devstack

Bad response code while validating token: 502

Bug #1681866 reported by Jordan Pittier
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
devstack
Expired
Undecided
Unassigned

Bug Description

Found this while investigating a gate failure [1].

Tempest logs say "2017-04-11 10:07:02,765 23082 INFO [tempest.lib.common.rest_client] Request (TestSecurityGroupsBasicOps:_run_cleanups): 503 DELETE https://198.72.124.138:8774/v2.1/servers/f736a878-2ac4-4c37-b6a8-e5cd8df5a7fd 0.018s"

That 503 looks suspicious. So I go to the nova-api logs. Which gives

2017-04-11 10:07:02.762 32191 ERROR keystonemiddleware.auth_token [...] Bad response code while validating token: 502
2017-04-11 10:07:02.763 32191 WARNING keystonemiddleware.auth_token [...] Identity response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>502 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
<p>The proxy server received an invalid
response from an upstream server.<br />
The proxy server could not handle the request <em><a href="/identity_admin/v3/auth/tokens">GET&nbsp;/identity_admin/v3/auth/tokens</a></em>.<p>
Reason: <strong>Error reading from remote server</strong></p></p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 198.72.124.138 Port 443</address>
</body></html>

2017-04-11 10:07:02.763 32191 CRITICAL keystonemiddleware.auth_token [...] Unable to validate token: Failed to fetch token data from identity server

So Apache is complaining, some network connection issue, related to proxy-ing. So I open "logs/apache/tls-proxy_error.txt.gz" and find

[Tue Apr 11 10:07:02.761420 2017] [proxy_http:error] [pid 7136:tid 140090189690624] (20014)Internal error (specific information not available): [client 198.72.124.138:38722] [frontend 198.72.124.138:443] AH01102: error reading status line from remote server 198.72.124.138:80
[Tue Apr 11 10:07:02.761454 2017] [proxy:error] [pid 7136:tid 140090189690624] [client 198.72.124.138:38722] [frontend 198.72.124.138:443] AH00898: Error reading from remote server returned by /identity_admin/v3/auth/tokens

Interesting. Google says that adding "proxy-initial-not-pooled" to the apache2 vhost config could help.

Anyway, a good elasticsearch query for this is

message:"Bad response code while validating token: 502"

8 hits, no worries.

[1] : http://logs.openstack.org/03/455303/2/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/aa8c7fd/console.html

Ken'ichi Ohmichi (oomichi)
Changed in tempest:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Just hit it in Newton: http://logs.openstack.org/30/470330/1/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/115af9e/logs/screen-n-api.txt.gz?level=TRACE

Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Happening in Ocata too: http://logs.openstack.org/86/474286/1/gate/gate-tempest-dsvm-neutron-dvr-ubuntu-xenial/2b247e0/logs/screen-q-svc.txt.gz#_2017-06-26_21_16_20_582

Changed in tempest:
importance: Medium → High
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

I don't think it's a tempest issue, but probably something in the way keystone is deployed in gate. I added both devstack and keystone to affected projects to raise visibility. Feel free to mark the tempest bug as Invalid/Incomplete if you agree with my reasoning.

Revision history for this message
Matthew Treinish (treinish) wrote :

This isn't a tempest bug, it's also likely not a bug in keystone. It looks like a configuration bug, apache returns 502 if mod_proxy is unable to reach the server it's proxying to (or some other issue with connecting to the proxy) This honestly looks like a dup of the bug that: https://review.openstack.org/#/q/437092518172770c549dabafaf9f81e3766719ce fixed

no longer affects: tempest
Revision history for this message
Lance Bragstad (lbragstad) wrote :

After double checking the keystone source, I'm not seeing any places where keystone raises a 502. I'm going to remove keystone from the affected projects based on comment #4.

no longer affects: keystone
Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

Currently seeing 2 hits for this in the last 7d. I'm assuming that this is due to some very sporadic timeout happening in the gate environment, which I think would be acceptable. Please comment if you think otherwise or have a way to reproduce outside of the gate.

Changed in devstack:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for devstack because there has been no activity for 60 days.]

Changed in devstack:
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.