Re: [Openstack] Keystone client, user belongs to many tenants?
Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. In fat Keystone, there a couple of ways you can accomplish this. 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role reference. When Bud Selid tries to access MLB with his unscoped token, MLB will get his Commissioner role back from Keystone. When Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get both his Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his Commissioner role back from Keystone. 2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers, and Brewers individually by creating the respective role references. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating another role reference. In this scenario, Bud Selid will always need a scoped token to access MLB. In KSL, there really aren’t any effective ways to accomplish the same thing. Global roles are no longer supported. A given user must assign to exactly one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign both Commissioner and Minority Owner roles to him. But there are two major side effects. 1) Bud Selid must access MLB with the token scoped to the “Default Tenant” in order for MLB to recognize him as Commissioner. Which means he IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J 2) If Bud Selid tries to access MLB with the token scoped to either Giants, Dodgers, or Brewers, his a NOBODY. J The upcoming Domains blueprint (to be implemented for Folsom), which offers true multitenancy, should support these types of use cases. https://blueprints.launchpad.net/keystone/+spec/keystone-domains With Domains, you can create a MLB domain with tenants Dodgers, Giants, and Brewers. And have Bud Selid under the MLB domain. Notice that users will no longer be assigned to tenants. They will be under a domain. Create roles Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have another domain NFL, Bud Selid will not be able to access any tenants in the NFL domain, unless the NFL domain administrator explicitly assign NFL roles to Bud Selid. Guang From: openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Dolph Mathews Sent: Wednesday, May 09, 2012 4:34 PM To: Joshua Harlow Cc: openstack Subject: Re: [Openstack] Keystone client, user belongs to many tenants? The user create command is actually creating discrete users, each with a default tenant reference. While that's fine for a lot of simple use cases, it doesn't directly support a user accessing multiple tenants at all. Instead, create a role, and grant that role to a user-tenant pair, creating an explicit relationship between the two. Using default tenants is optional with this method, but will affect how users must auth. -Dolph Mathews On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote: A question, I am using anvil to setup the keystone roles/users/tenants. It seems like the python keystone client has the following command: client.users.create Which seems to take in the following: create(self, name, password, email, tenant_id=None, enabled=True): I would assume a user name can be used in multiple tenants but when I am trying to create a user that spans tenants and it
Re: [Openstack] Keystone client, user belongs to many tenants?
+1 The second way to accomplish this is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because its just as confusing as you describe it. -Dolph Mathews On May 10, 2012, at 2:35 AM, Joseph Heck he...@mac.com wrote: Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. In fat Keystone, there a couple of ways you can accomplish this. 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role reference. When Bud Selid tries to access MLB with his unscoped token, MLB will get his Commissioner role back from Keystone. When Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get both his Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his Commissioner role back from Keystone. 2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers, and Brewers individually by creating the respective role references. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating another role reference. In this scenario, Bud Selid will always need a scoped token to access MLB. In KSL, there really aren’t any effective ways to accomplish the same thing. Global roles are no longer supported. A given user must assign to exactly one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign both Commissioner and Minority Owner roles to him. But there are two major side effects. 1) Bud Selid must access MLB with the token scoped to the “Default Tenant” in order for MLB to recognize him as Commissioner. Which means he IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J 2) If Bud Selid tries to access MLB with the token scoped to either Giants, Dodgers, or Brewers, his a NOBODY. J The upcoming Domains blueprint (to be implemented for Folsom), which offers true multitenancy, should support these types of use cases. https://blueprints.launchpad.net/keystone/+spec/keystone-domains With Domains, you can create a MLB domain with tenants Dodgers, Giants, and Brewers. And have Bud Selid under the MLB domain. Notice that users will no longer be assigned to tenants. They will be under a domain. Create roles Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have another domain NFL, Bud Selid will not be able to access any tenants in the NFL domain, unless the NFL domain administrator explicitly assign NFL roles to Bud Selid. Guang From: openstack-bounces+guang.yee=hp@lists.launchpad.net [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Dolph Mathews Sent: Wednesday, May 09, 2012 4:34 PM To: Joshua Harlow Cc: openstack Subject: Re: [Openstack] Keystone client, user belongs to many tenants? The user create command is actually creating discrete users, each with a default tenant reference. While that's fine for a lot of simple use cases, it doesn't directly support a user accessing multiple tenants at all. Instead, create a role, and grant that role to a user-tenant pair, creating an explicit relationship between the two. Using default tenants is optional with this method, but will affect how users must auth. -Dolph Mathews On May 9, 2012, at 3:46 PM, Joshua Harlow harlo...@yahoo-inc.com wrote: A question, I am using anvil to setup the
