octavia create loadbalancer failed due service_auth
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | kolla-ansible |
High
|
Mark Goddard | ||
| | Stein |
High
|
Radosław Piliszek | ||
| | Train |
High
|
Mark Goddard | ||
| | Ussuri |
High
|
Mark Goddard | ||
| | Victoria |
High
|
Mark Goddard | ||
Bug Description
i have configured octavia with kolla manual.
but when create loadbalancer it raises an eroor.
(openstack) loadbalancer create --vip-network-id 92ac19a4-
The request you have made requires authentication. (HTTP 401) (Request-ID: req-8e2f5af7-
it is because octavia use has removed from admin project.[1]
octavia use service_auth section config to create neutroncleint[
related bug: https:/
[1]https:/
[2]https:/
[3]https:/
solution:
1. like devstack, use admin user in service_auth section
2. add octavia to admin project(but we have remove it)
| Changed in kolla-ansible: | |
| assignee: | nobody → wu.chunyang (wuchunyang) |
| Changed in kolla-ansible: | |
| status: | New → In Progress |
| summary: |
- octavia create loadbalancer failed + octavia create loadbalancer failed due service_auth |
| Changed in kolla-ansible: | |
| assignee: | wu.chunyang (wuchunyang) → Mark Goddard (mgoddard) |
Change abandoned by Radosław Piliszek (<email address hidden>) on branch: master
Review: https:/
Reason: I'm abandoning this as we decided on the alternative
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit c2037885e756b4d
Author: Xing Zhang <email address hidden>
Date: Tue May 12 19:07:30 2020 +0800
Switch octavia to use service project in service_auth
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.
If a deployer sets 'octavia_
octavia user will be assigned the admin role in the admin project, as
was done previously.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https:/
Co-Authored-By: Mark Goddard <email address hidden>
Change-Id: I1efd0154ebaee6
| Changed in kolla-ansible: | |
| status: | In Progress → Fix Released |
Fix proposed to branch: stable/ussuri
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/ussuri
commit f81dcc8e963c7c4
Author: Xing Zhang <email address hidden>
Date: Tue May 12 19:07:30 2020 +0800
Switch octavia to use service project in service_auth
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.
If a deployer sets 'octavia_
octavia user will be assigned the admin role in the admin project, as
was done previously.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https:/
Co-Authored-By: Mark Goddard <email address hidden>
Change-Id: I1efd0154ebaee6
(cherry picked from commit c2037885e756b4d
Fix proposed to branch: stable/train
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/train
commit 1851d881261bc07
Author: Xing Zhang <email address hidden>
Date: Tue May 12 19:07:30 2020 +0800
Make octavia service_auth project configurable
(Renamed and adapted from Switch octavia to use service project in
service_auth on master and stable/ussuri)
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch to Train and
earlier branches it should be switched to 'admin' to maintain
compatibility.
In Train and earlier, if a deployer keeps the default
'octavia_
assigned the admin role in the admin project, as was done previously.
They may also set 'octavia_
new behaviour, and avoid a breaking change when later upgrading to
Ussuri.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https:/
Co-Authored-By: Mark Goddard <email address hidden>
Change-Id: I1efd0154ebaee6
(cherry picked from commit c2037885e756b4d
Fix proposed to branch: stable/stein
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit a0868027ff02b97
Author: Xing Zhang <email address hidden>
Date: Tue May 12 19:07:30 2020 +0800
Make octavia service_auth project configurable
(Renamed and adapted from Switch octavia to use service project in
service_auth on master and stable/ussuri)
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.
There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.
This change adds a new variable, 'octavia_
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch to Train and
earlier branches it should be switched to 'admin' to maintain
compatibility.
In Train and earlier, if a deployer keeps the default
'octavia_
assigned the admin role in the admin project, as was done previously.
They may also set 'octavia_
new behaviour, and avoid a breaking change when later upgrading to
Ussuri.
Closes-Bug: #1882643
Related-Bug: #1873176
[1] https:/
Co-Authored-By: Mark Goddard <email address hidden>
Change-Id: I1efd0154ebaee6
(cherry picked from commit c2037885e756b4d
(cherry picked from commit 1851d881261bc07
Fix proposed to branch: master
Review: https:/