openstack orchestration service list fails to return endpoint

Bug #1623327 reported by Billy Olsen
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Invalid
Undecided
Unassigned
python-heatclient
Invalid
Undecided
Unassigned
python-openstackclient
Invalid
Undecided
Unassigned

Bug Description

OpenStack service endpoints are created for the heat service, but the openstack client cannot find the endpoints to issue the query against. I suspect this is due to the domain auth tokens included in the initial authentication doesn't include any endpoints with the $(tenant_id)s in the output there.

I'm not sure whether this should be a bug against the openstack client or against keystone. I believe its intentional to exclude the endpoints with a tenant_id substitution in the endpoint, but it doesn't make any sense to me as it seems the openstack catalog list command uses this catalog query in order to list endpoints and services, which it only gets the service but not the endpoints.

Here's some output collected:

> openstack catalog list
+--------------+-----------------+----------------------------------------+
| Name | Type | Endpoints |
+--------------+-----------------+----------------------------------------+
| heat | orchestration | |
| heat-cfn | cloudformation | RegionOne |
| | | public: http://10.5.20.176:8000/v1 |
| | | RegionOne |
| | | admin: http://10.5.20.176:8000/v1 |
| | | RegionOne |
| | | internal: http://10.5.20.176:8000/v1 |
| | | |

...

> openstack endpoint list | grep heat
| 85ee6b6e8f814856a3a547982f6b2835 | RegionOne | heat | orchestration | True | internal | http://10.5.20.176:8004/v1/$(tenant_id)s |
| 895cb2e4e5d1492e9e40c205f6b0c508 | RegionOne | heat | orchestration | True | public | http://10.5.20.176:8004/v1/$(tenant_id)s |
| ad63a139c90749ff9d98a704200d2e49 | RegionOne | heat | orchestration | True | admin | http://10.5.20.176:8004/v1/$(tenant_id)s |

> openstack orchestration service list
public endpoint for orchestration service not found

tags: added: canonical-bootstack
Revision history for this message
Steve Martinelli (stevemar) wrote :

I added heatclient since that's where the "openstack orchestration service list" comes from: https://github.com/openstack/python-heatclient/blob/master/setup.cfg#L36 -- heatclient is an OpenStackClient plugin, and the code is maintained there

Revision history for this message
Steve Martinelli (stevemar) wrote :

Can you add the output of `openstack orchestration service list --debug` as well, so we can see what routes the command is using.

Revision history for this message
Brad Marshall (brad-marshall) wrote :

To be clear, this isn't just happening for heat. Every other service that has $(tenant_id) in the endpoint isn't showing up in the catalog either. Cinder has empty endpoints, swift only has the admin endpoint listed and nova compute and heat orchestration is empty, when heat cloudformation has data.

Revision history for this message
Peter Sabaini (peter-sabaini) wrote :
Download full text (13.0 KiB)

Steve, output of openstack orchestration service list --debug is similar to this:

START with options: ['orchestration', 'service', 'list', '--debug']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='http://10.5.20.240:35357/v3', cacert='', cert='', client_id='', client_secret='***', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='admin_domain', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='', key='', log_file=None, os_beta_command=False, os_compute_api_version='', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_orchestration_api_version='1', os_project_id=None, os_project_name=None, os_volume_api_version='', password='***', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', region_name='RegionOne', scope='', service_provider_endpoint='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='admin_domain', user_id='', username='admin', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'status': u'active', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', u'metering_api_version': u'2', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'interface': None, u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'compute_api_version': u'2', u'orchestration_api_version': '1', u'database_api_version': u'1.0', u'metering_api_version': u'2', 'auth_url': 'http://10.5.20.240:35357/v3', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], u'image_api_version': u'2', 'verify': True, u'dns_api_version': u'2', u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'username': 'admin', 'user_domain_name': 'admin_domain', 'password': '***', 'auth_url': 'http://10.5.20.240:35357/v3', 'domain_name': 'admin_domain'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'password': '***', 'cacert': None, u'key_manager_api_version': u'v1', 'deferred_help': False, u'identity_api_version': '3', u'volume_api_version': u'2', 'username': 'admin', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': None, u'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 2, cmd group...

