[Openstack-operators] OpenStack Puppet module Keystone Juno

Richard Raseley richard at raseley.com
Thu Jan 14 21:01:28 UTC 2016


If you’re terminating SSL at HAproxy, look into the ‘SECURE_PROXY_SSL_HEADER’ and related parameters.

> On Jan 14, 2016, at 9:50 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> 
> Thanks for helping out.  I hope that I am not being too much of a pest, but I really want my group to adopt the Openstack community's puppet modules for deploying Openstack.  Now that I have keystone working on one node I want to expand on that.  I have an HAProxy cluster and I have a signed certificate.  I want to use ssl and use my HAProxy cluster.  I assume that I need to change my POC puppet manifest like so ...
> 
> class { '::keystone::endpoint':
> 
>        public_url     => "https://${controller_vip_name}:5000",
> 
>        admin_url      => "https://${controller_vip_name}:35357",
> 
>        internal_url     => "https://${controller_vip_name}:5000",
> 
>        region         => 'example-1',
> 
>     }
> 
> Where $controller_vip_name is the hostname (or IP address) of the virtual interface for my HAProxy
> 
> 
> 
> In my haproxy.cfg I have these lines:
> 
> frontend keystone-admin-vip
> 
>   bind 10.29.103.39:35357 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> 
>   default_backend  keystone-admin-api
> 
> 
> 
> frontend keystone-public-vip
> 
>   bind 10.29.103.39:5000 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> 
> 
>   default_backend  keystone-public-api
> 
> So I guess my question is, "Is there any thing else I need to do besides changing the values I pass to my keystone::endpoint resource?".
> 
> 
> 
> Thanks!
> 
> 
> On Fri, Jan 8, 2016 at 10:13 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> oops.  I figured it out ...
> 
> MariaDB [keystone_db_name]> select * from project;
> 
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> 
> | id                               | name      | extra | description                       | enabled | domain_id | parent_id |
> 
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> 
> | af4e7a8966fb4665aaac22a8b9687c8f | openstack | {}    | admin tenant                      |       1 | default   | NULL      |
> 
> | b83b33cc7d314181af50a2a80c995b0c | services  | {}    | Tenant for the openstack services |       1 | default   | NULL      |
> 
> +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> 
> 2 rows in set (0.01 sec)
> 
> 
> 
> MariaDB [keystone_db_name]> quit
> 
> Bye
> 
> [root at ost-services-centos-001 ~]# exit
> 
> logout
> 
> Connection to ost-services-centos-001 closed.
> 
> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name openstack --os-username admin --os-auth-type password   token issue
> 
> Password:
> 
> +------------+----------------------------------+
> 
> | Field      | Value                            |
> 
> +------------+----------------------------------+
> 
> | expires    | 2016-01-08T19:12:14Z             |
> 
> | id         | 581a5c2e8a074740a510cbadebf17815 |
> 
> | project_id | af4e7a8966fb4665aaac22a8b9687c8f |
> 
> | user_id    | b3f1f4bcfb114559a05378bd6ce39e55 |
> 
> +------------+----------------------------------+
> 
> 
> On Fri, Jan 8, 2016 at 10:09 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> Hi Rich,
> 
> Thanks for all your help so far.
> I am getting clean puppet runs (I still get depreciation warnings) but "puppet agent -t" is running without error now:
> 
> [root at ost-mgmt-centos-001 ~]# puppet agent -t
> 
> Info: Retrieving pluginfacts
> 
> Info: Retrieving plugin
> 
> Info: Loading facts
> 
> Error: NetworkManager is not running.
> 
> Info: Caching catalog for ost-mgmt-centos-001.example.com
> 
> Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project.
> 
> Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.
> 
> Info: Applying configuration version '1452275612'
> 
> Notice: /Stage[main]/Wrapcontroller/Exec[/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin]/returns: executed successfully
> 
> Notice: Finished catalog run in 11.53 seconds
> 
> 
> Here is the puppet module I am using currently:
> 
> class wrapcontroller(
> 
> ... long list of parameters I am not using yet ...
