[Openstack-operators] OpenStack Puppet module Keystone Juno

Russell Cecala red.cricket.blog at gmail.com
Thu Jan 14 21:09:42 UTC 2016


Thanks Richard,

I am not sure where to look ...

# pwd
/etc/puppetlabs/puppet/environments/production/modules
# ls
apache  apt  concat  firewall  inifile  keystone  mysql  openstacklib
postgresql  rabbitmq  staging  stdlib
# find . -type f -exec grep -i SECURE_PROXY_SSL_HEADER {} \;

no output. :)



On Thu, Jan 14, 2016 at 1:01 PM, Richard Raseley <richard at raseley.com>
wrote:

> If you’re terminating SSL at HAproxy, look into the
> ‘SECURE_PROXY_SSL_HEADER’ and related parameters.
>
> > On Jan 14, 2016, at 9:50 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> >
> > Thanks for helping out.  I hope that I am not being too much of a pest,
> > but I really want my group to adopt the Openstack community's puppet
> > modules for deploying Openstack.  Now that I have keystone working on one
> > node I want to expand on that.  I have an HAProxy cluster and I have a
> > signed certificate.  I want to use ssl and use my HAProxy cluster.  I
> > assume that I need to change my POC puppet manifest like so ...
> >
> >     class { '::keystone::endpoint':
> >        public_url     => "https://${controller_vip_name}:5000",
> >        admin_url      => "https://${controller_vip_name}:35357",
> >        internal_url   => "https://${controller_vip_name}:5000",
> >        region         => 'example-1',
> >     }
> >
> > Where $controller_vip_name is the hostname (or IP address) of the
> > virtual interface for my HAProxy
> >
> >
> >
> > In my haproxy.cfg I have these lines:
> >
> > frontend keystone-admin-vip
> >   bind 10.29.103.39:35357 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> >   default_backend  keystone-admin-api
> >
> > frontend keystone-public-vip
> >   bind 10.29.103.39:5000 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> >   default_backend  keystone-public-api
> >
> > So I guess my question is, "Is there anything else I need to do besides
> > changing the values I pass to my keystone::endpoint resource?".
> >
> >
> >
> > Thanks!
> >
> >
> > On Fri, Jan 8, 2016 at 10:13 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> > oops.  I figured it out ...
> >
> > MariaDB [keystone_db_name]> select * from project;
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > | id                               | name      | extra | description                       | enabled | domain_id | parent_id |
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > | af4e7a8966fb4665aaac22a8b9687c8f | openstack | {}    | admin tenant                      |       1 | default   | NULL      |
> > | b83b33cc7d314181af50a2a80c995b0c | services  | {}    | Tenant for the openstack services |       1 | default   | NULL      |
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > 2 rows in set (0.01 sec)
> >
> > MariaDB [keystone_db_name]> quit
> > Bye
> > [root at ost-services-centos-001 ~]# exit
> > logout
> > Connection to ost-services-centos-001 closed.
> > [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name openstack --os-username admin --os-auth-type password   token issue
> > Password:
> > +------------+----------------------------------+
> > | Field      | Value                            |
> > +------------+----------------------------------+
> > | expires    | 2016-01-08T19:12:14Z             |
> > | id         | 581a5c2e8a074740a510cbadebf17815 |
> > | project_id | af4e7a8966fb4665aaac22a8b9687c8f |
> > | user_id    | b3f1f4bcfb114559a05378bd6ce39e55 |
> > +------------+----------------------------------+
> >
> >
> > On Fri, Jan 8, 2016 at 10:09 AM, Russell Cecala <red.cricket.blog at gmail.com> wrote:
> > Hi Rich,
> >
> > Thanks for all your help so far.
> > I am getting clean puppet runs (I still get deprecation warnings) but
> > "puppet agent -t" is running without error now:
> >
> > [root at ost-mgmt-centos-001 ~]# puppet agent -t
> > Info: Retrieving pluginfacts
> > Info: Retrieving plugin
> > Info: Loading facts
> > Error: NetworkManager is not running.
> > Info: Caching catalog for ost-mgmt-centos-001.example.com
> > Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project.
> > Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.
> > Info: Applying configuration version '1452275612'
> > Notice: /Stage[main]/Wrapcontroller/Exec[/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin]/returns: executed successfully
> > Notice: Finished catalog run in 11.53 seconds
> >
> > Here is the puppet module I am using currently:
> >
> > class wrapcontroller(
> >     # ... long list of parameters I am not using yet ...
> > ) {
> >     class {'my-openstack::disable_firewall':} ->
> >     class {'my-openstack::disable_selinux':} ->
> >     class {'my-openstack::disable_network_manager':} ->
> >
> >     exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
> >     exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
> >     exec { '/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin':}
> >
> >     $packages = ['mariadb', 'mod_wsgi', 'memcached', 'python-memcached']
> >     package { $packages : ensure => present, }
> >
> >     exec { 'keystone_database_init':
> >         command => '/usr/bin/keystone-manage db_sync',
> >         onlyif => [
> >             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
> >             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
> >         ],
> >         require => Package['mariadb'],
> >     }
> >
> >     $services = ['memcached']
> >     service { $services : ensure => running, enable => true, }
> >
> >     # found out that you shouldn't create the wsgi-keystone.conf file as
> >     # it prevents httpd from starting
> >     file { '/etc/httpd/conf.d/wsgi-keystone.conf':
> >         ensure  => absent,
> > #        content => template( "wrapcontroller/wsgi-keystone.conf.erb" ),
> >     }
> >
> >     class {'::keystone':
> >         admin_token                => $keystone_auth_token,
> >         catalog_type               => 'sql',
> >         database_connection        => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
> >         debug                      => $debug,
> >         verbose                    => $debug,
> >     }
> >
> > #    include ::apache
> > #    class { '::keystone::wsgi::apache': ssl => false, }
> >
> >     class { '::keystone::roles::admin':
> >        email        => $keystone_admin_email,
> >        password     => $keystone_admin_password,
> >     }
> >
> >     class { '::keystone::endpoint':
> >        public_url     => "http://127.0.0.1:5000",
> >        admin_url      => "http://127.0.0.1:35357",
> >        internal_url   => "http://127.0.0.1:5000",
> >        region         => 'example-1',
> >     }
> > }
> >
> > The above runs but I am unable to verify that keystone is working as per
> > the docs here:
> >
> > http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html
> >
> > [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name admin --os-username admin --os-auth-type password   token issue
> > Password:
> > ERROR: openstack Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-7c9b4b3b-dfe8-48a9-98eb-668b18e9b3bb)
> >
> > [root at ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357    --os-project-name admin --os-username admin --os-auth-type password   token issue
> > Password:
> > ERROR: openstack Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-c42ee03c-eb7b-4858-9743-a376fda0dc1f)
> >
> > openstack Could not find project: admin
> >
> > Hmm what is the project's name?  How can I figure that out?
> >
> >
> >
> > Thanks,
> >
> > Russ
> >
> >
> > On Tue, Jan 5, 2016 at 2:22 PM, Rich Megginson <rmeggins at redhat.com>
> wrote:
> > On 01/05/2016 02:42 PM, Russell Cecala wrote:
> >> Hi Rich,
> >>
> >> I guess I am kind of confused. I thought "class { '::keystone::roles::admin':"
> >> was supposed to create the "admin" user and set the password to
> >> $keystone_admin_password.  If class { '::keystone::roles::admin' doesn't
> >> create the admin user what does?
> >
> > It either creates it, or ensures that it has the specified properties,
> > if it already exists.  In this case, it seems that it already exists, so it
> > attempts to ensure that it has the specified properties.
> >
> >> And what kind of user are we talking about?  A user that shows up in
> >> the /etc/passwd file or an mysql user or a keystone user of some sort?
> >
> > a keystone user - a user that shows up when you do "$ openstack user
> > list" as an admin user.
> >
> >
> >> Sorry I am pretty confused :)
> >>
> >> After I truncate my /var/log/keystone/keystone.log and run puppet agent
> -t I get this output to my keystone.log
> >>
> >> 2016-01-05 16:28:38.342 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:38.346 10596 INFO keystone.common.wsgi [-] GET
> /projects?
> >>
> >> 2016-01-05 16:28:38.347 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:38.352 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000
> >>
> >> 2016-01-05 16:28:39.144 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:39.147 10596 INFO keystone.common.wsgi [-] GET
> /domains?
> >>
> >> 2016-01-05 16:28:39.148 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:39.152 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:39] "GET /v3/domains HTTP/1.1" 200 702 0.009214
> >>
> >> 2016-01-05 16:28:39.929 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:39.932 10596 INFO keystone.common.wsgi [-] GET /roles?
> >>
> >> 2016-01-05 16:28:39.933 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:39.938 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:39] "GET /v3/roles HTTP/1.1" 200 615 0.009210
> >>
> >> 2016-01-05 16:28:40.712 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:40.716 10596 INFO keystone.common.wsgi [-] GET /users?
> >>
> >> 2016-01-05 16:28:40.716 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:40.721 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:40] "GET /v3/users HTTP/1.1" 200 820 0.008919
> >>
> >> 2016-01-05 16:28:41.562 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:41.565 10596 INFO keystone.common.wsgi [-] GET
> /domains?
> >>
> >> 2016-01-05 16:28:41.566 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:41.571 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:41] "GET /v3/domains HTTP/1.1" 200 702 0.009300
> >>
> >> 2016-01-05 16:28:42.331 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:42.335 10596 INFO keystone.common.wsgi [-] GET
> /users/5ec5abf83d164d439b603d72606b99fd?
> >>
> >> 2016-01-05 16:28:42.335 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:42.340 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd
> HTTP/1.1" 200 472 0.009393
> >>
> >> 2016-01-05 16:28:42.353 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:42.356 10596 INFO keystone.common.wsgi [-] GET
> /users/5ec5abf83d164d439b603d72606b99fd/projects?
> >>
> >> 2016-01-05 16:28:42.357 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:42.370 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:42] "GET
> /v3/users/5ec5abf83d164d439b603d72606b99fd/projects HTTP/1.1" 200 632
> 0.016973
> >>
> >> 2016-01-05 16:28:43.217 10599 DEBUG keystone.middleware.core [-] Auth
> token not in the request header. Will not build auth context.
> process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
> >>
> >> 2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-]
> 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1"
> 404 318 0.002948
> >>
> >> 2016-01-05 16:28:43.318 10599 DEBUG keystone.middleware.core [-] Auth
> token not in the request header. Will not build auth context.
> process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
> >>
> >> 2016-01-05 16:28:43.321 10599 INFO eventlet.wsgi.server [-]
> 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1"
> 404 318 0.002887
> >>
> >
> > This is strange.  /v2.0/auth/tokens does not exist.  It is /v2.0/tokens
> > for v2, and /v3/auth/tokens for v3.  This would indicate that perhaps your
> > openrc setting with the "/v2.0" suffix is polluting the puppet run?
> >
> >
> >> 2016-01-05 16:28:44.076 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:44.079 10596 INFO keystone.common.wsgi [-] GET
> /services?
> >>
> >> 2016-01-05 16:28:44.079 10596 WARNING keystone.common.controller [-]
> RBAC: Bypassing authorization
> >>
> >> 2016-01-05 16:28:44.084 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:44] "GET /v3/services HTTP/1.1" 200 558 0.008541
> >>
> >> 2016-01-05 16:28:44.871 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:44.873 10596 INFO keystone.common.wsgi [-] GET
> /endpoints?
> >>
> >> 2016-01-05 16:28:44.878 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931
> >>
> >> 2016-01-05 16:28:44.891 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:44.892 10596 INFO keystone.common.wsgi [-] GET
> /OS-KSADM/services/07622af16010436aadb463adffff4099?
> >>
> >> 2016-01-05 16:28:44.896 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:44] "GET
> /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385
> 0.005287
> >>
> >> 2016-01-05 16:28:44.899 10596 DEBUG keystone.middleware.core [-] RBAC:
> auth_context: {} process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >>
> >> 2016-01-05 16:28:44.900 10596 INFO keystone.common.wsgi [-] GET
> /OS-KSADM/services/07622af16010436aadb463adffff4099?
> >>
> >> 2016-01-05 16:28:44.904 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 -
> - [05/Jan/2016 16:28:44] "GET
> /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385
> 0.005030
> >>
> >>
> >> On Mon, Jan 4, 2016 at 3:22 PM, Rich Megginson <rmeggins at redhat.com>
> wrote:
> >> On 01/04/2016 03:07 PM, Russell Cecala wrote:
> >>> Thank you for the reply Rich,
> >>>
> >>> Here are the versions of my puppet modules:
> >>>
> >>> [root at ost-puppet-centos-001 keystone]# puppet module list
> >>>
> >>> /etc/puppetlabs/puppet/environments/production/modules
> >>>
> >>> ├── nanliu-staging (v1.0.3)
> >>>
> >>> ├── openstack-keystone (v6.1.0)
> >>>
> >>> ├── openstack-openstacklib (v6.1.0)
> >>>
> >>> ├── puppetlabs-apache (v1.7.0)
> >>>
> >>> ├── puppetlabs-apt (v1.8.0)
> >>>
> >>> ├── puppetlabs-concat (v1.2.4)
> >>>
> >>> ├── puppetlabs-firewall (v1.7.1)
> >>>
> >>> ├── puppetlabs-inifile (v1.4.2)
> >>>
> >>> ├── puppetlabs-mysql (v3.6.1)
> >>>
> >>> ├── puppetlabs-postgresql (v3.4.2)
> >>>
> >>> ├── puppetlabs-rabbitmq (v5.3.1)
> >>>
> >>> └── puppetlabs-stdlib (v4.9.0)
> >>>
> >>> /etc/puppetlabs/puppet/modules
> >>>
> >>> ├── cisco-gis-openstack (???)
> >>>
> >>> ├── haproxy (???)
> >>>
> >>> ├── keepalived (???)
> >>>
> >>> ├── mikduart-unnamed (v0.1.0)
> >>>
> >>> ├── mikduart-unnamed (v0.1.0)
> >>>
> >>> ├── mikduart-unnamed (v0.1.0)
> >>>
> >>> ├── puppetlabs-mongodb (v0.10.0)
> >>>
> >>> ├── saz-memcached (v2.4.0)
> >>>
> >>> ├── setup_mariadb_script (???)
> >>>
> >>> ├── sysctl (???)
> >>>
> >>> └── wrapmongodb (???)
> >>>
> >>> /opt/puppet/share/puppet/modules
> >>>
> >>> ├── puppetlabs-pe_accounts (v2.0.2-8-g8acc04e)
> >>>
> >>> ├── puppetlabs-pe_concat (v1.1.2-4-g2b7bba2)
> >>>
> >>> ├── puppetlabs-pe_console_prune (v0.1.1-4-g293f45b)
> >>>
> >>> ├── puppetlabs-pe_inifile (v1.1.4-16-gcb39966)
> >>>
> >>> ├── puppetlabs-pe_java_ks (v1.2.4-35-g44fbb26)
> >>>
> >>> ├── puppetlabs-pe_postgresql (v3.4.4-15-g32e56ed)
> >>>
> >>> ├── puppetlabs-pe_razor (v0.2.1-9-g8d78ec2)
> >>>
> >>> ├── puppetlabs-pe_repo (v0.7.7-59-g4514315)
> >>>
> >>> ├── puppetlabs-pe_staging (v0.3.3-6-gbd9db2b)
> >>>
> >>> └── puppetlabs-puppet_enterprise (v3.7.1-117-g9c48e73)
> >>>
> >>>
> >>> I am not sure I have the right values in my openrc but I have been
> using:
> >>>
> >>>
> >>> # cat openrc.localhost
> >>>
> >>> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
> >>>
> >>> export OS_PASSWORD=xxxxxxxxxxxxxxxx
> >>>
> >>> export OS_TENANT_NAME=admin
> >>>
> >>>
> >>> export OS_USERNAME=admin
> >>>
> >>
> >> Is this sourced into the environment where puppet is running?  It
> should not be.
> >>
> >>
> >>>
> >>> I believe this is the openstackclient version I am using:
> >>>
> >>>
> >>> [root at ost-mgmt-centos-001 ~]# rpm -qa | grep openstackclient
> >>>
> >>>
> >>> python-openstackclient-1.0.3-2.el7.noarch
> >>>
> >>>
> >>> On Mon, Jan 4, 2016 at 1:19 PM, Rich Megginson <rmeggins at redhat.com>
> wrote:
> >>> On 01/04/2016 02:06 PM, Russell Cecala wrote:
> >>>> Hi Emilien,
> >>>>
> >>>>
> >>>> I am trying to use https://github.com/openstack/puppet-keystone to
> set up a Kilo keystone node.
> >>>
> >>> I'm assuming you're using the kilo branch there?
> >>>
> >>>> I was hoping you could help me out so I can get my team to adopt
> >>>> puppet for setting up OpenStack.
> >>>>
> >>>> On my keystone node I am running centos7 with selinux disabled ...
> >>>
> >>> What version of openstackclient are you using?
> >>>
> >>> Do you have a $HOME/openrc or /root/openrc, or are you otherwise
> defining OS_* environment variables in the environment before running
> puppet?
> >>>
> >>>>
> >>>> [root at svl-ost-mgmt-centos-001 ~]# sestatus
> >>>>
> >>>> SELinux status:                 disabled
> >>>>
> >>>> ... and I have flushed my iptables ...
> >>>>
> >>>>
> >>>> [root at svl-ost-mgmt-centos-001 ~]# iptables -L
> >>>>
> >>>> Chain INPUT (policy ACCEPT)
> >>>>
> >>>> target     prot opt source               destination
> >>>>
> >>>>
> >>>> Chain FORWARD (policy ACCEPT)
> >>>>
> >>>> target     prot opt source               destination
> >>>>
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT)
> >>>>
> >>>>
> >>>> target     prot opt source               destination
> >>>>
> >>>>
> >>>> Yet when I run "puppet agent -t"  I get these errors:
> >>>>
> >>>>
> >>>> [root at ost-mgmt-centos-001 ~]# puppet agent -t
> >>>>
> >>>> Info: Retrieving pluginfacts
> >>>>
> >>>> Info: Retrieving plugin
> >>>>
> >>>> Info: Loading facts
> >>>>
> >>>> Error: NetworkManager is not running.
> >>>>
> >>>> Info: Caching catalog for ost-mgmt-centos-001.example.com
> >>>>
> >>>> Warning: The tenant parameter is deprecated and will be removed in
> the future. Please use keystone_user_role to assign a user to a project.
> >>>>
> >>>> Warning: The ignore_default_tenant parameter is deprecated and will
> be removed in the future.
> >>>>
> >>>> Info: Applying configuration version '1451940682'
> >>>>
> >>>> Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]:
> Could not evaluate: Execution of '/usr/bin/openstack token issue --format
> value' returned 1: ERROR: openstack The resource could not be found. (HTTP
> 404) (Request-ID: req-ca2a6dd1-fdb6-48f4-94fe-8f736fcc01dd)
> >>>>
> >>
> >> This usually indicates that it is trying to ensure that the user
> >> "admin" exists but the password is incorrect.  That is, the class {
> >> '::keystone::roles::admin':        password     => $keystone_admin_password
> >> is not correct.
> >>
> >> If you are sure it is correct, then it could be a mismatch between the
> >> identity api version used by the puppet module and the one specified in the
> >> environment.  Check the keystone access logs to see what URL this is trying
> >> to access - something with /token or /tokens, or something with /auth/token
> >> or /auth/tokens
> >>
> >>>> Notice:
> /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]:
> Dependency Keystone_user[admin] has failures: true
> >>>>
> >>>> Warning:
> /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin at openstack]:
> Skipping because of failed dependencies
> >>>>
> >>>>
> >>>> Notice: Finished catalog run in 12.38 seconds
> >>>>
> >>>> Here's code I am using on my puppet master ...
> >>>>
> >>>> class wrapcontroller(
> >>>>
> >>>>
> >>>> ... big list of parameters I am not using until I can get keystone
> going ...
> >>>>
> >>>> ) {
> >>>>
> >>>>
> >>>>     exec { '/bin/yum -y install
> http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm':
> unless => '/bin/rpm -q epel-release', }
> >>>>
> >>>>     exec { '/bin/yum -y install
> http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless
> => '/bin/rpm -q rdo-release', }
> >>>>
> >>>>
> >>>>     package { 'mariadb': ensure => present, }
> >>>>
> >>>>     exec { 'keystone_database_init':
> >>>>
> >>>>         command => '/usr/bin/keystone-manage db_sync',
> >>>>
> >>>>         onlyif => [
> >>>>
> >>>>             "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass
> -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
> >>>>
> >>>>             "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user
> -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show
> tables'`\""
> >>>>
> >>>>         ],
> >>>>
> >>>>         require => Package['mariadb'],
> >>>>
> >>>>     }
> >>>>
> >>>>
> >>>>     class {'::keystone':
> >>>>
> >>>>         admin_token                => $keystone_auth_token,
> >>>>
> >>>>         database_connection        =>
> "mysql://${keystone_db_user}:${keystone_db_pass}@
> ${db_host}:${db_port}/${keystone_db_name}",
> >>>>
> >>>>         debug                      => $debug,
> >>>>
> >>>>         enabled                    => true,
> >>>>
> >>>>         enable_ssl                 => false,
> >>>>
> >>>>         service_name               => 'httpd', # this is a kilo thing
> >>>>
> >>>>         verbose                    => $debug,
> >>>>
> >>>>     }
> >>>>
> >>>>
> >>>>     include ::apache
> >>>>
> >>>>     class { '::keystone::wsgi::apache': ssl => false, }
> >>>>
> >>>>     class { '::keystone::roles::admin':
> >>>>
> >>>>        email        => $keystone_admin_email,
> >>>>
> >>>>        password     => $keystone_admin_password,
> >>>>
> >>>>     }
> >>>>
> >>>>     class { '::keystone::endpoint':
> >>>>
> >>>>        public_url     => "http://127.0.0.1:5000",
> >>>>
> >>>>        admin_url      => "http://127.0.0.1:35357",
> >>>>
> >>>>        default_domain => 'admin',
> >>>>
> >>>>     }
> >>>>
> >>>>
> >>>> }
> >>>>
> >>>> Thanks! And Happy New Year to you :)
> >>>> Red
> >>>>
> >>>>
> >>>>
> >>>> On Tue, Nov 24, 2015 at 2:38 PM, Emilien Macchi <emilien at redhat.com>
> wrote:
> >>>>
> >>>>
> >>>> On 11/24/2015 11:21 PM, Russell Cecala wrote:
> >>>> > I am trying to use the OpenStack community puppet modules.  Here's
> the
> >>>> > keystone module I am using:
> https://github.com/openstack/puppet-keystone
> >>>> > I am using the stable juno branch.  I have in my puppet manifest
> for my
> >>>> > controller nodes this resource definition:
> >>>> >
> >>>> >     class { '::keystone::roles::admin':
> >>>> >         admin        => $keystone_admin_user,
> >>>> >         email        => $keystone_admin_email,
> >>>> >         password     => $keystone_admin_password,
> >>>> >     } ->
> >>>> >
> >>>> > And when puppet runs that code I get this error:
> >>>> >
> >>>> >     Error:
> >>>> >
> /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[keystone_admin_user at openstack
> ]:
> >>>> > Could not evaluate: Execution of '/usr/bin/openstack domain show
> >>>> > --format shell' returned 2: usage: openstack domain show [-h] [-f
> >>>> > {shell,table,value}] [-c COLUMN]
> >>>> >                                  [--max-width <integer>] [--prefix
> PREFIX]
> >>>> >                                  <domain>
> >>>> >     openstack domain show: error: too few arguments
> >>>>
> >>>> Sounds like an issue with your version of openstackclient, can you
> >>>> provide it?
> >>>>
> >>>> >
> >>>> > Can anyone help me?  Are these Puppet modules still being supported?
> >>>>
> >>>> Yes :-)
> >>>>
> >>>> > Does anyone use them?  Thanks!
> >>>>
> >>>> Double yes.
> >>>> --
> >>>> Emilien Macchi
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> OpenStack-operators mailing list
> >>>>
> >>>> OpenStack-operators at lists.openstack.org
> >>>>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>
>
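
The 'SECURE_PROXY_SSL_HEADER' pointer above is about a backend that only ever sees plain HTTP from HAProxy and therefore believes the request scheme is http. The following Python is an added example, not part of the thread and not Keystone or puppet-keystone code; it shows the mechanism as a WSGI middleware that restores the scheme from X-Forwarded-Proto only when the request comes from a known proxy. The class and function names, the addresses and the host name are hypothetical.

```python
# Added illustration (not Keystone or puppet-keystone code): what a
# SECURE_PROXY_SSL_HEADER-style setting does for a WSGI service whose TLS is
# terminated on a proxy. All names and addresses below are hypothetical.
from wsgiref.util import setup_testing_defaults

ALLOWED_SCHEMES = frozenset({"http", "https"})


class ProxySchemeMiddleware(object):
    """Restore the client's original URL scheme from a proxy-set header.

    The header is honoured only when the TCP peer is a known proxy, so a
    client that reaches the backend directly cannot claim to be on HTTPS.
    """

    def __init__(self, app, header_key="HTTP_X_FORWARDED_PROTO",
                 trusted_proxies=()):
        self.app = app
        self.header_key = header_key          # WSGI form of X-Forwarded-Proto
        self.trusted_proxies = frozenset(trusted_proxies)

    def __call__(self, environ, start_response):
        claimed = environ.get(self.header_key, "").strip().lower()
        peer = environ.get("REMOTE_ADDR", "")
        # Accept only a whitelisted scheme value from a whitelisted peer.
        if peer in self.trusted_proxies and claimed in ALLOWED_SCHEMES:
            environ["wsgi.url_scheme"] = claimed
        return self.app(environ, start_response)


def identity_app(environ, start_response):
    """Toy backend: returns a self link built from the scheme it believes."""
    link = "%s://%s/v3/" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    body = link.encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def self_link(app, remote_addr, forwarded_proto=None,
              host="vip.example.test:5000"):
    """Send one constructed request to `app` and return the link it emits."""
    environ = {"HTTP_HOST": host, "REMOTE_ADDR": remote_addr}
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    setup_testing_defaults(environ)   # proxy-to-backend hop is plain HTTP
    chunks = app(environ, lambda status, headers, exc_info=None: None)
    return b"".join(chunks).decode("utf-8")


PROXY = "192.0.2.10"        # constructed address of the TLS-terminating proxy
OUTSIDER = "198.51.100.7"   # constructed address of a client bypassing it

if __name__ == "__main__":
    wrapped = ProxySchemeMiddleware(identity_app, trusted_proxies=[PROXY])
    print(self_link(identity_app, PROXY, "https"))   # setting absent
    print(self_link(wrapped, PROXY, "https"))        # header set by the proxy
    print(self_link(wrapped, OUTSIDER, "https"))     # spoofed header ignored
```

The backend can trust the header only if the proxy sets it itself on every request (in HAProxy, `http-request set-header X-Forwarded-Proto https` in the TLS frontend), so that a client-supplied value never passes through.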