Re: [Openstack] [Metering] Bootstrapping, first counter implementation
On Wed, May 09 2012, Doug Hellmann wrote: I'm not sure what you mean. I was able to use nova.service to create a metering server and a simple manager that subscribes to the notification events. See https://github.com/dhellmann/metering-prototype (metering-test is the main program and testmanager.py is the manager class). I borrowed your Connection code. Actually, the Service class is supposed to handle the AMQP (or whatever backend) connection itself and bind it to a set of topics. But it uses the nova.rpc.impl_kombu.Connection class that uses ProxyCallback and that one obviously fails to decode notification. This is why I say I failed to the Service class. You cheated since you opened another AMQP connection in your Manager class, rendering the connection from the Service class useless. I wish we could access the connection from the Service from the Manager so we can reuse it at least, but that does not seem possible neither. On the other hand, even if it's not the cleanest way to do things, I kind of like using the Service class so I'll probably grab your code anyway. :-) Thanks Doug, -- Julien Danjou // eNovance http://enovance.com // ✉ julien.dan...@enovance.com ☎ +33 1 49 70 99 81 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Metering] schema and counter definitions
On 05/09/2012 11:11 PM, Doug Hellmann wrote: On Wed, May 9, 2012 at 3:07 PM, Tomasz Paszkowski ss7...@gmail.com mailto:ss7...@gmail.com wrote: On Wed, May 9, 2012 at 8:02 PM, Doug Hellmann doug.hellm...@dreamhost.com mailto:doug.hellm...@dreamhost.com wrote: Nice! For production code I think we are going to want to separate collection from storage, aren't we? We don't want each compute node to require access to the database server (that's an issue with nova that they are trying to fix during the folsom release, IIRC). Yes. Part of the code responsible for amqp support is not functional yet :( OK, that's what I thought. We all seem to be reinventing different parts of the services that we will eventually need, which is good for education but may be wasting a bit of energy. Is it premature to start talking a little more about architecture so we can start splitting up the implementation work and focusing that energy differently? There is a lot of work we can do independently of the remaining decisions outlined in http://wiki.openstack.org/Meetings/MeteringAgenda. Hi, It looks like the architecture of metering is indeed always implemented in similar ways. I had discussions with a company yesterday about their own metering implementation (which will be used in production soon) and it also has an architecture matching what has been proposed so far in ceilometer. I added a few points to the architecture chapter in the wiki: http://wiki.openstack.org/EfficientMetering#Architecture including a note summarizing the conclusions of the discussion regarding need for an independent ceilometer agent in addition to the existing meters provided by the OpenStack components. What do you think ? -- Tomasz Paszkowski SS7, Asterisk, SAN, Datacenter, Cloud Computing +48500166299 tel:%2B48500166299 ___ Mailing list: https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ? l...@enovance.com ? +33 1 49 70 99 82 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On Wed, May 09, 2012 at 11:08:13PM -0600, Jim Fehlig wrote: Hi, I've been tinkering with improving Xen support in the libvirt driver and wanted to discuss a few issues before submitting patches. Even the latest upstream release of Xen (4.1.x) contains a rather old qemu, version 0.10.2, which rejects qcow2 images with cluster size 64K. The libvirt driver creates the COW image with cluster size of 2M. Is this for performance reasons? Any objections to removing that option and going with 'qemu-img create' default of 64K? In general larger cluster size does improve the performance of qcow2. I'm not sure how much of a delta we get by going from 64k to 2M though. If there's any doubt then I guess it could be made into a configuration parameter. In a setup with both Xen and KVM compute nodes, I've found a few options for controlling scheduling of an instance to the correct node. One option uses availability zones, e.g. # nova.conf on Xen compute nodes node_availability_zone=xen-hosts # launching a Xen PV instance nova boot --image xen-pv-image --availability_zone xen-hosts ... The other involves a recent commit adding additional capabilities for compute nodes [1] and the vm_mode image property [2] used by the XenServer driver to distinguish HVM vs PV images. E.g. # nova.conf on Xen compute nodes additional_compute_capabilities=pv,hvm # Set vm_mode property on Xen image glance update image-uuid vm_mode=pv I prefer that latter approach since vm_mode will be needed in the libvirt driver anyhow to create proper config for PV vs HVM instances. Currently, the driver creates usable config for PV instances, but needs some adjustments for HVM. Yes, tagging the image with details of its required guest ABI does seem like something we need to do to be able to properly support a choice betweeen PV HVM images. It is not very good the way we currently just hardcode PV only for Xen usage in the libvirt driver. Regards, Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
