settingsLogin | Registersettings

[Openstack-operators] [puppet] openstack provider errors with openrc and keystone v3

0 votes

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint,
puppet runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack': Execution
of '/usr/bin/openstack service list --quiet --format csv --long' returned
2: openstack: 'service' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:
/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet
--format csv' returned 2: openstack: 'domain' is not an openstack command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

The v3 openrc file I have in place, works fine when just using the
openstack cli, which makes the situation all the more strange :) Here it
is for reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
asked Nov 10, 2016 in openstack-operators by Justin_Cattle (620 points)   2 2

7 Responses

0 votes

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:
Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint, puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack': Execution
of '/usr/bin/openstack service list --quiet --format csv --long' returned 2:
openstack: 'service' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:
/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet
--format csv' returned 2: openstack: 'domain' is not an openstack command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the openstack
cli, which makes the situation all the more strange :) Here it is for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/master/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message may
not necessarily reflect the opinions and views of the members of the Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 10, 2016 by aschultz_at_redhat.c (5,800 points)   2 2 4
0 votes

Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

Actually we haven't been using puppet-openstack_extras, but I'll look at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack --help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:
/Stage[main]/Neutron::Keystone::Auth/Keystone::
Resource::Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it is for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/
master/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 10, 2016 by Justin_Cattle (620 points)   2 2
0 votes

On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle j@ocado.com wrote:
Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

I think that should be good. You might want to try switching out
OSTENANTNAME for OSPROJECTNAME as project name is for v3 which may
be causing the issue. The keystone::disableadmintokenauth had a
dependency on a change[0] to add OS
PROJECT_NAME in. You should be
able to test the underlying commands to see if that fixes the problem.
The root cause seems to be more of the openstack client interactions
(and missing commands) based on the rc file than a puppet issue.

Thanks,
-Alex

[0] https://review.openstack.org/#/c/274296/

Actually we haven't been using puppet-openstack_extras, but I'll look at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack
--help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:

/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it is for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/master/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright material
of
members of the Ocado Group. Opinions and views expressed in this message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message may
not necessarily reflect the opinions and views of the members of the Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 10, 2016 by aschultz_at_redhat.c (5,800 points)   2 2 4
0 votes

I tried switching the OSTENANTNAME for OSPROJECTNAME as a quick test ,
it didn't seem to fix it.

However, I'll generate the openrc file from the class in openstack_extras
just to make sure it's 100% correct, and report back.

Cheers,
Just

On 10 November 2016 at 17:43, Alex Schultz aschultz@redhat.com wrote:

On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle j@ocado.com wrote:

Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

I think that should be good. You might want to try switching out
OSTENANTNAME for OSPROJECTNAME as project name is for v3 which may
be causing the issue. The keystone::disableadmintokenauth had a
dependency on a change[0] to add OS
PROJECT_NAME in. You should be
able to test the underlying commands to see if that fixes the problem.
The root cause seems to be more of the openstack client interactions
(and missing commands) based on the rc file than a puppet issue.

Thanks,
-Alex

[0] https://review.openstack.org/#/c/274296/

Actually we haven't been using puppet-openstack_extras, but I'll look at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack
--help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:

/Stage[main]/Neutron::Keystone::Auth/Keystone::
Resource::Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list
--quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it is
for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/
master/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright material
of
members of the Ocado Group. Opinions and views expressed in this
message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately
and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/
openstack-operators

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 10, 2016 by Justin_Cattle (620 points)   2 2
0 votes

There was two problems here!

The puppet libs in use were coming from the wrong environment - so a pretty
terminal issue.
The openrc file wasn't quite correct, as already noted :)

We're still using puppet3, and directory environments on puppet3 have a few
issues around plugin-download with multiple directory environments.
I was already accounting for that, but somehow I missed something and some
of the libs from the production env slipped back in.
Now that is sorted, and the correct openrc file is place, pupping is smooth
again :)

I do notice one further issue.

If I source the openrc file, then run pup in that same shell, some of the
providers fail.

Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to complete
neutron request due to non-fatal error: "Execution of '/usr/bin/neutron
net-list --format=csv --column=id --quote=none' returned 1: The request you
have made requires authentication. (HTTP 401) (Request-ID:
req-031655a9-3eab-4ac6-b1e8-8840b6b49b4e)". Retrying for 9 sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to complete
neutron request due to non-fatal error: "Execution of '/usr/bin/neutron
net-list --format=csv --column=id --quote=none' returned 1: The request you
have made requires authentication. (HTTP 401) (Request-ID:
req-9d5e6e3e-65ba-4a92-af95-ef0be5fa30f6)". Retrying for 6 sec.
Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to complete
neutron request due to non-fatal error: "Execution of '/usr/bin/neutron
net-list --format=csv --column=id --quote=none' returned 1: The request you
have made requires authentication. (HTTP 401) (Request-ID:
req-36f18e6a-50e1-464b-b8bd-fc7cb6ee223e)". Retrying for 3 sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to complete
neutron request due to non-fatal error: "Execution of '/usr/bin/neutron
net-list --format=csv --column=id --quote=none' returned 1: The request you
have made requires authentication. (HTTP 401) (Request-ID:
req-35c8125d-7647-49a3-829b-ff485adb2234)". Retrying for 0 sec.

If i don't have the OS_ variables in my shell, then it all works fine.

Is this a bug?

Cheers,
Just

On 10 November 2016 at 21:46, Justin Cattle j@ocado.com wrote:

I tried switching the OSTENANTNAME for OSPROJECTNAME as a quick test
, it didn't seem to fix it.

However, I'll generate the openrc file from the class in openstack_extras
just to make sure it's 100% correct, and report back.

Cheers,
Just

On 10 November 2016 at 17:43, Alex Schultz aschultz@redhat.com wrote:

On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle j@ocado.com wrote:

Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

I think that should be good. You might want to try switching out
OSTENANTNAME for OSPROJECTNAME as project name is for v3 which may
be causing the issue. The keystone::disableadmintokenauth had a
dependency on a change[0] to add OS
PROJECT_NAME in. You should be
able to test the underlying commands to see if that fixes the problem.
The root cause seems to be more of the openstack client interactions
(and missing commands) based on the rc file than a puppet issue.

Thanks,
-Alex

[0] https://review.openstack.org/#/c/274296/

Actually we haven't been using puppet-openstack_extras, but I'll look at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack
--help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:

/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::
Serviceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list
--quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it is
for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/ma
ster/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright
material
of
members of the Ocado Group. Opinions and views expressed in this
message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately
and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary
undertakings
(as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstac
k-operators

Notice: This email is confidential and may contain copyright material
of
members of the Ocado Group. Opinions and views expressed in this
message may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 11, 2016 by Justin_Cattle (620 points)   2 2
0 votes

There is a known issue where some providers fail when you have an openrc
sourced. I remember it being glance that failed. Bug #1524599

On Nov 11, 2016 4:15 AM, "Justin Cattle" j@ocado.com wrote:

There was two problems here!

The puppet libs in use were coming from the wrong environment - so a
pretty terminal issue.
The openrc file wasn't quite correct, as already noted :)

We're still using puppet3, and directory environments on puppet3 have a
few issues around plugin-download with multiple directory environments.
I was already accounting for that, but somehow I missed something and some
of the libs from the production env slipped back in.
Now that is sorted, and the correct openrc file is place, pupping is
smooth again :)

I do notice one further issue.

If I source the openrc file, then run pup in that same shell, some of the
providers fail.

Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-031655a9-3eab-4ac6-b1e8-8840b6b49b4e)". Retrying for 9
sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-9d5e6e3e-65ba-4a92-af95-ef0be5fa30f6)". Retrying for 6
sec.
Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-36f18e6a-50e1-464b-b8bd-fc7cb6ee223e)". Retrying for 3
sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-35c8125d-7647-49a3-829b-ff485adb2234)". Retrying for 0
sec.

If i don't have the OS_ variables in my shell, then it all works fine.

Is this a bug?

Cheers,
Just

On 10 November 2016 at 21:46, Justin Cattle j@ocado.com wrote:

I tried switching the OSTENANTNAME for OSPROJECTNAME as a quick test
, it didn't seem to fix it.

However, I'll generate the openrc file from the class in openstack_extras
just to make sure it's 100% correct, and report back.

Cheers,
Just

On 10 November 2016 at 17:43, Alex Schultz aschultz@redhat.com wrote:

On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle j@ocado.com wrote:

Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from
ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

I think that should be good. You might want to try switching out
OSTENANTNAME for OSPROJECTNAME as project name is for v3 which may
be causing the issue. The keystone::disableadmintokenauth had a
dependency on a change[0] to add OS
PROJECT_NAME in. You should be
able to test the underlying commands to see if that fixes the problem.
The root cause seems to be more of the openstack client interactions
(and missing commands) based on the rc file than a puppet issue.

