[Openstack] EC2-API in Ocata - Help wanted

Georgios Dimitrakakis giorgis at acmac.uoc.gr
Sat Apr 1 09:00:26 UTC 2017


 For people dealing with the same problem I was able to overcome the 
 problem by installing the "openstack-ec2-api" package from the 
 centos-openstack-ocata repository.

 Although the binaries were exactly the same as mine (did a checksum) 
 installing the package revealed a much more detailed configuration file, 
 which helped a lot.

 In there I found that the "metadata_shared_secret" should be under the 
 "[metadata]" section instead of just putting it in the default as I was 
 doing since there was no configuration.

 I believe that the documentation on EC2-API should be definitely 
 updated for two reasons: 1) To instruct users to install the available 
 package instead of letting them to build everything manually and 2) To 
 inform them on the settings that should be present in the configuration 
 file in order for it to work with the current OpenStack specifications 
 and requirements.


 Regards,

 G.




 On Mon, 20 Mar 2017 00:27:35 +0200, Georgios Dimitrakakis wrote:
> Just to post an update.
>
> These are two different issues.
>
> The first one
>
> # aws --endpoint-url http://controller:8788 ec2 describe-images
>
> An error occurred (AuthFailure) when calling the DescribeImages
> operation: Not Found
>
>
> was because of this line
>
> keystone_ec2_tokens_url = 
> http://nefelus-controller:35357/v3/v3/ec2token
>
> in the "ec2api.conf" file.
>
> Obviously they shouldn't be two "v3" there.
>
> This is coming from the "install.sh" script because of this:
>
> iniset $CONF_FILE DEFAULT keystone_ec2_tokens_url 
> "$OS_AUTH_URL/v3/ec2tokens"
>
>
> but in the new versions of OpenStack (I am on Ocata) the recommended
> way for "admin.rc" is to have
>
> OS_AUTH_URL=http://controller:35357/v3
>
> So there is already a "v3" plus another from "install.sh" you have 
> two.
>
> This sounds like a bug to me or at least is not compatible with the
> latest versions.
> What does the community think? Should I file a bug?
>
>
>
> The second one although not solved yet I believe is coming from the
> incorrect usage of "metadata_shared_secret" but I am not quiet sure
> yet how to make it work.
>
> I would really like some help here people......
>
> Looking forward for your answers and help.
>
> All the best,
>
>
> G.
>
>
>> Furthermore,
>>
>> now all my instances FAIL to get their metadata!
>>
>> This is the error in "ec2-metadata-api.log"
>>
>>
>> 2017-03-19 17:04:16.689 13635 WARNING ec2api.metadata [-]
>> X-Instance-ID-Signature:
>> b80302f1bd7d744c40cabc35908d8f70f49093d5cd07763cdd769d90b925db62 
>> does
>> not match the expected value:
>> 5188ed2e0813d6cfc007ed8695c8684ba2bbd18ee3e4376187f2ba82d17297dc for
>> id: 2d632701-7ae7-45cc-9cdd-9cea382b3342. Request From: 172.16.1.11
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata [-] Unexpected 
>> error.
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata Traceback (most
>> recent call last):
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata   File
>> "/home/giorgis/EC2-GIT/ec2-api/ec2api/metadata/__init__.py", line 
>> 90,
>> in __call__
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata     requester =
>> self._get_requester(req)
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata   File
>> "/home/giorgis/EC2-GIT/ec2-api/ec2api/metadata/__init__.py", line 
>> 182,
>> in _get_requester
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata
>> self._unpack_neutron_request(req))
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata   File
>> "/home/giorgis/EC2-GIT/ec2-api/ec2api/metadata/__init__.py", line 
>> 223,
>> in _unpack_neutron_request
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata
>> self._validate_signature(signature, os_instance_id, remote_ip)
