[Openstack-operators] [puppet] openstack provider errors with openrc and keystone v3

Alex Schultz aschultz at redhat.com
Thu Nov 10 16:32:27 UTC 2016


Hey Justin,



On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle <j at ocado.com> wrote:
> Hi,
>
>
> I was looking at this class in the keystone module:
>
> keystone::disable_admin_token_auth
>
> ..which suggests:
>
> # After this class is run,
> # future puppet runs must have an openrc file with valid keystone v3
> # admin credentials in /root/openrc available
>
>
>
> So when I change the openrc file from the v2 to v3 keystone endpoint, puppet
> runs then fail with various openstack provider errors.
>
> e.g.
>
> Error: Could not prefetch keystone_service provider 'openstack': Execution
> of '/usr/bin/openstack service list --quiet --format csv --long' returned 2:
> openstack: 'service' is not an openstack command. See 'openstack --help'.
> Did you mean one of these?
>   resource member create
>   resource member delete
>   resource member list
>   resource member show
>   resource member update
>   server add security group
>   server add volume
>   server create
>   server delete
>   server dump create
>   server image create
>   server list
>   server lock
>   server migrate
>   server pause
>   server reboot
>   server rebuild
>   server remove security group
>   server remove volume
>   server rescue
>   server resize
>   server resume
>   server set
>   server shelve
>   server show
>   server ssh
>   server start
>   server stop
>   server suspend
>   server unlock
>   server unpause
>   server unrescue
>   server unset
>   server unshelve (tried 44, for a total of 170 seconds)
>
>
> ..and..
>
> Error:
> /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Service_identity[neutron]/Keystone_user[neutron]:
> Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet
> --format csv' returned 2: openstack: 'domain' is not an openstack command.
> See 'openstack --help'.
> Did you mean one of these?
>   command list
>   container create
>   container delete
>   container list
>   container save
>   container set
>   container show
>   container unset (tried 44, for a total of 170 seconds)
>
>

These errors seem to point to an outdated openstackclient.  What
version are you using?

>
> The v3 openrc file I have in place, works fine when just using the openstack
> cli, which makes the situation all the more strange :)   Here it is for
> reference:
>
> #!/bin/sh
> export OS_NO_CACHE='true'
> export OS_TENANT_NAME='admin'
> export OS_USERNAME='admin'
> export OS_PASSWORD='supersecret'
> export OS_AUTH_URL='http://1.2.3.4:5000/v3/'
> export OS_AUTH_STRATEGY='keystone'
> export OS_IDENTITY_API_VERSION="3"
> export OS_REGION_NAME='openstack'
> export OS_USER_DOMAIN_NAME='default'
> export OS_PROJECT_DOMAIN_NAME='default'
> export CINDER_ENDPOINT_TYPE='publicURL'
> export GLANCE_ENDPOINT_TYPE='publicURL'
> export KEYSTONE_ENDPOINT_TYPE='publicURL'
> export NOVA_ENDPOINT_TYPE='publicURL'
> export NEUTRON_ENDPOINT_TYPE='publicURL'
>
>

This looks ok, but it's OS_PROJECT_NAME now.  All our CI uses v3 now
and here's an example file from a recent CI run.

#!/bin/sh
export OS_NO_CACHE='true'
export OS_PROJECT_NAME='openstack'
export OS_USERNAME='admin'
export OS_PASSWORD='a_big_secret'
export OS_AUTH_URL='https://[::1]:5000/v3/'
export OS_AUTH_STRATEGY='keystone'
export OS_REGION_NAME='RegionOne'
export OS_PROJECT_DOMAIN_NAME='default'
export OS_USER_DOMAIN_NAME='default'
export CINDER_ENDPOINT_TYPE='publicURL'
export GLANCE_ENDPOINT_TYPE='publicURL'
export KEYSTONE_ENDPOINT_TYPE='publicURL'
export NOVA_ENDPOINT_TYPE='publicURL'
export NEUTRON_ENDPOINT_TYPE='publicURL'
export OS_IDENTITY_API_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/master/manifests/auth_file.pp

Thanks,
-Alex


>
> Can anyone advise how the openrc file should be formatted ?
>
> Thanks!
>
>
>
>
> Cheers,
> Just
>
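
Added example (not part of either message, and not code from puppet-openstack_extras): a shell lint that reads an openrc file without sourcing it and reports the v2/v3 differences discussed in this thread. The function names, the required-variable list (taken from the CI file quoted in the reply) and the sample file are assumptions of this example; it also flags a plain-http OS_AUTH_URL and group/other access, since the file holds the admin password.

```shell
#!/bin/sh
# Print the last value exported for VAR in FILE, surrounding quotes stripped.
openrc_get() {  # openrc_get FILE VAR
    sed -n "s/^export $2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when nothing was found.
check_openrc() {  # check_openrc FILE
    f=$1; findings=0
    note() { echo "$f: $1"; findings=$((findings + 1)); }
    url=$(openrc_get "$f" OS_AUTH_URL)
    # Assumed required set: the variables the reply's CI openrc exports.
    for v in OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_PROJECT_NAME \
             OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME; do
        [ -n "$(openrc_get "$f" "$v")" ] || note "missing $v"
    done
    [ -z "$(openrc_get "$f" OS_TENANT_NAME)" ] ||
        note "OS_TENANT_NAME is the v2 name; use OS_PROJECT_NAME"
    [ "$(openrc_get "$f" OS_IDENTITY_API_VERSION)" = 3 ] ||
        note "OS_IDENTITY_API_VERSION is not 3"
    case $url in */v3|*/v3/) ;; *) note "OS_AUTH_URL does not end in /v3" ;; esac
    case $url in http://*) note "OS_AUTH_URL is plain http; password is sent unencrypted" ;; esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        note "file is accessible to group/other; it contains OS_PASSWORD"
    [ "$findings" -eq 0 ]
}

# Constructed sample modelled on the first openrc quoted in the thread.
demo() {
    tmp=$(mktemp); chmod 600 "$tmp"
    cat > "$tmp" <<'EOF'
export OS_TENANT_NAME='admin'
export OS_USERNAME='admin'
export OS_PASSWORD='constructed-not-real'
export OS_AUTH_URL='http://1.2.3.4:5000/v3/'
export OS_IDENTITY_API_VERSION="3"
export OS_USER_DOMAIN_NAME='default'
export OS_PROJECT_DOMAIN_NAME='default'
EOF
    check_openrc "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}
```

Run `demo` to see the findings for the sample, or `check_openrc /root/openrc` on a real node.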


