[Openstack-operators] OpenStack Puppet module Keystone Juno

Russell Cecala red.cricket.blog at gmail.com
Thu Jan 14 17:50:11 UTC 2016


Thanks for helping out.  I hope that I am not being too much of a pest, but
I really want my group to adopt the Openstack community's puppet modules
for deploying Openstack.  Now that I have keystone working on one node I
want to expand on that.  I have an HAProxy cluster and I have a signed
certificate.  I want to use ssl and use my HAProxy cluster.  I assume that
I need to change my POC puppet manifest like so ...

class { '::keystone::endpoint':
       public_url     => "https://${controller_vip_name}:5000",
       admin_url      => "https://${controller_vip_name}:35357",
       internal_url   => "https://${controller_vip_name}:5000",
       region         => 'example-1',
    }

Where $controller_vip_name is the hostname (or IP address) of the virtual
interface for my HAProxy


In my haproxy.cfg I have these lines:

frontend keystone-admin-vip
  bind 10.29.103.39:35357 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
  default_backend  keystone-admin-api

frontend keystone-public-vip
  bind 10.29.103.39:5000 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
  default_backend  keystone-public-api

So I guess my question is, "Is there anything else I need to do besides
changing the values I pass to my keystone::endpoint resource?".


Thanks!

On Fri, Jan 8, 2016 at 10:13 AM, Russell Cecala <red.cricket.blog at gmail.com>
wrote:

> oops.  I figured it out ...
>
> MariaDB [keystone_db_name]> select * from project;
>
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> | id                               | name      | extra | description                       | enabled | domain_id | parent_id |
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> | af4e7a8966fb4665aaac22a8b9687c8f | openstack | {}    | admin tenant                      |       1 | default   | NULL      |
> | b83b33cc7d314181af50a2a80c995b0c | services  | {}    | Tenant for the openstack services |       1 | default   | NULL      |
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
>
> *2 rows in set (0.01 sec)*
>
>
> MariaDB [keystone_db_name]> quit
>
> *Bye*
>
> [root at ost-services-centos-001 ~]# exit
>
> logout
>
> Connection to ost-services-centos-001 closed.
>
> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name openstack --os-username admin --os-auth-type password   token issue
>
> Password:
>
> +------------+----------------------------------+
> | Field      | Value                            |
> +------------+----------------------------------+
> | expires    | 2016-01-08T19:12:14Z             |
> | id         | 581a5c2e8a074740a510cbadebf17815 |
> | project_id | af4e7a8966fb4665aaac22a8b9687c8f |
> | user_id    | b3f1f4bcfb114559a05378bd6ce39e55 |
> +------------+----------------------------------+
>
> On Fri, Jan 8, 2016 at 10:09 AM, Russell Cecala <
> red.cricket.blog at gmail.com> wrote:
>
>> Hi Rich,
>>
>> Thanks for all your help so far.
>> I am getting clean puppet runs (I still get deprecation warnings) but
>> "puppet agent -t" is running without error now:
>>
>> [root at ost-mgmt-centos-001 ~]# puppet agent -t
>>
>> Info: Retrieving pluginfacts
>>
>> Info: Retrieving plugin
>>
>> Info: Loading facts
>>
>> Error: NetworkManager is not running.
>>
>> Info: Caching catalog for ost-mgmt-centos-001.example.com
>>
>> *Warning: The tenant parameter is deprecated and will be removed in the
>> future. Please use keystone_user_role to assign a user to a project.*
>>
>> *Warning: The ignore_default_tenant parameter is deprecated and will be
>> removed in the future.*
>>
>> Info: Applying configuration version '1452275612'
>>
>> Notice: /Stage[main]/Wrapcontroller/Exec[/usr/bin/curl
>> http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo
>> | /usr/bin/tee /var/www/cgi-bin/keystone/main
>> /var/www/cgi-bin/keystone/admin]/returns: executed successfully
>>
>> Notice: Finished catalog run in 11.53 seconds
>>
>>
>> Here is the puppet module I am using currently:
>>
>> class wrapcontroller(
>>
>> ... long list of parameters I am not using yet ...
>>
>> ) {
>>
>>     class {'my-openstack::disable_firewall':} ->
>>
>>     class {'my-openstack::disable_selinux':} ->
>>
>>     class {'my-openstack::disable_network_manager':} ->
>>
>>
>>     exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
>>
>>     exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
>>
>>     exec { '/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin':}
>>
>>     $packages = ['mariadb', 'mod_wsgi', 'memcached', 'python-memcached']
>>
>>     package { $packages : ensure => present, }
>>
>>
>>     exec { 'keystone_database_init':
>>
>>         command => '/usr/bin/keystone-manage db_sync',
>>
>>         onlyif => [
>>
>>             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
>>
>>             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
>>
>>         ],
>>
>>         require => Package['mariadb'],
>>
>>     }
>>
>>     $services = ['memcached']
>>
>>     service { $services : ensure => running, enable => true, }
>>
>>     # found out that you shouldn't create the wsgi-keystone.conf file as
>>     # it prevents httpd from starting
>>
>>     file { '/etc/httpd/conf.d/wsgi-keystone.conf':
>>
>>         ensure  => absent,
>>
>> #        content => template( "wrapcontroller/wsgi-keystone.conf.erb" ),
>>
>>     }
>>
>>     class {'::keystone':
>>
>>         admin_token                => $keystone_auth_token,
>>
>>         catalog_type               => 'sql',
>>
>>         database_connection        => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
>>
>>         debug                      => $debug,
>>
>>         verbose                    => $debug,
>>
>>     }
>>
>>
>> #    include ::apache
>>
>> #    class { '::keystone::wsgi::apache': ssl => false, }
>>
>>     class { '::keystone::roles::admin':
>>
>>        email        => $keystone_admin_email,
>>
>>        password     => $keystone_admin_password,
>>
>>     }
>>
>>     class { '::keystone::endpoint':
>>
>>        public_url     => "http://127.0.0.1:5000",
>>
>>        admin_url      => "http://127.0.0.1:35357",
>>
>>        internal_url     => "http://127.0.0.1:5000",
>>
>>        region         => 'example-1',
>>
>>     }
>> }
>>
>> The above runs but I am unable to verify that keystone is working as per
>> the docs here:
>>
>>
>> http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html
>>
>> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url
>> http://127.0.0.1:35357    --os-project-name admin --os-username admin
>> --os-auth-type password   token issue
>>
>> Password:
>>
>> ERROR: openstack Invalid user / password (Disable debug mode to suppress
>> these details.) (HTTP 401) (Request-ID:
>> req-7c9b4b3b-dfe8-48a9-98eb-668b18e9b3bb)
>>
>> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url
>> http://127.0.0.1:35357    --os-project-name admin --os-username admin
>> --os-auth-type password   token issue
>>
>> Password:
>>
>> ERROR: openstack Could not find project: admin (Disable debug mode to
>> suppress these details.) (HTTP 401) (Request-ID:
>> req-c42ee03c-eb7b-4858-9743-a376fda0dc1f)
>>
>>
>>
>> openstack Could not find project: admin
>>
>> Hmm what is the project's name?  How can I figure that out?
>>
>>
>> Thanks,
>>
>> Russ
>>
>> On Tue, Jan 5, 2016 at 2:22 PM, Rich Megginson <rmeggins at redhat.com>
>> wrote:
>>
>>> On 01/05/2016 02:42 PM, Russell Cecala wrote:
>>>
>>> Hi Rich,
>>>
>>> I guess I am kind of confused. I thought "*class {
>>> '::keystone::roles::admin':*" was supposed to create the "admin" user
>>> and set the password to $keystone_admin_password.  If class {
>>> '::keystone::roles::admin' doesn't create the admin user what does?
>>>
>>>
>>> It either creates it, or ensures that it has the specified properties,
>>> if it already exists.  In this case, it seems that it already exists, so it
>>> attempts to ensure that it has the specified properties.
>>>
>>> And what kind of user are we talking about?  A user that shows up in the
>>> /etc/passwd file or an mysql user or a keystone user of some sort?
>>>
>>>
>>> a keystone user - a user that shows up when you do "$ openstack user
>>> list" as an admin user.
>>>
>>>
>>> Sorry I am pretty confused :)
>>>
>>> After I truncate my /var/log/keystone/keystone.log and run puppet agent
>>> -t I get this output to my keystone.log
>>>
>>> 2016-01-05 16:28:38.342 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:38.346 10596 INFO keystone.common.wsgi [-] GET
>>> /projects?
>>>
>>> 2016-01-05 16:28:38.347 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:38.352 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000
>>>
>>> 2016-01-05 16:28:39.144 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:39.147 10596 INFO keystone.common.wsgi [-] GET /domains?
>>>
>>> 2016-01-05 16:28:39.148 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:39.152 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:39] "GET /v3/domains HTTP/1.1" 200 702 0.009214
>>>
>>> 2016-01-05 16:28:39.929 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:39.932 10596 INFO keystone.common.wsgi [-] GET /roles?
>>>
>>> 2016-01-05 16:28:39.933 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:39.938 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:39] "GET /v3/roles HTTP/1.1" 200 615 0.009210
>>>
>>> 2016-01-05 16:28:40.712 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:40.716 10596 INFO keystone.common.wsgi [-] GET /users?
>>>
>>> 2016-01-05 16:28:40.716 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:40.721 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:40] "GET /v3/users HTTP/1.1" 200 820 0.008919
>>>
>>> 2016-01-05 16:28:41.562 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:41.565 10596 INFO keystone.common.wsgi [-] GET /domains?
>>>
>>> 2016-01-05 16:28:41.566 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:41.571 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:41] "GET /v3/domains HTTP/1.1" 200 702 0.009300
>>>
>>> 2016-01-05 16:28:42.331 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:42.335 10596 INFO keystone.common.wsgi [-] GET
>>> /users/5ec5abf83d164d439b603d72606b99fd?
>>>
>>> 2016-01-05 16:28:42.335 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:42.340 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd
>>> HTTP/1.1" 200 472 0.009393
>>>
>>> 2016-01-05 16:28:42.353 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:42.356 10596 INFO keystone.common.wsgi [-] GET
>>> /users/5ec5abf83d164d439b603d72606b99fd/projects?
>>>
>>> 2016-01-05 16:28:42.357 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:42.370 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:42] "GET
>>> /v3/users/5ec5abf83d164d439b603d72606b99fd/projects HTTP/1.1" 200 632
>>> 0.016973
>>>
>>> 2016-01-05 16:28:43.217 10599 DEBUG keystone.middleware.core [-] Auth
>>> token not in the request header. Will not build auth context.
>>> process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>>>
>>> 2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-] 10.29.103.19
>>> - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318
>>> 0.002948
>>>
>>> 2016-01-05 16:28:43.318 10599 DEBUG keystone.middleware.core [-] Auth
>>> token not in the request header. Will not build auth context.
>>> process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>>>
>>> 2016-01-05 16:28:43.321 10599 INFO eventlet.wsgi.server [-] 10.29.103.19
>>> - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318
>>> 0.002887
>>>
>>>
>>> This is strange.  /v2.0/auth/tokens does not exist.  It is /v2.0/tokens
>>> for v2, and /v3/auth/tokens for v3.  This would indicate that perhaps your
>>> openrc setting with the "/v2.0" suffix is polluting the puppet run?
>>>
>>>
>>> 2016-01-05 16:28:44.076 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:44.079 10596 INFO keystone.common.wsgi [-] GET
>>> /services?
>>>
>>> 2016-01-05 16:28:44.079 10596 WARNING keystone.common.controller [-]
>>> RBAC: Bypassing authorization
>>>
>>> 2016-01-05 16:28:44.084 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:44] "GET /v3/services HTTP/1.1" 200 558 0.008541
>>>
>>> 2016-01-05 16:28:44.871 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:44.873 10596 INFO keystone.common.wsgi [-] GET
>>> /endpoints?
>>>
>>> 2016-01-05 16:28:44.878 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931
>>>
>>> 2016-01-05 16:28:44.891 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:44.892 10596 INFO keystone.common.wsgi [-] GET
>>> /OS-KSADM/services/07622af16010436aadb463adffff4099?
>>>
>>> 2016-01-05 16:28:44.896 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:44] "GET
>>> /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385
>>> 0.005287
>>>
>>> 2016-01-05 16:28:44.899 10596 DEBUG keystone.middleware.core [-] RBAC:
>>> auth_context: {} process_request
>>> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>>>
>>> 2016-01-05 16:28:44.900 10596 INFO keystone.common.wsgi [-] GET
>>> /OS-KSADM/services/07622af16010436aadb463adffff4099?
>>>
>>> 2016-01-05 16:28:44.904 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
>>> - [05/Jan/2016 16:28:44] "GET
>>> /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385
>>> 0.005030
>>>
>>> On Mon, Jan 4, 2016 at 3:22 PM, Rich Megginson <rmeggins at redhat.com>
>>> wrote:
>>>
>>>> On 01/04/2016 03:07 PM, Russell Cecala wrote:
>>>>
>>>> Thank you for the reply Rich,
>>>>
>>>> Here are the versions of my puppet modules:
>>>>
>>>> [root at ost-puppet-centos-001 keystone]# puppet module list
>>>>
>>>> /etc/puppetlabs/puppet/environments/production/modules
>>>>
>>>> ├── nanliu-staging (v1.0.3)
>>>>
>>>> ├── openstack-keystone (v6.1.0)
>>>>
>>>> ├── openstack-openstacklib (v6.1.0)
>>>>
>>>> ├── puppetlabs-apache (v1.7.0)
>>>>
>>>> ├── puppetlabs-apt (v1.8.0)
>>>>
>>>> ├── puppetlabs-concat (v1.2.4)
>>>>
>>>> ├── puppetlabs-firewall (v1.7.1)
>>>>
>>>> ├── puppetlabs-inifile (v1.4.2)
>>>>
>>>> ├── puppetlabs-mysql (v3.6.1)
>>>>
>>>> ├── puppetlabs-postgresql (v3.4.2)
>>>>
>>>> ├── puppetlabs-rabbitmq (v5.3.1)
>>>>
>>>> └── puppetlabs-stdlib (v4.9.0)
>>>>
>>>> /etc/puppetlabs/puppet/modules
>>>>
>>>> ├── cisco-gis-openstack (???)
>>>>
>>>> ├── haproxy (???)
>>>>
>>>> ├── keepalived (???)
>>>>
>>>> ├── mikduart-unnamed (v0.1.0)
>>>>
>>>> ├── mikduart-unnamed (v0.1.0)
>>>>
>>>> ├── mikduart-unnamed (v0.1.0)
>>>>
>>>> ├── puppetlabs-mongodb (v0.10.0)
>>>>
>>>> ├── saz-memcached (v2.4.0)
>>>>
>>>> ├── setup_mariadb_script (???)
>>>>
>>>> ├── sysctl (???)
>>>>
>>>> └── wrapmongodb (???)
>>>>
>>>> /opt/puppet/share/puppet/modules
>>>>
>>>> ├── puppetlabs-pe_accounts (v2.0.2-8-g8acc04e)
>>>>
>>>> ├── puppetlabs-pe_concat (v1.1.2-4-g2b7bba2)
>>>>
>>>> ├── puppetlabs-pe_console_prune (v0.1.1-4-g293f45b)
>>>>
>>>> ├── puppetlabs-pe_inifile (v1.1.4-16-gcb39966)
>>>>
>>>> ├── puppetlabs-pe_java_ks (v1.2.4-35-g44fbb26)
>>>>
>>>> ├── puppetlabs-pe_postgresql (v3.4.4-15-g32e56ed)
>>>>
>>>> ├── puppetlabs-pe_razor (v0.2.1-9-g8d78ec2)
>>>>
>>>> ├── puppetlabs-pe_repo (v0.7.7-59-g4514315)
>>>>
>>>> ├── puppetlabs-pe_staging (v0.3.3-6-gbd9db2b)
>>>>
>>>> └── puppetlabs-puppet_enterprise (v3.7.1-117-g9c48e73)
>>>>
>>>>
>>>> I am not sure I have the right values in my openrc but I have been
>>>> using:
>>>>
>>>>
>>>> # cat openrc.localhost
>>>>
>>>> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
>>>>
>>>> export OS_PASSWORD=xxxxxxxxxxxxxxxx
>>>>
>>>> export OS_TENANT_NAME=admin
>>>>
>>>> export OS_USERNAME=admin
>>>>
>>>>
>>>> Is this sourced into the environment where puppet is running?  It
>>>> should not be.
>>>>
>>>>
>>>>
>>>> I believe this is the openstackclient version I am using:
>>>>
>>>>
>>>> [root at ost-mgmt-centos-001 ~]# rpm -qa | grep openstackclient
>>>>
>>>> python-*openstackclient*-1.0.3-2.el7.noarch
>>>>
>>>> On Mon, Jan 4, 2016 at 1:19 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>>>
>>>>> On 01/04/2016 02:06 PM, Russell Cecala wrote:
>>>>>
>>>>> Hi Emilien,
>>>>>
>>>>>
>>>>> I am trying to use https://github.com/openstack/puppet-keystone to set up a Kilo
>>>>> keystone node.
>>>>>
>>>>>
>>>>> I'm assuming you're using the kilo branch there?
>>>>>
>>>>> I was hoping you could help me out so I can get my team to adopt puppet
>>>>> for setting up OpenStack.
>>>>>
>>>>> On my keystone node I am running centos7 with selinux disabled ...
>>>>>
>>>>>
>>>>> What version of openstackclient are you using?
>>>>>
>>>>> Do you have a $HOME/openrc or /root/openrc, or are you otherwise
>>>>> defining OS_* environment variables in the environment before running
>>>>> puppet?
>>>>>
>>>>>
>>>>> [root at svl-ost-mgmt-centos-001 ~]# sestatus
>>>>>
>>>>> SELinux status:                 disabled
>>>>>
>>>>> ... and I have flushed my iptables ...
>>>>>
>>>>>
>>>>> [root at svl-ost-mgmt-centos-001 ~]# iptables -L
>>>>>
>>>>> Chain INPUT (policy ACCEPT)
>>>>>
>>>>> target     prot opt source               destination
>>>>>
>>>>>
>>>>> Chain FORWARD (policy ACCEPT)
>>>>>
>>>>> target     prot opt source               destination
>>>>>
>>>>>
>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>
>>>>> target     prot opt source               destination
>>>>>
>>>>>
>>>>> Yet when I run "puppet agent -t"  I get these errors:
>>>>>
>>>>>
>>>>> [root at ost-mgmt-centos-001 ~]# puppet agent -t
>>>>>
>>>>> Info: Retrieving pluginfacts
>>>>>
>>>>> Info: Retrieving plugin
>>>>>
>>>>> Info: Loading facts
>>>>>
>>>>> Error: NetworkManager is not running.
>>>>>
>>>>> Info: Caching catalog for ost-mgmt-centos-001.example.com
>>>>>
>>>>> *Warning: The tenant parameter is deprecated and will be removed in
>>>>> the future. Please use keystone_user_role to assign a user to a project.*
>>>>>
>>>>> *Warning: The ignore_default_tenant parameter is deprecated and will
>>>>> be removed in the future.*
>>>>>
>>>>> Info: Applying configuration version '1451940682'
>>>>>
>>>>> *Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]:
>>>>> Could not evaluate: Execution of '/usr/bin/openstack token issue --format
>>>>> value' returned 1: ERROR: openstack The resource could not be found. (HTTP
>>>>> 404) (Request-ID: req-ca2a6dd1-fdb6-48f4-94fe-8f736fcc01dd)*
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *This usually indicates that it is trying to ensure that the user
>>>> "admin" exists but the password is incorrect.  That is, the class {
>>>> '::keystone::roles::admin':        password     => $keystone_admin_password
>>>> is not correct. If you are sure it is correct, then it could be a mismatch
>>>> between the identity api version used by the puppet module and the one
>>>> specified in the environment.  Check the keystone access logs to see what
>>>> URL this is trying to access - something with /token or /tokens, or
>>>> something with /auth/token or /auth/tokens *
>>>>
>>>> Notice:
>>>>> /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]:
>>>>> Dependency Keystone_user[admin] has failures: true
>>>>>
>>>>> *Warning:
>>>>> /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]:
>>>>> Skipping because of failed dependencies*
>>>>>
>>>>> Notice: Finished catalog run in 12.38 seconds
>>>>>
>>>>> Here's code I am using on my puppet master ...
>>>>>
>>>>> class wrapcontroller(
>>>>>
>>>>> ... big list of parameters I am not using until I can get keystone
>>>>> going ...
>>>>>
>>>>> ) {
>>>>>
>>>>>
>>>>>     exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
>>>>>
>>>>>     exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
>>>>>
>>>>>
>>>>>     package { 'mariadb': ensure => present, }
>>>>>
>>>>>     exec { 'keystone_database_init':
>>>>>
>>>>>         command => '/usr/bin/keystone-manage db_sync',
>>>>>
>>>>>         onlyif => [
>>>>>
>>>>>             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
>>>>>
>>>>>             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
>>>>>
>>>>>         ],
>>>>>
>>>>>         require => Package['mariadb'],
>>>>>
>>>>>     }
>>>>>
>>>>>
>>>>>     class {'::keystone':
>>>>>
>>>>>         admin_token                => $keystone_auth_token,
>>>>>
>>>>>         database_connection        => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
>>>>>
>>>>>         debug                      => $debug,
>>>>>
>>>>>         enabled                    => true,
>>>>>
>>>>>         enable_ssl                 => false,
>>>>>
>>>>>         service_name               => 'httpd', # this is a kilo thing
>>>>>
>>>>>         verbose                    => $debug,
>>>>>
>>>>>     }
>>>>>
>>>>>
>>>>>     include ::apache
>>>>>
>>>>>     class { '::keystone::wsgi::apache': ssl => false, }
>>>>>
>>>>>     class { '::keystone::roles::admin':
>>>>>
>>>>>        email        => $keystone_admin_email,
>>>>>
>>>>>        password     => $keystone_admin_password,
>>>>>
>>>>>     }
>>>>>
>>>>>     class { '::keystone::endpoint':
>>>>>
>>>>>        public_url     => "http://127.0.0.1:5000",
>>>>>
>>>>>        admin_url      => "http://127.0.0.1:35357",
>>>>>
>>>>>        default_domain => 'admin',
>>>>>
>>>>>     }
>>>>>
>>>>> }
>>>>> Thanks! And Happy New Year to you :)
>>>>> Red
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Nov 24, 2015 at 2:38 PM, Emilien Macchi <emilien at redhat.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 11/24/2015 11:21 PM, Russell Cecala wrote:
>>>>>> > I am trying to use the OpenStack community puppet modules.  Here's the
>>>>>> > keystone module I am using: https://github.com/openstack/puppet-keystone
>>>>>> > I am using the stable juno branch.  I have in my puppet manifest for my
>>>>>> > controller nodes this resource definition:
>>>>>> >
>>>>>> >     class { '::keystone::roles::admin':
>>>>>> >         admin        => $keystone_admin_user,
>>>>>> >         email        => $keystone_admin_email,
>>>>>> >         password     => $keystone_admin_password,
>>>>>> >     } ->
>>>>>> >
>>>>>> > And when puppet runs that code I get this error:
>>>>>> >
>>>>>> >     Error:
>>>>>> > /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[keystone_admin_user at openstack]:
>>>>>> > Could not evaluate: Execution of '/usr/bin/openstack domain show
>>>>>> > --format shell' returned 2: usage: openstack domain show [-h] [-f
>>>>>> > {shell,table,value}] [-c COLUMN]
>>>>>> >                                  [--max-width <integer>] [--prefix PREFIX]
>>>>>> >                                  <domain>
>>>>>> >     openstack domain show: error: too few arguments
>>>>>>
>>>>>> Sounds like an issue with your version of openstackclient, can you
>>>>>> provide it?
>>>>>>
>>>>>> >
>>>>>> > Can anyone help me?  Are these Puppet modules still being supported?
>>>>>>
>>>>>> Yes :-)
>>>>>>
>>>>>> > Does anyone use them?  Thanks!
>>>>>>
>>>>>> Double yes.
>>>>>> --
>>>>>> Emilien Macchi
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenStack-operators mailing list
>>>>> OpenStack-operators at lists.openstack.org
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
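
The log check suggested in the thread (see which token URL the client requests), as an added example that is not part of any message above. It scans keystone.log lines, flags token requests whose path mixes API versions (such as `/v2.0/auth/tokens`), and counts requests served right after an "RBAC: Bypassing authorization" warning; it assumes that warning marks requests authenticated with the shared `admin_token`. The function names are hypothetical, and the sample lines follow the format of the excerpt in the thread, with the last one constructed.

```python
import re
from collections import Counter

# Token-issuing paths named in the thread: /v2.0/tokens (v2), /v3/auth/tokens (v3).
VALID_TOKEN_PATHS = {"/v2.0/tokens", "/v3/auth/tokens"}

ACCESS_RE = re.compile(
    r'^\S+ \S+ (?P<pid>\d+) INFO eventlet\.wsgi\.server \[-\] (?P<client>\S+) - - '
    r'\[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
BYPASS_RE = re.compile(
    r'^\S+ \S+ (?P<pid>\d+) WARNING keystone\.common\.controller \[-\] '
    r'RBAC: Bypassing authorization'
)
TOKEN_SUFFIX_RE = re.compile(r'/(?:auth/)?tokens?$')


def classify_token_path(path):
    """Return 'ok', 'mismatch', or None when the path is not a token-issue URL."""
    path = path.split("?", 1)[0].rstrip("/")
    if not TOKEN_SUFFIX_RE.search(path):
        return None
    return "ok" if path in VALID_TOKEN_PATHS else "mismatch"


def analyse(lines):
    """Summarise token requests and admin_token-style requests in a log."""
    pending_bypass = set()        # worker pids that just logged the bypass warning
    token_requests = []
    admin_token_paths = Counter()
    for line in lines:
        m = BYPASS_RE.match(line)
        if m:
            pending_bypass.add(m.group("pid"))
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        # Assumption: the warning belongs to the next access line of the same worker.
        if m.group("pid") in pending_bypass:
            pending_bypass.discard(m.group("pid"))
            admin_token_paths[path] += 1
        if m.group("method") == "POST":
            verdict = classify_token_path(path)
            if verdict:
                token_requests.append({
                    "client": m.group("client"),
                    "path": path,
                    "status": int(m.group("status")),
                    "verdict": verdict,
                })
    return {"token_requests": token_requests, "admin_token_paths": admin_token_paths}


# Sample input in the format of the thread's excerpt; the last line is constructed.
SAMPLE_LOG = """\
2016-01-05 16:28:38.346 10596 INFO keystone.common.wsgi [-] GET /projects?
2016-01-05 16:28:38.347 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
2016-01-05 16:28:38.352 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000
2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002948
2016-01-05 16:28:44.878 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931
2016-01-05 16:29:01.100 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:29:01] "POST /v3/auth/tokens HTTP/1.1" 201 1500 0.050000
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for req in report["token_requests"]:
        print(req["verdict"], req["status"], req["client"], req["path"])
    for path, count in report["admin_token_paths"].items():
        print("admin-token request:", count, path)
```

A `mismatch` verdict with a 404 status points at a client whose auth URL and identity API version disagree, as diagnosed in the thread.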