[openstack-dev] [nova] reckoning time for nova ec2 stack

Matt Riedemann mriedem at linux.vnet.ibm.com
Thu Jan 15 22:49:37 UTC 2015

On 1/15/2015 11:40 AM, Matt Riedemann wrote:
> On 1/13/2015 9:27 PM, Matt Riedemann wrote:
>> On 1/13/2015 12:11 PM, Steven Hardy wrote:
>>> On Tue, Jan 13, 2015 at 10:00:04AM -0600, Matt Riedemann wrote:
>>>> Looks like the fix we merged didn't actually fix the problem. I have
>>>> a patch
>>>> [1] to uncap the boto requirement on master and it's failing the ec2
>>>> tests
>>>> in tempest the same as before.
>>> FWIW, I just re-tested and boto 2.35.1 works fine for me locally, if you
>>> revert my patch it breaks again with "Signature not provided" errors
>>> (for
>>> all ec2 API requests).
>>> If you look at the failures in the log, it actually looks like a
>>> different
>>> problem:
>>> EC2ResponseError: EC2ResponseError: 401 Unauthorized
>>> This is not the same as the original error which rejected any request
>>> inside the nova API before even calling keystone with a message like
>>> this:
>>> AuthFailure: Signature not provided
>>> AFAICT this means my patch is working, and there's a different problem
>>> affecting only a subset of the ec2 boto tests.
>>> Steve
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> Yeah, new bug reported, looks like we're hitting 401 Unauthorized errors
>> when trying to create security groups in the test:
>> https://bugs.launchpad.net/nova/+bug/1410622
> I have a debug patch up here to try and recreate the tempest failures
> with latest boto but using a nova debug change also to get more
> information when we fail.
> https://review.openstack.org/#/c/147601/

I finally narrowed this down to some code in keystone where it generates 
a signature and compares that to what nova is passing in on the request 
for ec2 credentials and they are different so keystone is rejecting the 
request with a 401.


I'm assuming something needs to change in keystone to support the 
version 4 format?



Matt Riedemann

More information about the OpenStack-dev mailing list