Il 10/05/2012 07:08, Jim Fehlig ha scritto: Hi, I've been tinkering with improving Xen support in the libvirt driver and wanted to discuss a few issues before submitting patches. Even the latest upstream release of Xen (4.1.x) contains a rather old qemu, version 0.10.2, which rejects qcow2 images with cluster size 64K. The libvirt driver creates the COW image with cluster size of 2M. Is this for performance reasons? Any objections to removing that option and going with 'qemu-img create' default of 64K? If I remember correctly, the qcow images are not the only problem with xen, but I'm far from the code for too long time. In the past (diablo), the method for counting the ram (and cpu perhaps?) did not work with xen and this affected the choices of the scheduler. I have no idea if this happens in essex/folsom. Regards, Muriel ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On Thu, May 10, 2012 at 09:06:58AM +0100, Daniel P. Berrange wrote: On Wed, May 09, 2012 at 11:08:13PM -0600, Jim Fehlig wrote: Hi, I've been tinkering with improving Xen support in the libvirt driver and wanted to discuss a few issues before submitting patches. Even the latest upstream release of Xen (4.1.x) contains a rather old qemu, version 0.10.2, which rejects qcow2 images with cluster size 64K. The libvirt driver creates the COW image with cluster size of 2M. Is this for performance reasons? Any objections to removing that option and going with 'qemu-img create' default of 64K? In general larger cluster size does improve the performance of qcow2. I'm not sure how much of a delta we get by going from 64k to 2M though. If there's any doubt then I guess it could be made into a configuration parameter. I had a quick chat with Kevin Wolf who's the upstream QEMU qcow2 maintainer and he said that 64k is the current recommended cluster size for qcow2. Above this size, the cost of COW becomes higher causing an overall drop in performance. Looking at GIT history, Nova has used cluster_size=2M since Vish first added qcow2 support, and there's no mention of why in the commit message. So unless further info comes to light, I'd say we ought to just switch to use qemu-img's default setting of 64K for both Xen and KVM. Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] i18n of log message
I18N is an architecture decision. Besides developers, we should also consult customers' options. I18N is a very big scope. It includes not only translation, but also Date/time format, number format, or even the input of non-English characters. Surely I18N will take some efforts. But considering OpenStack may have a long history, it deserve us to pay some time to work on it. We need to consider it carefully. Maybe we can just pick out several very popular locales/languages and work on these localization firstly. It will ensure we have a correct architecture to suppor I18N, with a not very big effort. I'd like to help on the process documenting. Regards Daisy openstack-bounces+guoyingc=cn.ibm@lists.launchpad.net wrote on 05/09/2012 12:55:48 AM: Thierry Carrez thie...@openstack.org Sent by: openstack-bounces+guoyingc=cn.ibm@lists.launchpad.net 05/09/2012 12:55 AM To openstack@lists.launchpad.net, cc Subject Re: [Openstack] i18n of log message Ying Chun Guo wrote: [...] So I prefer option 2. As it is said that option 3 being not significantly more work than option 2, so option 3 is also acceptable for me. So there is no strong consensus so far :) One important prerequisite of whatever solution we end up choosing is that it should be the same level across all OpenStack core projects. Consistency is important... So we should definitely ask PTLs which options they are ready to support, as it may seriously reduce our options. We should also have a I18N advocacy czar that will push whatever option is chosen to completion by documenting the process, encouraging CI / translators / devs to do any needed work. Anyone up to it ? -- Thierry Carrez (ttx) Release Manager, OpenStack ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On Thu 10 May 2012 (10:41), Muriel wrote: If I remember correctly, the qcow images are not the only problem with xen, but I'm far from the code for too long time. In the past (diablo), the method for counting the ram (and cpu perhaps?) did not work with xen and this affected the choices of the scheduler. I have no idea if this happens in essex/folsom. I've sent to review some code [1] that tries to fix this issue [2]. [1] https://review.openstack.org/#/c/7296/ [2] https://bugs.launchpad.net/nova/+bug/997014 Regards, -- Álvaro López García al...@ifca.unican.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Cannot get ssh-key in instance
I running an instance(ubuntu or centos), and it cannot get keypair. In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init: cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo: 1 127.0.0.1 255.0.0.0 . ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it? -- 非淡薄无以明志,非宁静无以致远 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cannot get ssh-key in instance
Hey livememon, is it possible to see the content of the rc.local. Also, are other instances able to reach the metadata server ? livemoon 10 mai 2012 12:24I running an instance(ubuntu or centos), and it cannot get keypair.In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init:cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo : 1 127.0.0.1 255.0.0.0. ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it? -- 非淡薄无以明志,非宁静无以致远 ___Mailing list: https://launchpad.net/~openstackPost to : openstack@lists.launchpad.netUnsubscribe : https://launchpad.net/~openstackMore help : https://help.launchpad.net/ListHelp-- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [devstack] Quantum support
Hi, https://review.openstack.org/#/c/7169/ ensures that all of the open source agents have uniform database access. This requires a minor change to the devstack code. In addition to this I have added in some minor chnages which ensure that the devstack user is able to run Quantum Plugins and agents on separate hosts. The original code would not work if they were on different hosts - both need to access the data connection. This is addressed in https://review.openstack.org/7300. Can someone please review. Thanks Gary ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [Metering] Meeting agenda for today 16:00 UTC (May 10th, 2012)
