<div dir="ltr">Thanks for helping out. I hope that I am not being too much of a pest, but I really want my group to adopt the OpenStack community's puppet modules for deploying OpenStack. Now that I have keystone working on one node I want to expand on that. I have an HAProxy cluster and I have a signed certificate. I want to use SSL and use my HAProxy cluster. I assume that I need to change my POC puppet manifest like so ... <div><br></div><div>
<p>class { '::keystone::endpoint':</p>
<p> public_url => "https://${controller_vip_name}:5000",</p>
<p> admin_url => "https://${controller_vip_name}:35357",</p>
<p> internal_url => "https://${controller_vip_name}:5000",</p>
<p> region => 'example-1',</p>
<p> }</p>
<p>Where $controller_vip_name is the hostname (or IP address) of the virtual interface for my HAProxy.</p>
<p><br></p>
<p>In my haproxy.cfg I have these lines:</p>
<p>frontend keystone-admin-vip</p>
<p> bind 10.29.103.39:35357 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA</p>
<p> default_backend keystone-admin-api</p>
<p><br></p>
<p>frontend keystone-public-vip</p>
<p> bind 10.29.103.39:5000 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA</p>
<p> default_backend keystone-public-api</p>
<p>So I guess my question is, "Is there anything else I need to do besides changing the values I pass to my keystone::endpoint resource?".</p>
<p><br></p>
<p>Thanks!</p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 8, 2016 at 10:13 AM, Russell Cecala <span dir="ltr"><<a href="mailto:red.cricket.blog@gmail.com" target="_blank">red.cricket.blog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Oops. I figured it out ...<div><br></div><div>
<p>MariaDB [keystone_db_name]> select * from project;</p>
<p>+----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+</p>
<p>| id | name | extra | description | enabled | domain_id | parent_id |</p>
<p>+----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+</p>
<p>| af4e7a8966fb4665aaac22a8b9687c8f | openstack | {} | admin tenant | 1 | default | NULL |</p>
<p>| b83b33cc7d314181af50a2a80c995b0c | services | {} | Tenant for the openstack services | 1 | default | NULL |</p>
<p>+----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+</p>
<p><b>2 rows in set (0.01 sec)</b></p>
<p><br></p>
<p>MariaDB [keystone_db_name]> quit</p>
<p><b>Bye</b></p>
<p>[root@ost-services-centos-001 ~]# exit</p>
<p>logout</p>
<p>Connection to ost-services-centos-001 closed.</p>
<p>[root@ost-mgmt-centos-001 ~]# openstack --os-auth-url <a href="http://127.0.0.1:35357" target="_blank">http://127.0.0.1:35357</a> --os-project-name openstack --os-username admin --os-auth-type password token issue</p>
<p>Password: </p>
<p>+------------+----------------------------------+</p>
<p>| Field | Value |</p>
<p>+------------+----------------------------------+</p>
<p>| expires | 2016-01-08T19:12:14Z |</p>
<p>| id | 581a5c2e8a074740a510cbadebf17815 |</p>
<p>| project_id | af4e7a8966fb4665aaac22a8b9687c8f |</p>
<p>| user_id | b3f1f4bcfb114559a05378bd6ce39e55 |</p>
<p>+------------+----------------------------------+</p></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 8, 2016 at 10:09 AM, Russell Cecala <span dir="ltr"><<a href="mailto:red.cricket.blog@gmail.com" target="_blank">red.cricket.blog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Rich, <div><br></div><div>Thanks for all your help so far. </div><div>I am getting clean puppet runs (I still get deprecation warnings) but "puppet agent -t" is running without error now:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><span><div><p>[root@ost-mgmt-centos-001 ~]# puppet agent -t</p></div><div><p>Info: Retrieving pluginfacts</p></div><div><p>Info: Retrieving plugin</p></div><div><p>Info: Loading facts</p></div><div><p>Error: NetworkManager is not running.</p></div><div><p>Info: Caching catalog for <a href="http://ost-mgmt-centos-001.example.com" target="_blank">ost-mgmt-centos-001.example.com</a></p></div><div><p><b>Warning: The tenant parameter is deprecated and will be removed in the future. 
