Playbook Runs Fail in Multi-Domain Environments
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack-Ansible | Invalid | Medium | Nolan Brubaker | |
Trunk | Invalid | Medium | Nolan Brubaker | |
Bug Description
Playbook runs for any of the OpenStack services fail in Mitaka environments with multiple domains and the Keystone v3 sample policy in place found here:
https:/
root@beans-
...
TASK: [os_keystone | Ensure service tenant] *******
failed: [aio1_keystone_
Task failed as maximum retries was encountered
FATAL: all hosts have already failed -- aborting
PLAY RECAP *******
to retry, use: --limit @/root/
aio1_keystone_
Steps to reproduce:
* Stand up an environment using openstack-ansible current stable/mitaka branch
* Add policy overrides for Keystone in /etc/openstack_
* Attempt to run any of the openstack service playbooks.
In my output above, this appears to be due to the playbooks authenticating with project scoping instead of domain scoping during the task:
# Create a service tenant
- name: Ensure service tenant
  keystone:
    command: "ensure_tenant"
    login_user: "{{ keystone_
    login_password: "{{ keystone_
    login_
    endpoint: "{{ keystone_
    tenant_name: "{{ keystone_
    description: "{{ keystone_
    insecure: "{{ keystone_
  register: add_service
  until: add_service|success
  retries: 5
  delay: 10
  tags:
    - keystone-api-setup
    - keystone-setup
I believe https://review.openstack.org/#/c/309690/ adds the ability to scope the login to the domain, but it hasn't been backported to Mitaka.
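The difference between project scoping and domain scoping described in this report, as an added example that is not part of the bug report or of OpenStack-Ansible: it builds the two Keystone v3 `POST /v3/auth/tokens` request bodies and runs each through a simplified policy check. The user, project and domain names, the ids, and the `cloud_admin` rule shape (admin role plus a token `domain_id` equal to the admin domain) are assumptions made for illustration.

```python
# Constructed sample values throughout; not taken from the bug report.
ADMIN_DOMAIN_ID = "d0main-admin-id"                       # hypothetical id
IDS = {"admin_domain": ADMIN_DOMAIN_ID, "admin": "pr0ject-admin-id"}


def auth_body(user, password, user_domain, scope):
    """Body for Keystone v3 POST /v3/auth/tokens using the password method."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "password": password,
            "domain": {"name": user_domain}}}},
        "scope": scope}}


def project_scope(project, project_domain):
    return {"project": {"name": project, "domain": {"name": project_domain}}}


def domain_scope(domain):
    return {"domain": {"name": domain}}


def token_credentials(body, ids=IDS):
    """Simplified view of what a token issued for `body` exposes to policy."""
    scope = body["auth"]["scope"]
    creds = {"roles": ["admin"]}
    if "domain" in scope:                  # domain-scoped: carries domain_id
        creds["domain_id"] = ids[scope["domain"]["name"]]
    elif "project" in scope:               # project-scoped: project_id only
        creds["project_id"] = ids[scope["project"]["name"]]
    return creds


def cloud_admin(creds, admin_domain_id=ADMIN_DOMAIN_ID):
    """Assumed rule shape: admin role AND token domain_id == admin domain."""
    return "admin" in creds["roles"] and creds.get("domain_id") == admin_domain_id


def check(scope):
    """Authenticate as the same admin user with `scope`, then apply the rule."""
    body = auth_body("admin", "constructed-password", "admin_domain", scope)
    return cloud_admin(token_credentials(body))


if __name__ == "__main__":
    print("project-scoped passes:", check(project_scope("admin", "admin_domain")))
    print("domain-scoped passes: ", check(domain_scope("admin_domain")))
```

The same user with the same role passes or fails depending only on the `scope` object sent at login, which is why a task that always logs in with a project scope keeps retrying until it hits the retry limit.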