Hi, The metering project team holds a meeting in #openstack-meeting, Thursdays at 1600 UTC http://www.timeanddate.com/worldclock/fixedtime.html?hour=16min=0sec=0. Everyone is welcome. I propose an agenda based on the discussions we had on this list. http://wiki.openstack.org/Meetings/MeteringAgenda Topic: external API definition * API defaults and API extensions * API extension * extension= loads the python module * method query is called with the * QUERY_STRING * a handler to the storage * a pointer to the configuration * API calls common arguments * Datetime range : start and end * Transparent cache for aggregation * API defaults http://wiki.openstack.org/EfficientMetering#API * GET list components * GET list components meters (argument : name of the component) * GET list accounts * GET list of meter_type * GET list of events per account * GET sum of (meter_volume, meter_duration) for meter_type and account_id * other ? * open discussion Cheers -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ? l...@enovance.com ? +33 1 49 70 99 82 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cannot get ssh-key in instance
have you started the instance with keypair?-openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: -To: livemoon mwjpi...@gmail.comFrom: Razique Mahroua razique.mahr...@gmail.comSent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.netDate: 05/10/2012 06:29PMCc: openstack@lists.launchpad.netSubject: Re: [Openstack] Cannot get ssh-key in instance Hey livememon, is it possible to see the content of the rc.local. Also, are other instances able to reach the metadata server ? livemoon 10 mai 2012 12:24I running an instance(ubuntu or centos), and it cannot get keypair.In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init:cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo : 1 127.0.0.1 255.0.0.0. ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it?-- 非淡薄无以明志,非宁静无以致远 ___Mailing list: https://launchpad.net/~openstackPost to : openstack@lists.launchpad.netUnsubscribe : https://launchpad.net/~openstackMore help : https://help.launchpad.net/ListHelp-- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___Mailing list: https://launchpad.net/~openstackPost to : openstack@lists.launchpad.netUnsubscribe : https://launchpad.net/~openstackMore help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Metering] Meeting agenda for today 16:00 UTC (May 10th, 2012)
On 05/10/2012 02:14 PM, Loic Dachary wrote: Hi, The metering project team holds a meeting in #openstack-meeting, Thursdays at 1600 UTC http://www.timeanddate.com/worldclock/fixedtime.html?hour=16min=0sec=0. Everyone is welcome. I propose an agenda based on the discussions we had on this list. http://wiki.openstack.org/Meetings/MeteringAgenda Topic: external API definition * API defaults and API extensions * API extension * extension= loads the python module * method query is called with the * QUERY_STRING * a handler to the storage * a pointer to the configuration * API calls common arguments * Datetime range : start and end * Transparent cache for aggregation * API defaults http://wiki.openstack.org/EfficientMetering#API * GET list components * GET list components meters (argument : name of the component) * GET list accounts * GET list of meter_type * GET list of events per account * GET sum of (meter_volume, meter_duration) for meter_type and account_id Based on the discussions on the list I changed the list to: #info GET list components #info GET list components meters (argument : name of the component) #info GET list [user_id|project_id|source] #info GET list of meter_type #info GET list of events per [user_id|project_id|source] ( allow to specify user_id or project_id or both ) #info GET sum of (meter_volume, meter_duration) for meter_type and [user_id|project_id|source] #info other ? * other ? * open discussion Cheers -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ? l...@enovance.com ? +33 1 49 70 99 82 -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ? l...@enovance.com ? +33 1 49 70 99 82 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Accessing VMs in Flat DHCP mode with multiple host
Hello, I'm running into troubles accessing my instances. I have 3 nodes: 1. proxmox that virtualizes in KVM my controller node 1.1 the controller node (10.10.200.50) runs keystone, nova-api, network, scheduler, vncproxy and volumes but NOT compute as it is already a VM 2. glance in a physical node 3. compute in a physical node my nova.conf network config is: --dhcpbridge_flagfile=/etc/nova/nova.conf --dhcpbridge=/usr/bin/nova-dhcpbridge --routing_source_ip=10.10.200.50 --libvirt_use_virtio_for_bridges=true --network_manager=nova.network.manager.FlatDHCPManager --public_interface=eth0 --flat_interface=eth1 --flat_network_bridge=br100 --fixed_range=192.168.200.0/24 --floating_range=10.10.200.0/24 --network_size=256 --flat_network_dhcp_start=192.168.200.5 --flat_injected=False --force_dhcp_release --network_host=10.10.200.50 I even explicitly allows icmp and tcp port 22 traffic like this: euca-authorize -P icmp -t -1:-1 default euca-authorize -P tcp -p 22 default before setting these rules, I was getting 'Operation not permitted' when pinging the VM from the compute node. After setting these, I just get no output at all (not even 'Destination Host Unreachable') The network was created like this: nova-manage network create private --fixed_range_v4=192.168.200.0/24 --bridge=br100 --bridge_interface=eth1 --num_networks=1 --network_size=256 However I cannot ping or ssh my instances once they're active. I have already set up such an Essex environment but the controller node was physical. Morevover, every examples in the doc presents a controller node that runs nova-compute. So I'm wondering if either: - having the controller in a VM - or not running compute on the controller would prevent things to work properly. What can I check? iptables? is dnsmasq unable to give the VM an address? I'm running out of ideas. Any suggestion would be highly appreciated. Thank you, michaël -- Michaël Van de Borne RD Engineer, SOA team, CETIC Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Glance] Replication implementations