Please use keystone_user_role to assign a user to a project.</b></p></div><div><p><b>Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.</b></p></div></span><div><p>Info: Applying configuration version '1452275612'</p></div><div><p>Notice: /Stage[main]/Wrapcontroller/Exec[/usr/bin/curl <a href="http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo" target="_blank">http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo</a> | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin]/returns: executed successfully</p></div><div><p>Notice: Finished catalog run in 11.53 seconds</p></div></blockquote><div><br></div><div>Here is the puppet module I am using currently:</div><div><br></div><div>
<p><span>class</span><span> </span>wrapcontroller<span>(</span></p><p><span>... long list of parameters I am not using yet ...</span></p><p><span>) {</span></p><p><span>  </span><span>class</span><span> {</span>'my-openstack::disable_firewall'<span>:} -></span></p><p><span>  </span><span>class</span><span> {</span>'my-openstack::disable_selinux'<span>:} -></span></p><p><span>  </span><span>class</span><span> {</span>'my-openstack::disable_network_manager'<span>:} -></span></p><span><p><br></p><p><span>  </span><span>exec</span><span> { </span>'/bin/yum -y install <a href="http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm" target="_blank">http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm</a>'<span>: </span><span>unless</span><span> => </span>'/bin/rpm -q epel-release'<span>, }</span></p><p><span>  </span><span>exec</span><span> { </span>'/bin/yum -y install <a href="http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm" target="_blank">http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm</a>'<span>: </span><span>unless</span><span> => </span>'/bin/rpm -q rdo-release'<span>, }</span></p></span><p><span>  </span><span>exec</span><span> { </span>'/usr/bin/curl <a href="http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo" target="_blank">http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo</a> | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin'<span>:}</span><br></p></div><div>
<p><span> </span><span>$packages</span><span> = [</span>'mariadb'<span>, </span>'mod_wsgi'<span>, </span>'memcached'<span>, </span>'python-memcached'<span>]</span></p>
<p> <span>package</span> { <span>$packages</span> : <span>ensure</span> => <span>present</span>, }</p><span>
<p><br></p>
<p><span> </span><span>exec</span><span> { </span>'keystone_database_init'<span>:</span></p>
<p><span> </span><span>command</span><span> => </span>'/usr/bin/keystone-manage db_sync'<span>,</span></p>
<p> <span>onlyif</span> => [</p>
<p><span> </span><span>"/usr/bin/mysql -u</span>$keystone_db_user<span> -p</span>$keystone_db_pass<span> -h</span>$db_host<span> -P</span>$db_port<span> </span>$keystone_db_name<span> -e 'show tables'"</span><span>,</span></p>
<p><span> </span>"/usr/bin/test -z \"`/usr/bin/mysql -u<span>$keystone_db_user</span> -p<span>$keystone_db_pass</span> -h<span>$db_host</span> -P<span>$db_port</span> <span>$keystone_db_name</span> -e 'show tables'`\""</p>
<p> ],</p>
<p> <span>require</span> => <span>Package</span>[<span>'mariadb'</span>],</p>
<p> }</p>
</span><p><span> </span><span>$services</span><span> = [</span>'memcached'<span>]</span></p>
<p> <span>service</span> { <span>$services</span> : <span>ensure</span> => <span>running</span>, <span>enable</span> => <span>true</span>, }</p>
<p>  # found out that you shouldn't create the wsgi-keystone.conf file as it prevents httpd from starting</p>
<p><span> </span><span>file</span><span> { </span>'/etc/httpd/conf.d/wsgi-keystone.conf'<span>:</span></p>
<p> <span>ensure</span> => <span>absent</span>,</p>
