[Openstack-operators] Problems with https endpoints with IceHouse-->Juno-->Kilo migration

Alvise Dorigo alvise.dorigo at pd.infn.it
Wed Oct 28 08:52:37 UTC 2015


Hi Matt, thank you for your reply.
I think I've resolved my problem by setting the 'admin_endpoint' and 
'public_endpoint' in the DEFAULT section of keystone.conf (they are not 
mentioned in the installation guide, but in this thread 
https://goo.gl/3JAOHb):

admin_endpoint = http://controller_mgmt_private_ip:35357
public_endpoint = https://public_ip:5000

and everything is now working.

Thank you and sorry for the noise,

     Alvise


On 27/10/2015 21:18, Matt Fischer wrote:
> What's your output from keystone endpoint-list or keystone catalog (or 
> the DB table)? Is it possible the admin URL is simply listed as http?
>
> On Tue, Oct 27, 2015 at 9:32 PM, Alvise Dorigo 
> <alvise.dorigo at pd.infn.it> wrote:
>
>     I have an IceHouse OpenStack installation, where the endpoints are
>     using https as protocol (i.e. in the keystone.endpoint table  the
>     https protocol is specified).
>
>     Now, I want to migrate this installation to Kilo. For this purpose
>     I followed these steps:
>
>     - I scratched the controller/network node, but the DB was
>     untouched (it resides on different machines), and re-installed
>     with CentOS7
>     - I installed the Juno rpms (without configuring Juno services)
>     - I synced the keystone DB to the Juno version using the usual
>     "db_sync" command:
>
>         su -s /bin/sh -c "keystone-manage db_sync" keystone
>
>     - Then, I scratched the controller/network node, re-installed
>     again with CentOS7 and installed all the Kilo RPMs required to
>     sync the DB to the Kilo version.
>     With all the Kilo RPMs installed, I started from there to
>     configure the Kilo Keystone service as described in the official
>     guide docs.openstack.org.
>
>     That installation configures Keystone exposing v3 API, which can
>     be used only with the openstackclient (and not by the legacy
>     keystone one). But it seems there's a problem with the https
>     endpoints.
>
>     After setting the following env vars
>
>     export OS_PROJECT_DOMAIN_ID=default
>     export OS_USER_DOMAIN_ID=default
>     export OS_PROJECT_NAME=admin
>     export OS_TENANT_NAME=admin
>     export OS_USERNAME=admin
>     export OS_PASSWORD=XXXXXXXX
>     export OS_AUTH_URL=https://cloud-areapd-test.pd.infn.it:35357/v3
>     export OS_CACERT=/etc/grid-security/certificates/INFN-CA-2006.pem
>
>     openstack fires out the following error:
>
>     [root at controller-01 ~]# openstack user list
>     /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
>     InsecurePlatformWarning: A true SSLContext object is not
>     available. This prevents urllib3 from configuring SSL
>     appropriately and may cause certain SSL connections to fail. For
>     more information, see
>     https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>
>       InsecurePlatformWarning
>     ERROR: openstack Unable to establish connection to
>     http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens
>
>
>     With a deeper investigation I see that the Keystone service
>     returns an "http" protocol for the endpoint despite the fact that
>     there's https in the backend database:
>
>     [root at controller-01 ~]# curl -g -i \
>       --cacert "/etc/grid-security/certificates/INFN-CA-2006.pem" \
>       -X GET https://cloud-areapd-test.pd.infn.it:35357/v3 \
>       -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
>     HTTP/1.1 200 OK
>     Vary: X-Auth-Token
>     Content-Type: application/json
>     Content-Length: 268
>     X-Openstack-Request-Id: req-a47a2873-f81b-490a-b249-7f970754914b
>     Date: Tue, 27 Oct 2015 10:32:20 GMT
>     Connection: close
>
>     {"version": {"status": "stable", "updated":
>     "2015-03-30T00:00:00Z", "media-types": [{"base":
>     "application/json", "type":
>     "application/vnd.openstack.identity-v3+json"}], "id": "v3.4",
>     "links": [{"href":
>     "http://cloud-areapd-test.pd.infn.it:35357/v3/", "rel": "self"}]}}
>
>     The above curl command is grabbed from the output of "openstack
>     --debug user list".
>
>     If I switch back to v2.0 API in env var OS_AUTH_URL, keystone
>     client works correctly (and openstack stops working) and shows me
>     the users, tenants, etc.:
>
>     [root at controller-01 ~]# export OS_AUTH_URL=https://cloud-areapd-test.pd.infn.it:35357/v2.0
>     [root at controller-01 ~]# keystone user-list
>     /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>     DeprecationWarning: The keystone CLI is deprecated in favor of
>     python-openstackclient. For a Python library, continue using
>     python-keystoneclient.
>       'python-keystoneclient.', DeprecationWarning)
>     /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90:
>     InsecurePlatformWarning: A true SSLContext object is not
>     available. This prevents urllib3 from configuring SSL
>     appropriately and may cause certain SSL connections to fail. For
>     more information, see
>     https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>
>       InsecurePlatformWarning
>     +----------------------------------+----------+---------+------------------------+
>     |                id                |   name   | enabled | email                  |
>     +----------------------------------+----------+---------+------------------------+
>     | 62e64ee442cc42e7b07c0209010148c3 |  admin   |   True  | ADMIN_EMAIL            |
>     | 96ab92677d43476a820428e281d229f2 |  cinder  |   True  | cinder at example.co   |
>     | e737d7af46ab46838bbef6c5d16aff7e |  glance  |   True  | glance at example.com  |
>     | 84546c19c2b242738235022f73b2e9c2 | neutron  |   True  | neutron at example.com |
>     | b99c5365b6c448d4956fdae02fe0ef11 |   nova   |   True  | nova at example.com    |
>     | 3c2bde47975b4f738b316d87f3727ec3 | sgaravat |   True  |                        |
>     +----------------------------------+----------+---------+------------------------+
>
>
>
>     So, the question is: is there a bug in the service code which
>     forcibly translates https to http?
>
>     thanks,
>
>         Alvise Dorigo
>
>
>
