[Openstack] [ironic]ironic-python-agent fails to lookup node with 401 status code

Pavlo Shchelokovskyy pshchelokovskyy at mirantis.com
Thu Jan 12 15:06:48 UTC 2017


Hi,

I'm pretty sure one can, via overriding source_repository element settings
[0] with

export DIB_REPOREF_ironic_agent=stable/mitaka

[0[
https://github.com/openstack/diskimage-builder/blob/7fc4856c6a0f5d63cdba2ee30ea7c7d762676bb6/elements/source-repositories/README.rst#override-per-source

Cheers,

Dr. Pavlo Shchelokovskyy
Senior Software Engineer
Mirantis Inc
www.mirantis.com

On Thu, Jan 12, 2017 at 4:46 PM, int32bit <krystism at gmail.com> wrote:

> Thanks Pavlo! After downgrade my IPA to Mitaka branch, my ironic seems
> work fine now. But another problem, can we specify IPA version when we
> create image via DIB?
>
> On Thu, Jan 12, 2017 at 3:42 PM, Pavlo Shchelokovskyy <
> pshchelokovskyy at mirantis.com> wrote:
>
>> Hi,
>>
>> you shouldn't use the latest master IPA version with ironic as of Mitaka
>> release.
>> The ironic API endpoint it tries to contact (v1/lookup...) was introduced
>> during Newton development and thus is present in ironic API from Newton
>> release onwards. The fallback to the old lookup endpoint (implemented as
>> vendor driver passthru) was removed recently from IPA in master branch
>> (after Newton release). That means your IPA version tries to contact the
>> ironic API via endpoint that does not exist in this ironic version. Use
>> ramdisk with IPA built from stable/mitaka or stable/newton branches.
>>
>> As for the "without any authentication" point - yes, that's the way it
>> currently works, all communications between IPA and ironic API are not
>> using Keystone tokens as we still have to figure out a reliable and secure
>> way to pass tokens or credentials to get them into the ramdisk.
>>
>> Cheers,
>>
>> Dr. Pavlo Shchelokovskyy
>> Senior Software Engineer
>> Mirantis Inc
>> www.mirantis.com
>>
>> On Thu, Jan 12, 2017 at 5:13 AM, int32bit <krystism at gmail.com> wrote:
>>
>>> Hi, All,
>>>
>>> I'm a newcomer to Openstack Ironic. Recently, I'm work on deploy ironic
>>> manually, and I found that the node status 100% *blocked in `callback
>>> wait` status* until timeout. The ironic-api  log shows that:
>>>
>>> 2017-01-12 10:21:00.626 158262 INFO keystonemiddleware.auth_token [-]
>>> Rejecting request
>>> 2017-01-12 10:21:00.627 158262 INFO ironic_api [-] 10.0.81.31 "GET
>>> /v1/lookup?addresses=xxx HTTP/1
>>>
>>> I guess the problem is IPA, so I dug into IPA source and traced the
>>> request process and  found that the IPA client request *without any
>>> authentication* [1].
>>>
>>> [1] https://github.com/openstack/ironic-python-agent/blob/ma
>>> ster/ironic_python_agent/ironic_api_client.py#L109-L111
>>>
>>>
>>> My ironic version is *5.1.1-1(mitaka) *and *IPA has updated to newest
>>> version from master branch*.
>>>
>>> My config as follows:
>>>
>>> ```
>>> [keystone_authtoken]
>>> auth_uri=http://xxxx:5000/
>>> auth_version=v3.0
>>> identity_uri=http://xxxx:35357/
>>> admin_user=ironic
>>> admin_password=IRONIC_PASSWORD
>>> admin_tenant_name=service
>>>
>>> [conductor]
>>> api_url=http://201.0.0.120:6385 # ensure the node can access
>>> ```
>>>
>>> I'm really not sure if I miss something or something wrong in config.
>>>
>>> Thanks for any help!
>>> krystism
>>>
>>> _______________________________________________
>>> Mailing list: http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe : http://lists.openstack.org/cgi
>>> -bin/mailman/listinfo/openstack
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170112/d182d408/attachment.html>


More information about the Openstack mailing list