<p># content => template( "wrapcontroller/wsgi-keystone.conf.erb" ),</p>
<p> }</p></div><div class="gmail_extra"><span>
<p><span> </span><span>class</span><span> {</span>'::keystone'<span>:</span></p>
<p><span> </span>admin_token<span> => </span>$keystone_auth_token<span>,</span></p>
</span><p> <span>catalog_type</span> => <span>'sql'</span>,</p><span>
<p><span> </span>database_connection<span> => </span><span>"mysql://</span>${keystone_db_user}<span>:</span>${keystone_db_pass}<span>@</span>${db_host}<span>:</span>${db_port}<span>/</span>${keystone_db_name}<span>"</span><span>,</span></p>
<p> <span>debug</span> => <span>$debug</span>,</p>
</span><p> <span>verbose</span> => <span>$debug</span>,</p>
<p> }<br></p>
<p><br></p>
<p># include ::apache</p>
<p># class { '::keystone::wsgi::apache': ssl => false, }</p><span>
<p><span> </span><span>class</span><span> { </span>'::keystone::roles::admin'<span>:</span></p>
<p><span> </span>email<span> => </span>$keystone_admin_email<span>,</span></p>
<p><span> </span>password<span> => </span>$keystone_admin_password<span>,</span></p>
<p> }</p>
<p><span> </span><span>class</span><span> { </span>'::keystone::endpoint'<span>:</span></p>
<p><span> </span><span>public_url</span><span> => </span>"<a href="http://127.0.0.1:5000" target="_blank">http://127.0.0.1:5000</a>"<span>,</span></p>
<p><span> </span><span>admin_url</span><span> => </span>"<a href="http://127.0.0.1:35357" target="_blank">http://127.0.0.1:35357</a>"<span>,</span></p>
</span><p><span> </span><span>internal_url</span><span> => </span>"<a href="http://127.0.0.1:5000" target="_blank">http://127.0.0.1:5000</a>"<span>,</span></p>
<p> <span>region</span> => <span>'example-1'</span>,</p>
<p> }</p></div><div class="gmail_extra">}</div><div class="gmail_extra"><br></div><div class="gmail_extra">The above runs but I am unable to verify that keystone is working as per the docs here:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><a href="http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html" target="_blank">http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html</a><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">
<p>[root@ost-mgmt-centos-001 ~]# openstack --os-auth-url <a href="http://127.0.0.1:35357" target="_blank">http://127.0.0.1:35357</a> --os-project-name admin --os-username admin --os-auth-type password token issue</p>
<p>Password: </p>
<p>ERROR: openstack Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-7c9b4b3b-dfe8-48a9-98eb-668b18e9b3bb)</p>
<p>[root@ost-mgmt-centos-001 ~]# openstack --os-auth-url <a href="http://127.0.0.1:35357" target="_blank">http://127.0.0.1:35357</a> --os-project-name admin --os-username admin --os-auth-type password token issue</p>
<p>Password: </p>
<p>ERROR: openstack Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-c42ee03c-eb7b-4858-9743-a376fda0dc1f)</p><p><br></p><p><br></p><p>openstack Could not find project: admin <br></p><p>Hmm what is the project's name? How can I figure that out?</p><p><br></p><p>Thanks,</p><p>Russ</p></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 5, 2016 at 2:22 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 01/05/2016 02:42 PM, Russell Cecala
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Rich,
<div><br>
</div>
<div>I guess I am kind of confused. I thought "<b style="font-size:12.8px">class {
                '::keystone::roles::admin':" </b><span style="font-size:12.8px">was supposed to create the "admin"
user and set the password to $keystone_admin_password. If
class { '::keystone::roles::admin' doesn't create the admin
user what does?</span></div>
</div>
</blockquote>
<br></span>
