This issue was posted to openstack-operators, where some responders said they were unable to duplicate the problem, and that's a big concern of mine. If it is a misconfiguration of my cluster, I still want to understand what went wrong and how to fix it, because this is a pretty serious problem. To shed a little light on our installation procedure, what we do is we provision our bare metal using xCAT, after which we apply RPM packages from the CentOS Cloud repo (http://mirror.centos.org/centos/7/cloud/x86_64/openstack-queens/) and configure services strictly according to the openstack docs (e.g. https://docs.openstack.org/glance/queens/install/install-rdo.html). We tweak the config files to use HTTPS and speak to our endpoints, etc, but there is really nothing exotic about our setup. We were running glance under uwsgi, behind apache+mod_proxy, but as part of our troubleshooting we reverted to using the openstack-glance-api systemd unit file that launches the old python2 eventlet -- there was no change in the exhibited behavior though.
This issue was posted to openstack- operators, where some responders said they were unable to duplicate the problem, and that's a big concern of mine. If it is a misconfiguration of my cluster, I still want to understand what went wrong and how to fix it, because this is a pretty serious problem. To shed a little light on our installation procedure, what we do is we provision our bare metal using xCAT, after which we apply RPM packages from the CentOS Cloud repo (http:// mirror. centos. org/centos/ 7/cloud/ x86_64/ openstack- queens/) and configure services strictly according to the openstack docs (e.g. https:/ /docs.openstack .org/glance/ queens/ install/ install- rdo.html). We tweak the config files to use HTTPS and speak to our endpoints, etc, but there is really nothing exotic about our setup. We were running glance under uwsgi, behind apache+mod_proxy, but as part of our troubleshooting we reverted to using the openstack- glance- api systemd unit file that launches the old python2 eventlet -- there was no change in the exhibited behavior though.
This is our /etc/glance/ glance- api.conf:
[DEFAULT] direct_ url = true locations = true glance/ images/ image-cache /var/lib/ glance/ images/ tmp /keystone. gpcprod: 5000/v3 socket_ timeout = 900 ssl/glance. pem ssl/glance. key glance/ api.log //user@ <email address hidden> :5671,user: <email address hidden> :5671,user: <email address hidden>:5671/
show_image_
show_multiple_
location_strategy = store_type
enable_v1_api = false
enable_v2_api = true
enable_v1_registry = false
image_cache_dir = /var/lib/
node_staging_uri = file://
use_user_token = true
auth_url = https:/
bind_host = 10.2.3.123
bind_port = 9292
workers = 6
http_keepalive = true
client_
backlog = 4096
cert_file = /etc/glance/
key_file = /etc/glance/
debug = true
log_file = /var/log/
log_dir = /var/log/glance
use_syslog = False
publish_errors = true
syslog_log_facility = LOG_USER
transport_url = rabbit:
[cors]
[database] //glance: <email address hidden>/glance recycle_ time=200
connection = mysql+pymysql:
connection_
[glance_store] certificates_ file = /etc/openldap/ cacerts/ gpcprod_ root_ca. pem cinderv3: publicURL os_region_ name = RegionOne ca_certificates _file = /etc/openldap/ cacerts/ gpcprod_ root_ca. pem store_metadata_ file = /etc/glance/ metadata. json store_datadir = /var/lib/ glance/ images store_file_ perm = 0644 name=RegionOne
stores = file,http
default_store = file
https_ca_
https_insecure = false
cinder_catalog_info = volumev3:
cinder_
cinder_
cinder_api_insecure = false
filesystem_
filesystem_
filesystem_
os_region_
[image_format] aki,bare, ovf,ova aki,vhd, vmdk,raw, qcow2,vdi, iso
container_formats = ami,ari,
disk_formats = ami,ari,
[keystone_ authtoken] /keystone. gpcprod: 5000/v3 /keystone. gpcprod: 5000/v3 cacerts/ gpcprod_ root_ca. pem 117:11211, 10.2.3. 118:11211, 10.2.3. 119:11211 cache_time = 1800 security_ strategy = None pool_dead_ retry = 300 pool_socket_ timeout = 3 XXXXXXXXXXXXXX /keystone. gpcprod: 5000/v3
auth_uri = https:/
auth_url = https:/
cafile = /etc/openldap/
insecure = false
region_name = RegionOne
memcached_servers = 10.2.3.
token_cache_time = 1800
revocation_
memcache_
memcache_
memcache_
auth_type=password
username = glance
password = XXXXXXXXXXXXXXX
project_domain_name = default
user_domain_name = default
project_name = service
identity_uri=https:/
[matchmaker_redis] _amqp] _kafka] _notifications]
[oslo_concurrency]
[oslo_messaging
[oslo_messaging
[oslo_messaging
driver = messagingv2
topics = notifications
[oslo_messaging _rabbit] ssl/rabbitmq. key ssl/rabbitmq. pem cacerts/ gpcprod_ root_ca. pem timeout_ threshold = 0 persistence = false notification_ exchange = ${control_ exchange} _notification listener_ prefetch_ count = 100 notification_ retry_attempts = -1 retry_delay = 0.25 expiration = 60 rpc_exchange = ${control_ exchange} _rpc exchange} _rpc_reply prefetch_ count = 100 listener_ prefetch_ count = 100 retry_attempts = -1 retry_delay = 0.25 rpc_retry_ attempts = -1 notification_ exchange= glance notification_ topic=notificat ions
amqp_durable_queues = false
ssl_version = TLSv1_2
ssl_key_file = /etc/glance/
ssl_cert_file = /etc/glance/
ssl_ca_file = /etc/openldap/
ssl = true
rabbit_login_method = AMQPLAIN
rabbit_ha_queues = true
heartbeat_
heartbeat_rate = 2
notification_
default_
notification_
default_
notification_
rpc_queue_
default_
rpc_reply_exchange = ${control_
rpc_listener_
rpc_reply_
rpc_reply_
rpc_reply_
default_
rabbit_
rabbit_
[oslo_messaging _zmq]
[oslo_middleware]
[oslo_policy]
policy_file = policy.json
enforce_scope = true
policy_default_rule = default
[paste_deploy] type_location_ strategy] preference = file,http
[profiler]
[store_
store_type_
[task]
[taskflow_executor]