Canonical Juju

juju bootstrap failed on openstack because of security groups

Bug #1881937 reported by Alexander Jelinek on 2020-06-03

This bug report is a duplicate of: Bug #1806985: Juju might not be recognzing some OpenStack environment variables (see comments). Edit Remove

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Incomplete	Undecided	Unassigned

Bug Description

Created an image stream according to the instructions (https://juju.is/docs/cloud-image-metadata#heading--create-image-metadata-with-juju) and tried to create a juju controller with the following parameters.

juju bootstrap myopenstack mycontroller --debug --config network=<network-id-vxlan> --config external-network=<network-id> --config use-floating-ip=true --metadata-source=~/simplestreams/images

I get the following error message.

18:52:50 ERROR juju.cmd.juju.commands bootstrap.go:776 failed to bootstrap model: cannot start bootstrap instance: cannot set up groups: failed to create a security group with name: juju-47468ac6-71e8-4aa0-83dc-facf398fb649-373f4fc8-ee94-431f-8a7e-d506b815200e
caused by: request (https://neutron.wgs-wnd-01.lkw-walter.com:9696/v2.0/security-groups) returned unexpected status: 400; error info: {"NeutronError": {"type": "HTTPBadRequest", "message": "Running without keystone AuthN requires that tenant_id is specified", "detail": ""}}

Setting the domain-name field in credentials.yaml to zero did not help in this case and also adding the "--config use-default-secgroup=true" doesn't. I use juju in version 2.7.6.

Revision history for this message

Pen Gale (pengale) wrote on 2020-06-08:

Can you create machines, view endpoints, create networks, create security groups, and do other things w/ your openstack cli client on this OpenStack? This could be Juju mishandling a specific configuration of Keystone et al, or it could be an underlying configuration or credential issue in OpenStack.

Pen Gale (pengale) on 2020-08-27

Changed in juju:
status:	New → Incomplete

Revision history for this message

Przemyslaw Hausman (phausman) wrote on 2020-10-06:

juju-bootstrap.txt Edit (116.7 KiB, text/plain)

Download full text (4.5 KiB)

I'm hitting the same error with juju 2.7.8-bionic-amd64.

I'm using the cloud admin account, who is able to perform all actions in OpenStack.

ubuntu@ob80:~/deploy/ussuri/ovn-noha$ . generated/openstack/novarc

ubuntu@ob80:~/deploy/ussuri/ovn-noha$ env | grep OS_
OS_AUTH_URL=http://172.27.80.29:5000/v3
OS_DOMAIN_NAME=admin_domain
OS_REGION_NAME=RegionOne
OS_PROJECT_NAME=admin
OS_PROJECT_DOMAIN_NAME=admin_domain
OS_USER_DOMAIN_NAME=admin_domain
OS_IDENTITY_API_VERSION=3
OS_TENANT_NAME=admin
OS_AUTH_TYPE=password
OS_INTERFACE=public
OS_PASSWORD=<redacted>
OS_USERNAME=admin

ubuntu@ob80:~/deploy/ussuri/ovn-noha$ juju bootstrap --debug --logging-config="<root>=TRACE" --metadata-source /tmp/tmp/simplestreams openstack juju-openstack-controller
[...]
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/networks
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/security-groups?name=juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/security-groups
18:16:00 ERROR juju.cmd.juju.commands bootstrap.go:776 failed to bootstrap model: cannot start bootstrap instance: cannot set up groups: failed to create a security group with name: juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
caused by: request (http://neutron.orange.box:9696/v2.0/security-groups) returned unexpected status: 400; error info: {"NeutronError": {"type": "HTTPBadRequest", "message": "Running without keystone AuthN requires that tenant_id is specified", "detail": ""}}
18:16:00 DEBUG juju.cmd.juju.commands bootstrap.go:777 (error details: [{/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/commands/bootstrap.go:851: failed to bootstrap model} {/build/juju/parts/juju/go/src/github.com/juju/juju/environs/bootstrap/bootstrap.go:611: } {/build/juju/parts/juju/go/src/github.com/juju/juju/environs/bootstrap/bootstrap.go:519: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/common/bootstrap.go:57: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/common/bootstrap.go:227: cannot start bootstrap instance} {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/provider.go:1230: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/provider.go:1230: cannot set up groups} {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/firewaller.go:469: } {failed to create a security group with name: juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
caused by: request (http://neutron.orange.box:9696/v2.0/security-groups) returned unexpected status: 400; error info: {"NeutronError": {"type": "HTTPBadRequest", "message": "Running without keystone AuthN requires that tenant_id is specified", "detail": ""}}}])
18:16:00 DEBUG juju.cmd.juju.commands bootstrap.go:1422 cleaning up after failed bootstrap

See full log attached.

This is what I can see in the neutron-api's neutron-server.log:

2020-10-06 18:27:33.270 848 INFO neutron.wsgi [req-2bd179e9-9b48-4087-b3ee-0d63b822fccc 7cb6bcd1...

I'm hitting the same error with juju 2.7.8-bionic-amd64.