It either creates it, or ensures that it has the specified
properties, if it already exists. In this case, it seems that it
already exists, so it attempts to ensure that it has the specified
properties.<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><span style="font-size:12.8px">And what kind of user are we
talking about? A user that shows up in the /etc/passwd file
or an mysql user or a keystone user of some sort?</span></div>
</div>
</blockquote>
<br></span>
    A keystone user - a user that shows up when you do "$ openstack user
list" as an admin user.<div><div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><span style="font-size:12.8px">Sorry I am pretty confused
:) </span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">After I truncate my
/var/log/keystone/keystone.log and run puppet agent -t I get
this output to my keystone.log </span></div>
<div><br>
</div>
<div>
<p>2016-01-05 16:28:38.342 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:38.346 10596 INFO
keystone.common.wsgi [-] GET /projects?</p>
<p>2016-01-05 16:28:38.347 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:38.352 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000</p>
<p>2016-01-05 16:28:39.144 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:39.147 10596 INFO
keystone.common.wsgi [-] GET /domains?</p>
<p>2016-01-05 16:28:39.148 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:39.152 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:39] "GET /v3/domains HTTP/1.1" 200 702 0.009214</p>
<p>2016-01-05 16:28:39.929 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:39.932 10596 INFO
keystone.common.wsgi [-] GET /roles?</p>
<p>2016-01-05 16:28:39.933 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:39.938 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:39] "GET /v3/roles HTTP/1.1" 200 615 0.009210</p>
<p>2016-01-05 16:28:40.712 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:40.716 10596 INFO
keystone.common.wsgi [-] GET /users?</p>
<p>2016-01-05 16:28:40.716 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:40.721 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:40] "GET /v3/users HTTP/1.1" 200 820 0.008919</p>
<p>2016-01-05 16:28:41.562 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:41.565 10596 INFO
keystone.common.wsgi [-] GET /domains?</p>
<p>2016-01-05 16:28:41.566 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:41.571 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:41] "GET /v3/domains HTTP/1.1" 200 702 0.009300</p>
<p>2016-01-05 16:28:42.331 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:42.335 10596 INFO
keystone.common.wsgi [-] GET
/users/5ec5abf83d164d439b603d72606b99fd?</p>
<p>2016-01-05 16:28:42.335 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:42.340 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd
HTTP/1.1" 200 472 0.009393</p>
<p>2016-01-05 16:28:42.353 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:42.356 10596 INFO
keystone.common.wsgi [-] GET
/users/5ec5abf83d164d439b603d72606b99fd/projects?</p>
<p>2016-01-05 16:28:42.357 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:42.370 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:42] "GET
/v3/users/5ec5abf83d164d439b603d72606b99fd/projects
HTTP/1.1" 200 632 0.016973</p>
<p>2016-01-05 16:28:43.217 10599 DEBUG
keystone.middleware.core [-] Auth token not in the request
header. Will not build auth context. process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:229</p>
<p>2016-01-05 16:28:43.220 10599 INFO
eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016
16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002948</p>
<p>2016-01-05 16:28:43.318 10599 DEBUG
keystone.middleware.core [-] Auth token not in the request