BTW that patch is up for review as: https://review.openstack.org/7302 Cheers, eoghan I'm working on a patch to at least make the glance UUID - S3 image ID not totally depend on an on-demand insertion order as it does now. Agreed, collisions are inevitable given the relative domain and range sizes (122 unique bit UUID versus 32-bit hex string) - in testing, the first colliding UUID tends to occur after ~75k-80k images IDs have been generated. So at least it would be useful for smaller deployments to have a semi-predictable ID mapping (modulo collisions). For larger deployments, the mapping data to be replicated could be much reduced by limiting it to the colliding IDs. Cheers, Eoghan Alternatively, we could just consider the ec2 mapping layer to be global data that must be replicated somehow across the system. I don't think we can really ensure no collisions mapping from uuid - ec2_id deterministically, and I don't see a clear path forward when we do get a collision. Vish On May 8, 2012, at 12:24 AM, Michael Still wrote: On 04/05/12 20:31, Eoghan Glynn wrote: Sorry for the slow reply, I've been trapped in meetings. [snip] So the way things currently stand, the EC2 image ID isn't really capable of migration. I was thinking however that we should change the EC2 image generation logic, so that there is a reproducible glance UUID - EC2 mapping (with a small chance of collision). This change would allow the same EC2 ID to be generated in multiple regions for a given glance UUID (modulo collisions). Would that be helpful in your migration use-case? I do think this is a good idea. Or even if the column wasn't auto-increment, but just picked a random number or something (because that would be marginally less likely to clash). Without somehow making these ec2 ids more global, replication between regions is going to suffer from ec2 api users having to somehow perform a lookup out of band. Now, my use case is a bit special, because I can enforce that images are only ever uploaded to one master region, and then copied to all others. I think that's probably not true for other users though. Mikal ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
Il 10/05/2012 11:48, Alvaro Lopez ha scritto: On Thu 10 May 2012 (10:41), Muriel wrote: If I remember correctly, the qcow images are not the only problem with xen, but I'm far from the code for too long time. In the past (diablo), the method for counting the ram (and cpu perhaps?) did not work with xen and this affected the choices of the scheduler. I have no idea if this happens in essex/folsom. I've sent to review some code [1] that tries to fix this issue [2]. [1] https://review.openstack.org/#/c/7296/ [2] https://bugs.launchpad.net/nova/+bug/997014 Regards, Great! But there is a reason if are you using /proc/meminfo instead of getInfo when calculating the memory used? You know if there is a way to get, using libvirt, the reserved memory for dom0? Or the only solution is to read the configuration file of xen? Thanks, Muriel ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Metering] API Extensibility (was: External API definition)
Another item that we need to discuss is extensibility of this API. Hi, Here is a proposal, which we could discuss further during the meeting. GET extension=param1=fooparam2=bar The API looks up /usr/share/ceilometer/extensions/.py and loads it. The module defines a query function that takes the following arguments: * QUERY_STRING (i.e. extension=param1=fooparam2=bar ) * a handler to the storage * a pointer to the configuration (assuming there is a /etc/ceilometer.ini file, for instance) The query function would return the result. For instance { 'in': 20001, 'out': 489324 } if asked for aggregated network usage. Multiple extensions directories could be specified and searched, allowing a mixture of extensions provided in ceilometer and custom extensions to address specific needs or to mature an new extension. The primary benefit of defining extensions in this way is to avoid complex conventions for aggregations or other advanced operations. If the API was to impose a syntax or conventions to say sum this field and this one and display the result ordered in this way and grouped by this field and this one, it would be redundant with the query language of the underlying data. For instance, if using mongodb, it would be difficult to expose all the features provided by http://www.mongodb.org/display/DOCS/Aggregation or http://www.mongodb.org/display/DOCS/MapReduce Cheers -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ✉ l...@enovance.com ☎ +33 1 49 70 99 82 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cannot get ssh-key in instance
I am sure image is ok since of I use the same image in both older version installed via devstack on ubuntu11.10 and new version installed on ubuntu12.04. In older version, it can work well. but now it cannot. Am I missing something in nova.conf ? On Thu, May 10, 2012 at 8:29 PM, Yong Sheng Gong gong...@cn.ibm.com wrote: have you started the instance with keypair? -openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: - To: livemoon mwjpi...@gmail.com mwjpi...@gmail.com From: Razique Mahroua razique.mahr...@gmail.comrazique.mahr...@gmail.com Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net Date: 05/10/2012 06:29PM Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Cannot get ssh-key in instance Hey livememon, is it possible to see the content of the rc.local. Also, are other instances able to reach the metadata server ? livemoon mwjpi...@gmail.com 10 mai 2012 12:24 I running an instance(ubuntu or centos), and it cannot get keypair. In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init: cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo: 1 127.0.0.1 255.0.0.0 . ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it? -- 非淡薄无以明志,非宁静无以致远 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- 非淡薄无以明志,非宁静无以致远 Image.part2.03000908.03060208@gmail.com.jpgImage.part1.05070209.09030403@gmail.com.jpg___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Help with security groups (in use error) in juju/openstack.
