Hey Justin,
On Thu, Nov 10, 2016 at 8:48 AM, Justin Cattle <j...@ocado.com> wrote: > Hi, > > > I was looking at this class in the keystone module: > > keystone::disable_admin_token_auth > > ..which suggests: > > # After this class is run, > # future puppet runs must have an openrc file with valid keystone v3 > # admin credentials in /root/openrc available > > > > So when I change the openrc file from the v2 to v3 keystone endpoint, puppet > runs then fail with various openstack provider errors. > > e.g. > > Error: Could not prefetch keystone_service provider 'openstack': Execution > of '/usr/bin/openstack service list --quiet --format csv --long' returned 2: > openstack: 'service' is not an openstack command. See 'openstack --help'. > Did you mean one of these? > resource member create > resource member delete > resource member list > resource member show > resource member update > server add security group > server add volume > server create > server delete > server dump create > server image create > server list > server lock > server migrate > server pause > server reboot > server rebuild > server remove security group > server remove volume > server rescue > server resize > server resume > server set > server shelve > server show > server ssh > server start > server stop > server suspend > server unlock > server unpause > server unrescue > server unset > server unshelve (tried 44, for a total of 170 seconds) > > > ..and.. > > Error: > /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Service_identity[neutron]/Keystone_user[neutron]: > Could not evaluate: Execution of '/usr/bin/openstack domain list --quiet > --format csv' returned 2: openstack: 'domain' is not an openstack command. > See 'openstack --help'. > Did you mean one of these? > command list > container create > container delete > container list > container save > container set > container show > container unset (tried 44, for a total of 170 seconds) > > These errors seem to point to an outdated openstackclient. What version are you using? > > The v3 openrc file I have in place, works fine when just using the openstack > cli, which makes the situation all the more strange :) Here it is for > reference: > > #!/bin/sh > export OS_NO_CACHE='true' > export OS_TENANT_NAME='admin' > export OS_USERNAME='admin' > export OS_PASSWORD='supersecret' > export OS_AUTH_URL='http://1.2.3.4:5000/v3/' > export OS_AUTH_STRATEGY='keystone' > export OS_IDENTITY_API_VERSION="3" > export OS_REGION_NAME='openstack' > export OS_USER_DOMAIN_NAME='default' > export OS_PROJECT_DOMAIN_NAME='default' > export CINDER_ENDPOINT_TYPE='publicURL' > export GLANCE_ENDPOINT_TYPE='publicURL' > export KEYSTONE_ENDPOINT_TYPE='publicURL' > export NOVA_ENDPOINT_TYPE='publicURL' > export NEUTRON_ENDPOINT_TYPE='publicURL' > > This looks ok, but it's OS_PROJECT_NAME now. All our CI uses v3 now and here's an example file from a recent CI run. #!/bin/sh export OS_NO_CACHE='true' export OS_PROJECT_NAME='openstack' export OS_USERNAME='admin' export OS_PASSWORD='a_big_secret' export OS_AUTH_URL='https://[::1]:5000/v3/' export OS_AUTH_STRATEGY='keystone' export OS_REGION_NAME='RegionOne' export OS_PROJECT_DOMAIN_NAME='default' export OS_USER_DOMAIN_NAME='default' export CINDER_ENDPOINT_TYPE='publicURL' export GLANCE_ENDPOINT_TYPE='publicURL' export KEYSTONE_ENDPOINT_TYPE='publicURL' export NOVA_ENDPOINT_TYPE='publicURL' export NEUTRON_ENDPOINT_TYPE='publicURL' export OS_IDENTITY_API_VERSION='3' We actually have an openstack_extras module that we use to generate ours in our CI runs. https://github.com/openstack/puppet-openstack_extras/blob/master/manifests/auth_file.pp Thanks, -Alex > > Can anyone advise how the openrc file should be formatted ? > > Thanks! > > > > > Cheers, > Just > > Notice: This email is confidential and may contain copyright material of > members of the Ocado Group. Opinions and views expressed in this message may > not necessarily reflect the opinions and views of the members of the Ocado > Group. > > > > If you are not the intended recipient, please notify us immediately and > delete all copies of this message. Please note that it is your > responsibility to scan this message for viruses. > > > > Fetch and Sizzle are trading names of Speciality Stores Limited and Fabled > is a trading name of Marie Claire Beauty Limited, both members of the Ocado > Group. > > > > References to the “Ocado Group” are to Ocado Group plc (registered in > England and Wales with number 7098618) and its subsidiary undertakings (as > that expression is defined in the Companies Act 2006) from time to time. > The registered office of Ocado Group plc is Titan Court, 3 Bishops Square, > Hatfield Business Park, Hatfield, Herts. AL10 9NE. > > > _______________________________________________ > OpenStack-operators mailing list > OpenStack-operators@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators > _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators