[OpenStack-docs] [install-guide] (not that much) progress with Kilo install on RHEL/Centos 7

Matt Kassawara mkassawara at gmail.com
Mon Apr 13 15:30:05 UTC 2015


Responses inline...

On Sun, Apr 12, 2015 at 8:49 PM, Bernd Bausch <berndbausch at gmail.com> wrote:

> In preparation for the install guide meeting on Tuesday, I would like to
> share what I have been able to do so far and what problems I hit. Advice
> would be welcome (I'd be happy to discuss that in the meeting):
>
> - There are places where the install guide content should be modified
> (flagged with "CONTENT" below). What's the procedure - I file a bug and
> immediately provide the fix?
> - Other places look like packaging bugs; I am using a Kilo repository for
> the Red Hat RDO project that is still work in progress. I think I should
> leave such bugs alone for now, since they are likely to go away. Correct?
>
> This is my report. It's based on Matt's version of the install guide
>
> http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox-doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yum/content/index.html.
>
> ---------------------------
> Section 2 Basic environment
> ---------------------------
>
> openstack-selinux not found in the repositories I am using. On first look,
> it seems that there is no need to install it, as rules in
> /etc/selinux/targeted/contexts/files/* seem to be the same as on my Juno
> installation. So I am brave, plan to watch the audit log and go ahead
> without modifying SELinux configs.
>

In Juno and prior releases, RHEL/CentOS required installing
openstack-selinux to configure SELinux rules, but Fedora included them by
default. Maybe this requirement changed for RHEL/CentOS in Kilo?


>
> CONTENT: The guide lacks info about the firewall rules, except a vague
> allusion in Chapter 2 Basic Environment.
> Since this is Red Hat with a locked-down firewall, nothing will work without
> opening ports for fundamental services (DB, RabbitMQ) and the OpenStack
> services.
>

A couple of cycles ago, we decided to make first-time installations easier
by recommending that people disable the firewall and then use the
security guide later to increase security before moving to production.
Furthermore, no one should use the installation guide architecture for
production without augmenting it with at least the security guide, HA
guide, and potentially a deployment automation system.


>
> My NTP server doesn't work (this has nothing to do with OpenStack).
> This forum says that NTP needs to be started after DNS (???)
>     https://forum.zentyal.org/index.php/topic,13045.0.html
> In any case, issuing a ``systemctl restart ntpd.service`` fixes the problem,
> but how can it be done automatically?
>

I haven't seen this issue and need more information here... perhaps some
error messages?


>
> ---------------------------------
> section 2, Maria DB installation:
> ---------------------------------
>
> ``/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command not found``
>

I haven't seen this issue. Seems like packaging, but I can't imagine RH
breaking the MariaDB packages.


> CONTENT: The install guide doesn't say how to answer the questions of this
> script.
>

I think we could add some information to the guide, but in the long run
I think we should expect our audience to know at least the basics of MariaDB.


> After setting the root password on the DB, I just hit enter at each
> question.
>
> ------------------------------------
> Section 2, Rabbit MQ installation:
> ------------------------------------
>
> CONTENT: The guide asks for adding a line to /etc/rabbitmq/rabbitmq.config.
> Scratching my head because I don't have that file, but then I see that it
> may not always exist. Perhaps this should be made clearer to accommodate
> slow thinkers.
>

I don't see where the guide asks to edit this file.


>
> -------------------------------
> Section 3, Identity concepts
> -------------------------------
>
> CONTENT: The diagram showing the process flow confuses me more than it
> helps.
>

Most of the conceptual sections come from common content (outside of the
installation guide) that needs clarification.


>
> --------------------------------
> Section 3, install and configure
> --------------------------------
>
> ``yum install openstack-keystone python-keystoneclient``: dependency
> python-cryptography can't be found
>
> After adding this repo (found via internet search):
>
>         [npmccallum-python-cryptography]
>         name=Copr repo for python-cryptography owned by npmccallum
>         baseurl=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/epel-7-$basearch/
>         skip_if_unavailable=True
>         gpgcheck=1
>         gpgkey=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/pubkey.gpg
>         enabled=1
>
> it works.
> This looks very much like a packaging error, and I hope it will eventually
> go away.
>

I'm going with a packaging problem.


>
> CONTENT (or perhaps not CONTENT): keystone.conf contains "connection =
> <None>" rather than the connection string cited in the install guide. This
> may be legitimately so, in which case the guide needs to be modified, or a
> packaging error.
>

I don't understand the problem. The guide says to configure "connection
= mysql://keystone:KEYSTONE_DBPASS@controller/keystone" in the
keystone.conf file.


>
> ------------------------------------------------------
> Section 3, create the service entity and API endpoints
> ------------------------------------------------------
>
> CONTENT: ``openstack`` command missing. Found in the package
> python-openstackclient.
>

We need to update the list of packages to install.


>
> CONTENT: ``openstack service create --type identity`` gives me:
>     WARNING: openstackclient.identity.v2_0.service.CreateService The argument --type is deprecated, use service create --name <service-name> type instead.
>

What version of python-openstackclient?


>
> I don't like the openstack client, because its help facility is much
> inferior to the one of the separate command line clients. Tough luck, I
> guess.
>

Keystone requires it now, but we don't need to use it for other services.


>
> CONTENT: The relevance of the sentence "Also, OpenStack supports multiple
> regions for scalability" is not clear to a first time (even n-th time)
> user.
>

I think we're trying to explain why we keep the installation guide as
simple as possible. What do you suggest?


>
> CONTENT: Why are we using API v2, not v3? Why a separate adminurl port, and
> same port for internal and publicurl? Some clarification would help.
>

We support Keystone API v2 and v3. Keystone kept /v2.0 for compatibility,
although most clients know how to access v3. We could add some
clarification between the two ports. In short, administrative operations
use 35357 and user operations use 5000.


>
> CONTENT: I would phrase the note at the end differently, e.g. "You will
> create similar endpoints for each of the other services as you install
> them"
>

For whatever reason, we're not allowed to use future tense.


>
> --------------------------------------------
> Section 3, Create projects, users, and roles
> --------------------------------------------
>
> CONTENT: Rather than saying "project (tenant)", be a bit more explicit e.g.
> "project (also named "tenant" in earlier OpenStack releases)"
>

Seems reasonable... but we'll just mention it once.


>
> CONTENT:
> # openstack role add --project demo --user demo _member_
> ERROR: openstack No role with a name or ID of '_member_' exists.
> I fix this by adding the _member_ role first:
> # openstack role create _member_
>

Keystone should create the _member_ role automatically during creation of
the demo tenant/user. The guide used to explicitly create this role and
later stopped after it caused problems. I think some distributions are
using strange configuration options.


>
> --------------------------------------------
> Section 3, verify operation
> --------------------------------------------
>
> CONTENT: There is no /etc/keystone/keystone-paste.ini; it's now under
> /usr/share/keystone. Not sure yet if this file is supposed to be modified.
> It seems that all the Paste/Deploy files are now under /usr/share.
>

We can use a different directory for RH.


>
> For now, instead of changing paste.ini I just remove the admin token from
> keystone.conf.
>

This just changes the token to "ADMIN" rather than disabling the method.


>
> --------------------------------------------
> Section 4, Glance install and configure
> --------------------------------------------
>
> ugly message when synching DB:
> /usr/lib/python2.7/site-packages/glance/db/sqlalchemy/artifacts.py:20: DeprecationWarning: The oslo namespace package is deprecated. Please use oslo_config instead.
> Not sure what to do about this.
>

I haven't seen this on Ubuntu yet. Maybe a packaging problem.


>
> --------------------------------------------
> Section 4, Verify operation
> --------------------------------------------
>
> Major problems with glance. I am stuck with problem 3 below.
>
> Problem 1:
> ~~~~~~~~~~
>
> glance image-create fails. See also Monty Taylor's comments on the docs and
> dev mailing lists.
>
> It turns out that I am using glance API v2, set in the rc files:
>
>     export OS_IMAGE_API_VERSION=2
>
> Glance v2 requires a quite different workflow to upload images. Setting API
> version to 1 for the moment.
>

The python-glanceclient should use version 2, but nova still uses version
1. The command to upload images changes slightly for version 2. Basically,
"--is-public True" becomes "--visibility public" for image creation.


>
> Problem 2:
> ~~~~~~~~~~
>
> It turns out glance is not running. api.log says:
>
>         ERROR glance.common.config [-] Unable to load glance-api-keystone from configuration file /usr/share/glance/glance-api-dist-paste.ini.
>         Got: ImportError('No module named elasticsearch',)
>
> After pip install elasticsearch, I can start glance.
>

Packaging.


>
> Still getting a strange warning in api.log:
>     2015-04-12 17:42:30.267 6789 WARNING oslo_config.cfg [-] Option "username" from group "keystone_authtoken" is deprecated. Use option "username" from group "keystone_authtoken".
>

This is a side effect of OpenStack deprecating "username" several releases
ago and then bringing it back in a different form for Kilo. Upstream
problem.


>
> Problem 3:
> ~~~~~~~~~~
>
> Trying to upload an image now fails because of wrong credentials????
> Haven't resolved this yet. Any glance request is rejected with
>     # glance image-list
>     Invalid OpenStack Identity credentials.
>

Could be a number of things.


>
> Glance's API log:
> 2015-04-12 22:31:03.932 9048 DEBUG keystoneclient.session [-] REQ: curl -g -i -X GET http://kilocontrol:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient" _http_log_request /usr/lib/python2.7/site-packages/keystoneclient/session.py:195
> 2015-04-12 22:31:03.935 9048 WARNING keystoneclient.auth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
> 2015-04-12 22:31:03.936 9048 WARNING keystonemiddleware.auth_token [-] Authorization failed for token
>
> This seems to be related with this DEBUG entry in keystone.log:
> keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>
> I assume a misconfiguration on my side but haven't figured out what it
> might be. Need to study the nature of WSGI middleware.
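The point in the reply about removing the admin token from keystone.conf, as an added example that is not part of either message: a check that reports which paste pipelines still accept the admin token and whether an unset `admin_token` falls back to "ADMIN" (the fallback is taken from the reply). The filter name `admin_token_auth` is Keystone's name for that middleware in its paste file; the sample file contents are constructed.

```python
import configparser

# Constructed sample files, shaped like the ones discussed in the thread.
SAMPLE_PASTE = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize token_auth json_body admin_service
"""
SAMPLE_CONF_TOKEN_REMOVED = """
[DEFAULT]
#admin_token = CONSTRUCTED_VALUE
verbose = True
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def pipelines_with_admin_token(paste_text):
    """Return names of paste pipelines that still include admin_token_auth."""
    cp = _parse(paste_text)
    hits = []
    for section in cp.sections():
        if section.startswith("pipeline:"):
            # Split on whitespace so "token_auth" is not mistaken for a match.
            if "admin_token_auth" in cp.get(section, "pipeline", fallback="").split():
                hits.append(section.split(":", 1)[1])
    return sorted(hits)

def effective_admin_token(conf_text):
    """Token keystone would accept; unset falls back to "ADMIN" per the reply."""
    return _parse(conf_text).defaults().get("admin_token", "ADMIN")

def audit(paste_text, conf_text):
    exposed = pipelines_with_admin_token(paste_text)
    if not exposed:
        return "ok: admin_token_auth is not in any pipeline"
    token = effective_admin_token(conf_text)
    state = "default ADMIN" if token == "ADMIN" else "custom value"
    return "exposed: %s accept admin token (%s)" % (", ".join(exposed), state)

if __name__ == "__main__":
    print(audit(SAMPLE_PASTE, SAMPLE_CONF_TOKEN_REMOVED))
```

On a real host, pass the contents of the paste file under /usr/share/keystone and of keystone.conf instead of the samples.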