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata   File
>> "/home/giorgis/EC2-GIT/ec2-api/ec2api/metadata/__init__.py", line 
>> 263,
>> in _validate_signature
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata     raise
>> webob.exc.HTTPForbidden(explanation=msg)
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata HTTPForbidden:
>> Invalid proxy request signature.
>> 2017-03-19 17:04:16.690 13635 ERROR ec2api.metadata
>> 2017-03-19 17:04:16.691 13635 INFO ec2api.api [-] 0.1595s
>> 10.140.6.181 GET /2009-04-04/meta-data/instance-id None 500
>> [Python-httplib2/0.9.2 (gzip)] text/plain text/plain
>> 2017-03-19 17:04:16.691 13635 INFO ec2api.wsgi.server [-]
>> 172.16.1.11,10.140.6.181 "GET /2009-04-04/meta-data/instance-id
>> HTTP/1.1" status: 500 len: 229 time: 0.0022879
>>
>>
>>
>> while in the Dashboard LOG I see:
>>
>> checking http://169.254.169.254/2009-04-04/instance-id
>> failed 1/20: up 0.81. request failed
>> failed 2/20: up 3.05. request failed
>> failed 3/20: up 5.25. request failed
>> failed 4/20: up 7.27. request failed
>> failed 5/20: up 9.49. request failed
>> failed 6/20: up 11.51. request failed
>> failed 7/20: up 13.54. request failed
>> failed 8/20: up 15.92. request failed
>> failed 9/20: up 17.94. request failed
>> failed 10/20: up 20.36. request failed
>> failed 11/20: up 22.69. request failed
>> failed 12/20: up 24.72. request failed
>> failed 13/20: up 26.97. request failed
>> failed 14/20: up 29.00. request failed
>> failed 15/20: up 31.25. request failed
>> failed 16/20: up 33.57. request failed
>> failed 17/20: up 35.73. request failed
>> failed 18/20: up 38.00. request failed
>> failed 19/20: up 40.21. request failed
>> failed 20/20: up 42.54. request failed
>> failed to read iid from metadata. tried 20
>> no results found for mode=net. up 44.98. searched: nocloud 
>> configdrive ec2
>> failed to get instance-id of datasource
>>
>>
>> Could you please help??
>>
>>
>> Regards,
>>
>> George
>>
>>
>>> Hello,
>>>
>>> I desperately need your help in order to set up EC2-API in Ocata.
>>>
>>> I have installed and started the services but I am not sure how to
>>> configure the endpoints since the manual is refering to ports as 
>>> XXXX
>>> and to version as Y.
>>>
>>> I have guessed that these are XXXX=8788 and Y=2 but without 
>>> success.
>>>
>>>
>>> When I am trying to check the configuration I am getting this:
>>>
>>> # aws --endpoint-url http://controller:8788 ec2 describe-images
>>>
>>> An error occurred (AuthFailure) when calling the DescribeImages
>>> operation: Not Found
>>>
>>>
>>> I am 100% that the /root/.aws/config file has the correct 
>>> credentials.
>>>
>>>
>>> In the logs there aren't any information worthing except this:
>>>
>>> 2017-03-18 20:26:44.299 6717 INFO ec2api.api [-] 0.18514s
>>> 10.140.6.181 POST / None 404 [aws-cli/1.11.63 Python/2.7.5
>>> Linux/3.10.0-514.10.2.el7.x86_64 botocore/1.5.26]
>>> application/x-www-form-urlencoded text/xml
>>> 2017-03-18 20:26:44.300 6717 INFO ec2api.wsgi.server [-] 
>>> 10.140.6.181
>>> "POST / HTTP/1.1" status: 404 len: 298 time: 0.0193572
>>>
>>>
>>> I desperately looking for your help...So please help!
>>>
>>>
>>> Best regards,
>>>
>>>
>>> George
>>>
>>> _______________________________________________
>>> Mailing list: 
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : 
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>
>> _______________________________________________
>> Mailing list: 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe : 
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
> _______________________________________________
> Mailing list: 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : 
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack






More information about the Openstack mailing list