The svc_monitor is pinging the api_server without adding an X-Auth-Token header. (strace from svc_monitor.py below). The question is how to fix it: make svc_monitor send an auth header, or make the api_server ignore the absence for the "/" url?
[pid 14246] connect(11, {sa_family=AF_INET, sin_port=htons(8082), sin_addr=inet_addr("10.14.2.11")}, 16) = 0
[pid 14246] sendto(11, "GET / HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Tenant-Name: service\r\nContent-type: application/json; charset=\"UTF-8\"\r\nAccept-Encoding: gzip, deflate, compress\r\nAccept: */*\r\nUser-Agent: python-requests/1.2.3 CPython/2.7.5 Linux/3.10.35\r\n\r\n", 232, 0, NULL, 0) = 232
The api server log is full of this:
contrail-api.log: WARNING:keystoneclient.middleware.auth_token:Unable to find authentication token in headers
contrail-api.log: 10.14.2.4 - - [2014-04-03 17:02:39] "GET / HTTP/1.1" 401 565 0.000491
I straced vnc_cfg_api_server.py. It looks like the api server is actually doing an HTTP request to itself, but it's not passing keystone creds. Why?
[pid 3915] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 124
[pid 3915] connect(124, {sa_family=AF_INET, sin_port=htons(8082), sin_addr=inet_addr("10.14.2.11")}, 16) = 0
[pid 3915] sendto(124, "GET / HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Tenant-Name: service\r\nContent-type: application/json; charset=\"UTF-8\"\r\nAccept-Encoding: gzip, deflate, compress\r\nAccept: */*\r\nUser-Agent: python-requests/1.2.3 CPython/2.7.5 Linux/3.10.35\r\n\r\n", 232, 0, NULL, 0) = 232
[pid 3915] accept(24, {sa_family=AF_INET, sin_port=htons(62900), sin_addr=inet_addr("10.14.2.4")}, [16]) = 126
[pid 3915] recvfrom(126, "GET / HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Tenant-Name: service\r\nContent-type: application/json; charset=\"UTF-8\"\r\nAccept-Encoding: gzip, deflate, compress\r\nAccept: */*\r\nUser-Agent: python-requests/1.2.3 CPython/2.7.5 Linux/3.10.35\r\n\r\n", 8192, 0, NULL, NULL) = 232
[pid 3915] write(2, "WARNING:keystoneclient.middleware.auth_token:Unable to find authentication token in headers\n", 92) = 92
[pid 3915] sendto(126, "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Keystone uri='http://10.14.2.3:35357'\r\nContent-Length: 381\r\nContent-Type: text/html; charset=UTF-8\r\nDate: Thu, 03 Apr 2014 16:54:48 GMT\r\n\r\n<html>\n <head>\n <title>401 Unauthorized</title>\n </head>\n <body>\n <h1>401 Unauthorized</h1>\n This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.<br /><br />\nAuthentication required\n\n\n </body>\n</html>", 565, 0, NULL, 0) = 565
Please also see: https://bugs.launchpad.net/opencontrail/+bug/1301600
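For triaging traces like the ones above, the following added example (not part of the original report and not OpenContrail code) decodes the quoted buffers in strace sendto/recvfrom lines, parses the HTTP head, and lists requests that carry no X-Auth-Token along with the 401 responses they trigger. The sample trace is constructed and abridged from the report; the final request, its /projects path and the EXAMPLE-TOKEN value are invented to show a request that passes the check.

```python
import re

# strace lines whose second argument is a quoted, C-escaped buffer.
SYSCALL = re.compile(r'\[pid\s+(\d+)\]\s+(sendto|recvfrom)\((\d+), "((?:[^"\\]|\\.)*)"')
REQUEST = re.compile(r'^(GET|HEAD|POST|PUT|DELETE) (\S+) HTTP/1\.[01]$')
STATUS = re.compile(r'^HTTP/1\.[01] (\d{3})')

# Constructed sample, abridged from the report; the last line is invented.
SAMPLE = r'''
[pid 3915] sendto(124, "GET / HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Tenant-Name: service\r\nContent-type: application/json; charset=\"UTF-8\"\r\n\r\n", 232, 0, NULL, 0) = 232
[pid 3915] recvfrom(126, "GET / HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Tenant-Name: service\r\n\r\n", 8192, 0, NULL, NULL) = 232
[pid 3915] sendto(126, "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Keystone uri='http://10.14.2.3:35357'\r\n\r\n<html>", 565, 0, NULL, 0) = 565
[pid 3915] sendto(124, "GET /projects HTTP/1.1\r\nHost: 10.14.2.11:8082\r\nX-Auth-Token: EXAMPLE-TOKEN\r\n\r\n", 80, 0, NULL, 0) = 80
'''

def unescape(buf):
    # Undo strace's C-style escaping (CR, LF, quotes, octal and hex bytes).
    return buf.encode("latin-1").decode("unicode_escape")

def parse_head(payload):
    # Return (start line, lower-cased header dict) for an HTTP message head.
    head = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return head[0], headers

def triage(trace):
    # One tuple per finding: (pid, syscall, fd, kind, detail).
    findings = []
    for pid, call, fd, buf in SYSCALL.findall(trace):
        start, headers = parse_head(unescape(buf))
        req, status = REQUEST.match(start), STATUS.match(start)
        if req and "x-auth-token" not in headers:
            findings.append((int(pid), call, int(fd), "no-token", req.group(1) + " " + req.group(2)))
        elif status and status.group(1) == "401":
            findings.append((int(pid), call, int(fd), "rejected", headers.get("www-authenticate", "")))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The trace has to be captured with a large enough strace -s value, as in the report, or the header block is truncated before X-Auth-Token could appear.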