/etc/keystone/ssl empty

Bug #1653483 reported by Tadas Ustinavičius
This bug affects 2 people
Affects            Status   Importance  Assigned to  Milestone
OpenStack-Ansible  Expired  Undecided   Unassigned

Bug Description

Hello, I'm trying to integrate Rados GW into OpenStack.
According to http://docs.ceph.com/docs/giant/radosgw/keystone/ I need to generate an nss certificate database for ceph.
The problem is that there is nothing in the /etc/keystone/ssl directory of the keystone container.
It seems that openstack-ansible does not create certificates there.

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

Hello,

Could you clarify what you're doing and expecting?
What version of openstack-ansible are you using?
Do you want to deploy with keystone PKI tokens?

Thank you in advance.

Changed in openstack-ansible:
status: New → Incomplete
Revision history for this message
Tadas Ustinavičius (tadas-u) wrote :

Hello,
according to:
http://docs.ceph.com/docs/giant/radosgw/keystone/
RadosGW must query Keystone to get the list of revoked tokens. For it to be able to decode tokens, the certificate files from Keystone must be converted to nss db format. But since there are no certificates, I cannot create the nss db.
I think this causes RadosGW to spam these errors:

2017-01-04 11:17:21.720271 7f5aaf7d6700 0 Keystone token parse error: missing mandatory field access
2017-01-04 11:17:21.720297 7f5aaf7d6700 0 ERROR: keystone revocation processing returned error r=-22

Please note, that object storage works fine - I can put data to ceph via Openstack Horizon dashboard.
It's just these errors that make me think that not everything is configured properly.

I'm using Openstack Ansible 14.0.3
Thank you for the support.

Revision history for this message
Travis Truman (travis-truman) wrote :

Also, looks like Logan may have run into the same issue previously: https://<email address hidden>/msg30881.html

Revision history for this message
Travis Truman (travis-truman) wrote :

Can you share your Ceph config? I'm particularly curious if you've set: rgw keystone admin domain and rgw keystone admin project

Revision history for this message
Travis Truman (travis-truman) wrote :

After a read through the Ceph source code around support for Keystone v3, it appears that token revocation fetching is only designed to work when using PKI tokens.

According to HPE here: https://docs.hpcloud.com/hos-3.x/helion/releasenotes30.html "The below error encountered (periodically) in Rados Gateway logs can be safely ignored and does not require any corrective action.
ERROR: keystone revocation processing returned error r=-22"

Revision history for this message
Tadas Ustinavičius (tadas-u) wrote :

Hello,
so I will also ignore these errors if this causes no additional issues.
Thank you.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for openstack-ansible because there has been no activity for 60 days.]

Changed in openstack-ansible:
status: Incomplete → Expired
Revision history for this message
Christian Zunker (christian-zunker) wrote :

Just in case someone else will find this bug on his search.

This problem also filled our keystone logs with traces. Our setup uses keystone fernet tokens. According to the docs, the revocation part is only used for PKI tokens.

The RedHat bug report suggests disabling revocation fetching:
https://bugzilla.redhat.com/show_bug.cgi?id=1438965

This worked in our case.
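
The two configuration points raised in this thread (Travis Truman's question about `rgw keystone admin domain` / `rgw keystone admin project` for Keystone v3, and the Red Hat workaround of disabling revocation fetching when Keystone issues Fernet or UUID tokens) can be checked mechanically. The following is an added example written for this page; it is not code from the bug thread, from Ceph or from openstack-ansible. It assumes the Ceph RGW option names of the releases contemporary with this thread (`rgw_keystone_revocation_interval` with its 900-second default, `rgw_keystone_admin_domain`, `rgw_keystone_admin_project`, `rgw_keystone_api_version`); the ceph.conf fragments are constructed, and the sample log lines are the ones quoted earlier in the thread.

```python
"""Lint a ceph.conf RGW section for Keystone revocation settings and count
the matching RGW log errors.

Added example, not from the bug thread, Ceph or openstack-ansible.
Assumption: option names as in Ceph releases of the Jewel/Luminous era
(rgw_keystone_revocation_interval, rgw_keystone_admin_domain, ...).
"""
import configparser
import re

# Constructed sample config: Keystone v3 auth with the revocation poller
# still running (default interval) and the v3 admin scope left unset.
WEAK_CONF = """
[client.rgw.gateway]
rgw keystone url = http://keystone.example.internal:5000
rgw keystone api version = 3
rgw keystone admin user = swift
rgw keystone admin password = REPLACE_ME
rgw keystone accepted roles = admin, _member_
"""

# Constructed sample config with the settings the thread points at:
# v3 admin scope present and revocation fetching disabled (interval 0).
FIXED_CONF = """
[client.rgw.gateway]
rgw keystone url = http://keystone.example.internal:5000
rgw keystone api version = 3
rgw keystone admin user = swift
rgw keystone admin password = REPLACE_ME
rgw keystone admin domain = default
rgw keystone admin project = service
rgw keystone accepted roles = admin, _member_
rgw keystone revocation interval = 0
"""

# Log lines copied from the thread above, plus one unrelated line.
SAMPLE_LOG = [
    "2017-01-04 11:17:21.720271 7f5aaf7d6700 0 Keystone token parse error: missing mandatory field access",
    "2017-01-04 11:17:21.720297 7f5aaf7d6700 0 ERROR: keystone revocation processing returned error r=-22",
    "2017-01-04 11:17:22.000000 7f5aaf7d6700 1 civetweb: 10.0.0.5 - - \"GET /swift/v1 HTTP/1.1\" 200",
]

DEFAULT_REVOCATION_INTERVAL = 900  # Ceph default for the option, in seconds

REVOCATION_ERR = re.compile(
    r"keystone revocation processing returned error r=(-?\d+)")


def load_rgw_sections(text):
    """Parse ceph.conf text into {section: {normalised_key: value}}.

    Ceph accepts 'rgw keystone url' and 'rgw_keystone_url' interchangeably,
    so keys are normalised to the underscore form. Only '=' is treated as a
    delimiter so that ':' inside URLs is left alone.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    sections = {}
    for section in parser.sections():
        if not section.startswith("client.rgw"):
            continue
        sections[section] = {k.strip().replace(" ", "_"): v.strip()
                             for k, v in parser.items(section)}
    return sections


def check_keystone_settings(text):
    """Return (section, finding) tuples for every Keystone-enabled RGW."""
    findings = []
    for section, opts in load_rgw_sections(text).items():
        if "rgw_keystone_url" not in opts:
            continue  # this RGW instance does not use Keystone auth
        interval = int(opts.get("rgw_keystone_revocation_interval",
                                DEFAULT_REVOCATION_INTERVAL))
        if interval != 0:
            findings.append((section,
                             "revocation polling enabled (interval=%d); with "
                             "Fernet/UUID tokens this only yields r=-22 errors"
                             % interval))
        if opts.get("rgw_keystone_api_version") == "3":
            for key in ("rgw_keystone_admin_domain",
                        "rgw_keystone_admin_project"):
                if key not in opts:
                    findings.append((section,
                                     "%s is not set for Keystone v3" % key))
    return findings


def count_revocation_errors(log_lines):
    """Count RGW log lines carrying the revocation error seen in the thread."""
    return sum(1 for line in log_lines if REVOCATION_ERR.search(line))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_keystone_settings(conf))
    print("revocation errors in sample log:", count_revocation_errors(SAMPLE_LOG))
```

Run against a real ceph.conf, the lint flags any Keystone-backed RGW whose revocation poller is still active; pairing that with the log count gives a quick way to confirm that the `r=-22` noise has stopped after the interval is set to 0.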

Revision history for this message
Christian Zunker (christian-zunker) wrote :

In the long run, this could help:
http://tracker.ceph.com/issues/19499
