devstack won't install with http_proxy set

If you set http_proxy, then the keystone CLI appears to respect it. That means that connections intended for the local endpoint go to the proxy and then go wrong.

Further to this, the first failed connections are in keystone_data.sh - but since it doesn't picl up on any problem, the script continues and crashes much later than that with something that appears to be a glance error:

++ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec-kernel --public --container-format aki --disk-format aki
++ get_field 2
++ read data
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
+ KERNEL_ID=
+ '[' -n /home/localadmin/devstack/files/images/cirros-0.3.0-x86_64-uec/cirros-0.3.0-x86_64-initrd ']'
++ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec-ramdisk --public --container-format ari --disk-format ari
++ grep ' id '
++ get_field 2
++ read data
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
+ RAMDISK_ID=
+ glance --os-auth-token --os-image-url http://4.0.0.15:9292 image-create --name cirros-0.3.0-x86_64-uec --public --container-format ami --disk-format ami
usage: glance [--os-username OS_USERNAME] [--os-password OS_PASSWORD]
              [--os-tenant-id OS_TENANT_ID] [--os-tenant-name OS_TENANT_NAME]
              [--os-auth-url OS_AUTH_URL] [--os-region-name OS_REGION_NAME]
              [--os-auth-token OS_AUTH_TOKEN] [--os-image-url OS_IMAGE_URL]
              [--os-image-api-version OS_IMAGE_API_VERSION]
              [--os-service-type OS_SERVICE_TYPE]
glance: error: argument --os-auth-token: expected one argument
++ failed
++ local r=2
++ set +o xtrace

The more useful keystone errors are:

    No handlers could be found for logger "keystoneclient.client"
    Unable to communicate with identity service: (502, 'Cannot Connect'). (HTTP 400)

(repeated as it adds users, and tenants, then)

    usage: keystone user-role-add --user_id <user-id> --role_id <role-id>
                                  [--tenant_id <tenant-id>]
    keystone user-role-add: error: argument --user_id: expected one argument

(repeated as it tries to set up things using '' for the ID, because the previous failures didn't kill the script)

The following patch makes it work for me:

diff --git a/stack.sh b/stack.sh
index a9cec3f..4d46b80 100755
@@ -1951,13 +1951,13 @@ if is_service_enabled key; then
     fi

     # keystone_data.sh creates services, admin and demo users, and roles.
- SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+ http_proxy= https_proxy= SERVICE_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUT
     ADMIN_PASSWORD=$ADMIN_PASSWORD SERVICE_TENANT_NAME=$SERVICE_TENANT_NAME SERVICE_PASSWORD=$SERVICE_PAS
         bash $FILES/keystone_data.sh

     # create an access key and secret key for nova ec2 register image
     if is_service_enabled swift && is_service_enabled nova; then
- CREDS=$(keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os_password=$SERVICE_PASSWO
+ CREDS=$(http_proxy= https_proxy= keystone --os_auth_url=$SERVICE_ENDPOINT --os_username=nova --os
         ACCESS_KEY=$(echo "$CREDS" | awk '/ access / { print $4 }')
         SECRET_KEY=$(echo "$CREDS" | awk '/ secret / { print $4 }')
         add_nova_opt "s3_access_key=$ACCESS_KEY"
@@ -2033,7 +2033,7 @@ if is_service_enabled g-reg; then

     ADMIN_USER=admin
     ADMIN_TENANT=admin
- TOKEN=$(keystone --os_tenant_name $ADMIN_TENANT --os_username $ADMIN_USER --os_password $ADMIN_PASSWO
+ TOKEN=$(http_proxy= https_proxy= keystone --os_tenant_name $ADMIN_TENANT --os_username $ADMIN_USER --

     # Option to upload legacy ami-tty, which works with xenserver
     if [[ -n "$UPLOAD_LEGACY_TTY" ]]; then

[ Additional notes: I've no idea how to make this work nicely if you truly do have a remote keystone server accessible via a proxy. And it appears that only the keystone client is actually affected by http_proxy, which is odd. ]