[keystone] [keystonemiddleware] [neutron] [keystone_authtoken] auth_url not available via oslo_config
Hi, I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial. We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file. The ml2 plugin is calico, it fails with this error: 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists. I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error. I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed. Here is the keystone_authtoken part of the config: [keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here: https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au... This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly. If anyone has any ideas, I would really appreciate some input or pointers. Thanks! Cheers, Just -- Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group. If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses. References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
Just to add, it also doesn't seem to be registering the password option from keystone_authtoken either. So, makes me think the auth plugin isn't loading , or not the right one at least ?? Cheers, Just On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j@ocado.com> wrote:
Hi,
I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial.
We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file.
The ml2 plugin is calico, it fails with this error:
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer
When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.
I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.
I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.
Here is the keystone_authtoken part of the config:
[keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default
I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here:
https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au...
This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.
If anyone has any ideas, I would really appreciate some input or pointers.
Thanks!
Cheers, Just
-- Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group. If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses. References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
not a keystone person, but I can offer you this: https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca8... It's a nasty workaround for getting config values from keystone_authtoken which are supposed to private for keystonemiddleware only. It's probably a bad idea. On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <j@ocado.com> wrote:
Just to add, it also doesn't seem to be registering the password option from keystone_authtoken either.
So, makes me think the auth plugin isn't loading , or not the right one at least ??
Cheers, Just
On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j@ocado.com> wrote:
Hi,
I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial.
We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file.
The ml2 plugin is calico, it fails with this error:
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer
When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.
I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.
I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.
Here is the keystone_authtoken part of the config:
[keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default
I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here:
https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au...
This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.
If anyone has any ideas, I would really appreciate some input or pointers.
Thanks!
Cheers, Just
Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.
If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.
References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
On 2/24/20 9:08 AM, Jeremy Freudberg wrote:
not a keystone person, but I can offer you this: https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca8...
It's a nasty workaround for getting config values from keystone_authtoken which are supposed to private for keystonemiddleware only. It's probably a bad idea.
Yeah, config opts should generally not be referenced by other projects. The oslo.config deprecation mechanism doesn't handle the case where an opt gets renamed but is still being referred to in the code by its old name. I realize that's not what happened here, but in general it's a good reason not to do this. If a given config value needs to be exposed to consumers of a library it should be explicitly provided via an API. I realize that's not what happened here, but it demonstrates the fragility of referring to another project's config opts directly. It's also possible that a project could change when its opts get registered, which may be what's happening here. If this plugin code is running before keystoneauth has registered its opts that might explain why it's not being found. That may also explain why it's working in some other environments - if the timing of when the opts are registered versus when the plugin code gets called is different it might cause that kind of varying behavior with otherwise identical code/configuration. I have vague memories of this having come up before, but I can't remember exactly what the recommendation was. Hopefully someone from Keystone can chime in.
On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <j@ocado.com> wrote:
Just to add, it also doesn't seem to be registering the password option from keystone_authtoken either.
So, makes me think the auth plugin isn't loading , or not the right one at least ??
Cheers, Just
On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j@ocado.com> wrote:
Hi,
I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial.
We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file.
The ml2 plugin is calico, it fails with this error:
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer
When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.
I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.
I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.
Here is the keystone_authtoken part of the config:
[keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default
I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here:
https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au...
This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.
If anyone has any ideas, I would really appreciate some input or pointers.
Thanks!
Cheers, Just
Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.
If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.
References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
Hi Jeremy-
From what I understand, ksm is set up so that it registers the conf opts for the [keystone_authtoken] section implicitly when you import keystonemiddleware.auth_token, which imports _opts [1], which defines and registers the options [2].
I'm not an expert, but I believe you(r code) should be relying on the above exclusively, and not trying to find/register these options in any other way. Assuming that's already happening, then as others suggested, it may be a matter of import ordering. HTH, efried [1] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/queens/ke... [2] https://opendev.org/openstack/keystonemiddleware/src/branch/stable/queens/ke...
The hacky stuff in Sahara will definitely be removed when I get the chance. I had only added it as a temporary measure until users could transition to using a new section in Sahara's own configuration. (the "trustee" section in sahara.conf, much like the "trustee" section in heat.conf)
On Mon, Feb 24, 2020, at 08:17, Ben Nemec wrote:
On 2/24/20 9:08 AM, Jeremy Freudberg wrote:
not a keystone person, but I can offer you this: https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca8...
