Open simonpie opened 8 years ago
Ugh, looking back at this I see how poorly I wrote this. Sorry.
I'm wondering which keystone_user module is being used? The one that comes with swiftacular or are you getting it from somewhere else? If somewhere else it'd need to support insecure.
I have a .library directory that contains the keystone_user. I would guess that that's the one being used. Notice that the calls immediately before work just fine (the one calling keystone_service).
Any way to debug that ? The logs on the keystone server are not very helpful.
Simon Pierre
Oh,
I did try it with and without the SWIFTCLIENT_INSECURE variable.
Simon Pierre
I am running on macosx 10.11.3 ansible 1.9.4 Vagrant 1.7.4 Virtual box 5.0.14r105127
Simon Pierre
Yeah but it's the first task using the keystone_user module. The prior tasks are keystone_service.
We agree.
Could it be that by default, nowadays, apt-get will install liberty and the installation differs somewhat with what you did at the time ? For example, the url seems to be (http://controller:35357/v3) now. Or we need to create a project before we add a user ? http://docs.openstack.org/liberty/install-guide-ubuntu/keystone-users.html
I suppose it's possible. I'm pretty sure ubuntu sticks with the default openstack version being the original version deployed with that particular ubuntu release, and that to get newer openstack releases you need to enable that archive specifically.
You are right, it's havana which is installed.
I can run the command by hand on the identity server and it works well.
I exported two variables :
OS_SERVICE_TOKEN=blablaredacted
OS_SERVICE_ENDPOINT=https://127.0.0.1:35357/v2.0
as prescribed here http://docs.openstack.org/icehouse/install-guide/install/apt/content/keystone-users.html.
Then I can run the command to add a tenant or a user :
root@swift-keystone-01:~# keystone --insecure tenant-create --name=admin --description="Admin Tenant"
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Admin Tenant |
| enabled | True |
| id | ee64e124bdfb42feaa6be39a5a875ba1 |
| name | admin |
+-------------+----------------------------------+
root@swift-keystone-01:~# keystone --insecure user-create --name=admin --pass=CHANGEME --email=sp.desrosiers@ville.montreal.qc.ca
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+------------------------------------+
| Property | Value |
+----------+------------------------------------+
| email | sp.desrosiers@ville.montreal.qc.ca |
| enabled | True |
| id | e5db74a5c2e845ff88e5688092556d1c |
| name | admin |
+----------+------------------------------------+
root@swift-keystone-01:~#
And they work just fine. I have installed python using brew. It calls the brew versions now (well according to which) and yet I still get the message :
TASK: [authentication | create service keystone tenant] ***********************
failed: [swift-keystone-01] => {"failed": true}
msg: exception: <attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https://127.0.0.1:35357/v2.0/tenants)
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
Which uses the same endpoint as my environment variable. Here is the task from the playbook :
- name: create service keystone tenant
  keystone_user: token={{ keystone_admin_token}} tenant=service tenant_description="Service Tenant" endpoint="https://127.0.0.1:35357/v2.0"
I get the exact same message if I remove the --insecure flag when running on the identity server :
root@swift-keystone-01:~# keystone tenant-create --name=admin --description="Admin Tenant"
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
<attribute 'message' of 'exceptions.BaseException' objects> (HTTP Unable to establish connection to https://127.0.0.1:35357/v2.0/tenants)
root@swift-keystone-01:~#
If I load python, the brew one or the mac one, the keystoneclient.v2_0 always is the apple one. But it seems to support the insecure flag if I look at the code :
> python
Python 2.7.11 (default, Feb 26 2016, 10:49:13)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import keystoneclient.v2_0
>>> keystoneclient.v2_0.__file__
'/Library/Python/2.7/site-packages/keystoneclient/v2_0/__init__.pyc'
>>>
I have tried with both SWIFTCLIENT_INSECURE set or unset.
Finally, I have checked that the token is the same in the group_vars/all and in my environment variable.
What else can I do or test ? Any help would be welcome.
I believe I hacked the keystone_user in the library of swiftacular to use insecure. Double check that is the module being used.
Please check that swift-ansible-modules/keystone_user is included:
$ grep library ansible.cfg
library = ~/swiftacular/library/
./library/
├── openstack
│   ├── cinder_manage
...
│   ├── README.md
│   └── tests
...
└── swift-ansible-modules
    └── keystone_user
Yes it is. It's actually pulled together with the rest of the playbook when you run git. But my problem got worse since I installed python with brew and rebooted. Now, even the keystone_service will not work anymore.
I got tired and replaced everything with shell commands using the command module. I know this is not the way to go as I have lost idempotency, but I needed to move forward. I will try to update that role with the newer os_project and os_users. I still have to figure out a few things like connecting using the --insecure flag and roles management.
Small update.
I added a spurious python line and I could confirm that the keystone_service module from the library directory of swiftacular was indeed used correctly. I guess it was not working correctly because of some weird interaction between environment variable and the clouds.yml file.
As for the keystone_user file, the same test reveals that the file from the library was not used but the one from the brew python installation.
I moved the file out of /usr/local/Cellar/ansible/1.9.4/libexec/lib/python2.7/site-packages/ansible/modules/core/cloud/openstack to /tmp and there you go. It seems to work.
How can I force ansible to use the module in the library without removing the bundled version ?
I think you could rename it, and change the name used in the playbook/task.
I'm sorry you're having so much trouble with this, unfortunately I don't have much time to take a look. This code is getting quite old.
Your code is fine. I have suffered from the problem that ansible is supposed to solve once and for all. Multiple versions.
My last question really has to do with forcing ansible to use a specific version of a module. I had to remove the bundled version of brew for the script to run.
On my way to use your script with Liberty now. Thanks for your work, it really has bootstrapped my work.
Ok great, best of luck. :)
I had this same problem -- I ended up having to rename 'keystone_user' to something else so that it would work. Maybe this needs to become "official" in this repo, so that it doesn't happen to anyone else?
I am trying to deploy swiftacular. Everything runs smoothly until the step to create a service keystone tenant where it fails with the error :
Everything else works as intended. Yet, if I do a wget on the host, I can see that it does answer.
I did use the SWIFTCLIENT_INSECURE shell variable. Adding -vvv does not really help. Any idea ?
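Added example, not part of the original thread or of swiftacular: a small Python check for the situation diagnosed above, where two copies of keystone_user exist and only one supports insecure. It lists every copy of a module name under the directories you give it and reports whether each copy's source mentions the option; the directory layout and file contents in demo() are constructed for illustration, and the text search is a crude assumption about how a module declares its options.

```python
import os
import tempfile


def find_module_copies(name, roots):
    """Return every file called `name` or `name`.py found under the given roots."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(os.path.expanduser(root)):
            for fname in files:
                if fname in (name, name + ".py"):
                    hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def mentions_option(path, option):
    """True if the module source contains the option name (plain text search)."""
    with open(path, "r", errors="replace") as fh:
        return option in fh.read()


def audit(name, roots, option="insecure"):
    """Map each copy of the module to whether it references `option`."""
    return {p: mentions_option(p, option) for p in find_module_copies(name, roots)}


def demo():
    # Constructed layout: a playbook-local copy and a bundled copy of the
    # same module name, with constructed one-line bodies.
    base = tempfile.mkdtemp()
    local = os.path.join(base, "library", "swift-ansible-modules")
    bundled = os.path.join(base, "site-packages", "ansible", "modules",
                           "core", "cloud", "openstack")
    os.makedirs(local)
    os.makedirs(bundled)
    with open(os.path.join(local, "keystone_user"), "w") as fh:
        fh.write("argument_spec = dict(endpoint=dict(), insecure=dict())\n")
    with open(os.path.join(bundled, "keystone_user.py"), "w") as fh:
        fh.write("argument_spec = dict(endpoint=dict(), token=dict())\n")
    roots = [os.path.join(base, "library"), os.path.join(base, "site-packages")]
    return audit("keystone_user", roots)


if __name__ == "__main__":
    for path, ok in demo().items():
        print(("supports insecure: " if ok else "no insecure:       ") + path)
```

More than one path in the result means the name is ambiguous; which copy actually gets loaded depends on the Ansible version and configuration, so this only shows that a conflict exists.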