header. Will not build auth context. process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:229</p>
<p>2016-01-05 16:28:43.321 10599 INFO
eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016
16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002887</p>
</div>
</div>
</blockquote>
<br></div></div>
This is strange. /v2.0/auth/tokens does not exist. It is
/v2.0/tokens for v2, and /v3/auth/tokens for v3. This would
indicate that perhaps your openrc setting with the "/v2.0" suffix is
polluting the puppet run?<div><div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<p>2016-01-05 16:28:44.076 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:44.079 10596 INFO
keystone.common.wsgi [-] GET /services?</p>
<p>2016-01-05 16:28:44.079 10596 WARNING
keystone.common.controller [-] RBAC: Bypassing authorization</p>
<p>2016-01-05 16:28:44.084 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:44] "GET /v3/services HTTP/1.1" 200 558 0.008541</p>
<p>2016-01-05 16:28:44.871 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:44.873 10596 INFO
keystone.common.wsgi [-] GET /endpoints?</p>
<p>2016-01-05 16:28:44.878 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931</p>
<p>2016-01-05 16:28:44.891 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:44.892 10596 INFO
keystone.common.wsgi [-] GET
/OS-KSADM/services/07622af16010436aadb463adffff4099?</p>
<p>2016-01-05 16:28:44.896 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:44] "GET
/v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099
HTTP/1.1" 200 385 0.005287</p>
<p>2016-01-05 16:28:44.899 10596 DEBUG
keystone.middleware.core [-] RBAC: auth_context: {}
process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:239</p>
<p>2016-01-05 16:28:44.900 10596 INFO
keystone.common.wsgi [-] GET
/OS-KSADM/services/07622af16010436aadb463adffff4099?</p>
<p>2016-01-05 16:28:44.904 10596 INFO
eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016
16:28:44] "GET
/v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099
HTTP/1.1" 200 385 0.005030</p>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 4, 2016 at 3:22 PM, Rich
Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>
<div>
<div>On 01/04/2016 03:07 PM, Russell Cecala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Thank you for the reply Rich,
<div><br>
</div>
<div>Here are the versions of my puppet modules:</div>
<div><br>
</div>
<div>
<p>[root@ost-puppet-centos-001 keystone]# puppet
module list </p>
<p>/etc/puppetlabs/puppet/environments/production/modules</p>
<p>├── nanliu-staging (<span>v1.0.3</span>)</p>
<p>├── openstack-keystone (<span>v6.1.0</span>)</p>
<p>├── openstack-openstacklib (<span>v6.1.0</span>)</p>
<p>├── puppetlabs-apache (<span>v1.7.0</span>)</p>
<p>├── puppetlabs-apt (<span>v1.8.0</span>)</p>
<p>├── puppetlabs-concat (<span>v1.2.4</span>)</p>
<p>├── puppetlabs-firewall (<span>v1.7.1</span>)</p>
<p>├── puppetlabs-inifile (<span>v1.4.2</span>)</p>
<p>├── puppetlabs-mysql (<span>v3.6.1</span>)</p>
<p>├── puppetlabs-postgresql (<span>v3.4.2</span>)</p>
<p>├── puppetlabs-rabbitmq (<span>v5.3.1</span>)</p>
<p>└── puppetlabs-stdlib (<span>v4.9.0</span>)</p>
<p>/etc/puppetlabs/puppet/modules</p>
<p>├── cisco-gis-openstack (<span>???</span>)</p>
<p>├── haproxy (<span>???</span>)</p>
<p>├── keepalived (<span>???</span>)</p>
<p>├── mikduart-unnamed (<span>v0.1.0</span>)</p>
<p>├── mikduart-unnamed (<span>v0.1.0</span>)</p>
<p>├── mikduart-unnamed (<span>v0.1.0</span>)</p>
<p>├── puppetlabs-mongodb (<span>v0.10.0</span>)</p>
<p>├── saz-memcached (<span>v2.4.0</span>)</p>
<p>├── setup_mariadb_script (<span>???</span>)</p>
<p>├── sysctl (<span>???</span>)</p>