> 
> ) {
> 
>     class {'my-openstack::disable_firewall':} ->
> 
>     class {'my-openstack::disable_selinux':} ->
> 
>     class {'my-openstack::disable_network_manager':} ->
> 
> 
> 
>     exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
> 
>     exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
> 
>     exec { '/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin':}
> 
>     $packages = ['mariadb', 'mod_wsgi', 'memcached', 'python-memcached']
> 
>     package { $packages : ensure => present, }
> 
> 
> 
>     exec { 'keystone_database_init':
> 
>         command => '/usr/bin/keystone-manage db_sync',
> 
>         onlyif => [
> 
>             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
> 
>             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
> 
>         ],
> 
>         require => Package['mariadb'],
> 
>     }
> 
>     $services = ['memcached']
> 
>     service { $services : ensure => running, enable => true, }
> 
>     # found out that you shouldn't create the wsgi-ketstone.conf file as it prevents httpd from starting
> 
>     file { '/etc/httpd/conf.d/wsgi-keystone.conf':
> 
>         ensure  => absent,
> 
> #        content => template( "wrapcontroller/wsgi-keystone.conf.erb" ),
> 
>     }
> 
>     class {'::keystone':
> 
>         admin_token                => $keystone_auth_token,
> 
>         catalog_type               => 'sql',
> 
>         database_connection        => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
> 
>         debug                      => $debug,
> 
>         verbose                    => $debug,
> 
>     }
> 
> 
> 
> #    include ::apache
> 
> #    class { '::keystone::wsgi::apache': ssl => false, }
> 
>     class { '::keystone::roles::admin':
> 
>        email        => $keystone_admin_email,
> 
>        password     => $keystone_admin_password,
> 
>     }
> 
>     class { '::keystone::endpoint':
> 
>        public_url     => "http://127.0.0.1:5000",
> 
>        admin_url      => "http://127.0.0.1:35357",
> 
>        internal_url     => "http://127.0.0.1:5000",
> 
>        region         => 'example-1',
> 
>     }
> 
> }
> 
> The above runs but I am unable to verify that keystone is working as per the docs here:
> 
> http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html
> 
> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name admin --os-username admin --os-auth-type password   token issue
> 
> Password:
> 
> ERROR: openstack Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-7c9b4b3b-dfe8-48a9-98eb-668b18e9b3bb)
> 
> [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name admin --os-username admin --os-auth-type password   token issue
> 
> Password:
> 
> ERROR: openstack Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-c42ee03c-eb7b-4858-9743-a376fda0dc1f)
> 
> 
> 
> 
> 
> openstack Could not find project: admin
> 
> Hmm what is the project's name?  How can I figure that out?
> 
> 
> 
> Thanks,
> 
> Russ
> 
> 
> On Tue, Jan 5, 2016 at 2:22 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> On 01/05/2016 02:42 PM, Russell Cecala wrote:
>> Hi Rich,
>> 
>> I guess I am kind of confused. I thought "class { '::keystone::roles::admin':" was suppose to create the "admin" user and set the password to $keystone_admin_password.  If class { '::keystone::roles::admin' doesn't create the admin user what does?
> 
> It either creates it, or ensures that it has the specified properties, if it already exists.  In this case, it seems that it already exists, so it attempts to ensure that it has the specified properties.
> 
>> And what kind of user are we talking about?  A user that shows up in the /etc/passwd file or an mysql user or a keystone user of some sort?
> 
> a keystone user - a user that shows up when you do "$ openstack user list" as an admin user.
> 
> 
>> Sorry I am pretty confused :)
>> 
>> After I truncate my /var/log/keystone/keystone.log and run puppet agent -t I get this output to my keystone.log
>> 
>> 2016-01-05 16:28:38.342 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:38.346 10596 INFO keystone.common.wsgi [-] GET /projects?
>> 
>> 2016-01-05 16:28:38.347 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:38.352 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000
>> 
>> 2016-01-05 16:28:39.144 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:39.147 10596 INFO keystone.common.wsgi [-] GET /domains?
>> 
>> 2016-01-05 16:28:39.148 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:39.152 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:39] "GET /v3/domains HTTP/1.1" 200 702 0.009214
>> 
>> 2016-01-05 16:28:39.929 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:39.932 10596 INFO keystone.common.wsgi [-] GET /roles?
>> 
>> 2016-01-05 16:28:39.933 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:39.938 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:39] "GET /v3/roles HTTP/1.1" 200 615 0.009210
>> 
>> 2016-01-05 16:28:40.712 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:40.716 10596 INFO keystone.common.wsgi [-] GET /users?
>> 
>> 2016-01-05 16:28:40.716 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:40.721 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:40] "GET /v3/users HTTP/1.1" 200 820 0.008919
>> 
>> 2016-01-05 16:28:41.562 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:41.565 10596 INFO keystone.common.wsgi [-] GET /domains?
