, the ml2 plugin we had an issue with has no relation to the MQ, so we didn't even considder that intiially!</div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div class="gmail_signature" data-smartmail="gmail_signature">Thanks again for the help, and sorry we don't hav emore detail about the silent failure. If we did I would raise a bug.</div><div class="gmail_signature" data-smartmail="gmail_signature"><br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br></div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Cheers<br><div>Just</div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 25 Feb 2020 at 22:04, Colleen Murphy <<a href="mailto:colleen@gazlene.net">colleen@gazlene.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Feb 24, 2020, at 08:17, Ben Nemec wrote:<br>
> <br>
> <br>
> On 2/24/20 9:08 AM, Jeremy Freudberg wrote:<br>
> > not a keystone person, but I can offer you this:<br>
> > <a href="https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca87de0b2b3620f/sahara/utils/openstack/keystone.py#L32" rel="noreferrer" target="_blank">https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca87de0b2b3620f/sahara/utils/openstack/keystone.py#L32</a><br>
> > <br>
> > It's a nasty workaround for getting config values from<br>
> > keystone_authtoken which are supposed to private for<br>
> > keystonemiddleware only. It's probably a bad idea.<br>
> <br>
> Yeah, config opts should generally not be referenced by other projects. <br>
> The oslo.config deprecation mechanism doesn't handle the case where an <br>
> opt gets renamed but is still being referred to in the code by its old <br>
> name. I realize that's not what happened here, but in general it's a <br>
> good reason not to do this. If a given config value needs to be exposed <br>
> to consumers of a library it should be explicitly provided via an API.<br>
> <br>
> I realize that's not what happened here, but it demonstrates the <br>
> fragility of referring to another project's config opts directly. It's <br>
> also possible that a project could change when its opts get registered, <br>
> which may be what's happening here. If this plugin code is running <br>
> before keystoneauth has registered its opts that might explain why it's <br>
> not being found. That may also explain why it's working in some other <br>
> environments - if the timing of when the opts are registered versus when <br>
> the plugin code gets called is different it might cause that kind of <br>
> varying behavior with otherwise identical code/configuration.<br>
> <br>
> I have vague memories of this having come up before, but I can't <br>
> remember exactly what the recommendation was. Hopefully someone from <br>
> Keystone can chime in.<br>
<br>
Services that need to connect to keystone with their own session outside of keystonemiddleware can use the keystoneauth loading module to register config options rather than reusing the keystone_authtoken section. For example, this is what nova does:<br>
<br>
<a href="https://opendev.org/openstack/nova/src/branch/master/nova/conf/glance.py" rel="noreferrer" target="_blank">https://opendev.org/openstack/nova/src/branch/master/nova/conf/glance.py</a><br>
<br>
This doesn't help unbreak OP's broken Queens site. Perhaps the neutron or calico contributors can help diagnose what's different about that site in order to figure out what's missing that's causing keystonemiddleware not to load the keystoneauth config opts.<br>
<br>
Colleen<br>
<br>
> <br>
> > <br>
> > <br>
> > On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <<a href="mailto:j@ocado.com" target="_blank">j@ocado.com</a>> wrote:<br>
> >><br>
> >> Just to add, it also doesn't seem to be registering the password option from keystone_authtoken either.<br>
> >><br>
> >> So, makes me think the auth plugin isn't loading , or not the right one at least ??<br>
> >><br>
> >><br>
> >> Cheers,<br>
> >> Just<br>
> >><br>
> >><br>
> >> On Thu, 20 Feb 2020 at 20:55, Justin Cattle <<a href="mailto:j@ocado.com" target="_blank">j@ocado.com</a>> wrote:<br>
> >>><br>
> >>> Hi,<br>
> >>><br>
> >>><br>
> >>> I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial.<br>
> >>><br>
> >>> We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file.<br>
> >>><br>
> >>> The ml2 plugin is calico, it fails with this error:<br>
> >>><br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last):<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs)<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) +<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count)<br>
> >>> 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer<br>
> >>><br>
> >>><br>
> >>> When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.<br>
> >>><br>
> >>> I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.<br>
> >>><br>
> >>> I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.<br>
> >>><br>
> >>> Here is the keystone_authtoken part of the config:<br>
> >>><br>
> >>> [keystone_authtoken]<br>
> >>> auth_uri=<a href="https://api-srv-cloud.host.domain:5000" rel="noreferrer" target="_blank">https://api-srv-cloud.host.domain:5000</a><br>
> >>> region_name=openstack<br>
> >>> memcached_servers=<a href="http://1.2.3.4:11211" rel="noreferrer" target="_blank">1.2.3.4:11211</a><br>
> >>> auth_type=password<br>
> >>> auth_url=<a href="https://api-srv-cloud.host.domain:5000" rel="noreferrer" target="_blank">https://api-srv-cloud.host.domain:5000</a><br>
> >>> username=neutron<br>
> >>> password=xxxxxxxxxxxxxxxxxxxxxxxxx<br>
> >>> user_domain_name=Default<br>
> >>> project_name=services<br>
> >>> project_domain_name=Default<br>
> >>><br>
> >>><br>
> >>> I'm struggling to understand how the auth_url config is really registered in via oslo_config.<br>
> >>> I found an excellent exchagne on the ML here:<br>
> >>><br>
> >>> <a href="https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-auth_url-middleware" rel="noreferrer" target="_blank">https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-auth_url-middleware</a><br>
> >>><br>
> >>> This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.<br>
> >>><br>
> >>> If anyone has any ideas, I would really appreciate some input or pointers.<br>
> >>><br>
> >>> Thanks!<br>
> >>><br>
> >>><br>
> >>> Cheers,<br>
> >>> Just<br>
> >><br>
> >><br>
> >> Notice:<br>
> >> This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.<br>
> >><br>
> >> If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.<br>
> >><br>
> >> References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.<br>
> > <br>
> <br>
><br>
<br>
</blockquote></div>
<br>
<p style="margin:0px;background-color:rgb(255,255,255)"><font face="Calibri, sans-serif" color="#aeaaaa"><span style="font-size:14.6667px">Notice: <br>This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.<br><br>If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.<br><br>References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.</span></font></p>