When Upgrading from Newton to Ocata far going extensions and restructuring of nova/nova_api db is carried out to provide the mandatory cellV2 and placement api extensions. Beside the fact that this is not at all reflected appropriately in the documentation of Ocata so far (sic!), at least in my case, the update of compute completely messed up. Even a complete new installation of the nova from scratch does NOT create the nova_cell0 db NOR is a hint in docs.openstack.org that this step is to be done manually... Anyhow ...
The behavior of the nova-manage command has changed with Ocata: With the far going changes around database structure with cells and placement, it is no longer possible that passwords for the nova, nova_api db contain reserved characters for URL/URI. Creating the cell db with
nova-manage cell_v2 simple_cell_setup
and having a password for nova_api db in /etc/nova.conf
before nova-manage stops with the "access denied for 'nova'@'controller' " message
As it could be seen, the URL string in the cell0 db is malformatted. With the incomplete nova-manage command, also 'openstack server list' will fail for the same reasons.
If the password contains indeed special, but no reserved characters, all is fine:
Again /etc/nova.conf contains
with this, also finally cell1 is correctly configured in the database.
Note that when following the openstack doc recommendation to make mysql secure, special characters in passwords are mandatory ...
Being with these reserved character passwords since Kilo, the increasing amount of transitions towards URL based communication definition (same is e.g. also true for transport_url for rabbit: Also this one does not allow reserved characters anymore in passwords) requires from my point of view:
EITHER
- A consequent consideration through the entire workflow when doing upgrades from e.g. Newton to Ocata
- A consequent inclusion in the documentation
OR
- The old behavior of nova-manage until Newton is re-established.
Note that cinder-manage still accepts passwords with reserved characters.
Would be highly interested what kind of solution direction will be chosen
I believe I found the reason behind:
When Upgrading from Newton to Ocata far going extensions and restructuring of nova/nova_api db is carried out to provide the mandatory cellV2 and placement api extensions. Beside the fact that this is not at all reflected appropriately in the documentation of Ocata so far (sic!), at least in my case, the update of compute completely messed up. Even a complete new installation of the nova from scratch does NOT create the nova_cell0 db NOR is a hint in docs.openstack.org that this step is to be done manually... Anyhow ...
The behavior of the nova-manage command has changed with Ocata: With the far going changes around database structure with cells and placement, it is no longer possible that passwords for the nova, nova_api db contain reserved characters for URL/URI. Creating the cell db with
nova-manage cell_v2 simple_cell_setup
and having a password for nova_api db in /etc/nova.conf
connection = mysql+pymysql: //nova: abcd0123? AB@controller/ nova_api //nova: abcd0123? AB@controller/ nova
connection = mysql+pymysql:
leads to
mysql> select * from cell_mappings; ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------- + ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------- + 0000-0000- 0000-0000000000 00 | cell0 | none:/// | mysql+pymysql: //nova: abcd0123/ _cell0? AB@controller/ nova | ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------- +
+------
| created_at | updated_at | id | uuid | name | transport_url | database_connection |
+------
| 2017-03-17 21:53:32 | NULL | 1 | 00000000-
+------
before nova-manage stops with the "access denied for 'nova'@'controller' " message
As it could be seen, the URL string in the cell0 db is malformatted. With the incomplete nova-manage command, also 'openstack server list' will fail for the same reasons.
If the password contains indeed special, but no reserved characters, all is fine:
Again /etc/nova.conf contains
connection = mysql+pymysql: //nova: abcd0123! AB@controller/ nova_api //nova: abcd0123! AB@controller/ nova
connection = mysql+pymysql:
executing nova-manage cell_v2 simple_cell_setup
counts bravely up to: versioning. api [req-d98c4c1d- 1305-4209- 8aba-ca79861507 7b - - - - -] 346 -> 347... versioning. api [req-d98c4c1d- 1305-4209- 8aba-ca79861507 7b - - - - -] done
(...)
2017-03-18 10:29:14.628 25357 INFO migrate.
2017-03-18 10:29:14.978 25357 INFO migrate.
and leads to:
mysql> select * from cell_mappings; ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- ------- ------- ------- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------+ ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- ------- ------- ------- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------+ 0000-0000- 0000-0000000000 00 | cell0 | none:/// | mysql+pymysql: //nova: novK9iuz! 09@controller/ nova_cell0 | 3476-40f7- 9b26-82c9658d08 a9 | NULL | rabbit: //openstack: rabblabla@ controller | mysql+pymysql: //nova: abcd0123! AB@controller/ nova | ------- ------- -+----- ------- +----+- ------- ------- ------- ------- ------- --+---- ---+--- ------- ------- ------- ------- ------- -----+- ------- ------- ------- ------- ------- ------- ------- ------+
+------
| created_at | updated_at | id | uuid | name | transport_url | database_connection |
+------
| 2017-03-18 09:27:51 | NULL | 1 | 00000000-
| 2017-03-18 09:29:15 | NULL | 2 | 2860d46c-
+------
2 rows in set (0,00 sec)
with this, also finally cell1 is correctly configured in the database.
Note that when following the openstack doc recommendation to make mysql secure, special characters in passwords are mandatory ...
Being with these reserved character passwords since Kilo, the increasing amount of transitions towards URL based communication definition (same is e.g. also true for transport_url for rabbit: Also this one does not allow reserved characters anymore in passwords) requires from my point of view:
EITHER
- A consequent consideration through the entire workflow when doing upgrades from e.g. Newton to Ocata
- A consequent inclusion in the documentation
OR
- The old behavior of nova-manage until Newton is re-established.
Note that cinder-manage still accepts passwords with reserved characters.
Would be highly interested what kind of solution direction will be chosen
Thanks!