<p>└── wrapmongodb (<span>???</span>)</p>
<p>/opt/puppet/share/puppet/modules</p>
<p>├── puppetlabs-pe_accounts (<span>v2.0.2-8-g8acc04e</span>)</p>
<p>├── puppetlabs-pe_concat (<span>v1.1.2-4-g2b7bba2</span>)</p>
<p>├── puppetlabs-pe_console_prune (<span>v0.1.1-4-g293f45b</span>)</p>
<p>├── puppetlabs-pe_inifile (<span>v1.1.4-16-gcb39966</span>)</p>
<p>├── puppetlabs-pe_java_ks (<span>v1.2.4-35-g44fbb26</span>)</p>
<p>├── puppetlabs-pe_postgresql (<span>v3.4.4-15-g32e56ed</span>)</p>
<p>├── puppetlabs-pe_razor (<span>v0.2.1-9-g8d78ec2</span>)</p>
<p>├── puppetlabs-pe_repo (<span>v0.7.7-59-g4514315</span>)</p>
<p>├── puppetlabs-pe_staging (<span>v0.3.3-6-gbd9db2b</span>)</p>
<p>└── puppetlabs-puppet_enterprise (<span>v3.7.1-117-g9c48e73</span>)</p>
<p><br>
</p>
<p>I am not sure I have the right values in my
openrc but I have been using:</p>
<p><br>
</p>
<p># cat openrc.localhost </p>
<p>export OS_AUTH_URL=<a href="http://127.0.0.1:5000/v2.0" target="_blank">http://127.0.0.1:5000/v2.0</a></p>
<p>export OS_PASSWORD=xxxxxxxxxxxxxxxx</p>
<p>export OS_TENANT_NAME=admin</p>
<p> </p>
<p>export OS_USERNAME=admin</p>
</div>
</div>
</blockquote>
<br>
</div>
</div>
Is this sourced into the environment where puppet is
running? It should not be.
<div>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<p><br>
</p>
<p>I believe this is the openstackclient version
I am using:</p>
<p><br>
</p>
<p>[root@ost-mgmt-centos-001 ~]# rpm -qa | grep
openstackclient</p>
<p> </p>
<p>python-<span><b>openstackclient</b></span>-1.0.3-2.el7.noarch</p>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 4, 2016 at
                            1:19 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span>
<div>On 01/04/2016 02:06 PM, Russell
Cecala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Emilien,
<div><br>
</div>
<div><br>
</div>
                                    <div>I am trying to use <a href="https://github.com/openstack/puppet-keystone" target="_blank">https://github.com/openstack/puppet-keystone</a>
to set up a Kilo keystone node.</div>
</div>
</blockquote>
<br>
</span> I'm assuming you're using the kilo
branch there?<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
                                    <div>I was hoping you could help me out
so I can get my team to adopt puppet
for setting up OpenStack.</div>
<div><br>
</div>
<div>On my keystone node I am running
centos7 with selinux disabled ...</div>
</div>
</blockquote>
<br>
</span> What version of openstackclient are
you using?<br>
<br>
Do you have a $HOME/openrc or /root/openrc,
or are you otherwise defining OS_*
environment variables in the environment
before running puppet?<br>
<br>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div><br>
</div>
<div>
<p>[root@svl-ost-mgmt-centos-001
~]# sestatus </p>
<p>SELinux status:
disabled</p>
<p>... and I have flushed my
iptables ...</p>
<p><br>
</p>
<p>[root@svl-ost-mgmt-centos-001
~]# iptables -L</p>
<p>Chain INPUT (policy ACCEPT)</p>
<p>target prot opt source
destination </p>
<p><br>
</p>
<p>Chain FORWARD (policy ACCEPT)</p>
<p>target prot opt source
destination </p>
<p><br>
</p>
<p>Chain OUTPUT (policy ACCEPT)</p>
<p> </p>
<p>target prot opt source
destination </p>
<p><br>
</p>
<p>Yet when I run "puppet agent
-t" I get these errors:</p>
<p><br>
</p>
<p>[root@ost-mgmt-centos-001 ~]#
puppet agent -t</p>
<p>Info: Retrieving pluginfacts</p>
<p>Info: Retrieving plugin</p>
<p>Info: Loading facts</p>
<p>Error: NetworkManager is not
running.</p>
<p>Info: Caching catalog for <a href="http://ost-mgmt-centos-001.example.com" target="_blank">ost-mgmt-centos-001.example.com</a></p>
<p><b>Warning: The tenant
parameter is deprecated and
will be removed in the future.
Please use keystone_user_role
to assign a user to a project.</b></p>
<p><b>Warning: The
ignore_default_tenant
parameter is deprecated and
will be removed in the future.</b></p>
<p>Info: Applying configuration
version '1451940682'</p>
<p><b>Error:
/Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]:
Could not evaluate: Execution
of '/usr/bin/openstack token
issue --format value' returned
1: ERROR: openstack The
resource could not be found.
(HTTP 404) (Request-ID:
req-ca2a6dd1-fdb6-48f4-94fe-8f736fcc01dd)</b></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</div>
<b>This usually indicates that it is trying to ensure that
the user "admin" exists but the password is incorrect.
That is, the class { '::keystone::roles::admin':
password => $keystone_admin_password is not
correct.<br>
<br>
If you are sure it is correct, then it could be a
mismatch between the identity api version used by the
puppet module and the one specified in the environment.
Check the keystone access logs to see what URL this is
trying to access - something with /token or /tokens, or
something with /auth/token or /auth/tokens<br>
<br>
</b>
<div>
<div>
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<p>Notice:
/Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@openstack]:
Dependency Keystone_user[admin]
has failures: true</p>
<p><b>Warning:
/Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@openstack]:
Skipping because of failed
dependencies</b></p>
<p> </p>
<p>Notice: Finished catalog run in
12.38 seconds</p>
<p>Here's code I am using on my
puppet master ...</p>
<p><span>class</span><span> </span>wrapcontroller<span>(</span></p>
<p> </p>
<p>... big list of parameters I am
not using until I can get
keystone going ...</p>
<p>) {</p>
<p><br>
</p>
<p><span> </span><span>exec</span><span>
{ </span>'/bin/yum -y install
<a href="http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm" target="_blank">http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm</a>'<span>:
</span><span>unless</span><span>
=> </span>'/bin/rpm -q
epel-release'<span>, }</span></p>
<p><span> </span><span>exec</span><span>
{ </span>'/bin/yum -y install
<a href="http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm" target="_blank">http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm</a>'<span>:
</span><span>unless</span><span>
=> </span>'/bin/rpm -q
rdo-release'<span>, }</span></p>
<p><br>
</p>
<p> <span>package</span> { <span>'mariadb'</span>:
<span>ensure</span> => <span>present</span>,
}</p>
<p><span> </span><span>exec</span><span>
{ </span>'keystone_database_init'<span>:</span></p>
<p><span> </span><span>command</span><span>
=> </span>'/usr/bin/keystone-manage
db_sync'<span>,</span></p>
<p> <span>onlyif</span>
=> [</p>
<p><span> </span><span>"/usr/bin/mysql
-u</span>$keystone_db_user<span>
-p</span>$keystone_db_pass<span>
-h</span>$db_host<span> -P</span>$db_port<span>
</span>$keystone_db_name<span>
-e 'show tables'"</span><span>,</span></p>
<p><span> </span>"/usr/bin/test
-z \"`/usr/bin/mysql -u<span>$keystone_db_user</span>
-p<span>$keystone_db_pass</span>
-h<span>$db_host</span> -P<span>$db_port</span>
<span>$keystone_db_name</span>
-e 'show tables'`\""</p>
<p> ],</p>
<p> <span>require</span>
=> <span>Package</span>[<span>'mariadb'</span>],</p>
<p> }</p>
<p><br>
</p>
<p><span> </span><span>class</span><span>
{</span>'::keystone'<span>:</span></p>
<p><span> </span>admin_token<span>
=> </span>$keystone_auth_token<span>,</span></p>
<p><span> </span>database_connection<span>
