Hello berendt, Thanks for looking into it. Please find the reply to your below query: >>> Have you sourced the admin-openrc.sh file prior to running nova service-list? Yes, I did but still have the same issue. Here is some out put for your reference: root@controller:~# source admin-openrc.sh root@controller:~# nova service-list ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-eea32c7c-2454-4d5d-89fd-ded137cb56b6) root@controller:~# cat admin-openrc.sh export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_PROJECT_NAME=admin export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=xxxxxxxx export OS_AUTH_URL=http://controller:35357/v3 export OS_IMAGE_API_VERSION=2 root@controller:~# nova endpoints WARNING: nova has no endpoint in ! Available endpoints for this service: +-----------+------------------------------------------------------------+ | nova | Value | +-----------+------------------------------------------------------------+ | id | 91c2845bfd784bdaa430612a91bf9377 | | interface | admin | | region | RegionOne | | region_id | RegionOne | | url | http://controller:8774/v2/e7491bb2026e4b12bdfb938820f2c3c6 | +-----------+------------------------------------------------------------+ +-----------+------------------------------------------------------------+ | nova | Value | +-----------+------------------------------------------------------------+ | id | afccc48848bd4bf681913a4c0bdd0f81 | | interface | internal | | region | RegionOne | | region_id | RegionOne | | url | http://controller:8774/v2/e7491bb2026e4b12bdfb938820f2c3c6 | +-----------+------------------------------------------------------------+ +-----------+------------------------------------------------------------+ | nova | Value | +-----------+------------------------------------------------------------+ | id | f048d6dd60eb410297e1e7548129de36 | | interface | public | | region | RegionOne | | region_id | RegionOne | | url | http://controller:8774/v2/e7491bb2026e4b12bdfb938820f2c3c6 | +-----------+------------------------------------------------------------+ WARNING: glance has no endpoint in ! Available endpoints for this service: +-----------+----------------------------------+ | glance | Value | +-----------+----------------------------------+ | id | 951d2b81685e4c3385af5048ae21c0a7 | | interface | public | | region | RegionOne | | region_id | RegionOne | | url | http://controller:9292 | +-----------+----------------------------------+ +-----------+----------------------------------+ | glance | Value | +-----------+----------------------------------+ | id | d7f76f0da0034062b6c7d75ce9b03db9 | | interface | internal | | region | RegionOne | | region_id | RegionOne | | url | http://controller:9292 | +-----------+----------------------------------+ +-----------+----------------------------------+ | glance | Value | +-----------+----------------------------------+ | id | e22dd0a4ebe1439b8fd4ab460e3a9a6b | | interface | admin | | region | RegionOne | | region_id | RegionOne | | url | http://controller:9292 | +-----------+----------------------------------+ WARNING: keystone has no endpoint in ! Available endpoints for this service: +-----------+----------------------------------+ | keystone | Value | +-----------+----------------------------------+ | id | 1fdf9b5eee174b1a9f9ce48eb5709e38 | | interface | admin | | region | RegionOne | | region_id | RegionOne | | url | http://controller:35357/v2.0 | +-----------+----------------------------------+ +-----------+----------------------------------+ | keystone | Value | +-----------+----------------------------------+ | id | 2dc35c1a37874059aedfaad6ef55bfb8 | | interface | internal | | region | RegionOne | | region_id | RegionOne | | url | http://controller:5000/v2.0 | +-----------+----------------------------------+ +-----------+----------------------------------+ | keystone | Value | +-----------+----------------------------------+ | id | ae194fb099f14cef8732d382a48e1357 | | interface | public | | region | RegionOne | | region_id | RegionOne | | url | http://controller:5000/v2.0 | +-----------+----------------------------------+ >>> Have you checked the nova logfile (/var/log/nova) ? Yes, its showing the authentication issue. Please find the below logs. I followed the docs and did this configuration. ---- 2015-08-05 08:03:25.165 1857 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} 2015-08-05 08:03:25.238 1857 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} 2015-08-05 08:03:25.238 1857 WARNING keystonemiddleware.auth_token [-] Authorization failed for token 2015-08-05 08:03:25.240 1857 INFO nova.osapi_compute.wsgi.server [-] 192.168.122.150 "GET /v2/e7491bb2026e4b12bdfb938820f2c3c6/os-services HTTP/1.1" status: 401 len: 280 time: 0.1506732 2015-08-05 08:03:25.396 1857 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} 2015-08-05 08:03:25.467 1857 WARNING keystonemiddleware.auth_token [-] Identity response: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}} 2015-08-05 08:03:25.468 1857 WARNING keystonemiddleware.auth_token [-] Authorization failed for token 2015-08-05 08:03:25.472 1857 INFO nova.osapi_compute.wsgi.server [-] 192.168.122.150 "GET /v2/e7491bb2026e4b12bdfb938820f2c3c6/os-services HTTP/1.1" status: 401 len: 280 time: 0.1449728 ---- >>> the keystone logfile (/var/log/keystone) ? Keystone is also showing the authentication issue: ---- 2015-08-05 08:05:56.567 1994 INFO keystone.common.wsgi [-] GET /? 2015-08-05 08:05:56.572 1993 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:56.652 1992 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:56.773 1992 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 192.168.122.150 2015-08-05 08:05:56.782 1995 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:56.857 1995 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 192.168.122.150 2015-08-05 08:05:56.866 1991 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:56.951 1994 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:57.010 1994 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 192.168.122.150 2015-08-05 08:05:57.016 1993 INFO keystone.common.wsgi [-] POST /auth/tokens? 2015-08-05 08:05:57.076 1993 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication. from 192.168.122.150 ---- >>> Have you checked the nova configuration file (/etc/nova/nova.conf) for the correct credentials? credentials seems to be correct. Still I am sending you the complete config from both controller and compute. Hope you will find something in it: ---- from controller ---- # cat /etc/nova/nova.conf [DEFAULT] dhcpbridge_flagfile=/etc/nova/nova.conf dhcpbridge=/usr/bin/nova-dhcpbridge logdir=/var/log/nova state_path=/var/lib/nova lock_path=/var/lock/nova force_dhcp_release=True libvirt_use_virtio_for_bridges=True verbose=True ec2_private_dns_show_ip=True api_paste_config=/etc/nova/api-paste.ini enabled_apis=ec2,osapi_compute,metadata rpc_backend = rabbit auth_strategy = keystone my_ip = 192.168.122.150 vncserver_listen = 192.168.122.150 vncserver_proxyclient_address = 192.168.122.150 [oslo_concurrency] lock_path = /var/lib/nova/tmp [glance] host = controller [keystone_authtoken] auth_uri = http://controller:5000 auth_url = http://controller:35357 auth_plugin = password project_domain_id = default user_domain_id = default project_name = service username = nova password = xxxx [oslo_messaging_rabbit] rabbit_host = controller rabbit_userid = openstack rabbit_password = xxxx [database] connection = mysql://nova:xxxx@controller/nova ---- from compute ---- # cat /etc/nova/nova.conf [DEFAULT] dhcpbridge_flagfile=/etc/nova/nova.conf dhcpbridge=/usr/bin/nova-dhcpbridge logdir=/var/log/nova state_path=/var/lib/nova lock_path=/var/lock/nova force_dhcp_release=True libvirt_use_virtio_for_bridges=True verbose=True ec2_private_dns_show_ip=True api_paste_config=/etc/nova/api-paste.ini enabled_apis=ec2,osapi_compute,metadata rpc_backend = rabbit auth_strategy = keystone my_ip = 192.168.122.151 vnc_enabled = True vncserver_listen = 0.0.0.0 vncserver_proxyclient_address = 192.168.122.151 novncproxy_base_url = http://192.168.122.150:6080/vnc_auto.html [oslo_messaging_rabbit] rabbit_host = controller rabbit_userid = openstack rabbit_password = xxxx [keystone_authtoken] auth_uri = http://controller:5000 auth_url = http://controller:35357 auth_plugin = password project_domain_id = default user_domain_id = default project_name = service username = nova password = xxxx [glance] host = controller [oslo_concurrency] lock_path = /var/lib/nova/tmp >>> Normally this error means that the nova service cannot authenticate against the keystone service. Yes, absolutely correct. I believe some issue is there is the api version that we are using here. For example, if I want to use keystone command to list services or users or roles then using same "admin-openrc.sh" I should be able to do it but thats not working. So for key stone to work I have to use it separately with api v2.0 . Here is the example for you: # cat admin-openrc.sh export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_PROJECT_NAME=admin export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=xxxx export OS_AUTH_URL=http://controller:35357/v3 <====== export OS_IMAGE_API_VERSION=2 root@controller:~# source admin-openrc.sh root@controller:~# keystone service-list Authorization Failed: The resource could not be found. (HTTP 404) (Request-ID: req-5ccbb2e6-1d11-400d-865d-d9d4ec15bc1f) root@controller:~# keystone user-list Authorization Failed: The resource could not be found. (HTTP 404) (Request-ID: req-b089bed1-e517-4d5f-9b60-194164d5516f) root@controller:~# cat keystone-openrc.sh export OS_PROJECT_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default export OS_PROJECT_NAME=admin export OS_TENANT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=xxxx export OS_AUTH_URL=http://controller:35357/v2.0 <===== export OS_IMAGE_API_VERSION=2 root@controller:~# source keystone-openrc.sh root@controller:~# keystone service-list +----------------------------------+----------+----------+-------------------------+ | id | name | type | description | +----------------------------------+----------+----------+-------------------------+ | b8f7ae274bac47eca2ed5b36981fa5ea | glance | image | OpenStack Image service | | e2c81fff8d0f43a781ed3a35a88e1be3 | keystone | identity | OpenStack Identity | | 241f31a69a8e4255a37fc2dba850b997 | nova | compute | OpenStack Compute | +----------------------------------+----------+----------+-------------------------+ root@controller:~# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | 1f44ac8ee04b4e8c9d49a605c8707b76 | admin | True | | | 03d8fb3618be47c4968f943c6195532d | demo | True | | | 43c68e8d2e5745738886efc10cff0e8f | glance | True | | | e5c7e0e16d424c069bc83a651459c1b5 | nova | True | | +----------------------------------+--------+---------+-------+ The above strange behaviour forced me to think that might be some issue is there in the API version itself which is causing this issue and if so then it needs a fix. Here is the keystone's endpoint list: root@controller:~# keystone endpoint-list +----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+ | id | region | publicurl | internalurl | adminurl | service_id | +----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+ | 05faa47ed2e54ed09ab762e93b6454ee | RegionOne | http://controller:5000/v2.0 | http://controller:5000/v2.0 | http://controller:35357/v2.0 | e2c81fff8d0f43a781ed3a35a88e1be3 | | a1a9861ab14849b0bb271f77713ed2ce | RegionOne | http://controller:8774/v2/%(tenant_id)s | http://controller:8774/v2/%(tenant_id)s | http://controller:8774/v2/%(tenant_id)s | 241f31a69a8e4255a37fc2dba850b997 | | f185c6ff2190442dbe0be8cc93cd4ef0 | RegionOne | http://controller:9292 | http://controller:9292 | http://controller:9292 | b8f7ae274bac47eca2ed5b36981fa5ea | +----------------------------------+-----------+-----------------------------------------+-----------------------------------------+-----------------------------------------+----------------------------------+ do you think anything wrong is there with the adminurl for keystone service ?? Waiting for your response. Thanks, Uday