2017-05-31 22:55:35 |
Bruce Basil Mathews |
description |
Juniper confirmed with their Engineering team that this issue (admin credentials in /etc/contrail/contrail-keystone-auth.conf file ) should be fixed by Mirantis. Its a Fuel provisioning issue. Please request their support team to raise a bug with their engineering.
MOS versions tested: MOS 8.0 -> MOS 9.2
OS: Ubuntu 14.04 and 16.04
Network Model: OpenContrail/Contrail
Deploy a cloud with the OpenContrail or Contrail Plugin and change the 'admin' password. The deployment will fail as the credentials in /etc/contrail/contrail-keystone-auth.conf file are not updated to reflect the change.
Workaround: Edit the /etc/contrail/contrail-keystone-auth.conf manually and change the password to reflect the new password. |
Juniper confirmed with their Engineering team that this issue (admin credentials in /etc/contrail/contrail-keystone-auth.conf file ) should be fixed by Mirantis. Its a Fuel provisioning issue. Please request their support team to raise a bug with their engineering.
MOS versions tested: MOS 8.0 -> MOS 9.2 -> Affects keystone v3 only.
OS: Ubuntu 14.04 and 16.04
Network Model: OpenContrail/Contrail
Deploy a cloud with the OpenContrail or Contrail Plugin and change the 'admin' password. The deployment will fail as the credentials in /etc/contrail/contrail-keystone-auth.conf file are not updated to reflect the change.
Workaround: Edit the /etc/contrail/contrail-keystone-auth.conf manually and change the password to reflect the new password.
The issue is only when using keystone v3, using v2 with local users works fine.
When using v3 project, user in Contrail UI with admin rights can’t create network or create router.
User can create network in horizon then edit network in contrail UI to add route-targets, policies etc
User can add router in horizon, but can’t bind interface to router (error is given that domain and project don’t exist). After viewing the Security Group for the project (only need to view it no changes need to be made), then you can bind interface to router. Everything appears to work fine after that.
The default keystone config on the contrail config node after deployment is using the services tenant and neutron user. Note this wasn’t a problem in MOS9 with Contrail 3.1, I don’t have this setup anymore to compare if the .conf file is the same or not. There seems to be some v3 domain changes from 3.1 to 3.2 and I suspect that is the difference.
# default .conf file on contrail config node
admin_tenant_name=services
admin_user=neutron
admin_password=<removed>
Changing this to the admin user/tenant and adding v3 auth url (all changes in bold) then restarting contrail fixes all the above issues.
root@contrail1:~# more /etc/contrail/contrail-keystone-auth.conf
[KEYSTONE]
auth_url=http://192.168.0.2:35357/v3
auth_host=192.168.0.2
#admin_tenant_name=services
auth_port=35357
#admin_user=neutron
auth_protocol=http
insecure=True
#admin_password=<removed>
memcache_servers=127.0.0.1:11211
admin_user=admin
admin_password=<removed>
admin_tenant_name=admin |
|