Revision history for this message
David Ames (thedac) wrote :

Regarding heat, has the domain-setup action been run? This is required for heat
with keystone v3.

https://github.com/openstack/charm-heat/blob/master/README.md#usage
https://github.com/openstack/charm-heat/blob/master/actions.yaml#L5

@bradm Regarding catalogue entries note the difference between domain and
project auth:
http://pastebin.ubuntu.com/23183661/
http://pastebin.ubuntu.com/23183668/
Is there something more than that going on?

Revision history for this message
David Ames (thedac) wrote :

Domain vs project auth has a similar effect on heat:

$ . novarcv3_domain
2016-09-15 21:40:22 Service: keystone address: 10.5.21.236
$ openstack orchestration service list
public endpoint for orchestration service not found
$ . novarcv3_project
2016-09-15 21:40:33 Service: keystone address: 10.5.21.236
$ openstack orchestration service list
+-----------------------+-------------+--------------------------------------+------+--------+----------------------------+--------+
| hostname | binary | engine_id | host | topic | updated_at | status |
+-----------------------+-------------+--------------------------------------+------+--------+----------------------------+--------+
| juju-thedac-machine-7 | heat-engine | 47ea9ccc-c26b-40ab-9fd9-26e8d89ac0ad | heat | engine | 2016-09-15T21:00:05.000000 | down |
| juju-thedac-machine-7 | heat-engine | 14a05064-0c24-4da8-ae57-2140d8a20725 | heat | engine | 2016-09-15T21:00:05.000000 | down |
| juju-thedac-machine-7 | heat-engine | 009fd615-7d9f-489e-b693-8876ebd6c14f | heat | engine | 2016-09-15T21:40:14.000000 | up |
| juju-thedac-machine-7 | heat-engine | d6098e65-a2d0-4ace-a84b-015eea743847 | heat | engine | 2016-09-15T21:40:14.000000 | up |
+-----------------------+-------------+--------------------------------------+------+--------+----------------------------+--------+

Revision history for this message
Brad Marshall (brad-marshall) wrote :

@thedac, it appears you are right, I was trying with some project details set, but apparently not the right set. Is there any documentation available that details what is needed where? I took a look around and couldn't find anything obvious.

I can now get an output from both openstack orchestration service list and heat stack-list, so I take it that means that heat is working correctly with keystone v3.

Revision history for this message
Brad Marshall (brad-marshall) wrote :

To be clear, I'm using the following variables:

OS_AUTH_URL=http://keystone:35357/v3
OS_USERNAME=username
OS_PASSWORD=password
OS_REGION_NAME=region
OS_USER_DOMAIN_NAME=user_domain
OS_PROJECT_NAME=user
OS_PROJECT_DOMAIN_NAME=default
API_VERSION=3
OS_IDENTITY_API_VERSION=3

And when doing domain auth, replace OS_PROJECT_NAME with OS_DOMAIN_NAME=user_domain and drop OS_PROJECT_DOMAIN_NAME.

Revision history for this message
Liam Young (gnuoy) wrote :
Revision history for this message
Steve Baker (steve-stevebaker) wrote :

The openstack deployment tool you used is not setting up the endpoints correctly for endpoints which require tenants in the path - if you used a particular deployment tool this bug should be raised there.

Changed in python-heatclient:
status: New → Invalid
Revision history for this message
Billy Olsen (billy-olsen) wrote :

Based on Brad's comment in #9, there were actions that were missing for the openstack orchestration service. I believe this to no longer be a valid bug, therefore I'm marking remaining tasks as invalid.

Changed in python-openstackclient:
status: New → Invalid
Changed in keystone:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.