I'm using the cloud admin account, who is able to perform all actions in OpenStack.

ubuntu@ob80:~/deploy/ussuri/ovn-noha$ . generated/openstack/novarc

ubuntu@ob80:~/deploy/ussuri/ovn-noha$ juju bootstrap --debug --logging-config="<root>=TRACE"   --metadata-source /tmp/tmp/simplestreams   openstack juju-openstack-controller
[...]
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/networks
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/security-groups?name=juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
18:16:00 TRACE goose client.go:352 MakeServiceURL: http://neutron.orange.box:9696/v2.0/security-groups
18:16:00 ERROR juju.cmd.juju.commands bootstrap.go:776 failed to bootstrap model: cannot start bootstrap instance: cannot set up groups: failed to create a security group with name: juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
caused by: request (http://neutron.orange.box:9696/v2.0/security-groups) returned unexpected status: 400; error info: {"NeutronError": {"type": "HTTPBadRequest", "message": "Running without keystone AuthN requires that tenant_id is specified", "detail": ""}}
18:16:00 DEBUG juju.cmd.juju.commands bootstrap.go:777 (error details: [{/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/commands/bootstrap.go:851: failed to bootstrap model} {/build/juju/parts/juju/go/src/github.com/juju/juju/environs/bootstrap/bootstrap.go:611: } {/build/juju/parts/juju/go/src/github.com/juju/juju/environs/bootstrap/bootstrap.go:519: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/common/bootstrap.go:57: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/common/bootstrap.go:227: cannot start bootstrap instance} {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/provider.go:1230: } {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/provider.go:1230: cannot set up groups} {/build/juju/parts/juju/go/src/github.com/juju/juju/provider/openstack/firewaller.go:469: } {failed to create a security group with name: juju-b144130f-4b30-479a-8ca9-0bee2be2e1f1-ecc0d08a-9ab9-49c0-8bb4-f142031aa2e7
caused by: request (http://neutron.orange.box:9696/v2.0/security-groups) returned unexpected status: 400; error info: {"NeutronError": {"type": "HTTPBadRequest", "message": "Running without keystone AuthN requires that tenant_id is specified", "detail": ""}}}])
18:16:00 DEBUG juju.cmd.juju.commands bootstrap.go:1422 cleaning up after failed bootstrap

See full log attached.

This is what I can see in the neutron-api's neutron-server.log:

2020-10-06 18:27:33.270 848 INFO neutron.wsgi [req-2bd179e9-9b48-4087-b3ee-0d63b822fccc 7cb6bcd1a40c45b6be77014f2214bd4b - e0abbb4c47d34a61b749c89b1e569690 e0abbb4c47d34a61b749c89b1e569690 -] 172.27.80.165 "GET /v2.0/security-groups?name=juju-98d62525-0838-4f50-8498-3fd9e595f7c8-f2000669-c974-4a11-84d4-ecdded54b738
HTTP/1.1" status: 200  len: 197 time: 0.0178354
2020-10-06 18:27:33.298 848 DEBUG neutron.api.v2.base [req-26bb4f62-f353-483a-b92f-7d662e786f68 7cb6bcd1a40c45b6be77014f2214bd4b - e0abbb4c47d34a61b749c89b1e569690 e0abbb4c47d34a61b749c89b1e569690 -] Request body: {'security_group': {'name': 'juju-98d62525-0838-4f50-8498-3fd9e595f7c8-f2000669-c974-4a11-84d4-ecdded54
b738', 'description': 'juju group'}} prepare_request_body /usr/lib/python3/dist-packages/neutron/api/v2/base.py:719
2020-10-06 18:27:33.299 848 INFO neutron.api.v2.resource [req-26bb4f62-f353-483a-b92f-7d662e786f68 7cb6bcd1a40c45b6be77014f2214bd4b - e0abbb4c47d34a61b749c89b1e569690 e0abbb4c47d34a61b749c89b1e569690 -] create failed (client error): Running without keystone AuthN requires that tenant_id is specified
2020-10-06 18:27:33.300 848 INFO neutron.wsgi [req-26bb4f62-f353-483a-b92f-7d662e786f68 7cb6bcd1a40c45b6be77014f2214bd4b - e0abbb4c47d34a61b749c89b1e569690 e0abbb4c47d34a61b749c89b1e569690 -] 172.27.80.165 "POST /v2.0/security-groups HTTP/1.1" status: 400  len: 324 time: 0.0288525

I have also tried setting up OS_PROJECT_ID and OS_TENANT_ID with the ID of the project, but the result was the same.

Revision history for this message

Heather Lanigan (hmlanigan) wrote on 2020-10-06:

You may be hitting: https://bugs.launchpad.net/juju/+bug/1806985

Try removing the value of "domain-name" in your ~/.local/share/juju/credentials.yaml.

Revision history for this message

Przemyslaw Hausman (phausman) wrote on 2020-10-06:

Thanks @hmlanigan! It worked. Unsetting OS_DOMAIN_NAME environment variable did the trick. It feels like a duplicate of LP #1806985 indeed.