=> </span><span>"mysql://</span>${keystone_db_user}<span>:</span>${keystone_db_pass}<span>@</span>${db_host}<span>:</span>${db_port}<span>/</span>${keystone_db_name}<span>"</span><span>,</span></p>
<p> <span>debug</span>
=> <span>$debug</span>,</p>
<p> <span>enabled</span>
=> <span>true</span>,</p>
<p> <span>enable_ssl</span>
=> <span>false</span>,</p>
<p> <span>service_name</span>
=> <span>'httpd'</span>,<span>
# this is a kilo thing</span></p>
<p> <span>verbose</span>
=> <span>$debug</span>,</p>
<p> }</p>
<p><br>
</p>
<p> <span>include</span>
::apache</p>
<p><span> </span><span>class</span><span>
{ </span>'::keystone::wsgi::apache'<span>:
</span><span>ssl</span><span>
=> </span><span>false</span><span>,
}</span></p>
<p><span> </span><span>class</span><span>
{ </span>'::keystone::roles::admin'<span>:</span></p>
<p><span> </span>email<span>
=> </span>$keystone_admin_email<span>,</span></p>
<p><span> </span>password<span>
=> </span>$keystone_admin_password<span>,</span></p>
<p> }</p>
<p><span> </span><span>class</span><span>
{ </span>'::keystone::endpoint'<span>:</span></p>
<p><span> </span><span>public_url</span><span>
=> </span>"<a href="http://127.0.0.1:5000" target="_blank">http://127.0.0.1:5000</a>"<span>,</span></p>
<p><span> </span><span>admin_url</span><span>
=> </span>"<a href="http://127.0.0.1:35357" target="_blank">http://127.0.0.1:35357</a>"<span>,</span></p>
<p><span> </span>default_domain<span>
=> </span><span>'admin'</span><span>,</span></p>
<p> }</p>
<p> </p>
<p>}</p>
</div>
<div>Thanks! And Happy New Year to
you :)</div>
<div>Red</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Nov
24, 2015 at 2:38 PM, Emilien
Macchi <span dir="ltr"><<a href="mailto:emilien@redhat.com" target="_blank">emilien@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span><br>
<br>
On 11/24/2015 11:21 PM,
Russell Cecala wrote:<br>
> I am trying to use the
OpenStack community puppet
modules. Here's the<br>
> keystone module I am
using: <a href="https://github.com/openstack/puppet-keystone" target="_blank">https://github.com/openstack/puppet-keystone</a><br>
> I am using the stable
juno branch. I have in my
puppet manifest for my<br>
> controller nodes this
resource definition:<br>
><br>
> class {
'::keystone::roles::admin':<br>
> admin
=> $keystone_admin_user,<br>
> email
=> $keystone_admin_email,<br>
> password
=>
$keystone_admin_password,<br>
> } -><br>
><br>
> And when puppet runs that
code I get this error:<br>
><br>
> Error:<br>
>
/Stage[main]/Keystone::Roles::Admin/Keystone_user_role[keystone_admin_user@openstack]:<br>
> Could not evaluate:
Execution of
'/usr/bin/openstack domain
show<br>
> --format shell' returned
2: usage: openstack domain
show [-h] [-f<br>
> {shell,table,value}] [-c
COLUMN]<br>
>
[--max-width
<integer>] [--prefix
PREFIX]<br>
>
<domain><br>
> openstack domain
show: error: too few arguments<br>
<br>
</span>Sounds like an issue with
your version of openstackclient,
can you<br>
provide it?<br>
<span><br>
><br>
> Can anyone help me? Are
these Puppet modules still
being supported?<br>
<br>
</span>Yes :-)<br>
<span><br>
> Does anyone use them?
Thanks!<br>
<br>
</span>Double yes.<br>
<span><font color="#888888">--<br>
Emilien Macchi<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
<br>
<br>
</div>
</div>
<span>
<pre>_______________________________________________
OpenStack-operators mailing list
<a href="mailto:OpenStack-operators@lists.openstack.org" target="_blank">OpenStack-operators@lists.openstack.org</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators</a>
</pre>
</span></blockquote>
<br>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>