devstack won't install with http_proxy set

Bug #1015705 reported by Ian Wells on 2012-06-20
28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
devstack
Low
Unassigned

Bug Description

If you set http_proxy, then the keystone CLI appears to respect it. That means that connections intended for the local endpoint go to the proxy and then go wrong.

Further to this, the first failed connections are in keystone_data.sh - but since it doesn't picl up on any problem, the script continues and crashes much later than that with something that appears to be a glance error:

++ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec-kernel --public --container-format aki --disk-format aki
++ get_field 2
++ read data
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
+ KERNEL_ID=
+ '[' -n /home/localadmin/devstack/files/images/cirros-0.3.0-x86_64-uec/cirros-0.3.0-x86_64-initrd ']'
++ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec-ramdisk --public --container-format ari --disk-format ari
++ grep ' id '
++ get_field 2
++ read data
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
+ RAMDISK_ID=
+ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec --public --container-format ami --disk-format ami
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
++ failed
++ local r=2
++ set +o xtrace

The more useful keystone errors are:

    No handlers could be found for logger "keystoneclient.client"
    Unable to communicate with identity service: (502, 'Cannot Connect'). (HTTP 400)

(repeated as it adds users, and tenants, then)

    usage: keystone user-role-add --user_id <user-id> --role_id <role-id>
                                  [--tenant_id <tenant-id>]
    keystone user-role-add: error: argument --user_id: expected one argument

(repeated as it tries to set up things using '' for the ID, because the previous failures didn't kill the script)

The following patch makes it work for me:

diff --git a/stack.sh b/stack.sh
index a9cec3f..4d46b80 100755
@@ -1951,13 +1951,13 @@ if is_service_enabled key; then
     fi

     # keystone_data.sh creates services, admin and demo users, and roles.
- SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+ http_proxy= https_proxy= SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUT
     ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PAS
         bash $FILES/keystone_data.sh

     # create an access key and secret key for nova ec2 register image
     if is_service_enabled swift && is_service_enabled nova; then
- CREDS=$(keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os_password=$SERVICE_PASSWO
+ CREDS=$(http_proxy= https_proxy= keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os
         ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
         SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
         add_nova_opt "s3_access_key=$ACCESS_KEY"
@@ -2033,7 +2033,7 @@ if is_service_enabled g-reg; then

     ADMIN_USER=admin
     ADMIN_TENANT=admin
- TOKEN=$(keystone --os_tenant_name $ADMIN_TENANT --os_username $ADMIN_USER --os_password $ADMIN_PASSWO
+ TOKEN=$(http_proxy= https_proxy= keystone --os_tenant_name $ADMIN_TENANT --os_username $ADMIN_USER --

     # Option to upload legacy ami-tty, which works with xenserver
     if [[ -n "$UPLOAD_LEGACY_TTY" ]]; then

[ Additional notes: I've no idea how to make this work nicely if you truly do have a remote keystone server accessible via a proxy. And it appears that only the keystone client is actually affected by http_proxy, which is odd. ]

Dean Troyer (dtroyer) on 2012-06-21
Changed in devstack:
importance: Undecided → Low
Ian Wells (ijw-ubuntu) wrote :

It's worse now - I think everything respects http_proxy rather than just keystone. I have a patch which I will put up when time allows.

yilong (yilongx-y-sun) wrote :

I have had the same problem , and do "unset http_proxy" , it will be ok.

xu hongna (hongnax-xu) wrote :

if unset http_proxy, will encounter another problem which is on https://bugs.launchpad.net/devstack/+bug/1092783, i met it on ubuntu12.10 ubunt11.10 and fedora17, they are all vitual machines.

Simon Pasquier (simon-pasquier) wrote :

I solved the issue by setting the 'no_proxy' variable with the main IP address of the devstack machine.

Michael Beumer (mi-beumer) wrote :

I had the same Error. And the Work A Round works. Thanks Simon.

Dean Troyer (dtroyer) wrote :

I believe the workaround mentioned by Simon is the appropriate solution for handling proxies in general.

Changed in devstack:
status: New → Invalid
Changed in devstack:
status: Invalid → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers