[Openstack-operators] [puppet] openstack provider errors with openrc and keystone v3
Matt Fischer
matt at mattfischer.com
Fri Nov 11 13:54:48 UTC 2016
There is a known issue where some providers fail when you have an openrc
sourced. I remember it being glance that failed. Bug #1524599
On Nov 11, 2016 4:15 AM, "Justin Cattle" <j at ocado.com> wrote:
> There was two problems here!
>
> The puppet libs in use were coming from the wrong environment - so a
> pretty terminal issue.
> The openrc file wasn't quite correct, as already noted :)
>
> We're still using puppet3, and directory environments on puppet3 have a
> few issues around plugin-download with multiple directory environments.
> I was already accounting for that, but somehow I missed something and some
> of the libs from the production env slipped back in.
> Now that is sorted, and the correct openrc file is place, pupping is
> smooth again :)
>
>
> I do notice one further issue.
>
> If I source the openrc file, then run pup in that same shell, some of the
> providers fail.
>
> Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to
> complete neutron request due to non-fatal error: "Execution of
> '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
> 1: The request you have made requires authentication. (HTTP 401)
> (Request-ID: req-031655a9-3eab-4ac6-b1e8-8840b6b49b4e)". Retrying for 9
> sec.
> Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to
> complete neutron request due to non-fatal error: "Execution of
> '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
> 1: The request you have made requires authentication. (HTTP 401)
> (Request-ID: req-9d5e6e3e-65ba-4a92-af95-ef0be5fa30f6)". Retrying for 6
> sec.
> Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to
> complete neutron request due to non-fatal error: "Execution of
> '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
> 1: The request you have made requires authentication. (HTTP 401)
> (Request-ID: req-36f18e6a-50e1-464b-b8bd-fc7cb6ee223e)". Retrying for 3
> sec.
> Notice: Puppet::Type::Neutron_network::ProviderNeutron: Unable to
> complete neutron request due to non-fatal error: "Execution of
> '/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
> 1: The request you have made requires authentication. (HTTP 401)
> (Request-ID: req-35c8125d-7647-49a3-829b-ff485adb2234)". Retrying for 0
> sec.
>
>
> If i don't have the OS_ variables in my shell, then it all works fine.
>
> Is this a bug?
>
>
>
>
> Cheers,
> Just
>
> On 10 November 2016 at 21:46, Justin Cattle <j at ocado.com> wrote:
>
>> I tried switching the OS_TENANT_NAME for OS_PROJECT_NAME as a quick test
>> , it didn't seem to fix it.
>>
>> However, I'll generate the openrc file from the class in openstack_extras
>> just to make sure it's 100% correct, and report back.
>>
>>
>>
>> Cheers,
>> Just
>>
>> On 10 November 2016 at 17:43, Alex Schultz <aschultz at redhat.com> wrote:
>>
>>> On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle <j at ocado.com> wrote:
>>> > Hi Alex,
>>> >
>>> >
>>> > Thanks very much for the response.
>>> >
>>> > We're using python-openstackclient-2.3.0-2~cloud0, which is from
>>> ubuntu
>>> > cloud archive, trusty-updates/mitaka/main.
>>> >
>>> > What's the minimum version I need do you think?
>>> >
>>>
>>> I think that should be good. You might want to try switching out
>>> OS_TENANT_NAME for OS_PROJECT_NAME as project name is for v3 which may
>>> be causing the issue. The keystone::disable_admin_token_auth had a
>>> dependency on a change[0] to add OS_PROJECT_NAME in. You should be
>>> able to test the underlying commands to see if that fixes the problem.
>>> The root cause seems to be more of the openstack client interactions
>>> (and missing commands) based on the rc file than a puppet issue.
>>>
>>> Thanks,
>>> -Alex
>>>
>>> [0] https://review.openstack.org/#/c/274296/
>>>
>>> >
>>> > Actually we haven't been using puppet-openstack_extras, but I'll look
>>> at
>>> > that for the openrc file at least :)
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > Cheers,
>>> > Just
>>> >
>>> > On 10 November 2016 at 16:32, Alex Schultz <aschultz at redhat.com>
>>> wrote:
>>> >>
>>> >> Hey Justin,
>>> >>
>>> >>
>>> >>
>>> >> On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle <j at ocado.com> wrote:
>>> >> > Hi,
>>> >> >
>>> >> >
>>> >> > I was looking at this class in the keystone module:
>>> >> >
>>> >> > keystone::disable_admin_token_auth
>>> >> >
>>> >> > ..which suggests:
>>> >> >
>>> >> > # After this class is run,
>>> >> > # future puppet runs must have an openrc file with valid keystone v3
>>> >> > # admin credentials in /root/openrc available
>>> >> >
>>> >> >
>>> >> >
>>> >> > So when I change the openrc file from the v2 to v3 keystone
>>> endpoint,
>>> >> > puppet
>>> >> > runs then fail with various openstack provider errors.
