[SRU] glance sync: need keystone v3 auth support

Bug #1686437 reported by Scott Moser on 2017-04-26
34
This bug affects 3 people
Affects Status Importance Assigned to Milestone
simplestreams
High
Unassigned
simplestreams (Ubuntu)
Medium
Unassigned
Xenial
Medium
Felipe Reyes
Zesty
Medium
Unassigned

Bug Description

[Impact]

simplestreams can't sync images when keystone is configured to use v3, keystone v2 is deprecated since mitaka[0] (the version shipped with xenial)

The OpenStack Keystone charm supports v3 only since Queens and later[1]

[Test Case]

* deploy a openstack environment with keystone v3 enabled
  - get a copy of the bundle available at http://paste.ubuntu.com/p/hkhsHKqt4h/ , this bundle deploys a minimal version of xenial-mitaka.

Expected result:

- "glance image-list" lists trusty and xenial images
- the file glance-simplestreams-sync/0:/var/log/glance-simplestreams-sync.log contains details of the images pulled from cloud-images.u.c (example: https://pastebin.ubuntu.com/p/RWG8QrkVDz/ )

Actual result:

- "glance image-list" is empty
- the file glance-simplestreams-sync/0:/var/log/glance-simplestreams-sync.log contains the following stacktrace
INFO * 04-09 22:04:06 [PID:14571] * root * Calling DryRun mirror to get item list
ERROR * 04-09 22:04:06 [PID:14571] * root * Exception during syncing:
Traceback (most recent call last):
  File "/usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py", line 471, in main
    do_sync(charm_conf, status_exchange)
  File "/usr/share/glance-simplestreams-sync/glance-simplestreams-sync.py", line 232, in do_sync
    objectstore=store)
  File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/glance.py", line 374, in __init__
    super(ItemInfoDryRunMirror, self).__init__(config, objectstore)
  File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/glance.py", line 126, in __init__
    self.keystone_creds = openstack.load_keystone_creds()
  File "/usr/lib/python2.7/dist-packages/simplestreams/openstack.py", line 61, in load_keystone_creds
    raise ValueError("(tenant_id or tenant_name)")
ValueError: (tenant_id or tenant_name)

[Regression Potential]

* A possible regression will manifest itself figuring out if v2 or v3 should be used, after the connection is made there are no further changes introduced by this SRU

[Other Info]

When trying to test my changes for bug 1686086, I was unable to auth
to keystone, which means glance image sync just doesn't work with
a v3 keystone.

Related bugs:
 * bug 1719879: swift client needs to use v1 auth prior to ocata
 * bug 1728982: openstack mirror with keystone v3 always imports new images
 * bug 1611987: glance-simplestreams-sync charm doesn't support keystone v3

[0] https://docs.openstack.org/releasenotes/keystone/mitaka.html#deprecation-notes
[1] https://docs.openstack.org/charm-guide/latest/1802.html#keystone-support-is-v3-only-for-queens-and-later

Related branches

Scott Moser (smoser) on 2017-04-26
Changed in simplestreams:
status: New → Confirmed
importance: Undecided → High
Scott Moser (smoser) wrote :

i've linked a work-in-progress branch.
https://code.launchpad.net/~smoser/simplestreams/trunk.openstack-v3-auth
there i had keystone auth working.

Scott Moser (smoser) on 2017-09-14
Changed in simplestreams (Ubuntu):
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → Scott Moser (smoser)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package simplestreams - 0.1.0~bzr450-0ubuntu1

---------------
simplestreams (0.1.0~bzr450-0ubuntu1) artful; urgency=medium

  * New upstream snapshot.
    - Keystone v3 Support [David Ames] (LP: #1686437)
    - flake8/pycodestyle updates.
    - tests: change to having http server select its own port
    - Support filters that contain a '-' in the tag name
    - Improvements for running flake8 in different Ubuntu release
      environments.
    - add running of tox.
    - json2streams: Accept items with no size.
    - tools changes (not related to package functionality)
      - tools/ubuntu_versions.py: Exclude old versions by version not name
      - Update default LTS alias to point to Xenial (LP: #1606606)
      - Create chksum for LXD metadata+root for squashfs (LP: #1577922)

 -- Scott Moser <email address hidden> Thu, 14 Sep 2017 10:38:07 -0400

Changed in simplestreams (Ubuntu):
status: In Progress → Fix Released
Felipe Reyes (freyes) wrote :

Scott, will 0.1.0~bzr450-0ubuntu1 be backported to xenial?

