[Openstack] nova+keystone troubles in Havana

Stuart Longland stuartl at vrt.com.au
Wed Nov 6 01:09:17 UTC 2013


Hi all,

Seems I've got Nova arguing with Keystone in my latest deployment of
OpenStack Havana.  I'm not sure where I'm going wrong, but needless to
say, it's all fine until I try to create a network (from an Ansible script):

nova --os-username username --os-password password \
     --os-auth-url http://our-keystone-cname:35357/v2.0 \
     --os-tenant-name tenant network-create private \
     --fixed-range-v4=10.20.30.0/24 \
     --bridge-interface=privatenet

The bridge 'privatenet' is created by Ubuntu's /etc/network/interfaces.
I can verify the user 'username' works:
> root@host:~# . keystonerc
> root@host:~# keystone user-list
> +----------------------------------+----------+---------+-------+
> |                id                |   name   | enabled | email |
> +----------------------------------+----------+---------+-------+
> | d48a98571e9442a08e11c6af07e5f7a5 |  cinder  |   True  |       |
> | a6aeda6624cc4bcaa904498593275483 |   ec2    |   True  |       |
> | f23a0c58d54c4fceb5ea4013cc76bbe8 |  glance  |   True  |       |
> | ecb5013801b741d8a3fafe6855a1277d | neutron  |   True  |       |
> | 79e966e7bdab4242b258d651f79b5d8c |   nova   |   True  |       |
> | 1822ef2529d54c62b1b5407ec166f01f |  swift   |   True  |       |
> | d7a25154f6dd437991f6b1be7564f963 | username |   True  |       |
> +----------------------------------+----------+---------+-------+
> root@host:~# cat keystonerc
> export OS_USERNAME=username
> export OS_PASSWORD=password
> export OS_TENANT_NAME=tenant
> export OS_AUTH_URL=http://our-keystone-cname:35357/v2.0

Yet, when I run the above command, or even `nova network-list`:
> root@host:~# nova network-list
> ERROR: Malformed request URL: URL's project_id 'xxxx' doesn't match Context's project_id 'yyyy' (HTTP 400) (Request-ID: zzz)

I've trimmed things down here; xxxx looks like my tenant's ID and is in
hexadecimal, however the project_id is a very long base64-like string of
gobbledygook which looks like what you get from `keystone token-get`.
Request-ID is a typical UUID.  The strings given as 'xxxx' and 'yyyy'
above appear much the same each time.

The settings used to work in Grizzly.  I don't believe I specified a
project ID anywhere, just a username, password and tenant.  I certainly
didn't specify the monstrosity that is given as the "Context's
project_id".  What environment variable did I forget to set?

I've tried to replicate what's in the install guide for Havana on Ubuntu
12.04.  One thing that the docs are very scant on detail on, is the
confounded paste.ini.  Looking through the configuration reference, I
see not one mention anywhere of what is supposed to be in those files.

I know there's a filter:authtoken section -- conflicting information[1]
on what's supposed to be in there in the set-up guides, and no official
documentation that states what settings are required, present, expected,
unexpected, forbidden or otherwise.  I have a hunch it could be settings
there.  I don't know, as from what I see in the configuration reference,
one would be forgiven for thinking it didn't exist.

At the moment, I have the following in /etc/nova/api-paste.ini:
> [filter:authtoken]
> paste.filter_factory = keystone.middleware.auth_token:filter_factory
> service_protocol = http
> service_host = our-keystone-cname
> service_port = 5000
> auth_host = our-keystone-cname
> auth_port = 35357
> auth_protocol = http
> admin_tenant_name = service
> admin_user = cinder
> admin_password = cinder
> rabbit_host = our-msgqueue-cname
> rabbit_port = 5672
> rabbit_userid = cinder
> rabbit_password = cinder
> rabbit_virtual_host = /nova

and in /etc/nova/nova.conf:
> [DEFAULT]
> dhcpbridge_flagfile = /etc/nova/nova.conf
> dhcpbridge = /usr/bin/nova-dhcpbridge
> logdir = /var/log/nova
> state_path = /var/lib/nova
> lock_path = /var/lock/nova
> force_dhcp_release = True
> iscsi_helper = tgtadm
> libvirt_use_virtio_for_bridges = True
> connection_type = libvirt
> root_helper = sudo nova-rootwrap /etc/nova/rootwrap.conf
> verbose = True
> ec2_private_dns_show_ip = True
> api_paste_config = /etc/nova/api-paste.ini
> volumes_path = /var/lib/nova/volumes
> enabled_apis = ec2,osapi_compute,metadata
> my_ip = 10.40.60.80
> rootwrap_config = /etc/nova/rootwrap.conf
> compute_scheduler_driver = nova.scheduler.filter_scheduler.FilterScheduler
> volume_api_class = nova.volume.cinder.API
> volume_driver = cinder.volume.drivers.rbd.RBDDriver
> rbd_pool = volumes
> glance_api_version = 2
> volume_name_template = volume-%s
> libvirt_type = kvm
> compute_driver = libvirt.LibvirtDriver
> instance_name_template = instance-%08x
> allow_resize_to_same_host = True
> osapi_compute_extension = nova.api.openstack.compute.contrib.standard_extensions
> ec2_dmz_host = our-ec2-cname
> s3_host = our-ec2-cname
> rpc_backend = nova.rpc.impl_kombu
> rabbit_host = our-msgqueue-cname
> rabbit_port = 5672
> rabbit_userid = nova
> rabbit_password = nova
> rabbit_virtual_host = /nova
> image_service = nova.image.glance.GlanceImageService
> glance_api_servers = our-glance-cname:9292
> network_manager = nova.network.manager.FlatDHCPManager
> firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
> public_interface = projectnet
> vlan_interface = eth2
> flat_network_bridge = privatenet
> fixed_range = 10.20.30.0/24
> allow_same_net_traffic = True
> novncproxy_base_url = http://$my_ip:6080/vnc_auto.html
> vncserver_proxyclient_address = $my_ip
> vncserver_listen = $my_ip
> #auth_strategy = keystone
> 
> [database]
> connection = mysql://nova:nova@our-dbase-cname:3306/nova
> 
> [keystone_authtoken]
> auth_host = our-keystone-cname
> auth_port = 35357
> auth_protocol = http
> admin_tenant_name = service
> admin_user = nova
> admin_password = nova
> signing_dirname = /tmp/keystone-signing-nova

Is there something hideously obvious that I missed here?  The logs
aren't giving me many clues.

Regards,
-- 
Stuart Longland
Contractor
     _ ___
\  /|_) |                           T: +61 7 3535 9619
 \/ | \ |     38b Douglas Street    F: +61 7 3535 9699
   SYSTEMS    Milton QLD 4064       http://www.vrt.com.au


1. https://bugs.launchpad.net/openstack-manuals/+bug/1248001
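
Added example (not part of the original post): a small consistency check over the two places the post configures Keystone auth for Nova, [filter:authtoken] in api-paste.ini and [keystone_authtoken] in nova.conf. The function names `load` and `audit` are hypothetical, and the embedded samples are excerpts of the posted files trimmed to the auth-related keys.

```python
import configparser
import re

# Excerpts of the two files as posted above, trimmed to the auth-related keys.
API_PASTE_INI = """\
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
auth_host = our-keystone-cname
auth_port = 35357
auth_protocol = http
admin_user = cinder
admin_password = cinder
"""
NOVA_CONF = """\
[DEFAULT]
api_paste_config = /etc/nova/api-paste.ini
#auth_strategy = keystone

[keystone_authtoken]
auth_host = our-keystone-cname
auth_port = 35357
auth_protocol = http
admin_user = nova
admin_password = nova
"""

def load(text):
    # interpolation=None: nova.conf values such as volume-%s are literal text
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit(paste_text, nova_text):
    """Return (kind, key, detail) findings for the two authtoken sections."""
    paste = dict(load(paste_text)["filter:authtoken"])
    nova = dict(load(nova_text)["keystone_authtoken"])
    findings = []
    for key in sorted(paste.keys() & nova.keys()):
        if paste[key] != nova[key]:  # same key, different value in each file
            findings.append(("conflict", key, f"{paste[key]!r} vs {nova[key]!r}"))
    for m in re.finditer(r"^\s*#\s*(auth_strategy)\s*=\s*(\S+)", nova_text, re.M):
        findings.append(("commented-out", m.group(1), m.group(2)))
    if "http" in (paste.get("auth_protocol"), nova.get("auth_protocol")):
        findings.append(("cleartext", "auth_protocol", "credentials and tokens sent over http"))
    return findings

if __name__ == "__main__":
    for finding in audit(API_PASTE_INI, NOVA_CONF):
        print(*finding, sep=": ")
```

On the posted values this reports the differing admin_user and admin_password between the two sections, the commented-out auth_strategy line, and the plain-http auth_protocol.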