It's a nasty workaround for getting config values from keystone_authtoken which are supposed to private for keystonemiddleware only. It's probably a bad idea.
Yeah, config opts should generally not be referenced by other projects. The oslo.config deprecation mechanism doesn't handle the case where an opt gets renamed but is still being referred to in the code by its old name. I realize that's not what happened here, but in general it's a good reason not to do this. If a given config value needs to be exposed to consumers of a library it should be explicitly provided via an API.
I realize that's not what happened here, but it demonstrates the fragility of referring to another project's config opts directly. It's also possible that a project could change when its opts get registered, which may be what's happening here. If this plugin code is running before keystoneauth has registered its opts that might explain why it's not being found. That may also explain why it's working in some other environments - if the timing of when the opts are registered versus when the plugin code gets called is different it might cause that kind of varying behavior with otherwise identical code/configuration.
I have vague memories of this having come up before, but I can't remember exactly what the recommendation was. Hopefully someone from Keystone can chime in.
Services that need to connect to keystone with their own session outside of keystonemiddleware can use the keystoneauth loading module to register config options rather than reusing the keystone_authtoken section. For example, this is what nova does: https://opendev.org/openstack/nova/src/branch/master/nova/conf/glance.py This doesn't help unbreak OP's broken Queens site. Perhaps the neutron or calico contributors can help diagnose what's different about that site in order to figure out what's missing that's causing keystonemiddleware not to load the keystoneauth config opts. Colleen
On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <j@ocado.com> wrote:
Just to add, it also doesn't seem to be registering the password option from keystone_authtoken either.
So, makes me think the auth plugin isn't loading , or not the right one at least ??
Cheers, Just
On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j@ocado.com> wrote:
Hi,
I'm reaching out for help with a strange issue I've found. Running openstack queens, on ubuntu xenial.
We have a bunch of different sites with the same set-up, recently upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2 plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file.
The ml2 plugin is calico, it fails with this error:
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py", line 347, in _post_fork_init 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer
When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.
I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.
I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.
Here is the keystone_authtoken part of the config:
[keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default
I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here:
https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au...
This seems to indicate auth_url is only registered if a particular auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.
If anyone has any ideas, I would really appreciate some input or pointers.
Thanks!
Cheers, Just
Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.
If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.
References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
Thanks for the responses guys. In the end, tracked down the reason that the config options where not being registered. One of the [ unrelated ] plugins in neutron was failing to initialise, that the silently broke the plugin loading for the rest. It took a while to track it diwn, because it was a silent failure with no exception! :) Apllogies, I don't have the details for the code, but it was somewhere in the neutron.manager. The particular server was rebuilt after we found the issue, adn we didn't preserve our debugs :( We think one of the plugins could not initialise a connection to the MQ, which was why it didn't load properly. Of course, the ml2 plugin we had an issue with has no relation to the MQ, so we didn't even considder that intiially! Thanks again for the help, and sorry we don't hav emore detail about the silent failure. If we did I would raise a bug. Cheers Just On Tue, 25 Feb 2020 at 22:04, Colleen Murphy <colleen@gazlene.net> wrote:
On Mon, Feb 24, 2020, at 08:17, Ben Nemec wrote:
On 2/24/20 9:08 AM, Jeremy Freudberg wrote:
not a keystone person, but I can offer you this:
https://opendev.org/openstack/sahara/src/commit/75df1e93872a3a6b761d0eb89ca8...
It's a nasty workaround for getting config values from keystone_authtoken which are supposed to private for keystonemiddleware only. It's probably a bad idea.
Yeah, config opts should generally not be referenced by other projects. The oslo.config deprecation mechanism doesn't handle the case where an opt gets renamed but is still being referred to in the code by its old name. I realize that's not what happened here, but in general it's a good reason not to do this. If a given config value needs to be exposed to consumers of a library it should be explicitly provided via an API.
I realize that's not what happened here, but it demonstrates the fragility of referring to another project's config opts directly. It's also possible that a project could change when its opts get registered, which may be what's happening here. If this plugin code is running before keystoneauth has registered its opts that might explain why it's not being found. That may also explain why it's working in some other environments - if the timing of when the opts are registered versus when the plugin code gets called is different it might cause that kind of varying behavior with otherwise identical code/configuration.
