Hi,
Latest version of mirantis/fuel, https://software.mirantis.com/quick-start/ followed, nodes up and running, instances can be created etc.
We use a RedHat machine with the latest clients, connected to the 172.16. network.
Env:
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=admin
export OS_AUTH_URL="http://172.16.0.2:5000/v2.0/"
This does not allow running certain commands against keystone:
$ keystone --debug user-list
DEBUG:keystoneclient.session:REQ: curl -i -X POST http://172.16.0.2:5000/v2.0/tokens -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -d '{"auth": {"tenantName": "admin", "passwordCredentials": {"username": "admin", "password": "admin"}}}'
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 172.16.0.2
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 3058
DEBUG:keystoneclient.session:RESP: [200] {'date': 'Thu, 28 Aug 2014 10:48:10 GMT', 'content-type': 'application/json', 'content-length': '3058', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2014-08-28T10:48:10.397185", "expires": "2014-08-28T11:48:10Z", "id": "f7e3f6ea9909478eaa7f223a98403f30", "tenant": {"description": "admin tenant", "enabled": true, "id": "4b89376d32d942dd8b2682787a4d8450", "name": "admin"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://192.168.0.1:8774/v2/4b89376d32d942dd8b2682787a4d8450", "region": "RegionOne", "internalURL": "http://192.168.0.1:8774/v2/4b89376d32d942dd8b2682787a4d8450", "id": "2771b8033d7c48e98b32cb8122115110", "publicURL": "http://172.16.0.2:8774/v2/4b89376d32d942dd8b2682787a4d8450"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://192.168.0.1:9696", "region": "RegionOne", "internalURL": "http://192.168.0.1:9696", "id": "43ecf8cab6f3483e819d15160b84d9b1", "publicURL": "http://172.16.0.2:9696"}], "endpoints_links": [], "type": "network", "name": "neutron"}, {"endpoints": [{"adminURL": "http://192.168.0.1:9292", "region": "RegionOne", "internalURL": "http://192.168.0.1:9292", "id": "4c30ab87aa524f83b60fa4a6f0a7a418", "publicURL": "http://172.16.0.2:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://192.168.0.1:8777", "region": "RegionOne", "internalURL": "http://192.168.0.1:8777", "id": "251618fbbd8a4037a7af44e3bdee8b58", "publicURL": "http://172.16.0.2:8777"}], "endpoints_links": [], "type": "metering", "name": "ceilometer"}, {"endpoints": [{"adminURL": "http://192.168.0.1:8776/v1/4b89376d32d942dd8b2682787a4d8450", "region": "RegionOne", "internalURL": "http://192.168.0.1:8776/v1/4b89376d32d942dd8b2682787a4d8450", "id": "a6f59b9ca8d5449988df4295b4aa199b", "publicURL": "http://172.16.0.2:8776/v1/4b89376d32d942dd8b2682787a4d8450"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://192.168.0.1:8773/services/Admin", "region": "RegionOne", "internalURL": "http://192.168.0.1:8773/services/Cloud", "id": 
"44b528d6b7b44e1f809b7516586214d0", "publicURL": "http://172.16.0.2:8773/services/Cloud"}], "endpoints_links": [], "type": "ec2", "name": "nova_ec2"}, {"endpoints": [{"adminURL": "http://192.168.0.1:8004/v1/4b89376d32d942dd8b2682787a4d8450", "region": "RegionOne", "internalURL": "http://192.168.0.1:8004/v1/4b89376d32d942dd8b2682787a4d8450", "id": "6aeade3902064f8b88e7521b6f534c53", "publicURL": "http://172.16.0.2:8004/v1/4b89376d32d942dd8b2682787a4d8450"}], "endpoints_links": [], "type": "orchestration", "name": "heat"}, {"endpoints": [{"adminURL": "http://192.168.0.1:35357/v2.0", "region": "RegionOne", "internalURL": "http://192.168.0.1:5000/v2.0", "id": "2bf12e387cf24bd19e84b8dffe1a20fc", "publicURL": "http://172.16.0.2:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "66da4c2bf8d640e1817bc17344d19806", "roles": [{"name": "_member_"}, {"name": "admin"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["9fe2ff9ee4384b1894a90878d3e92bab", "ef294954a9374443831bc909c4d94e78"]}}}
DEBUG:iso8601.iso8601:Parsed 2014-08-28T11:48:10Z into {'tz_sign': None, 'second_fraction': None, 'hour': u'11', 'daydash': u'28', 'tz_hour': None, 'month': None, 'timezone': u'Z', 'second': u'10', 'tz_minute': None, 'year': u'2014', 'separator': u'T', 'monthdash': u'08', 'day': None, 'minute': u'48'} with default timezone <iso8601.iso8601.Utc object at 0x7d8b90>
DEBUG:iso8601.iso8601:Got u'2014' for 'year' with default None
DEBUG:iso8601.iso8601:Got u'08' for 'monthdash' with default 1
DEBUG:iso8601.iso8601:Got 8 for 'month' with default 8
DEBUG:iso8601.iso8601:Got u'28' for 'daydash' with default 1
DEBUG:iso8601.iso8601:Got 28 for 'day' with default 28
DEBUG:iso8601.iso8601:Got u'11' for 'hour' with default None
DEBUG:iso8601.iso8601:Got u'48' for 'minute' with default None
DEBUG:iso8601.iso8601:Got u'10' for 'second' with default None
DEBUG:keystoneclient.session:REQ: curl -i -X GET http://192.168.0.1:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: f7e3f6ea9909478eaa7f223a98403f30"
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 192.168.0.1
Unable to establish connection to http://192.168.0.1:35357/v2.0/users
>> Even though the first REQ is OK against 172.16., there is a second request to 192.168, which is not a public endpoint and thus cannot be reached.
But it will work OK with other commands, like keystone catalog, discover, token-get ...
--------------------------------
If, instead of using credentials, we use the admin token:
export SERVICE_TOKEN=J7frMTFf
export SERVICE_ENDPOINT=http://172.16.0.2:35357/v2.0/
Commands that worked before now fail:
[root@ms1 ~]# keystone token-get
'NoneType' object has no attribute 'has_service_catalog'
[root@ms1 ~]# keystone --debug discover
DEBUG:keystoneclient.session:REQ: curl -i -X GET http://localhost:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO:urllib3.connectionpool:Starting new HTTP connection (1): localhost
ERROR:keystoneclient.generic.client:Unable to establish connection to http://localhost:35357
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/keystoneclient/generic/client.py", line 88, in _check_keystone_versions
'application/json'})
File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 563, in request
resp = super(HTTPClient, self).request(url, method, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/baseclient.py", line 21, in request
return self.session.request(url, method, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/utils.py", line 324, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/session.py", line 260, in request
resp = self._send_request(url, method, redirect, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/session.py", line 294, in _send_request
raise exceptions.ConnectionRefused(msg)
ConnectionRefused: Unable to establish connection to http://localhost:35357
DEBUG:keystoneclient.session:REQ: curl -i -X GET https://localhost:35357 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): localhost
ERROR:keystoneclient.generic.client:Unable to establish connection to https://localhost:35357
Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/keystoneclient/generic/client.py", line 88, in _check_keystone_versions
'application/json'})
File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 563, in request
resp = super(HTTPClient, self).request(url, method, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/baseclient.py", line 21, in request
return self.session.request(url, method, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/utils.py", line 324, in inner
return func(*args, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/session.py", line 260, in request
resp = self._send_request(url, method, redirect, **kwargs)
File "/usr/lib/python2.6/site-packages/keystoneclient/session.py", line 294, in _send_request
raise exceptions.ConnectionRefused(msg)
ConnectionRefused: Unable to establish connection to https://localhost:35357
No Keystone-compatible endpoint found
But one of the commands that did not work before (user-list) now works:
[root@ms1 ~]# keystone --debug user-list
DEBUG:keystoneclient.session:REQ: curl -i -X GET http://172.16.0.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: J7frMTFf"
INFO:urllib3.connectionpool:Starting new HTTP connection (1): 172.16.0.2
DEBUG:urllib3.connectionpool:"GET /v2.0/users HTTP/1.1" 200 1387
DEBUG:keystoneclient.session:RESP: [200] {'date': 'Thu, 28 Aug 2014 14:03:48 GMT', 'content-type': 'application/json', 'content-length': '1387', 'vary': 'X-Auth-Token'}
RESP BODY: {"users": [{"username": "heat", "name": "heat", "id": "24911c43d0654280b27f7cf4e5f687b5", "enabled": true, "email": "<email address hidden>", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "cinder", "name": "cinder", "id": "434b810aaeea449aabed39a56ef48245", "enabled": true, "email": "cinder@localhost", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "ceilometer", "name": "ceilometer", "id": "468215ef59854a97bd1a9364858fd78c", "enabled": true, "email": "ceilometer@localhost", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "glance", "name": "glance", "id": "5def323031d2428fbe0748ae71aafa98", "enabled": true, "email": "glance@localhost", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "admin", "name": "admin", "id": "66da4c2bf8d640e1817bc17344d19806", "enabled": true, "email": "<email address hidden>", "tenantId": "4b89376d32d942dd8b2682787a4d8450"}, {"username": "nova", "name": "nova", "id": "6fd1b5d0b7db41cca56ef155f8f58773", "enabled": true, "email": "nova@localhost", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "neutron", "name": "neutron", "id": "a70cc4723eb9468d8fc16292b1d81360", "enabled": true, "email": "neutron@localhost", "tenantId": "27bf657e0bc942a1bdaff162675fdc31"}, {"username": "litp", "name": "litp", "enabled": true, "email": "<email address hidden>", "id": "c21f0baccfaa49668d05c64e739a3753"}]}
+----------------------------------+------------+---------+----------------------+
| id | name | enabled | email |
+----------------------------------+------------+---------+----------------------+
| 66da4c2bf8d640e1817bc17344d19806 | admin | True | <email address hidden> |
| 468215ef59854a97bd1a9364858fd78c | ceilometer | True | ceilometer@localhost |
| 434b810aaeea449aabed39a56ef48245 | cinder | True | cinder@localhost |
| 5def323031d2428fbe0748ae71aafa98 | glance | True | glance@localhost |
| 24911c43d0654280b27f7cf4e5f687b5 | heat | True | <email address hidden> |
| c21f0baccfaa49668d05c64e739a3753 | litp | True | <email address hidden> |
| a70cc4723eb9468d8fc16292b1d81360 | neutron | True | neutron@localhost |
| 6fd1b5d0b7db41cca56ef155f8f58773 | nova | True | nova@localhost |
+----------------------------------+------------+---------+----------------------+
--------------------------------
Last, setting both credentials and service_token:
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=admin
export OS_AUTH_URL="http://172.16.0.2:5000/v2.0/"
export SERVICE_TOKEN=J7frMTFf
export SERVICE_ENDPOINT=http://172.16.0.2:35357/v2.0/
This will make non-keystone services work (nova, cinder), but some keystone commands will still not work:
[root@ms1 ~]# keystone catalog
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
'NoneType' object has no attribute 'has_service_catalog'
We have 3 different mirantis/fuel deployments, with variations in networking, and we see similar behaviour in all of them.
Somehow the admin credentials are not working with keystone using remote clients.
Workaround is to keep switching between credentials/admin_token, depending on the cli.
Related bug opened against keystone: https://bugs.launchpad.net/keystone/+bug/1362630
Thanks!!!
Endpoints:
[root@node-1 tmp]# keystone endpoint-list
+----------------------------------+-----------+-----------------------------------------+------------------------------------------+------------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+-----------------------------------------+------------------------------------------+------------------------------------------+----------------------------------+
| 3109aec7633f4def8d33f558522a2bb6 | RegionOne | http://172.16.0.2:8004/v1/%(tenant_id)s | http://192.168.0.1:8004/v1/%(tenant_id)s | http://192.168.0.1:8004/v1/%(tenant_id)s | a605cbfa1f3248198a309f94f67ac8a8 |
| 5054e540d48241569be9b193135b9693 | RegionOne | http://172.16.0.2:9292 | http://192.168.0.1:9292 | http://192.168.0.1:9292 | d7599225d26a403e9e738d909b5b4726 |
| 6e0d9794a25f466d97a4607327d19673 | RegionOne | http://172.16.0.2:8777 | http://192.168.0.1:8777 | http://192.168.0.1:8777 | cedee33840bb457e94cacdef8e167d12 |
| 726e6479f8fa483180153adfa235cc1c | RegionOne | http://172.16.0.2:5000/v2.0 | http://192.168.0.1:5000/v2.0 | http://192.168.0.1:35357/v2.0 | 39af888b0ae840b0865490776eaf18e3 |
| 7a87dd44b470484a925f2c9d3a3b993a | RegionOne | http://172.16.0.2:8774/v2/%(tenant_id)s | http://192.168.0.1:8774/v2/%(tenant_id)s | http://192.168.0.1:8774/v2/%(tenant_id)s | e756e858792849fbbfc2de5d67eae361 |
| ac8cc4170c5948feb9fdb5c2555dc473 | RegionOne | http://172.16.0.2:9696 | http://192.168.0.1:9696 | http://192.168.0.1:9696 | 8b2ed390b10b47db9e82f0feffafa266 |
| db61321b69154407817c74801334c2f8 | RegionOne | http://172.16.0.2:8773/services/Cloud | http://192.168.0.1:8773/services/Cloud | http://192.168.0.1:8773/services/Admin | a681dcf28a644ec9b0875892723644a7 |
| e47c4c41210e495b84e0d42a00c1796d | RegionOne | http://172.16.0.2:8776/v1/%(tenant_id)s | http://192.168.0.1:8776/v1/%(tenant_id)s | http://192.168.0.1:8776/v1/%(tenant_id)s | 3575d428a77843a9aa0a8e45db800a79 |
+----------------------------------+-----------+-----------------------------------------+------------------------------------------+------------------------------------------+----------------------------------+
As I remember, some keystone calls can be executed only through the administrative keystone port (35357).
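An added diagnostic, not part of the original report or of python-keystoneclient: it reads a trimmed, constructed copy of the service catalog from the token response above and lists every endpoint URL that lies outside the client's network, which is where the admin-port request for user-list ends up. The 172.16.0.0/16 client network and the function name are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the "serviceCatalog" from the token
# response in the report (two services, endpoint ids and region omitted).
SAMPLE_CATALOG = json.loads("""
[
  {"type": "identity", "name": "keystone", "endpoints": [{
     "publicURL": "http://172.16.0.2:5000/v2.0",
     "internalURL": "http://192.168.0.1:5000/v2.0",
     "adminURL": "http://192.168.0.1:35357/v2.0"}]},
  {"type": "compute", "name": "nova", "endpoints": [{
     "publicURL": "http://172.16.0.2:8774/v2/4b89376d32d942dd8b2682787a4d8450",
     "internalURL": "http://192.168.0.1:8774/v2/4b89376d32d942dd8b2682787a4d8450",
     "adminURL": "http://192.168.0.1:8774/v2/4b89376d32d942dd8b2682787a4d8450"}]}
]
""")

INTERFACES = ("publicURL", "internalURL", "adminURL")


def off_network_endpoints(catalog, client_networks):
    """Return (service, interface, url) for every catalog URL whose host
    is not inside one of the networks the client can route to."""
    nets = [ipaddress.ip_network(n) for n in client_networks]
    findings = []
    for service in catalog:
        for endpoint in service.get("endpoints", []):
            for interface in INTERFACES:
                url = endpoint.get(interface)
                if not url:
                    continue
                try:
                    addr = ipaddress.ip_address(urlparse(url).hostname)
                except ValueError:
                    # Hostname instead of an IP literal: cannot be judged
                    # offline, so report it for manual checking.
                    findings.append((service["name"], interface, url))
                    continue
                if not any(addr in net for net in nets):
                    findings.append((service["name"], interface, url))
    return findings


if __name__ == "__main__":
    # Assumption: the remote client only routes to 172.16.0.0/16.
    for name, interface, url in off_network_endpoints(SAMPLE_CATALOG, ["172.16.0.0/16"]):
        print(f"{name:10} {interface:12} {url}")
```

Run against the full catalog from a token response, any adminURL it reports is one that admin-only calls from that client cannot reach.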