[Openstack-operators] New project creation fails because of a Nova check in a multi-region cloud
Matt Riedemann
mriedemos at gmail.com
Thu May 10 13:52:00 UTC 2018
On 5/9/2018 8:11 PM, Jean-Philippe Méthot wrote:
> I currently operate a multi-region cloud split between 2 geographic
> locations. I have updated it to Pike not too long ago, but I've been
> running into a peculiar issue. Ever since the Pike release, Nova now
> asks Keystone if a new project exists in Keystone before configuring the
> project’s quotas. However, there doesn’t seem to be any region
> restriction regarding which endpoint Nova will query Keystone on. So,
> right now, if I create a new project in region one, Nova will query
> Keystone in region two. Because my keystone databases are not synched in
> real time between each region, the region two Keystone will tell it that
> the new project doesn't exist, while it exists in region one Keystone.
>
> Thinking that this could be a configuration error, I tried setting the
> region_name in keystone_authtoken, but that didn’t change much of
> anything. Right now I am thinking this may be a bug. Could someone
> confirm that this is indeed a bug and not a configuration error?
>
> To circumvent this issue, I am considering either modifying the database
> by hand or trying to implement realtime replication between both
> Keystone databases. Would there be another solution? (besides modifying
> the code for the Nova check)

This is the specific code you're talking about:

https://github.com/openstack/nova/blob/stable/pike/nova/api/openstack/identity.py#L35

I don't see region_name as a config option for talking to keystone in Pike:

https://docs.openstack.org/nova/pike/configuration/config.html#keystone

But it is in Queens:

https://docs.openstack.org/nova/queens/configuration/config.html#keystone

That was added in this change:

https://review.openstack.org/#/c/507693/

But I think what you're saying is, since you have multiple regions, the
project could be in any of them at any given time until they synchronize
so configuring nova for a specific region isn't probably going to help
in this case, right?

Isn't this somehow resolved with keystone federation? Granted, I'm not
at all a keystone person, but I'd think this isn't a unique problem.

--
Thanks,
Matt