I have vague memories of this having come up before, but I can't remember exactly what the recommendation was. Hopefully someone from Keystone can chime in.
Services that need to connect to keystone with their own session outside of keystonemiddleware can use the keystoneauth loading module to register config options rather than reusing the keystone_authtoken section. For example, this is what nova does:
https://opendev.org/openstack/nova/src/branch/master/nova/conf/glance.py
This doesn't help unbreak OP's broken Queens site. Perhaps the neutron or calico contributors can help diagnose what's different about that site in order to figure out what's missing that's causing keystonemiddleware not to load the keystoneauth config opts.
Colleen
On Fri, Feb 21, 2020 at 9:43 AM Justin Cattle <j@ocado.com> wrote:
Just to add, it also doesn't seem to be registering the password
So, makes me think the auth plugin isn't loading , or not the right
one at least ??
Cheers, Just
On Thu, 20 Feb 2020 at 20:55, Justin Cattle <j@ocado.com> wrote:
Hi,
I'm reaching out for help with a strange issue I've found. Running
openstack queens, on ubuntu xenial.
We have a bunch of different sites with the same set-up, recently
upgraded from mitaka to queens. However, on this one site, after the upgrade, we cannot start neutron-server. The reason is, that the ml2
The ml2 plugin is calico, it fails with this error:
2020-02-20 20:14:22.495 2964911 ERROR
networking_calico.plugins.ml2.drivers.calico.mech_calico [-] Exception in function %s: TypeError: expected string or buffer
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico Traceback (most recent call last): 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/logutils.py", line 21, in wrapped 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return fn(*args, **kwargs) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/dist-packages/networking_calico/plugins/ml2/drivers/calico/mech_calico.py",
2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico auth_url=re.sub(r'/v3/?$', '', auth_url) + 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico File "/usr/lib/python2.7/re.py", line 155, in sub 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico return _compile(pattern, flags).sub(repl, string, count) 2020-02-20 20:14:22.495 2964911 ERROR networking_calico.plugins.ml2.drivers.calico.mech_calico TypeError: expected string or buffer
When you look at the code, this is because neither auth_url or is found in cfg.CONF.keystone_authtoken. The config defintely exists.
I have copied the neutron.conf config from a working site, same error. I have copied the entire /etc/neutron directory from a working site, same error.
I have check with strace, and /etc/neutron/neutron.conf is the only neutron.conf being parsed.
Here is the keystone_authtoken part of the config:
[keystone_authtoken] auth_uri=https://api-srv-cloud.host.domain:5000 region_name=openstack memcached_servers=1.2.3.4:11211 auth_type=password auth_url=https://api-srv-cloud.host.domain:5000 username=neutron password=xxxxxxxxxxxxxxxxxxxxxxxxx user_domain_name=Default project_name=services project_domain_name=Default
I'm struggling to understand how the auth_url config is really registered in via oslo_config. I found an excellent exchagne on the ML here:
https://openstack.nimeyo.com/115150/openstack-keystone-devstack-confusion-au...
This seems to indicate auth_url is only registered if a particular
auth plugin requires it. But I can't find the plugin code that does it, so I'm not sure how/where to debug it properly.
If anyone has any ideas, I would really appreciate some input or
Thanks!
Cheers, Just
Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group.
If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses.
References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as
option from keystone_authtoken either. plugin throws an error because it can't find auth_url from the keystone_authtoken section of neutron.conf. However, it is there in the file. line 347, in _post_fork_init pointers. that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
-- Notice: This email is confidential and may contain copyright material of members of the Ocado Group. Opinions and views expressed in this message may not necessarily reflect the opinions and views of the members of the Ocado Group. If you are not the intended recipient, please notify us immediately and delete all copies of this message. Please note that it is your responsibility to scan this message for viruses. References to the "Ocado Group" are to Ocado Group plc (registered in England and Wales with number 7098618) and its subsidiary undertakings (as that expression is defined in the Companies Act 2006) from time to time. The registered office of Ocado Group plc is Buildings One & Two, Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 9UL.
participants (5)
-
Ben Nemec
-
Colleen Murphy
-
Eric Fried
-
Jeremy Freudberg
-
Justin Cattle