Thanks Richard, I am not sure where to look ...
# pwd
/etc/puppetlabs/puppet/environments/production/modules
# ls
apache  apt  concat  firewall  inifile  keystone  mysql  openstacklib  postgresql  rabbitmq  staging  stdlib
# find . -type f -exec grep -i SECURE_PROXY_SSL_HEADER {} \;

no output. :)

On Thu, Jan 14, 2016 at 1:01 PM, Richard Raseley <rich...@raseley.com> wrote:

> If you’re terminating SSL at HAproxy, look into the ‘SECURE_PROXY_SSL_HEADER’ and related parameters.
>
> > On Jan 14, 2016, at 9:50 AM, Russell Cecala <red.cricket.b...@gmail.com> wrote:
> >
> > Thanks for helping out. I hope that I am not being too much of a pest, but I really want my group to adopt the Openstack community's puppet modules for deploying Openstack. Now that I have keystone working on one node I want to expand on that. I have an HAProxy cluster and I have a signed certificate. I want to use ssl and use my HAProxy cluster. I assume that I need to change my POC puppet manifest like so ...
> >
> >   class { '::keystone::endpoint':
> >     public_url   => "https://${controller_vip_name}:5000",
> >     admin_url    => "https://${controller_vip_name}:35357",
> >     internal_url => "https://${controller_vip_name}:5000",
> >     region       => 'example-1',
> >   }
> >
> > Where $controller_vip_name is the hostname (or IP address) of the virtual interface for my HAProxy
> >
> > In my haproxy.cfg I have these lines:
> >
> >   frontend keystone-admin-vip
> >     bind 10.29.103.39:35357 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> >     default_backend keystone-admin-api
> >
> >   frontend keystone-public-vip
> >     bind 10.29.103.39:5000 ssl crt /etc/haproxy/svl-ost-el7.cisco.com no-sslv3 ciphers AES128-SHA:AES256-SHA
> >     default_backend keystone-public-api
> >
> > So I guess my question is, "Is there any thing else I need to do besides changing the values I pass to my keystone::endpoint resource?".
> >
> > Thanks!
> >
> > On Fri, Jan 8, 2016 at 10:13 AM, Russell Cecala <red.cricket.b...@gmail.com> wrote:
> > oops. I figured it out ...
> >
> > MariaDB [keystone_db_name]> select * from project;
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > | id                               | name      | extra | description                       | enabled | domain_id | parent_id |
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > | af4e7a8966fb4665aaac22a8b9687c8f | openstack | {}    | admin tenant                      |       1 | default   | NULL      |
> > | b83b33cc7d314181af50a2a80c995b0c | services  | {}    | Tenant for the openstack services |       1 | default   | NULL      |
> > +----------------------------------+-----------+-------+-----------------------------------+---------+-----------+-----------+
> > 2 rows in set (0.01 sec)
> >
> > MariaDB [keystone_db_name]> quit
> > Bye
> > [root@ost-services-centos-001 ~]# exit
> > logout
> > Connection to ost-services-centos-001 closed.
> > [root@ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357 --os-project-name openstack --os-username admin --os-auth-type password token issue
> > Password:
> > +------------+----------------------------------+
> > | Field      | Value                            |
> > +------------+----------------------------------+
> > | expires    | 2016-01-08T19:12:14Z             |
> > | id         | 581a5c2e8a074740a510cbadebf17815 |
> > | project_id | af4e7a8966fb4665aaac22a8b9687c8f |
> > | user_id    | b3f1f4bcfb114559a05378bd6ce39e55 |
> > +------------+----------------------------------+
> >
> > On Fri, Jan 8, 2016 at 10:09 AM, Russell Cecala <red.cricket.b...@gmail.com> wrote:
> > Hi Rich,
> >
> > Thanks for all your help so far.
> > I am getting clean puppet runs (I still get depreciation warnings) but "puppet agent -t" is running without error now:
> >
> > [root@ost-mgmt-centos-001 ~]# puppet agent -t
> > Info: Retrieving pluginfacts
> > Info: Retrieving plugin
> > Info: Loading facts
> > Error: NetworkManager is not running.
> > Info: Caching catalog for ost-mgmt-centos-001.example.com
> > Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project.
> > Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.
> > Info: Applying configuration version '1452275612'
> > Notice: /Stage[main]/Wrapcontroller/Exec[/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main > /var/www/cgi-bin/keystone/admin]/returns: executed successfully
> > Notice: Finished catalog run in 11.53 seconds
> >
> > Here is the puppet module I am using currently:
> >
> > class wrapcontroller(
> >   ... long list of parameters I am not using yet ...
> > ) {
> >   class {'my-openstack::disable_firewall':} ->
> >   class {'my-openstack::disable_selinux':} ->
> >   class {'my-openstack::disable_network_manager':} ->
> >
> >   exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
> >   exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
> >   exec { '/usr/bin/curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | /usr/bin/tee /var/www/cgi-bin/keystone/main > /var/www/cgi-bin/keystone/admin':}
> >
> >   $packages = ['mariadb', 'mod_wsgi', 'memcached', 'python-memcached']
> >   package { $packages : ensure => present, }
> >
> >   exec { 'keystone_database_init':
> >     command => '/usr/bin/keystone-manage db_sync',
> >     onlyif  => [
> >       "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
> >       "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
> >     ],
> >     require => Package['mariadb'],
> >   }
> >
> >   $services = ['memcached']
> >   service { $services : ensure => running, enable => true, }
> >
> >   # found out that you shouldn't create the wsgi-ketstone.conf file as it prevents httpd from starting
> >   file { '/etc/httpd/conf.d/wsgi-keystone.conf':
> >     ensure => absent,
> >     # content => template( "wrapcontroller/wsgi-keystone.conf.erb" ),
> >   }
> >
> >   class {'::keystone':
> >     admin_token         => $keystone_auth_token,
> >     catalog_type        => 'sql',
> >     database_connection => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
> >     debug               => $debug,
> >     verbose             => $debug,
> >   }
> >
> >   # include ::apache
> >   # class { '::keystone::wsgi::apache': ssl => false, }
> >
> >   class { '::keystone::roles::admin':
> >     email    => $keystone_admin_email,
> >     password => $keystone_admin_password,
> >   }
> >
> >   class { '::keystone::endpoint':
> >     public_url   => "http://127.0.0.1:5000",
> >     admin_url    => "http://127.0.0.1:35357",
> >     internal_url => "http://127.0.0.1:5000",
> >     region       => 'example-1',
> >   }
> > }
> >
> > The above runs but I am unable to verify that keystone is working as per the docs here:
> >
> > http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html
> >
> > [root@ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357 --os-project-name admin --os-username admin --os-auth-type password token issue
> > Password:
> > ERROR: openstack Invalid user / password (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-7c9b4b3b-dfe8-48a9-98eb-668b18e9b3bb)
> >
> > [root@ost-mgmt-centos-001 ~]# openstack --os-auth-url http://127.0.0.1:35357 --os-project-name admin --os-username admin --os-auth-type password token issue
> > Password:
> > ERROR: openstack Could not find project: admin (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-c42ee03c-eb7b-4858-9743-a376fda0dc1f)
> >
> > openstack Could not find project: admin
> >
> > Hmm what is the project's name? How can I figure that out?
> >
> > Thanks,
> > Russ
> >
> > On Tue, Jan 5, 2016 at 2:22 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> > On 01/05/2016 02:42 PM, Russell Cecala wrote:
> >> Hi Rich,
> >>
> >> I guess I am kind of confused. I thought "class { '::keystone::roles::admin':" was suppose to create the "admin" user and set the password to $keystone_admin_password. If class { '::keystone::roles::admin' doesn't create the admin user what does?
> >
> > It either creates it, or ensures that it has the specified properties, if it already exists. In this case, it seems that it already exists, so it attempts to ensure that it has the specified properties.
> >
> >> And what kind of user are we talking about? A user that shows up in the /etc/passwd file or an mysql user or a keystone user of some sort?
> >
> > a keystone user - a user that shows up when you do "$ openstack user list" as an admin user.
> >
> >> Sorry I am pretty confused :)
> >>
> >> After I truncate my /var/log/keystone/keystone.log and run puppet agent -t I get this output to my keystone.log
> >>
> >> 2016-01-05 16:28:38.342 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:38.346 10596 INFO keystone.common.wsgi [-] GET /projects?
> >> 2016-01-05 16:28:38.347 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:38.352 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:38] "GET /v3/projects HTTP/1.1" 200 884 0.011000
> >> 2016-01-05 16:28:39.144 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:39.147 10596 INFO keystone.common.wsgi [-] GET /domains?
> >> 2016-01-05 16:28:39.148 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:39.152 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:39] "GET /v3/domains HTTP/1.1" 200 702 0.009214
> >> 2016-01-05 16:28:39.929 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:39.932 10596 INFO keystone.common.wsgi [-] GET /roles?
> >> 2016-01-05 16:28:39.933 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:39.938 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:39] "GET /v3/roles HTTP/1.1" 200 615 0.009210
> >> 2016-01-05 16:28:40.712 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:40.716 10596 INFO keystone.common.wsgi [-] GET /users?
> >> 2016-01-05 16:28:40.716 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:40.721 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:40] "GET /v3/users HTTP/1.1" 200 820 0.008919
> >> 2016-01-05 16:28:41.562 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:41.565 10596 INFO keystone.common.wsgi [-] GET /domains?
> >> 2016-01-05 16:28:41.566 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:41.571 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:41] "GET /v3/domains HTTP/1.1" 200 702 0.009300
> >> 2016-01-05 16:28:42.331 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:42.335 10596 INFO keystone.common.wsgi [-] GET /users/5ec5abf83d164d439b603d72606b99fd?
> >> 2016-01-05 16:28:42.335 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:42.340 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd HTTP/1.1" 200 472 0.009393
> >> 2016-01-05 16:28:42.353 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:42.356 10596 INFO keystone.common.wsgi [-] GET /users/5ec5abf83d164d439b603d72606b99fd/projects?
> >> 2016-01-05 16:28:42.357 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:42.370 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd/projects HTTP/1.1" 200 632 0.016973
> >> 2016-01-05 16:28:43.217 10599 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
> >> 2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002948
> >> 2016-01-05 16:28:43.318 10599 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
> >> 2016-01-05 16:28:43.321 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - [05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002887
> >
> > This is strange. /v2.0/auth/tokens does not exist. It is /v2.0/tokens for v2, and /v3/auth/tokens for v3. This would indicate that perhaps your openrc setting with the "/v2.0" suffix is polluting the puppet run?
> >
> >> 2016-01-05 16:28:44.076 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:44.079 10596 INFO keystone.common.wsgi [-] GET /services?
> >> 2016-01-05 16:28:44.079 10596 WARNING keystone.common.controller [-] RBAC: Bypassing authorization
> >> 2016-01-05 16:28:44.084 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v3/services HTTP/1.1" 200 558 0.008541
> >> 2016-01-05 16:28:44.871 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:44.873 10596 INFO keystone.common.wsgi [-] GET /endpoints?
> >> 2016-01-05 16:28:44.878 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/endpoints HTTP/1.1" 200 764 0.006931
> >> 2016-01-05 16:28:44.891 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:44.892 10596 INFO keystone.common.wsgi [-] GET /OS-KSADM/services/07622af16010436aadb463adffff4099?
> >> 2016-01-05 16:28:44.896 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385 0.005287
> >> 2016-01-05 16:28:44.899 10596 DEBUG keystone.middleware.core [-] RBAC: auth_context: {} process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:239
> >> 2016-01-05 16:28:44.900 10596 INFO keystone.common.wsgi [-] GET /OS-KSADM/services/07622af16010436aadb463adffff4099?
> >> 2016-01-05 16:28:44.904 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - [05/Jan/2016 16:28:44] "GET /v2.0/OS-KSADM/services/07622af16010436aadb463adffff4099 HTTP/1.1" 200 385 0.005030
> >>
> >> On Mon, Jan 4, 2016 at 3:22 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> >> On 01/04/2016 03:07 PM, Russell Cecala wrote:
> >>> Thank you for the reply Rich,
> >>>
> >>> Here are the versions of my puppet modules:
> >>>
> >>> [root@ost-puppet-centos-001 keystone]# puppet module list
> >>> /etc/puppetlabs/puppet/environments/production/modules
> >>> ├── nanliu-staging (v1.0.3)
> >>> ├── openstack-keystone (v6.1.0)
> >>> ├── openstack-openstacklib (v6.1.0)
> >>> ├── puppetlabs-apache (v1.7.0)
> >>> ├── puppetlabs-apt (v1.8.0)
> >>> ├── puppetlabs-concat (v1.2.4)
> >>> ├── puppetlabs-firewall (v1.7.1)
> >>> ├── puppetlabs-inifile (v1.4.2)
> >>> ├── puppetlabs-mysql (v3.6.1)
> >>> ├── puppetlabs-postgresql (v3.4.2)
> >>> ├── puppetlabs-rabbitmq (v5.3.1)
> >>> └── puppetlabs-stdlib (v4.9.0)
> >>> /etc/puppetlabs/puppet/modules
> >>> ├── cisco-gis-openstack (???)
> >>> ├── haproxy (???)
> >>> ├── keepalived (???)
> >>> ├── mikduart-unnamed (v0.1.0)
> >>> ├── mikduart-unnamed (v0.1.0)
> >>> ├── mikduart-unnamed (v0.1.0)
> >>> ├── puppetlabs-mongodb (v0.10.0)
> >>> ├── saz-memcached (v2.4.0)
> >>> ├── setup_mariadb_script (???)
> >>> ├── sysctl (???)
> >>> └── wrapmongodb (???)
> >>> /opt/puppet/share/puppet/modules
> >>> ├── puppetlabs-pe_accounts (v2.0.2-8-g8acc04e)
> >>> ├── puppetlabs-pe_concat (v1.1.2-4-g2b7bba2)
> >>> ├── puppetlabs-pe_console_prune (v0.1.1-4-g293f45b)
> >>> ├── puppetlabs-pe_inifile (v1.1.4-16-gcb39966)
> >>> ├── puppetlabs-pe_java_ks (v1.2.4-35-g44fbb26)
> >>> ├── puppetlabs-pe_postgresql (v3.4.4-15-g32e56ed)
> >>> ├── puppetlabs-pe_razor (v0.2.1-9-g8d78ec2)
> >>> ├── puppetlabs-pe_repo (v0.7.7-59-g4514315)
> >>> ├── puppetlabs-pe_staging (v0.3.3-6-gbd9db2b)
> >>> └── puppetlabs-puppet_enterprise (v3.7.1-117-g9c48e73)
> >>>
> >>> I am not sure I have the right values in my openrc but I have been using:
> >>>
> >>> # cat openrc.localhost
> >>> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
> >>> export OS_PASSWORD=xxxxxxxxxxxxxxxx
> >>> export OS_TENANT_NAME=admin
> >>> export OS_USERNAME=admin
> >>
> >> Is this sourced into the environment where puppet is running? It should not be.
> >>
> >>> I believe this is the openstackclient version I am using:
> >>>
> >>> [root@ost-mgmt-centos-001 ~]# rpm -qa | grep openstackclient
> >>> python-openstackclient-1.0.3-2.el7.noarch
> >>>
> >>> On Mon, Jan 4, 2016 at 1:19 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> >>> On 01/04/2016 02:06 PM, Russell Cecala wrote:
> >>>> Hi Emilien,
> >>>>
> >>>> I am trying to use https://github.com/openstack/puppet-keystone to set up a Kilo keystone node.
> >>>
> >>> I'm assuming you're using the kilo branch there?
> >>>
> >>>> I was hoping to could help me out so I can get my team to adopt puppet for setting up OpenStack.
> >>>>
> >>>> On my keystone node I am running centos7 with selinux disabled ...
> >>>
> >>> What version of openstackclient are you using?
> >>>
> >>> Do you have a $HOME/openrc or /root/openrc, or are you otherwise defining OS_* environment variables in the environment before running puppet?
> >>>
> >>>> [root@svl-ost-mgmt-centos-001 ~]# sestatus
> >>>> SELinux status:                 disabled
> >>>>
> >>>> ... and I have flushed my iptables ...
> >>>>
> >>>> [root@svl-ost-mgmt-centos-001 ~]# iptables -L
> >>>> Chain INPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain FORWARD (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Chain OUTPUT (policy ACCEPT)
> >>>> target     prot opt source               destination
> >>>>
> >>>> Yet when I run "puppet agent -t" I get these errors:
> >>>>
> >>>> [root@ost-mgmt-centos-001 ~]# puppet agent -t
> >>>> Info: Retrieving pluginfacts
> >>>> Info: Retrieving plugin
> >>>> Info: Loading facts
> >>>> Error: NetworkManager is not running.
> >>>> Info: Caching catalog for ost-mgmt-centos-001.example.com
> >>>> Warning: The tenant parameter is deprecated and will be removed in the future. Please use keystone_user_role to assign a user to a project.
> >>>> Warning: The ignore_default_tenant parameter is deprecated and will be removed in the future.
> >>>> Info: Applying configuration version '1451940682'
> >>>> Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user[admin]: Could not evaluate: Execution of '/usr/bin/openstack token issue --format value' returned 1: ERROR: openstack The resource could not be found. (HTTP 404) (Request-ID: req-ca2a6dd1-fdb6-48f4-94fe-8f736fcc01dd)
> >>
> >> This usually indicates that it is trying to ensure that the user "admin" exists but the password is incorrect. That is, the class { '::keystone::roles::admin': password => $keystone_admin_password is not correct.
> >>
> >> If you are sure it is correct, then it could be a mismatch between the identity api version used by the puppet module and the one specified in the environment. Check the keystone access logs to see what URL this is trying to access - something with /token or /tokens, or something with /auth/token or /auth/tokens
> >>
> >>>> Notice: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@openstack]: Dependency Keystone_user[admin] has failures: true
> >>>> Warning: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[admin@openstack]: Skipping because of failed dependencies
> >>>> Notice: Finished catalog run in 12.38 seconds
> >>>>
> >>>> Here's code I am using on my puppet master ...
> >>>>
> >>>> class wrapcontroller(
> >>>>   ... big list of parameters I am not using until I can get keystone going ...
> >>>> ) {
> >>>>
> >>>>   exec { '/bin/yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm': unless => '/bin/rpm -q epel-release', }
> >>>>   exec { '/bin/yum -y install http://rdo.fedorapeople.org/openstack-kilo/rdo-release-kilo.rpm': unless => '/bin/rpm -q rdo-release', }
> >>>>
> >>>>   package { 'mariadb': ensure => present, }
> >>>>
> >>>>   exec { 'keystone_database_init':
> >>>>     command => '/usr/bin/keystone-manage db_sync',
> >>>>     onlyif  => [
> >>>>       "/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'",
> >>>>       "/usr/bin/test -z \"`/usr/bin/mysql -u$keystone_db_user -p$keystone_db_pass -h$db_host -P$db_port $keystone_db_name -e 'show tables'`\""
> >>>>     ],
> >>>>     require => Package['mariadb'],
> >>>>   }
> >>>>
> >>>>   class {'::keystone':
> >>>>     admin_token         => $keystone_auth_token,
> >>>>     database_connection => "mysql://${keystone_db_user}:${keystone_db_pass}@${db_host}:${db_port}/${keystone_db_name}",
> >>>>     debug               => $debug,
> >>>>     enabled             => true,
> >>>>     enable_ssl          => false,
> >>>>     service_name        => 'httpd', # this is a kilo thing
> >>>>     verbose             => $debug,
> >>>>   }
> >>>>
> >>>>   include ::apache
> >>>>   class { '::keystone::wsgi::apache': ssl => false, }
> >>>>
> >>>>   class { '::keystone::roles::admin':
> >>>>     email    => $keystone_admin_email,
> >>>>     password => $keystone_admin_password,
> >>>>   }
> >>>>
> >>>>   class { '::keystone::endpoint':
> >>>>     public_url     => "http://127.0.0.1:5000",
> >>>>     admin_url      => "http://127.0.0.1:35357",
> >>>>     default_domain => 'admin',
> >>>>   }
> >>>>
> >>>> }
> >>>>
> >>>> Thanks! And Happy New Year to you :)
> >>>> Red
> >>>>
> >>>> On Tue, Nov 24, 2015 at 2:38 PM, Emilien Macchi <emil...@redhat.com> wrote:
> >>>>
> >>>> On 11/24/2015 11:21 PM, Russell Cecala wrote:
> >>>> > I am trying to use the OpenStack community puppet modules. Here's the keystone module I am using: https://github.com/openstack/puppet-keystone
> >>>> > I am using the stable juno branch.
> >>>> > I have in my puppet manifest for my controller nodes this resource definition:
> >>>> >
> >>>> >   class { '::keystone::roles::admin':
> >>>> >     admin    => $keystone_admin_user,
> >>>> >     email    => $keystone_admin_email,
> >>>> >     password => $keystone_admin_password,
> >>>> >   } ->
> >>>> >
> >>>> > And when puppet runs that code I get this error:
> >>>> >
> >>>> > Error: /Stage[main]/Keystone::Roles::Admin/Keystone_user_role[keystone_admin_user@openstack]:
> >>>> > Could not evaluate: Execution of '/usr/bin/openstack domain show --format shell' returned 2: usage: openstack domain show [-h] [-f {shell,table,value}] [-c COLUMN]
> >>>> >                              [--max-width <integer>] [--prefix PREFIX]
> >>>> >                              <domain>
> >>>> > openstack domain show: error: too few arguments
> >>>>
> >>>> Sounds like an issue with your version of openstackclient, can you provide it?
> >>>>
> >>>> > Can anyone help me? Are these Puppet modules still being supported?
> >>>>
> >>>> Yes :-)
> >>>>
> >>>> > Does anyone use them? Thanks!
> >>>>
> >>>> Double yes.
> >>>> --
> >>>> Emilien Macchi
> >>>>
> >>>> _______________________________________________
> >>>> OpenStack-operators mailing list
> >>>> OpenStack-operators@lists.openstack.org
> >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
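
Added example, not part of the original thread and not code from puppet-keystone: the mismatch Rich Megginson describes above (a request to /v2.0/auth/tokens, which is neither /v2.0/tokens nor /v3/auth/tokens) can be picked out of the keystone access log mechanically and compared with the version suffix on OS_AUTH_URL. The function names are hypothetical; the first three sample lines are unwrapped from the log quoted in the thread and the last one is constructed.

```python
import re
from urllib.parse import urlsplit

# Token endpoints as stated in the thread: /v2.0/tokens (v2), /v3/auth/tokens (v3).
VALID_TOKEN_PATHS = {"/v2.0/tokens", "/v3/auth/tokens"}

# keystone (eventlet) access-log line, in the format quoted in the thread.
ACCESS_RE = re.compile(
    r'INFO eventlet\.wsgi\.server \[-\] (?P<client>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Any combination of a version prefix with a v2-style or v3-style token path.
TOKEN_RE = re.compile(r"^/(v2\.0|v3)/(auth/tokens|tokens)$")


def auth_url_version(auth_url):
    """Return the version suffix of an OS_AUTH_URL value, or None if unversioned."""
    last = urlsplit(auth_url).path.rstrip("/").rsplit("/", 1)[-1]
    return last if re.fullmatch(r"v\d+(\.\d+)?", last) else None


def find_token_mismatches(log_lines):
    """Flag token requests whose URL version prefix and path style disagree."""
    findings = []
    for line in log_lines:
        m = ACCESS_RE.search(line)
        if not m or m["method"] != "POST":
            continue
        path = urlsplit(m["path"]).path.rstrip("/")
        t = TOKEN_RE.match(path)
        if not t or path in VALID_TOKEN_PATHS:
            continue
        findings.append({
            "client": m["client"],
            "path": path,
            "status": int(m["status"]),
            "url_prefix": t.group(1),  # version taken from the base URL
            "request_style": "v3" if t.group(2) == "auth/tokens" else "v2.0",
        })
    return findings


def auth_url_explains(finding, auth_url):
    """True if the OS_AUTH_URL suffix matches the stray prefix in a flagged request."""
    return auth_url_version(auth_url) == finding["url_prefix"]


SAMPLE_LOG = [
    # From the thread (unwrapped):
    '2016-01-05 16:28:42.340 10596 INFO eventlet.wsgi.server [-] 127.0.0.1 - - '
    '[05/Jan/2016 16:28:42] "GET /v3/users/5ec5abf83d164d439b603d72606b99fd HTTP/1.1" 200 472 0.009393',
    '2016-01-05 16:28:43.220 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - '
    '[05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002948',
    '2016-01-05 16:28:43.321 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - '
    '[05/Jan/2016 16:28:43] "POST /v2.0/auth/tokens HTTP/1.1" 404 318 0.002887',
    # Constructed line: a well-formed v3 token request, which must not be flagged.
    '2016-01-05 16:28:45.000 10599 INFO eventlet.wsgi.server [-] 10.29.103.19 - - '
    '[05/Jan/2016 16:28:45] "POST /v3/auth/tokens HTTP/1.1" 201 318 0.002887',
]

if __name__ == "__main__":
    openrc_auth_url = "http://127.0.0.1:5000/v2.0"  # value from openrc.localhost in the thread
    for f in find_token_mismatches(SAMPLE_LOG):
        hint = "matches OS_AUTH_URL suffix" if auth_url_explains(f, openrc_auth_url) else "unexplained"
        print(f'{f["client"]} {f["path"]} -> {f["status"]}: '
              f'{f["request_style"]}-style request under {f["url_prefix"]} prefix ({hint})')
```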