<div dir="ltr">Responses inline...<div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 12, 2015 at 8:49 PM, Bernd Bausch <span dir="ltr">&lt;<a href="mailto:berndbausch@gmail.com" target="_blank">berndbausch@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">In preparation for the install guide meeting on Tuesday, I would like to<br>
share what I have been able to do so far and what problems I hit. Advice<br>
would be welcome (I'd be happy to discuss that in the meeting):<br>
<br>
- There are places where the install guide content should be modified<br>
(flagged with "CONTENT" below). What's the procedure - I file a bug and<br>
immediately provide the fix?<br>
- Other places look like packaging bugs; I am using a Kilo repository for<br>
the Red Hat RDO project that is still work in progress. I think I should<br>
leave such bugs alone for now, since they are likely to go away. Correct?<br>
<br>
This is my report. It's based on Matt's version of the install guide<br>
<a href="http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox-doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yum/content/index.html" target="_blank">http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox-doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yum/content/index.html</a>.<br>
<br>
---------------------------<br>
Section 2 Basic environment<br>
---------------------------<br>
<br>
openstack-selinux not found in the repositories I am using. On first look,<br>
it seems that there is no need to install it, as rules in<br>
/etc/selinux/targeted/contexts/files/* seem to be the same as on my Juno<br>
installation. So I am brave, plan to watch the audit log and go ahead<br>
without modifying SELinux configs.<br></blockquote><div><br></div><div>In Juno and prior releases, RHEL/CentOS required installing openstack-selinux to configure SELinux rules, but Fedora included them by default. Maybe this requirement changed for RHEL/CentOS in Kilo?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT: The guide lacks info about the firewall rules, except a vague<br>
allusion in Chapter 2 Basic Environment.<br>
Since this is Red Hat with a locked-down firewall, nothing will work without<br>
opening ports for fundamental services (DB, RabbitMQ) and the OpenStack<br>
services.<br></blockquote><div><br></div><div>A couple of cycles ago, we decided to make first-time installations easier by recommending that people disable the firewall and then use the security guide later to increase security before moving to production. Furthermore, no one should use the installation guide architecture for production without augmenting it with at least the security guide, HA guide, and potentially a deployment automation system.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
My NTP server doesn't work (this has nothing to do with OpenStack).<br>
This forum says that NTP needs to be started after DNS (???)<br>
<a href="https://forum.zentyal.org/index.php/topic,13045.0.html" target="_blank">https://forum.zentyal.org/index.php/topic,13045.0.html</a><br>
In any case, issuing a ``systemctl restart ntpd.service`` fixes the problem,<br>
but how can it be done automatically?<br></blockquote><div><br></div><div>I haven't seen this issue and need more information here... perhaps some error messages?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
---------------------------------<br>
section 2, Maria DB installation:<br>
---------------------------------<br>
<br>
``/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command<br>
not found``<br></blockquote><div><br></div><div>I haven't seen this issue. Seems like packaging, but I can't imagine RH breaking the MariaDB packages.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
CONTENT: The install guide doesn't say how to answer the questions of this<br>
script.<br></blockquote><div><br></div><div>I think we could add some information to the guide, but in the long run think we should expect our audience to know at least the basics of MariaDB.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
After setting the root password on the DB, I just hit enter at each<br>
question.<br>
<br>
------------------------------------<br>
Section 2, Rabbit MQ installation:<br>
------------------------------------<br>
<br>
CONTENT: The guide asks for adding a line to /etc/rabbitmq/rabbitmq.config.<br>
Scratching my head because I don't have that file, but then I see that it<br>
may not always exist. Perhaps this should be made clearer to accommodate<br>
slow thinkers.<br></blockquote><div><br></div><div>I don't see where the guide asks to edit this file.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
-------------------------------<br>
Section 3, Identity concepts<br>
-------------------------------<br>
<br>
CONTENT: The diagram showing the process flow confuses me more than it<br>
helps.<br></blockquote><div><br></div><div>Most of the conceptual sections come from common content (outside of the installation guide) that needs clarification.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--------------------------------<br>
Section 3, install and configure<br>
--------------------------------<br>
<br>
``yum install openstack-keystone python-keystoneclient``: dependency<br>
python-cryptography can't be found<br>
<br>
After adding this repo (found via internet search):<br>
<br>
[npmccallum-python-cryptography]<br>
name=Copr repo for python-cryptography owned by npmccallum<br>
<br>
baseurl=<a href="https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/epel-7-$basearch/" target="_blank">https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/epel-7-$basearch/</a><br>
skip_if_unavailable=True<br>
gpgcheck=1<br>
<br>
gpgkey=<a href="https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/pubkey.gpg" target="_blank">https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/pubkey.gpg</a><br>
enabled=1<br>
<br>
it works.<br>
This looks very much like a packaging error, and I hope it will eventually<br>
go away.<br></blockquote><div><br></div><div>I'm going with a packaging problem.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT (or perhaps not CONTENT): keystone.conf contains "connection =<br>
&lt;None&gt;" rather than the connection string cited in the install guide. This<br>
may be legitimately so, in which case the guide needs to be modified, or a<br>
packaging error.<br></blockquote><div><br></div><div>I don't understand the problem. The guide says to configure "connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone" in the keystone.conf file.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
------------------------------------------------------<br>
Section 3, create the service entity and API endpoints<br>
------------------------------------------------------<br>
<br>
CONTENT: ``openstack`` command missing. Found in the package<br>
python-openstackclient.<br></blockquote><div><br></div><div>We need to update the list of packages to install.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT: ``openstack service create --type identity`` gives me:<br>
WARNING: openstackclient.identity.v2_0.service.CreateService The<br>
argument --type is deprecated, use service create --name &lt;service-name&gt; type<br>
instead.<br></blockquote><div><br></div><div>What version of python-openstackclient?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
I don't like the openstack client, because its help facility is much<br>
inferior to the one of the separate command line clients. Tough luck, I<br>
guess.<br></blockquote><div><br></div><div>Keystone requires it now, but we don't need to use it for other services.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT: The relevance of the sentence "Also, OpenStack supports multiple<br>
regions for scalability" is not clear to a first time (even n-th time) user.<br></blockquote><div><br></div><div>I think we're trying to explain why we keep the installation guide as simple as possible. What do you suggest?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT: Why are we using API v2, not v3? Why a separate adminurl port, and<br>
same port for internal and publicurl? Some clarification would help.<br></blockquote><div><br></div><div>We support Keystone API v2 and v3. Keystone kept /v2.0 for compatibility, although most clients know how to access v3. We could add some clarification between the two ports. In short, administrative operations use 35357 and user operations use 5000.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT: I would phrase the note at the end differently, e.g. "You will<br>
create similar endpoints for each of the other services as you install them"<br></blockquote><div><br></div><div>For whatever reason, we're not allowed to use future tense.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--------------------------------------------<br>
Section 3, Create projects, users, and roles<br>
--------------------------------------------<br>
<br>
CONTENT: Rather than saying "project (tenant)", be a bit more explicit e.g.<br>
"project (also named "tenant" in earlier OpenStack releases)"<br></blockquote><div><br></div><div>Seems reasonable... but we'll just mention it once.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
CONTENT:<br>
# openstack role add --project demo --user demo _member_<br>
ERROR: openstack No role with a name or ID of '_member_' exists.<br>
I fix this by adding the _member_ role first:<br>
# openstack role create _member_<br></blockquote><div><br></div><div>Keystone should create the _member_ role automatically during creation of the demo tenant/user. The guide used to explicitly create this role and later stopped after it caused problems. I think some distributions are using strange configuration options.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--------------------------------------------<br>
Section 3, verify operation<br>
--------------------------------------------<br>
<br>
CONTENT: There is no /etc/keystone/keystone-paste.ini; it's now under<br>
/usr/share/keystone. Not sure yet if this file is supposed to be modified.<br>
It seems that all the Paste/Deploy files are now under /usr/share.<br></blockquote><div><br></div><div>We can use a different directory for RH.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
For now, instead of changing paste.ini I just remove the admin token from<br>
keystone.conf.<br></blockquote><div><br></div><div>This just changes the token to "ADMIN" rather than disabling the method.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--------------------------------------------<br>
Section 4, Glance install and configure<br>
--------------------------------------------<br>
<br>
ugly message when synching DB:<br>
/usr/lib/python2.7/site-packages/glance/db/sqlalchemy/artifacts.py:20:<br>
DeprecationWarning: The oslo namespace package is deprecated. Please use<br>
oslo_config instead.<br>
Not sure what to do about this.<br></blockquote><div><br></div><div>I haven't seen this on Ubuntu yet. Maybe a packaging problem.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--------------------------------------------<br>
Section 4, Verify operation<br>
--------------------------------------------<br>
<br>
Major problems with glance. I am stuck with problem 3 below.<br>
<br>
Problem 1:<br>
~~~~~~~~~~<br>
<br>
glance image-create fails. See also Monty Taylor's comments on the docs and<br>
dev mailing lists.<br>
<br>
It turns out that I am using glance API v2, set in the rc files:<br>
<br>
export OS_IMAGE_API_VERSION=2<br>
<br>
Glance v2 requires a quite different workflow to upload images. Setting API<br>
version to 1 for the moment.<br></blockquote><div><br></div><div>The python-glanceclient should use version 2, but nova still uses version 1. The command to upload images changes slightly for version 2. Basically, "--is-public True" becomes "--visibility public" for image creation.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Problem 2:<br>
~~~~~~~~~~<br>
<br>
It turns out glance is not running. api.log says:<br>
<br>
ERROR glance.common.config [-] Unable to load glance-api-keystone<br>
from configuration file /usr/share/glance/glance-api-dist-paste.ini.<br>
Got: ImportError('No module named elasticsearch',)<br>
<br>
After pip install elasticsearch, I can start glance.<br></blockquote><div><br></div><div>Packaging.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Still getting a strange warning in api.log:<br>
2015-04-12 17:42:30.267 6789 WARNING oslo_config.cfg [-] Option<br>
"username" from group "keystone_authtoken" is deprecated. Use option<br>
"username" from group "keystone_authtoken".<br></blockquote><div><br></div><div>This is a side effect of OpenStack deprecating "username" several releases ago and then bringing it back in a different form for Kilo. Upstream problem.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Problem 3:<br>
~~~~~~~~~~<br>
<br>
Trying to upload an image now fails because of wrong credentials???? Haven't<br>
resolved this yet. Any glance request is rejected with<br>
# glance image-list<br>
Invalid OpenStack Identity credentials.<br></blockquote><div><br></div><div>Could be a number of things.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Glance's API log:<br>
2015-04-12 22:31:03.932 9048 DEBUG keystoneclient.session [-] REQ: curl -g<br>
-i -X GET <a href="http://kilocontrol:35357" target="_blank">http://kilocontrol:35357</a> -H "Accept: application/json" -H<br>
"User-Agent: python-keystoneclient" _http_log_request<br>
/usr/lib/python2.7/site-packages/keystoneclient/session.py:195<br>
2015-04-12 22:31:03.935 9048 WARNING<br>
keystoneclient.auth.identity.generic.base [-] Discovering versions from the<br>
identity service failed when creating the password plugin. Attempting to<br>
determine version from URL.<br>
2015-04-12 22:31:03.936 9048 WARNING keystonemiddleware.auth_token [-]<br>
Authorization failed for token<br>
<br>
This seems to be related with this DEBUG entry in keystone.log:<br>
keystone.middleware.core [-] Auth token not in the request header. Will not<br>
build auth context. process_request<br>
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:229<br>
<br>
I assume a misconfiguration on my side but haven't figured out what it might<br>
be. Need to study the nature of WSGI middleware.<br>
<br>
<br>
_______________________________________________<br>
OpenStack-docs mailing list<br>
<a href="mailto:OpenStack-docs@lists.openstack.org">OpenStack-docs@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs</a><br>
</blockquote></div><br></div></div>
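<div>Added example (not part of the thread or of the install guide): a small audit for the admin-token exchange above, where removing the token from keystone.conf leaves the method enabled with a fallback value. It assumes the paste filter is named admin_token_auth, takes the fallback token "ADMIN" from the reply, and runs on constructed, abbreviated sample files.</div>

```python
import configparser

ASSUMED_DEFAULT_TOKEN = "ADMIN"   # fallback value named in the reply (assumption)
FILTER = "admin_token_auth"       # paste filter that implements the method

# Constructed, abbreviated samples; real pipelines list more filters.
CONF_TOKEN_REMOVED = """\
[DEFAULT]
#admin_token = <None>
verbose = True
"""
PASTE_STOCK = """\
[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit token_auth admin_token_auth json_body admin_service
[pipeline:api_v3]
pipeline = sizelimit token_auth admin_token_auth json_body service_v3
"""
PASTE_HARDENED = PASTE_STOCK.replace(" " + FILTER, "")


def _parse(text):
    # interpolation=None: paste files may contain literal '%' sequences
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def pipelines_with_filter(paste_text):
    """Names of paste pipelines that still include admin_token_auth."""
    cp = _parse(paste_text)
    return sorted(
        s.split(":", 1)[1] for s in cp.sections()
        if s.startswith("pipeline:")
        and FILTER in cp.get(s, "pipeline", fallback="").split()
    )


def audit(conf_text, paste_text):
    """Report whether the method is reachable and which token it accepts."""
    token = _parse(conf_text).get("DEFAULT", "admin_token",
                                  fallback=ASSUMED_DEFAULT_TOKEN)
    exposed = pipelines_with_filter(paste_text)
    return {
        "method_enabled": bool(exposed),
        "pipelines": exposed,
        "token_is_default": token == ASSUMED_DEFAULT_TOKEN,
    }


if __name__ == "__main__":
    print(audit(CONF_TOKEN_REMOVED, PASTE_STOCK))
    print(audit(CONF_TOKEN_REMOVED, PASTE_HARDENED))
```

On a real host, pass the contents of keystone.conf and whichever keystone-paste.ini the packages actually load; a result with both method_enabled and token_is_default set is the state the reply describes.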