Thanks,
-Alex

[0] https://review.openstack.org/#/c/274296/

Actually we haven't been using puppet-openstack_extras, but I'll look
at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com
wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone
endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack
--help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:

/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Ser
viceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list
--quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it is
for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/ma
ster/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright
material
of
members of the Ocado Group. Opinions and views expressed in this
message
may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately
and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of
the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered
in
England and Wales with number 7098618) and its subsidiary
undertakings
(as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstac
k-operators

Notice: This email is confidential and may contain copyright material
of
members of the Ocado Group. Opinions and views expressed in this
message may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings
(as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 11, 2016 by Matt_Fischer (9,340 points)   1 4 8
0 votes

Ok - I'll review and search, and raise bugs if I think it's relevant.

Thanks for you help.

Cheers,
Just

On 11 November 2016 at 13:54, Matt Fischer matt@mattfischer.com wrote:

There is a known issue where some providers fail when you have an openrc
sourced. I remember it being glance that failed. Bug #1524599

On Nov 11, 2016 4:15 AM, "Justin Cattle" j@ocado.com wrote:

There was two problems here!

The puppet libs in use were coming from the wrong environment - so a
pretty terminal issue.
The openrc file wasn't quite correct, as already noted :)

We're still using puppet3, and directory environments on puppet3 have a
few issues around plugin-download with multiple directory environments.
I was already accounting for that, but somehow I missed something and
some of the libs from the production env slipped back in.
Now that is sorted, and the correct openrc file is place, pupping is
smooth again :)

I do notice one further issue.

If I source the openrc file, then run pup in that same shell, some of the
providers fail.

Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-031655a9-3eab-4ac6-b1e8-8840b6b49b4e)". Retrying for 9
sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-9d5e6e3e-65ba-4a92-af95-ef0be5fa30f6)". Retrying for 6
sec.
Notice: Puppet::Type::Neutronnetwork::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-36f18e6a-50e1-464b-b8bd-fc7cb6ee223e)". Retrying for 3
sec.
Notice: Puppet::Type::Neutron
network::ProviderNeutron: Unable to
complete neutron request due to non-fatal error: "Execution of
'/usr/bin/neutron net-list --format=csv --column=id --quote=none' returned
1: The request you have made requires authentication. (HTTP 401)
(Request-ID: req-35c8125d-7647-49a3-829b-ff485adb2234)". Retrying for 0
sec.

If i don't have the OS_ variables in my shell, then it all works fine.

Is this a bug?

Cheers,
Just

On 10 November 2016 at 21:46, Justin Cattle j@ocado.com wrote:

I tried switching the OSTENANTNAME for OSPROJECTNAME as a quick
test , it didn't seem to fix it.

However, I'll generate the openrc file from the class in
openstack_extras just to make sure it's 100% correct, and report back.

Cheers,
Just

On 10 November 2016 at 17:43, Alex Schultz aschultz@redhat.com wrote:

On Thu, Nov 10, 2016 at 10:28 AM, Justin Cattle j@ocado.com wrote:

Hi Alex,

Thanks very much for the response.

We're using python-openstackclient-2.3.0-2~cloud0, which is from
ubuntu
cloud archive, trusty-updates/mitaka/main.

What's the minimum version I need do you think?

I think that should be good. You might want to try switching out
OSTENANTNAME for OSPROJECTNAME as project name is for v3 which may
be causing the issue. The keystone::disableadmintokenauth had a
dependency on a change[0] to add OS
PROJECT_NAME in. You should be
able to test the underlying commands to see if that fixes the problem.
The root cause seems to be more of the openstack client interactions
(and missing commands) based on the rc file than a puppet issue.

Thanks,
-Alex

[0] https://review.openstack.org/#/c/274296/

Actually we haven't been using puppet-openstack_extras, but I'll look
at
that for the openrc file at least :)

Cheers,
Just

On 10 November 2016 at 16:32, Alex Schultz aschultz@redhat.com
wrote:

Hey Justin,

On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle j@ocado.com wrote:

Hi,

I was looking at this class in the keystone module:

keystone::disableadmintoken_auth

..which suggests:

After this class is run,

future puppet runs must have an openrc file with valid keystone

v3

admin credentials in /root/openrc available

So when I change the openrc file from the v2 to v3 keystone
endpoint,
puppet
runs then fail with various openstack provider errors.

e.g.