>> 
>> 2016-01-05 16:28:41.566 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:41.571 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:41] "GET /v3/domains HTTP/1.1" 200 702 0.009300
>> 
>> 2016-01-05 16:28:42.331 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:42.335 10596 INFO keystone.common.wsgi [-] GET /users/5ec5abf83d164d439b603d72606b99fd?
>> 
>> 2016-01-05 16:28:42.335 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:42.340 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd HTTP/1.1" 200 472 0.009393
>> 
>> 2016-01-05 16:28:42.353 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:42.356 10596 INFO keystone.common.wsgi [-] GET /users/5ec5abf83d164d439b603d72606b99fd/projects?
>> 
>> 2016-01-05 16:28:42.357 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:42.370 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd/projects HTTP/1.1" 200 632 0.016973
>> 
>> 2016-01-05 16:28:43.217 10599 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>> 
>> 2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002948
>> 
>> 2016-01-05 16:28:43.318 10599 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>> 
>> 2016-01-05 16:28:43.321 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002887
>> 
> 
> This is strange.  /v2.0/auth/tokens does not exist.  It is /v2.0/tokens for v2, and /v3/auth/tokens for v3.  This would indicate that perhaps your openrc setting with the "/v2.0" suffix is polluting the puppet run?
> 
> 
>> 2016-01-05 16:28:44.076 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:44.079 10596 INFO keystone.common.wsgi [-] GET /services?
>> 
>> 2016-01-05 16:28:44.079 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
>> 
>> 2016-01-05 16:28:44.084 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v3/services HTTP/1.1" 200 558 0.008541
>> 
>> 2016-01-05 16:28:44.871 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:44.873 10596 INFO keystone.common.wsgi [-] GET /endpoints?
>> 
>> 2016-01-05 16:28:44.878 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931
>> 
>> 2016-01-05 16:28:44.891 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:44.892 10596 INFO keystone.common.wsgi [-] GET /OS-KSADM/services/07622af16010436aadb463adffff4099?
>> 
>> 2016-01-05 16:28:44.896 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385 0.005287
>> 
>> 2016-01-05 16:28:44.899 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
>> 
>> 2016-01-05 16:28:44.900 10596 INFO keystone.common.wsgi [-] GET /OS-KSADM/services/07622af16010436aadb463adffff4099?
>> 
>> 2016-01-05 16:28:44.904 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385 0.005030
>> 
>> 
>> On Mon, Jan 4, 2016 at 3:22 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>> On 01/04/2016 03:07 PM, Russell Cecala wrote:
>>> Thank you for the reply Rich,
>>> 
>>> Here are the versions of my puppet modules:
>>> 
>>> [root at ost-puppet-centos-001 keystone]# puppet module list
>>> 
>>> /etc/puppetlabs/puppet/environments/production/modules
>>> 
>>> ├── nanliu-staging (v1.0.3)
>>> 
>>> ├── openstack-keystone (v6.1.0)
>>> 
>>> ├── openstack-openstacklib (v6.1.0)
>>> 
>>> ├── puppetlabs-apache (v1.7.0)
>>> 
>>> ├── puppetlabs-apt (v1.8.0)
>>> 
>>> ├── puppetlabs-concat (v1.2.4)
>>> 
>>> ├── puppetlabs-firewall (v1.7.1)
>>> 
>>> ├── puppetlabs-inifile (v1.4.2)
>>> 
>>> ├── puppetlabs-mysql (v3.6.1)
>>> 
>>> ├── puppetlabs-postgresql (v3.4.2)
>>> 
>>> ├── puppetlabs-rabbitmq (v5.3.1)
>>> 
>>> └── puppetlabs-stdlib (v4.9.0)
>>> 
>>> /etc/puppetlabs/puppet/modules
>>> 
>>> ├── cisco-gis-openstack (???)
>>> 
>>> ├── haproxy (???)
>>> 
>>> ├── keepalived (???)
>>> 
>>> ├── mikduart-unnamed (v0.1.0)
>>> 
>>> ├── mikduart-unnamed (v0.1.0)
>>> 
>>> ├── mikduart-unnamed (v0.1.0)
>>> 
>>> ├── puppetlabs-mongodb (v0.10.0)
>>> 
>>> ├── saz-memcached (v2.4.0)
>>> 
>>> ├── setup_mariadb_script (???)
>>> 
>>> ├── sysctl (???)
>>> 
>>> └── wrapmongodb (???)
>>> 
>>> /opt/puppet/share/puppet/modules
>>> 
>>> ├── puppetlabs-pe_accounts (v2.0.2-8-g8acc04e)
>>> 
>>> ├── puppetlabs-pe_concat (v1.1.2-4-g2b7bba2)
>>> 
>>> ├── puppetlabs-pe_console_prune (v0.1.1-4-g293f45b)
>>> 
>>> ├── puppetlabs-pe_inifile (v1.1.4-16-gcb39966)
>>> 
>>> ├── puppetlabs-pe_java_ks (v1.2.4-35-g44fbb26)
>>> 
>>> ├── puppetlabs-pe_postgresql (v3.4.4-15-g32e56ed)
>>> 
>>> ├── puppetlabs-pe_razor (v0.2.1-9-g8d78ec2)
>>> 
>>> ├── puppetlabs-pe_repo (v0.7.7-59-g4514315)
>>> 
>>> ├── puppetlabs-pe_staging (v0.3.3-6-gbd9db2b)
>>> 
>>> └── puppetlabs-puppet_enterprise (v3.7.1-117-g9c48e73)
>>> 
>>> 
>>> I am not sure I have the right values in my openrc but I have been using:
>>> 
>>> 
>>> # cat openrc.localhost
>>> 
>>> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
>>> 
>>> export OS_PASSWORD=xxxxxxxxxxxxxxxx
>>> 
>>> export OS_TENANT_NAME=admin
>>> 
>>> 
>>> export OS_USERNAME=admin
>>> 
>> 
>> Is this sourced into the environment where puppet is running?  It should not be.
>> 
>> 
>>> 
>>> I believe this is the openstackclient version I am using:
>>> 
>>> 
>>> [root at ost-mgmt-centos-001 ~]# rpm -qa | grep openstackclient
>>> 
>>> 
>>> python-openstackclient-1.0.3-2.el7.noarch
>>> 
>>> 
>>> On Mon, Jan 4, 2016 at 1:19 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>> On 01/04/2016 02:06 PM, Russell Cecala wrote:
>>>> Hi Emilien,
>>>> 
>>>> 
>>>> I am trying to use https://github.com/openstack/puppet-keystone to set up a Kilo keystone node.
>>> 
>>> I'm assuming you're using the kilo branch there?
>>> 
>>>> I was hoping to could help me out so I can get my team to adopt puppet for setting up OpenStack.
>>>> 
>>>> On my keystone node I am running centos7 with selinux disabled ...
>>> 
>>> What version of openstackclient are you using?
>>> 
>>> Do you have a $HOME/openrc or /root/openrc, or are you otherwise defining OS_* environment variables in the environment before running puppet?
>>> 
>>>> 
>>>> [root at svl-ost-mgmt-centos-001 ~]# sestatus
>>>> 
>>>> SELinux status:                 disabled
>>>> 
>>>> ... and I have flushed my iptables ...
>>>> 
>>>> 
>>>> [root at svl-ost-mgmt-centos-001 ~]# iptables -L
>>>> 
>>>> Chain INPUT (policy ACCEPT)
>>>> 
>>>> target     prot opt source               destination
>>>> 
>>>> 
>>>> Chain FORWARD (policy ACCEPT)
>>>> 
>>>> target     prot opt source               destination
>>>> 
>>>> 
>>>> Chain OUTPUT (policy ACCEPT)
>>>> 
>>>> 
>>>> target     prot opt source               destination
>>>> 
>>>> 
>>>> Yet when I run "puppet agent -t"  I get these errors:
>>>> 
>>>> 
>>>> [root at ost-mgmt-centos-001 ~]# puppet agent -t
>>>> 
>>>> Info: Retrieving pluginfacts
>>>> 
>>>> Info: Retrieving plugin
>>>> 
>>>> Info: Loading facts
>>>> 
>>>> Error: NetworkManager is not running.
>>>> 
>>>> Info: Caching catalog for ost-mgmt-centos-001.example.com
>>>> 
>>>> Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project.
>>>> 
>>>> Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.
>>>> 
>>>> Info: Applying configuration version '1451940682'
>>>> 
>>>> Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-ca2a6dd1-fdb6-48f4-94fe-8f736fcc01dd)
>>>> 
>> 
>> This usually indicates that it is trying to ensure that the user "admin" exists but the password is incorrect.  That is, the class { '::keystone::roles::admin':        password     => $keystone_admin_password is not correct.
>> 
>> If you are sure it is correct, then it could be a mismatch between the identity api version used by the puppet module and the one specified in the environment.  Check the keystone access logs to see what URL this is trying to access - something with /token or /tokens, or something with /auth/token or /auth/tokens
>> 
>>>> Notice: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]: Dependency Keystone_user[admin] has failures: true
>>>> 
>>>> Warning: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]: Skipping because of failed dependencies
>>>> 
>>>> 
>>>> Notice: Finished catalog run in 12.38 seconds
>>>> 
>>>> Here's code I am using on my puppet master ...
>>>> 
>>>> class wrapcontroller(
>>>> 
>>>> 
>>>> ... big list of parameters I am not using until I can get keystone going ...
>>>> 
>>>> ) {
>>>> 
>>>> 
>>>>     exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
>>>> 
>>>>     exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
>>>> 
>>>> 
>>>>     package { 'mariadb': ensure => present, }
>>>> 
>>>>     exec { 'keystone_database_init':
>>>> 
>>>>         command => '/usr/bin/keystone-manage db_sync',
>>>> 
>>>>         onlyif => [
>>>> 
>>>>             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
>>>> 
>>>>             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
>>>> 
>>>>         ],
>>>> 
>>>>         require => Package['mariadb'],
>>>> 
>>>>     }
>>>> 
>>>> 
>>>>     class {'::keystone':
>>>> 
>>>>         admin_token                => $keystone_auth_token,
>>>> 
>>>>         database_connection        => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
>>>> 
>>>>         debug                      => $debug,
>>>> 
>>>>         enabled                    => true,
>>>> 
>>>>         enable_ssl                 => false,
>>>> 
>>>>         service_name               => 'httpd', # this is a kilo thing
>>>> 
>>>>         verbose                    => $debug,
>>>> 
>>>>     }
>>>> 
>>>> 
>>>>     include ::apache
>>>> 
>>>>     class { '::keystone::wsgi::apache': ssl => false, }
>>>> 
>>>>     class { '::keystone::roles::admin':
>>>> 
>>>>        email        => $keystone_admin_email,
>>>> 
>>>>        password     => $keystone_admin_password,
>>>> 
>>>>     }
>>>> 
>>>>     class { '::keystone::endpoint':
>>>> 
>>>>        public_url     => "http://127.0.0.1:5000",
>>>> 
>>>>        admin_url      => "http://127.0.0.1:35357",
>>>> 
>>>>        default_domain => 'admin',
>>>> 
>>>>     }
>>>> 
>>>> 
>>>> }
>>>> 
>>>> Thanks! And Happy New Year to you :)
>>>> Red
>>>> 
>>>> 
>>>> 
>>>> On Tue, Nov 24, 2015 at 2:38 PM, Emilien Macchi <emilien at redhat.com> wrote:
>>>> 
>>>> 
>>>> On 11/24/2015 11:21 PM, Russell Cecala wrote:
>>>> > I am trying to use the OpenStack community puppet modules.  Here's the
>>>> > keystone module I am using:  https://github.com/openstack/puppet-keystone
>>>> > I am using the stable juno branch.  I have in my puppet manifest for my
>>>> > controller nodes this resource definition:
>>>> >
>>>> >     class { '::keystone::roles::admin':
>>>> >         admin        => $keystone_admin_user,
>>>> >         email        => $keystone_admin_email,
>>>> >         password     => $keystone_admin_password,
>>>> >     } ->
>>>> >
>>>> > And when puppet runs that code I get this error:
>>>> >
>>>> >     Error:
>>>> > /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[keystone_admin_user at openstack]:
>>>> > Could not evaluate: Execution of '/usr/bin/openstack domain show
>>>> > --format shell' returned 2: usage: openstack domain show [-h] [-f
>>>> > {shell,table,value}] [-c COLUMN]
>>>> >                                  [--max-width <integer>] [--prefix PREFIX]
>>>> >                                  <domain>
>>>> >     openstack domain show: error: too few arguments
>>>> 
>>>> Sounds like an issue with your version of openstackclient, can you
>>>> provide it?
>>>> 
>>>> >
>>>> > Can anyone help me?  Are these Puppet modules still being supported?
>>>> 
>>>> Yes :-)
>>>> 
>>>> > Does anyone use them?  Thanks!
>>>> 
>>>> Double yes.
>>>> --
>>>> Emilien Macchi
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OpenStack-operators mailing list
>>>> 
>>>> OpenStack-operators at lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>> 
>>> 
>>> _______________________________________________
>>> OpenStack-operators mailing list
>>> OpenStack-operators at lists.openstack.org
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>> 
>>> 
>> 
>> 
> 
> 
> 
> 
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160114/b91e2d27/attachment-0001.pgp>


More information about the OpenStack-operators mailing list