[OpenStack-docs] [install-guide] (not that much) progress with Kilo install on RHEL/Centos 7
Bernd Bausch
berndbausch at gmail.com
Tue Apr 14 10:39:23 UTC 2015
The packaging problems and possibly others are probably caused by
me using the wrong repository. The RDO project has corrected that.
So I am afraid I have to try again.
A few other comments I made were unnecessary; e.g. there is a remark
about the firewall, and indeed the install guide contains nothing about
the rabbit configuration file (I must have read it in a different
version of the guide). My apologies.
In parallel I am trying to understand the right way to upload an
image to glance using the new process.
Bernd
From: Matt Kassawara [mailto:mkassawara at gmail.com]
Sent: Tuesday, April 14, 2015 12:30 AM
To: Bernd Bausch
Cc: openstack-docs at lists.openstack.org
Subject: Re: [OpenStack-docs] [install-guide] (not that much) progress with Kilo install on RHEL/Centos 7
Responses inline...
On Sun, Apr 12, 2015 at 8:49 PM, Bernd Bausch <berndbausch at gmail.com> wrote:
In preparation for the install guide meeting on Tuesday, I would like to
share what I have been able to do so far and what problems I hit. Advice
would be welcome (I'd be happy to discuss that in the meeting):
- There are places where the install guide content should be modified
(flagged with "CONTENT" below). What's the procedure - I file a bug and
immediately provide the fix?
- Other places look like packaging bugs; I am using a Kilo repository for
the Red Hat RDO project that is still work in progress. I think I should
leave such bugs alone for now, since they are likely to go away. Correct?
This is my report. It's based on Matt's version of the install guide
http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox-doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yum/content/index.html.
---------------------------
Section 2 Basic environment
---------------------------
openstack-selinux not found in the repositories I am using. On first look,
it seems that there is no need to install it, as rules in
/etc/selinux/targeted/contexts/files/* seem to be the same as on my Juno
installation. So I am brave, plan to watch the audit log and go ahead
without modifying SELinux configs.
In Juno and prior releases, RHEL/CentOS required installing openstack-selinux to configure SELinux rules, but Fedora included them by default. Maybe this requirement changed for RHEL/CentOS in Kilo?
CONTENT: The guide lacks info about the firewall rules, except a vague
allusion in Chapter 2 Basic Environment.
Since this is Red Hat with a locked-down firewall, nothing will work without
opening ports for fundamental services (DB, RabbitMQ) and the OpenStack
services.
A couple of cycles ago, we decided to make first-time installations easier by recommending that people disable the firewall and then use the security guide later to increase security before moving to production. Furthermore, no one should use the installation guide architecture for production without augmenting it with at least the security guide, HA guide, and potentially a deployment automation system.
My NTP server doesn't work (this has nothing to do with OpenStack).
This forum says that NTP needs to be started after DNS (???)
https://forum.zentyal.org/index.php/topic,13045.0.html
In any case, issuing a ``systemctl restart ntpd.service`` fixes the problem,
but how can it be done automatically?
I haven't seen this issue and need more information here... perhaps some error messages?
---------------------------------
section 2, Maria DB installation:
---------------------------------
``/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command
not found``
I haven't seen this issue. Seems like packaging, but I can't imagine RH breaking the MariaDB packages.
CONTENT: The install guide doesn't say how to answer the questions of this
script.
I think we could add some information to the guide, but in the long run think we should expect our audience to know at least the basics of MariaDB.
After setting the root password on the DB, I just hit enter at each
question.
------------------------------------
Section 2, Rabbit MQ installation:
------------------------------------
CONTENT: The guide asks for adding a line to /etc/rabbitmq/rabbitmq.config.
Scratching my head because I don't have that file, but then I see that it
may not always exist. Perhaps this should be made clearer to accommodate
slow thinkers.
I don't see where the guide asks to edit this file.
-------------------------------
Section 3, Identity concepts
-------------------------------
CONTENT: The diagram showing the process flow confuses me more than it
helps.
Most of the conceptual sections come from common content (outside of the installation guide) that needs clarification.
--------------------------------
Section 3, install and configure
--------------------------------
``yum install openstack-keystone python-keystoneclient``: dependency
python-cryptography can't be found
After adding this repo (found via internet search):
[npmccallum-python-cryptography]
name=Copr repo for python-cryptography owned by npmccallum
baseurl=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cryptography/pubkey.gpg
enabled=1
it works.
This looks very much like a packaging error, and I hope it will eventually
go away.
I'm going with a packaging problem.
CONTENT (or perhaps not CONTENT): keystone.conf contains "connection =
<None>" rather than the connection string cited in the install guide. This
may be legitimately so, in which case the guide needs to be modified, or a
packaging error.
I don't understand the problem. The guide says to configure "connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone" in the keystone.conf file.
------------------------------------------------------
Section 3, create the service entity and API endpoints
------------------------------------------------------
CONTENT: ``openstack`` command missing. Found in the package
python-openstackclient.
We need to update the list of packages to install.
CONTENT: ``openstack service create --type identity`` gives me:
WARNING: openstackclient.identity.v2_0.service.CreateService The
argument --type is deprecated, use service create --name <service-name> type
instead.
What version of python-openstackclient?
I don't like the openstack client, because its help facility is much
inferior to the one of the separate command line clients. Tough luck, I
guess.
Keystone requires it now, but we don't need to use it for other services.
CONTENT: The relevance of the sentence "Also, OpenStack supports multiple
regions for scalability" is not clear to a first time (even n-th time) user.
I think we're trying to explain why we keep the installation guide as simple as possible. What do you suggest?
CONTENT: Why are we using API v2, not v3? Why a separate adminurl port, and
same port for internal and publicurl? Some clarification would help.
We support Keystone API v2 and v3. Keystone kept /v2.0 for compatibility, although most clients know how to access v3. We could add some clarification between the two ports. In short, administrative operations use 35357 and user operations use 5000.
CONTENT: I would phrase the note at the end differently, e.g. "You will
create similar endpoints for each of the other services as you install them"
For whatever reason, we're not allowed to use future tense.
--------------------------------------------
Section 3, Create projects, users, and roles
--------------------------------------------
CONTENT: Rather than saying "project (tenant)", be a bit more explicit e.g.
"project (also named "tenant" in earlier OpenStack releases)"
Seems reasonable... but we'll just mention it once.
CONTENT:
# openstack role add --project demo --user demo _member_
ERROR: openstack No role with a name or ID of '_member_' exists.
I fix this by adding the _member_ role first:
# openstack role create _member_
Keystone should create the _member_ role automatically during creation of the demo tenant/user. The guide used to explicitly create this role and later stopped after it caused problems. I think some distributions are using strange configuration options.
--------------------------------------------
Section 3, verify operation
--------------------------------------------
CONTENT: There is no /etc/keystone/keystone-paste.ini; it's now under
/usr/share/keystone. Not sure yet if this file is supposed to be modified.
It seems that all the Paste/Deploy files are now under /usr/share.
We can use a different directory for RH.
For now, instead of changing paste.ini I just remove the admin token from
keystone.conf.
This just changes the token to "ADMIN" rather than disabling the method.
--------------------------------------------
Section 4, Glance install and configure
--------------------------------------------
ugly message when synching DB:
/usr/lib/python2.7/site-packages/glance/db/sqlalchemy/artifacts.py:20:
DeprecationWarning: The oslo namespace package is deprecated. Please use
oslo_config instead.
Not sure what to do about this.
I haven't seen this on Ubuntu yet. Maybe a packaging problem.
--------------------------------------------
Section 4, Verify operation
--------------------------------------------
Major problems with glance. I am stuck with problem 3 below.
Problem 1:
~~~~~~~~~~
glance image-create fails. See also Monty Taylor's comments on the docs and
dev mailing lists.
It turns out that I am using glance API v2, set in the rc files:
export OS_IMAGE_API_VERSION=2
Glance v2 requires a quite different workflow to upload images. Setting API
version to 1 for the moment.
The python-glanceclient should use version 2, but nova still uses version 1. The command to upload images changes slightly for version 2. Basically, "--is-public True" becomes "--visibility public" for image creation.
Problem 2:
~~~~~~~~~~
It turns out glance is not running. api.log says:
ERROR glance.common.config [-] Unable to load glance-api-keystone
from configuration file /usr/share/glance/glance-api-dist-paste.ini.
Got: ImportError('No module named elasticsearch',)
After pip install elasticsearch, I can start glance.
Packaging.
Still getting a strange warning in api.log:
2015-04-12 17:42:30.267 6789 WARNING oslo_config.cfg [-] Option
"username" from group "keystone_authtoken" is deprecated. Use option
"username" from group "keystone_authtoken".
This is a side effect of OpenStack deprecating "username" several releases ago and then bringing it back in a different form for Kilo. Upstream problem.
Problem 3:
~~~~~~~~~~
Trying to upload an image now fails because of wrong credentials???? Haven't
resolved this yet. Any glance request is rejected with
# glance image-list
Invalid OpenStack Identity credentials.
Could be a number of things.
Glance's API log:
2015-04-12 22:31:03.932 9048 DEBUG keystoneclient.session [-] REQ: curl -g
-i -X GET http://kilocontrol:35357 -H "Accept: application/json" -H
"User-Agent: python-keystoneclient" _http_log_request
/usr/lib/python2.7/site-packages/keystoneclient/session.py:195
2015-04-12 22:31:03.935 9048 WARNING
keystoneclient.auth.identity.generic.base [-] Discovering versions from the
identity service failed when creating the password plugin. Attempting to
determine version from URL.
2015-04-12 22:31:03.936 9048 WARNING keystonemiddleware.auth_token [-]
Authorization failed for token
This seems to be related to this DEBUG entry in keystone.log:
keystone.middleware.core [-] Auth token not in the request header. Will not
build auth context. process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
I assume a misconfiguration on my side but haven't figured out what it might
be. Need to study the nature of WSGI middleware.
_______________________________________________
OpenStack-docs mailing list
OpenStack-docs at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs
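The reply under "Section 3, verify operation" points out that removing admin_token from keystone.conf leaves the token at "ADMIN" while the auth method stays enabled. The check below is an added example, not part of the thread or of Keystone itself; the sample file contents are constructed and the function names are hypothetical.

```python
import configparser

DEFAULT_ADMIN_TOKEN = "ADMIN"  # fallback value named in the thread

# Constructed, simplified samples (not copied from any real deployment).
SAMPLE_PASTE = """
[pipeline:public_api]
pipeline = sizelimit url_normalize json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize admin_token_auth json_body admin_service
"""
SAMPLE_CONF = """
[DEFAULT]
verbose = True
"""

def _parse(text):
    # Paste files can contain %(here)s and ':' in values, so turn off
    # interpolation and accept only '=' as the key/value delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp

def pipelines_with_admin_token(paste_text):
    """Names of pipelines that still include the admin_token_auth filter."""
    cp = _parse(paste_text)
    return sorted(
        s.split(":", 1)[1] for s in cp.sections()
        if s.startswith("pipeline:")
        and "admin_token_auth" in cp.get(s, "pipeline", fallback="").split()
    )

def effective_admin_token(conf_text):
    """Value the filter will accept: the configured token, else the default."""
    value = _parse(conf_text).defaults().get("admin_token", "").strip()
    return value or DEFAULT_ADMIN_TOKEN

def audit(paste_text, conf_text):
    findings = []
    exposed = pipelines_with_admin_token(paste_text)
    if exposed:
        findings.append("admin_token_auth enabled in: " + ", ".join(exposed))
        if effective_admin_token(conf_text) == DEFAULT_ADMIN_TOKEN:
            findings.append("admin_token unset; default token is in effect")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_PASTE, SAMPLE_CONF):
        print("FINDING:", line)
```

To run it against a real host, pass the contents of keystone.conf and of the Paste/Deploy file that the keystone service actually loads.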