Error: Could not prefetch keystone_service provider 'openstack':
Execution
of '/usr/bin/openstack service list --quiet --format csv --long'
returned 2:
openstack: 'service' is not an openstack command. See 'openstack
--help'.
Did you mean one of these?
resource member create
resource member delete
resource member list
resource member show
resource member update
server add security group
server add volume
server create
server delete
server dump create
server image create
server list
server lock
server migrate
server pause
server reboot
server rebuild
server remove security group
server remove volume
server rescue
server resize
server resume
server set
server shelve
server show
server ssh
server start
server stop
server suspend
server unlock
server unpause
server unrescue
server unset
server unshelve (tried 44, for a total of 170 seconds)

..and..

Error:

/Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Ser
viceidentity[neutron]/Keystoneuser[neutron]:
Could not evaluate: Execution of '/usr/bin/openstack domain list
--quiet
--format csv' returned 2: openstack: 'domain' is not an openstack
command.
See 'openstack --help'.
Did you mean one of these?
command list
container create
container delete
container list
container save
container set
container show
container unset (tried 44, for a total of 170 seconds)

These errors seem to point to an outdated openstackclient. What
version are you using?

The v3 openrc file I have in place, works fine when just using the
openstack
cli, which makes the situation all the more strange :) Here it
is for
reference:

!/bin/sh

export OSNOCACHE='true'
export OSTENANTNAME='admin'
export OSUSERNAME='admin'
export OS
PASSWORD='supersecret'
export OSAUTHURL='http://1.2.3.4:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSIDENTITYAPIVERSION="3"
export OS
REGIONNAME='openstack'
export OS
USERDOMAINNAME='default'
export OSPROJECTDOMAINNAME='default'
export CINDER
ENDPOINTTYPE='publicURL'
export GLANCE
ENDPOINTTYPE='publicURL'
export KEYSTONE
ENDPOINTTYPE='publicURL'
export NOVA
ENDPOINTTYPE='publicURL'
export NEUTRON
ENDPOINT_TYPE='publicURL'

This looks ok, but it's OSPROJECTNAME now. All our CI uses v3 now
and here's an example file from a recent CI run.

!/bin/sh

export OSNOCACHE='true'
export OSPROJECTNAME='openstack'
export OSUSERNAME='admin'
export OS
PASSWORD='abigsecret'
export OSAUTHURL='https://[::1]:5000/v3/'
export OSAUTHSTRATEGY='keystone'
export OSREGIONNAME='RegionOne'
export OSPROJECTDOMAINNAME='default'
export OS
USERDOMAINNAME='default'
export CINDERENDPOINTTYPE='publicURL'
export GLANCEENDPOINTTYPE='publicURL'
export KEYSTONEENDPOINTTYPE='publicURL'
export NOVAENDPOINTTYPE='publicURL'
export NEUTRONENDPOINTTYPE='publicURL'
export OSIDENTITYAPI_VERSION='3'

We actually have an openstack_extras module that we use to generate
ours in our CI runs.

https://github.com/openstack/puppet-openstack_extras/blob/ma
ster/manifests/auth_file.pp

Thanks,
-Alex

Can anyone advise how the openrc file should be formatted ?

Thanks!

Cheers,
Just

Notice: This email is confidential and may contain copyright
material
of
members of the Ocado Group. Opinions and views expressed in this
message
may
not necessarily reflect the opinions and views of the members of
the
Ocado
Group.

If you are not the intended recipient, please notify us
immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of
the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered
in
England and Wales with number 7098618) and its subsidiary
undertakings
(as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstac
k-operators

Notice: This email is confidential and may contain copyright
material of
members of the Ocado Group. Opinions and views expressed in this
message may
not necessarily reflect the opinions and views of the members of the
Ocado
Group.

If you are not the intended recipient, please notify us immediately
and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled
is a trading name of Marie Claire Beauty Limited, both members of the
Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary
undertakings (as
that expression is defined in the Companies Act 2006) from time to
time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops
Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and
Fabled is a trading name of Marie Claire Beauty Limited, both members of
the Ocado Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--

Notice: This email is confidential and may contain copyright material of
members of the Ocado Group. Opinions and views expressed in this message
may not necessarily reflect the opinions and views of the members of the
Ocado Group.

If you are not the intended recipient, please notify us immediately and
delete all copies of this message. Please note that it is your
responsibility to scan this message for viruses.

Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled
is a trading name of Marie Claire Beauty Limited, both members of the Ocado
Group.

References to the “Ocado Group” are to Ocado Group plc (registered in
England and Wales with number 7098618) and its subsidiary undertakings (as
that expression is defined in the Companies Act 2006) from time to time.
The registered office of Ocado Group plc is Titan Court, 3 Bishops Square,
Hatfield Business Park, Hatfield, Herts. AL10 9NE.


OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
responded Nov 11, 2016 by Justin_Cattle (620 points)   2 2
...