Hi all! I'm having some problems with juju and security groups in openstack. When I try to instantiate about 10 instances, some of them generate an error related to the security groups. The log below is from nova-api.log. I'm using versions from ubuntu 12.04 LTS packages (nova*, keystone etc). 2012-05-10 09:31:04 DEBUG nova.api.ec2.apirequest [req-2c360b59-311d-4792-a730-e14a750220e9 de0bba964c7b4948bef8bb04d7111cae fed67a76052340e6b225879aed674846] ?xml version=1.0 ?DescribeSecurityGroupsResponse xmlns= http://ec2.amazonaws.com/doc/2008-12-01/ requestIdreq-2c360b59-311d-4792-a730-e14a750220e9/requestIdsecurityGroupInfoitemipPermissionsitemtoPort65535/toPortipProtocoltcp/ipProtocolipRangesitemcidrIp 0.0.0.0/0 /cidrIp/item/ipRangesgroups/fromPort1/fromPort/item/ipPermissionsgroupNamedefault/groupNamegroupDescriptiondefault/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissionsitemtoPort22/toPortipProtocoltcp/ipProtocolipRangesitemcidrIp 0.0.0.0/0/cidrIp/item/ipRangesgroups/fromPort22/fromPort/itemitemtoPort-1/toPortipProtocolicmp/ipProtocolipRanges/groupsitemgroupNamejuju-sample/groupNameuserIdfed67a76052340e6b225879aed674846/userId/item/groupsfromPort-1/fromPort/itemitemtoPort65535/toPortipProtocoltcp/ipProtocolipRanges/groupsitemgroupNamejuju-sample/groupNameuserIdfed67a76052340e6b225879aed674846/userId/item/groupsfromPort1/fromPort/itemitemtoPort65535/toPortipProtocoludp/ipProtocolipRanges/groupsitemgroupNamejuju-sample/groupNameuserIdfed67a76052340e6b225879aed674846/userId/item/groupsfromPort1/fromPort/item/ipPermissionsgroupNamejuju-sample/groupNamegroupDescriptionjuju group for sample/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-0/groupNamegroupDescriptionjuju group for sample machine 0/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-1/groupNamegroupDescriptionjuju group for sample machine 1/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-10/groupNamegroupDescriptionjuju group for sample machine 10/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-11/groupNamegroupDescriptionjuju group for sample machine 11/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-2/groupNamegroupDescriptionjuju group for sample machine 2/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-3/groupNamegroupDescriptionjuju group for sample machine 3/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-4/groupNamegroupDescriptionjuju group for sample machine 4/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-5/groupNamegroupDescriptionjuju group for sample machine 5/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-6/groupNamegroupDescriptionjuju group for sample machine 6/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-7/groupNamegroupDescriptionjuju group for sample machine 7/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-8/groupNamegroupDescriptionjuju group for sample machine 8/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/itemitemipPermissions/groupNamejuju-sample-9/groupNamegroupDescriptionjuju group for sample machine 9/groupDescriptionownerIdfed67a76052340e6b225879aed674846/ownerId/item/securityGroupInfo/DescribeSecurityGroupsResponse from (pid=4973) _render_response /usr/lib/python2.7/dist-packages/nova/api/ec2/apirequest.py:105 2012-05-10 09:31:04 INFO nova.api.ec2 [req-2c360b59-311d-4792-a730-e14a750220e9 de0bba964c7b4948bef8bb04d7111cae fed67a76052340e6b225879aed674846] 0.296059s 172.16.0.3 GET /services/Cloud CloudController:DescribeSecurityGroups 200 [Twisted PageGetter] text/plain text/xml 2012-05-10 09:31:04 DEBUG nova.api.ec2 [req-02334bdb-0fd2-4cc1-a4e6-449e61f954b1 de0bba964c7b4948bef8bb04d7111cae fed67a76052340e6b225879aed674846] action: DeleteSecurityGroup from (pid=4973) __call__ /usr/lib/python2.7/dist-packages/nova/api/ec2/__init__.py:435 2012-05-10 09:31:04 DEBUG nova.api.ec2 [req-02334bdb-0fd2-4cc1-a4e6-449e61f954b1 de0bba964c7b4948bef8bb04d7111cae fed67a76052340e6b225879aed674846] arg: GroupName val: juju-sample-11 from (pid=4973) __call__ /usr/lib/python2.7/dist-packages/nova/api/ec2/__init__.py:437 2012-05-10 09:31:04 ERROR nova.api.ec2 [req-02334bdb-0fd2-4cc1-a4e6-449e61f954b1 de0bba964c7b4948bef8bb04d7111cae fed67a76052340e6b225879aed674846] Unexpected error raised: Group not valid. Reason: In Use 2012-05-10 09:31:04 TRACE nova.api.ec2 Traceback (most recent call last): 2012-05-10 09:31:04 TRACE nova.api.ec2
Re: [Openstack] Accessing VMs in Flat DHCP mode with multiple host
HI,First you have to make sure the network between your control node's br100 and your compute node's br100 are connected. and then can you show the output on control node:ps -ef | grep dnsmasqbrctl showifconfig2. can you login to your vm by vnc to see the eth0 configuration and then try to run udhcpc?Thanks-openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: -To: "openstack@lists.launchpad.net" openstack@lists.launchpad.netFrom: Michaël Van de Borne michael.vandebo...@cetic.beSent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.netDate: 05/10/2012 09:03PMSubject: [Openstack] Accessing VMs in Flat DHCP mode with multiple host Hello, I'm running into troubles accessing my instances. I have 3 nodes: 1. proxmox that virtualizes in KVM my controller node 1.1 the controller node (10.10.200.50) runs keystone, nova-api, network, scheduler, vncproxy and volumes but NOT compute as it is already a VM 2. glance in a physical node 3. compute in a physical node my nova.conf network config is: --dhcpbridge_flagfile=/etc/nova/nova.conf --dhcpbridge=/usr/bin/nova-dhcpbridge --routing_source_ip=10.10.200.50 --libvirt_use_virtio_for_bridges=true --network_manager=nova.network.manager.FlatDHCPManager --public_interface=eth0 --flat_interface=eth1 --flat_network_bridge=br100 --fixed_range=192.168.200.0/24 --floating_range=10.10.200.0/24 --network_size=256 --flat_network_dhcp_start=192.168.200.5 --flat_injected=False --force_dhcp_release --network_host=10.10.200.50 I even explicitly allows icmp and tcp port 22 traffic like this: euca-authorize -P icmp -t -1:-1 defaulteuca-authorize -P tcp -p 22 default before setting these rules, I was getting 'Operation not permitted' when pinging the VM from the compute node. After setting these, I just get no output at all (not even 'Destination Host Unreachable') The network was created like this: nova-manage network create private --fixed_range_v4=192.168.200.0/24 --bridge=br100 --bridge_interface=eth1 --num_networks=1 --network_size=256 However I cannot ping or ssh my instances once they're active. I have already set up such an Essex environment but the controller node was physical. Morevover, every examples in the doc presents a controller node that runs nova-compute. So I'm wondering if either: - having the controller in a VM - or not running compute on the controller would prevent things to work properly. What can I check? iptables? is dnsmasq unable to give the VM an address? I'm running out of ideas. Any suggestion would be highly appreciated. Thank you, michaël -- Michaël Van de BorneRD Engineer, SOA team, CETICPhone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgliwww.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi ___Mailing list: https://launchpad.net/~openstackPost to : openstack@lists.launchpad.netUnsubscribe : https://launchpad.net/~openstackMore help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On Thu, May 10, 2012 at 03:17:59PM +0200, Muriel wrote: Il 10/05/2012 11:48, Alvaro Lopez ha scritto: On Thu 10 May 2012 (10:41), Muriel wrote: If I remember correctly, the qcow images are not the only problem with xen, but I'm far from the code for too long time. In the past (diablo), the method for counting the ram (and cpu perhaps?) did not work with xen and this affected the choices of the scheduler. I have no idea if this happens in essex/folsom. I've sent to review some code [1] that tries to fix this issue [2]. [1] https://review.openstack.org/#/c/7296/ [2] https://bugs.launchpad.net/nova/+bug/997014 Regards, Great! But there is a reason if are you using /proc/meminfo instead of getInfo when calculating the memory used? You know if there is a way to get, using libvirt, the reserved memory for dom0? Or the only solution is to read the configuration file of xen? Dom0 appears as just another guest in Xen/libvirt, so you can query its memory allocation using normal libvirt APIs Daniel -- |: http://berrange.com -o-http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
Are there any documented examples out there of how to use roles? I still have a hard time building a mental model of how the system works. In particular: Do I need to create a new role for every user-tenant pair? Or can I reuse the same role? Where are the semantics of roles specified? What I mean is, what determines what a role allows a user to do with a specific service? The examples I see always create a magical admin role, but how does, say, nova, know that this role is associated with admin privileges? Is it because the label is admin? What if I want to create a role that allows users in a tenant to have regular access to nova, but not to swift? How do I do that? Do I need to create a novaUser role? Where do I describe what a novaUser role means? In nova? In keystone? How? Pointer to an example here would be really helpful, would love to add this to the docs. Take care, Lorin -- Lorin Hochstein Lead Architect - Cloud Services Nimbis Services, Inc. www.nimbisservices.com On May 10, 2012, at 3:50 AM, Dolph Mathews wrote: +1 The second way to accomplish this is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because its just as confusing as you describe it. -Dolph Mathews On May 10, 2012, at 2:35 AM, Joseph Heck he...