[openstack-dev] [Fuel] wrong network for keystone endpoint in 6.1 ?

Daniel Comnea comnea.dani at gmail.com
Fri Jul 10 14:45:37 UTC 2015


Okay Vladimir, thanks for confirmation!

So then, are you happy to stick my sketch proposal (of course it needs re-wording)
into the documentation?

Dani

On Fri, Jul 10, 2015 at 11:31 AM, Vladimir Kuklin <vkuklin at mirantis.com>
wrote:

> Daniel
>
> Yes, if you want to do some administrative stuff you need to have access
> to the management network to be able to work with internal and admin endpoints.
>
> On Fri, Jul 10, 2015 at 9:58 AM, Daniel Comnea <comnea.dani at gmail.com>
> wrote:
>
>> I know about the flow but what I'm questioning is:
>>
>> admin endpoint is mapped to br-mgmt subnet (you do have the HAProxy as
>> below defined in 6.1. In 6.0 and before you had no HAProxy)
>>
>> listen keystone-2
>>   bind 192.168.20.3:35357
>>   option  httpchk
>>   option  httplog
>>   option  httpclose
>>   server node-17 192.168.20.20:35357   check inter 10s fastinter 2s downinter 3s rise 3 fall 3
>>   server node-18 192.168.20.21:35357   check inter 10s fastinter 2s downinter 3s rise 3 fall 3
>>   server node-23 192.168.20.26:35357   check inter 10s fastinter 2s downinter 3s rise 3 fall 3
>>
>> public endpoint is mapped to br-ex
>>
>> So with this behavior you are saying the br-mgmt subnet (which I thought
>> is only for controller <> compute traffic, isolated network) should be
>> routable in the same way br-ex is?
>>
>> Dani
>>
>>
>> On Thu, Jul 9, 2015 at 11:30 PM, Stanislaw Bogatkin <
>> sbogatkin at mirantis.com> wrote:
>>
>>> Hi Daniel,
>>>
>>> the answer is no - actually there is no strong dependency between public and
>>> internal/admin endpoints. In your case the keystone client asks keystone on
>>> address 10.52.71.39 (which, I think, was provided by the system
>>> variable OS_AUTH_URL), authenticates on it, and then keystone gives the
>>> endpoint list to the client. The client selected the admin endpoint from this
>>> list (192.168.20.3 address) and tried to get the information you asked for.
>>> It's normal behavior.
>>>
>>> So, in Fuel by default we have 3 different endpoints for keystone -
>>> public on public VIP, port 5000; internal on management VIP, port 5000,
>>> admin on management VIP, port 35357.
>>>
>>> On Thu, Jul 9, 2015 at 4:59 PM, Daniel Comnea <comnea.dani at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm running Fuel 6.1 and I've seen an interesting behavior which I
>>>> think matches bug [1]
>>>>
>>>> Basically the adminUrl & publicUrl parts of the keystone endpoint are
>>>> different
>>>>
>>>> And the result of that is that you can't run the keystone cli - i.e.
>>>> create/list tenants etc.
>>>>
>>>> keystone --debug tenant-list
>>>> /usr/local/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
>>>>   'python-keystoneclient.', DeprecationWarning)
>>>> DEBUG:keystoneclient.auth.identity.v2:Making authentication request to http://10.20.71.39:5000/v2.0/tokens
>>>> INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 10.52.71.39
>>>> DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3709
>>>> DEBUG:keystoneclient.session:REQ: curl -g -i -X GET http://192.168.20.3:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}cc918b89c2dca563edda43e01964b1f1979c552b"
>>>>
>>>> Shouldn't adminURL = publicURL = br-ex for keystone?
>>>>
>>>>
>>>> Dani
>>>>
>>>>
>>>> [1] https://bugs.launchpad.net/fuel/+bug/1441855
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>
>
> --
> Yours Faithfully,
> Vladimir Kuklin,
> Fuel Library Tech Lead,
> Mirantis, Inc.
> +7 (495) 640-49-04
> +7 (926) 702-39-68
> Skype kuklinvv
> 35bk3, Vorontsovskaya Str.
> Moscow, Russia,
> www.mirantis.com <http://www.mirantis.ru/>
> www.mirantis.ru
> vkuklin at mirantis.com
>
>
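
The catalog behaviour discussed in this thread, as an added example that is not part of the original messages or of Fuel's code: it walks a Keystone v2.0 service catalog and reports which endpoint URLs a client can reach from the networks it routes to. The token response is a constructed sample built from the addresses and ports quoted above; the region name, the `/24` prefix and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of a Keystone v2.0 token response (catalog part only),
# using the addresses and ports quoted in the thread.
SAMPLE_TOKEN_RESPONSE = {"access": {"serviceCatalog": [{
    "type": "identity",
    "name": "keystone",
    "endpoints": [{
        "region": "RegionOne",  # assumed region name
        "publicURL": "http://10.52.71.39:5000/v2.0",
        "internalURL": "http://192.168.20.3:5000/v2.0",
        "adminURL": "http://192.168.20.3:35357/v2.0",
    }],
}]}}

# Assumption: the workstation routes only to the public network.
ROUTABLE_CIDRS = ["10.52.71.0/24"]


def audit_catalog(token_response, routable_cidrs):
    """Return (service_type, interface, url, reachable) per catalog URL.

    reachable is True/False for IP literals and None for hostnames,
    which cannot be judged without DNS.
    """
    nets = [ipaddress.ip_network(c) for c in routable_cidrs]
    findings = []
    for service in token_response["access"]["serviceCatalog"]:
        for endpoint in service.get("endpoints", []):
            for interface in ("publicURL", "internalURL", "adminURL"):
                url = endpoint.get(interface)
                if not url:
                    continue
                try:
                    addr = ipaddress.ip_address(urlparse(url).hostname)
                    reachable = any(addr in net for net in nets)
                except ValueError:
                    reachable = None
                findings.append((service["type"], interface, url, reachable))
    return findings


def blocked_interfaces(token_response, routable_cidrs):
    """Interfaces a client on routable_cidrs cannot reach."""
    return [(svc, iface) for svc, iface, _, ok
            in audit_catalog(token_response, routable_cidrs) if ok is False]


if __name__ == "__main__":
    for row in audit_catalog(SAMPLE_TOKEN_RESPONSE, ROUTABLE_CIDRS):
        print(row)
```

With only the public network routable, the identity service's `internalURL` and `adminURL` are reported as blocked, which is the case where `keystone tenant-list` authenticates successfully and then cannot connect to port 35357.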