Felipe Reyes (freyes) on 2017-09-20
tags: added: sts
Scott Moser (smoser) on 2017-09-26
Changed in simplestreams (Ubuntu Xenial):
status: New → Confirmed
Changed in simplestreams (Ubuntu Zesty):
status: New → Confirmed
Changed in simplestreams (Ubuntu Xenial):
importance: Undecided → Medium
Changed in simplestreams (Ubuntu Zesty):
importance: Undecided → Medium
Changed in simplestreams:
status: Confirmed → Fix Committed
Eric Desrochers (slashd) wrote :

Felipe,

I just talked to smoser this morning and he agreed on backporting this into supported stable release.
We already set the release nominations accordingly.

There is a few details that smoser and thedac need to review together and they will keep us posted.

- Eric

Scott Moser (smoser) on 2017-09-27
description: updated
Eric Desrochers (slashd) on 2017-10-10
tags: added: sts-sru-needed
Eric Desrochers (slashd) on 2017-11-01
tags: removed: sts-sru-needed
Scott Moser (smoser) on 2017-11-02
description: updated
Scott Moser (smoser) on 2018-04-09
description: updated
Scott Moser (smoser) on 2018-04-09
Changed in simplestreams (Ubuntu Zesty):
status: Confirmed → Won't Fix
Scott Moser (smoser) on 2018-04-09
description: updated
Felipe Reyes (freyes) on 2018-04-09
description: updated
Felipe Reyes (freyes) on 2018-04-09
summary: - glance sync: need keystone v3 auth support
+ [SRU] glance sync: need keystone v3 auth support
David Ames (thedac) wrote :

Noting here the released version on xenial does not currently support Keystone v3 and blocks Bug #1611987.

For the record, we have been running a bzr branch @455 on serverstack (a Keystone v3 cloud) for months now. So the code in simplestreams works, it just needs to get to xenial.

Changed in simplestreams (Ubuntu):
assignee: Scott Moser (smoser) → nobody
Changed in simplestreams (Ubuntu Xenial):
assignee: nobody → Eric Desrochers (slashd)
Eric Desrochers (slashd) on 2018-04-10
Changed in simplestreams (Ubuntu Xenial):
assignee: Eric Desrochers (slashd) → Felipe Reyes (freyes)
Ryan Beisner (1chb1n) wrote :

I believe there is a ksv2 regression in the dev ppa of simplestreams, but I can also confirm that the ksv3 scenario is resolved with the dev ppa.

#### PASS:
ksv2 + 0.1.0~bzr426-0ubuntu1.2 (distro) + xenial-pike

ksv3 + 0.1.0~bzr459~trunk-0ubuntu1~ubuntu16.04.1 (dev ppa) + xenial-queens

#### FAIL:
ksv2 + 0.1.0~bzr459~trunk-0ubuntu1~ubuntu16.04.1 (dev ppa) + xenial-pike

ksv3 + 0.1.0~bzr426-0ubuntu1.2 (distro) + xenial-queens

https://paste.ubuntu.com/p/HxttSNpfc8/

Ryan Beisner (1chb1n) wrote :

Also, exercising the SRU ppa, I see xenial-pike fail similarly with ksv2:

https://launchpad.net/~smoser/+archive/ubuntu/sstream-ks3

https://paste.ubuntu.com/p/kVnFqsj8Gj/

Hello Scott, or anyone else affected,

Accepted simplestreams into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/simplestreams/0.1.0~bzr426-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in simplestreams (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-xenial
Scott Moser (smoser) wrote :

Hi,
I've marked this verification-failed as we had found some issues and forgotten that there was an upload in the xenial queue.

tags: added: verification-failed verification-failed-xenial
removed: verification-needed verification-needed-xenial
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers