[openstack-dev] [Fuel] wrong network for keystone endpoint in 6.1 ?

Vladimir Kuklin vkuklin at mirantis.com
Fri Jul 10 10:31:35 UTC 2015


Daniel

Yes, if you want to do some administrative stuff you need to have access to
management network to be able to work with internal and admin endpoints.

On Fri, Jul 10, 2015 at 9:58 AM, Daniel Comnea <comnea.dani at gmail.com>
wrote:

> I know about the flow but what i'm questioning is:
>
> admin endpoint is mapped to br-mgmt subnet (you do have the HAproxy as
> below defined in 6.1. In 6.0 and before you had no HAproxy)
>
> listen keystone-2
>   bind 192.168.20.3:35357
>   option  httpchk
>   option  httplog
>   option  httpclose
>   server node-17 192.168.20.20:35357   check inter 10s fastinter 2s
> downinter 3s rise 3 fall 3
>   server node-18 192.168.20.21:35357   check inter 10s fastinter 2s
> downinter 3s rise 3 fall 3
>   server node-23 192.168.20.26:35357   check inter 10s fastinter 2s
> downinter 3s rise 3 fall 3
>
> public endpoint is mapped to br-ex
>
> So with this behavior you are saying the bt-mgmt subnet (which i thought
> is only for controller <> compute traffic, isolated network) should be
> routable in the same way br-ex is?
>
> Dani
>
>
> On Thu, Jul 9, 2015 at 11:30 PM, Stanislaw Bogatkin <
> sbogatkin at mirantis.com> wrote:
>
>> Hi Daniel,
>>
>> answer is no - actually there is no strong dependency between public and
>> internal/admin endpoints. In your case keystone client ask keystone on
>> address 10.52.71.39 (which, I think, was provided by system
>> variable OS_AUTH_URL), auth on it and then keystone give endpoints list to
>> client. Client selected admin endpoint from this list (192.168.20.3
>> address) and tried to get information you asked. It's a normal behavior.
>>
>> So, in Fuel by default we have 3 different endpoints for keystone -
>> public on public VIP, port 5000; internal on management VIP, port 5000,
>> admin on management VIP, port 35357.
>>
>> On Thu, Jul 9, 2015 at 4:59 PM, Daniel Comnea <comnea.dani at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I'm running Fuel 6.1 and i've seen an interesting behavior which i
>>> think match bug [1]
>>>
>>> Basically the adminUrl & publicUrl part of keystone endpoint are
>>> different
>>>
>>> And the result of that is that you can't run keystone cli - i.e
>>> create/list tenants etc
>>>
>>> keystone --debug tenant-list
>>> /usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:65:
>>> DeprecationWarning: The keystone CLI is deprecated in favor of python-
>>> openstackclient. For a Python library, continue using python-keys
>>> toneclient.
>>>   'python-keystoneclient.', DeprecationWarning)
>>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to
>>> http://10.20.71.39:5000/v2.0/tokens
>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP
>>> connection (1): 10.52.71.39
>>> DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens
>>> HTTP/1.1" 200 3709
>>> DEBUG:keystoneclient.session:REQ: curl -g -i -X GET
>>> http://192.168.20.3:35357/v2.0/tenants -H "User-Agent: python-
>>> keystoneclient" -H "Accept: application/json" -H "X-Auth-Token:
>>> {SHA1}cc918b89c2dca563edda43e01964b1f1979c552b"
>>>
>>> shouldn't adminURL = publicURL = br-ex for keystone?
>>>
>>>
>>> Dani
>>>
>>>
>>> [1] https://bugs.launchpad.net/fuel/+bug/1441855
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Yours Faithfully,
Vladimir Kuklin,
Fuel Library Tech Lead,
Mirantis, Inc.
+7 (495) 640-49-04
+7 (926) 702-39-68
Skype kuklinvv
35bk3, Vorontsovskaya Str.
Moscow, Russia,
www.mirantis.com <http://www.mirantis.ru/>
www.mirantis.ru
vkuklin at mirantis.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150710/fc8f424c/attachment.html>


More information about the OpenStack-dev mailing list