>>> >> >
>>> >> > e.g.
>>> >> >
>>> >> > Error: Could not prefetch keystone_service provider 'openstack':
>>> >> > Execution
>>> >> > of '/usr/bin/openstack service list --quiet --format csv --long'
>>> >> > returned 2:
>>> >> > openstack: 'service' is not an openstack command. See 'openstack
>>> >> > --help'.
>>> >> > Did you mean one of these?
>>> >> > resource member create
>>> >> > resource member delete
>>> >> > resource member list
>>> >> > resource member show
>>> >> > resource member update
>>> >> > server add security group
>>> >> > server add volume
>>> >> > server create
>>> >> > server delete
>>> >> > server dump create
>>> >> > server image create
>>> >> > server list
>>> >> > server lock
>>> >> > server migrate
>>> >> > server pause
>>> >> > server reboot
>>> >> > server rebuild
>>> >> > server remove security group
>>> >> > server remove volume
>>> >> > server rescue
>>> >> > server resize
>>> >> > server resume
>>> >> > server set
>>> >> > server shelve
>>> >> > server show
>>> >> > server ssh
>>> >> > server start
>>> >> > server stop
>>> >> > server suspend
>>> >> > server unlock
>>> >> > server unpause
>>> >> > server unrescue
>>> >> > server unset
>>> >> > server unshelve (tried 44, for a total of 170 seconds)
>>> >> >
>>> >> >
>>> >> > ..and..
>>> >> >
>>> >> > Error:
>>> >> >
>>> >> > /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Ser
>>> vice_identity[neutron]/Keystone_user[neutron]:
>>> >> > Could not evaluate: Execution of '/usr/bin/openstack domain list
>>> --quiet
>>> >> > --format csv' returned 2: openstack: 'domain' is not an openstack
>>> >> > command.
>>> >> > See 'openstack --help'.
>>> >> > Did you mean one of these?
>>> >> > command list
>>> >> > container create
>>> >> > container delete
>>> >> > container list
>>> >> > container save
>>> >> > container set
>>> >> > container show
>>> >> > container unset (tried 44, for a total of 170 seconds)
>>> >> >
>>> >> >
>>> >>
>>> >> These errors seem to point to an outdated openstackclient. What
>>> >> version are you using?
>>> >>
>>> >> >
>>> >> > The v3 openrc file I have in place, works fine when just using the
>>> >> > openstack
>>> >> > cli, which makes the situation all the more strange :) Here it is
>>> for
>>> >> > reference:
>>> >> >
>>> >> > #!/bin/sh
>>> >> > export OS_NO_CACHE='true'
>>> >> > export OS_TENANT_NAME='admin'
>>> >> > export OS_USERNAME='admin'
>>> >> > export OS_PASSWORD='supersecret'
>>> >> > export OS_AUTH_URL='http://1.2.3.4:5000/v3/'
>>> >> > export OS_AUTH_STRATEGY='keystone'
>>> >> > export OS_IDENTITY_API_VERSION="3"
>>> >> > export OS_REGION_NAME='openstack'
>>> >> > export OS_USER_DOMAIN_NAME='default'
>>> >> > export OS_PROJECT_DOMAIN_NAME='default'
>>> >> > export CINDER_ENDPOINT_TYPE='publicURL'
>>> >> > export GLANCE_ENDPOINT_TYPE='publicURL'
>>> >> > export KEYSTONE_ENDPOINT_TYPE='publicURL'
>>> >> > export NOVA_ENDPOINT_TYPE='publicURL'
>>> >> > export NEUTRON_ENDPOINT_TYPE='publicURL'
>>> >> >
>>> >> >
>>> >>
>>> >> This looks ok, but it's OS_PROJECT_NAME now. All our CI uses v3 now
>>> >> and here's an example file from a recent CI run.
>>> >>
>>> >> #!/bin/sh
>>> >> export OS_NO_CACHE='true'
>>> >> export OS_PROJECT_NAME='openstack'
>>> >> export OS_USERNAME='admin'
>>> >> export OS_PASSWORD='a_big_secret'
>>> >> export OS_AUTH_URL='https://[::1]:5000/v3/'
>>> >> export OS_AUTH_STRATEGY='keystone'
>>> >> export OS_REGION_NAME='RegionOne'
>>> >> export OS_PROJECT_DOMAIN_NAME='default'
>>> >> export OS_USER_DOMAIN_NAME='default'
>>> >> export CINDER_ENDPOINT_TYPE='publicURL'
>>> >> export GLANCE_ENDPOINT_TYPE='publicURL'
>>> >> export KEYSTONE_ENDPOINT_TYPE='publicURL'
>>> >> export NOVA_ENDPOINT_TYPE='publicURL'
>>> >> export NEUTRON_ENDPOINT_TYPE='publicURL'
>>> >> export OS_IDENTITY_API_VERSION='3'
>>> >>
>>> >> We actually have an openstack_extras module that we use to generate
>>> >> ours in our CI runs.
>>> >>
>>> >>
>>> >> https://github.com/openstack/puppet-openstack_extras/blob/ma
>>> ster/manifests/auth_file.pp
>>> >>
>>> >> Thanks,
>>> >> -Alex
>>> >>
>>> >>
>>> >> >
>>> >> > Can anyone advise how the openrc file should be formatted ?
>>> >> >
>>> >> > Thanks!
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > Cheers,
>>> >> > Just
>>> >> >
>>> >> > Notice: This email is confidential and may contain copyright
>>> material
>>> >> > of
>>> >> > members of the Ocado Group. Opinions and views expressed in this
>>> message
>>> >> > may
>>> >> > not necessarily reflect the opinions and views of the members of the
>>> >> > Ocado
>>> >> > Group.
>>> >> >
>>> >> >
>>> >> >
>>> >> > If you are not the intended recipient, please notify us immediately
>>> and
>>> >> > delete all copies of this message. Please note that it is your
>>> >> > responsibility to scan this message for viruses.
>>> >> >
>>> >> >
>>> >> >
>>> >> > Fetch and Sizzle are trading names of Speciality Stores Limited and
>>> >> > Fabled
>>> >> > is a trading name of Marie Claire Beauty Limited, both members of
>>> the
>>> >> > Ocado
>>> >> > Group.
>>> >> >
>>> >> >
>>> >> >
>>> >> > References to the “Ocado Group” are to Ocado Group plc (registered
>>> in
>>> >> > England and Wales with number 7098618) and its subsidiary
>>> undertakings
>>> >> > (as
>>> >> > that expression is defined in the Companies Act 2006) from time to
>>> time.
>>> >> > The registered office of Ocado Group plc is Titan Court, 3 Bishops
>>> >> > Square,
>>> >> > Hatfield Business Park, Hatfield, Herts. AL10 9NE.
>>> >> >
>>> >> >
>>> >> > _______________________________________________
>>> >> > OpenStack-operators mailing list
>>> >> > OpenStack-operators at lists.openstack.org
>>> >> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstac
>>> k-operators
>>> >> >
>>> >
>>> >
>>> >
>>> > Notice: This email is confidential and may contain copyright material
>>> of
>>> > members of the Ocado Group. Opinions and views expressed in this
>>> message may
>>> > not necessarily reflect the opinions and views of the members of the
>>> Ocado
>>> > Group.
>>> >
>>> >
>>> >
>>> > If you are not the intended recipient, please notify us immediately and
>>> > delete all copies of this message. Please note that it is your
>>> > responsibility to scan this message for viruses.
>>> >
>>> >
>>> >
>>> > Fetch and Sizzle are trading names of Speciality Stores Limited and
>>> Fabled
>>> > is a trading name of Marie Claire Beauty Limited, both members of the
>>> Ocado
>>> > Group.
>>> >
>>> >
>>> >
>>> > References to the “Ocado Group” are to Ocado Group plc (registered in
>>> > England and Wales with number 7098618) and its subsidiary undertakings
>>> (as
>>> > that expression is defined in the Companies Act 2006) from time to
>>> time.
>>> > The registered office of Ocado Group plc is Titan Court, 3 Bishops
>>> Square,
>>> > Hatfield Business Park, Hatfield, Herts. AL10 9NE.
>>>
>>
>>
>
> Notice: This email is confidential and may contain copyright material of
> members of the Ocado Group. Opinions and views expressed in this message
> may not necessarily reflect the opinions and views of the members of the
> Ocado Group.
>
>
>
> If you are not the intended recipient, please notify us immediately and
> delete all copies of this message. Please note that it is your
> responsibility to scan this message for viruses.
>
>
>
> Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
> is a trading name of Marie Claire Beauty Limited, both members of the Ocado
> Group.
>
>
>
> References to the “Ocado Group” are to Ocado Group plc (registered in
> England and Wales with number 7098618) and its subsidiary undertakings (as
> that expression is defined in the Companies Act 2006) from time to time.
> The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
> Hatfield Business Park, Hatfield, Herts. AL10 9NE.
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20161111/a203c417/attachment.html>
More information about the OpenStack-operators
mailing list