@mac.com wrote: Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. In fat Keystone, there a couple of ways you can accomplish this. 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role reference. When Bud Selid tries to access MLB with his unscoped token, MLB will get his Commissioner role back from Keystone. When Bud Selid tries to access MLB with his token scoped to Brewers, MLB will get both his Commissioner and Minority Owner roles back from Keystone. When Bud Selid tries to acess MLB with his token scoped to Giants or Dodgers, MLB will only get his Commissioner role back from Keystone. 2) Assign the Commissioner role to Bud Selid to tenants Giants, Dodgers, and Brewers individually by creating the respective role references. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating another role reference. In this scenario, Bud Selid will always need a scoped token to access MLB. In KSL, there really aren’t any effective ways to accomplish the same thing. Global roles are no longer supported. A given user must assign to exactly one tenant. I suppose you can have Bud Selid under the “Default Tenant”, and assign both Commissioner and Minority Owner roles to him. But there are two major side effects. 1) Bud Selid must access MLB with the token scoped to the “Default Tenant” in order for MLB to recognize him as Commissioner. Which means he IS ALSO the Minority Owner for Dodgers, Giants, and Brewers. J 2) If Bud Selid tries to access MLB with the token scoped to either Giants, Dodgers, or Brewers, his a NOBODY. J The upcoming Domains blueprint (to be implemented for Folsom), which offers true multitenancy, should support these types of use cases. https://blueprints.launchpad.net/keystone/+spec/keystone-domains With Domains, you can create a MLB domain with tenants Dodgers, Giants, and Brewers. And have Bud Selid under the MLB domain. Notice that users will no longer be assigned to tenants. They will be under a domain. Create roles Commissioner and Minority Owner in the MLB domain. Assign the Commissioner role to Bud Selid, and the Minority Owner role scoped to Brewers. Suppose you have
Re: [Openstack] Improving Xen support in the libvirt driver
On Thu 10 May 2012 (15:17), Muriel wrote: Great! But there is a reason if are you using /proc/meminfo instead of getInfo when calculating the memory used? You know if there is a way to get, using libvirt, the reserved memory for dom0? Or the only solution is to read the configuration file of xen? I calculated the memory looking into /proc/meminfo because if the memory is not limited (i.e. no dom0_mem option) the dom0 might take all the memory available, that then will be ballooned out. For example, in a machine with 16GB RAM you could have: # xm li NameID Mem VCPUs State Time(s) Domain-0 0 15030 8 r- 1312.8 If you query libvirt for the dom0 mem, the free memory will be around 1GB, but you can create a machine with more RAM (since ballooning is enabled): # xm li NameID Mem VCPUs State Time(s) Domain-0 0 9188 8 r- 1328.6 test 4 7000 4 -b 3.5 If the dom0 memory is fixed and ballooning is disabled, then yes, you can query libvirt directly. Regards, -- Álvaro López García al...@ifca.unican.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone client, user belongs to many tenants?
On Thu, May 10, 2012 at 9:00 AM, Lorin Hochstein lo...@nimbisservices.comwrote: Are there any documented examples out there of how to use roles? I still have a hard time building a mental model of how the system works. In particular: Do I need to create a new role for every user-tenant pair? Or can I reuse the same role? You can recycle roles. Role names are also unique. A member role is frequently used in the docs, where you can grant membership to a user on a specific tenant. Creating and granting this role to two users on different tenants using keystoneclient looks something like: # create two tenants $ keystone tenant-create --name=Tenant A tenant-id-a $ keystone tenant-create --name=Tenant B tenant-id-b # create two users $ keystone user-create --name=User A user-id-a $ keystone user-create --name=User B user-id-b # create a membership role $ keystone role-create --name=member role-id # (Neither user can access either tenant at this point.) # grant User A membership on Tenant A $ keystone user-role-add --role_id=role-id --tenant_id=tenant-id-a --user_id=user-id-a # User A is now a member of Tenant A. # (User B still has access to nothing at this point.) # grant User B membership on Tenant B $ keystone user-role-add --role_id=role-id --tenant_id=tenant-id-b --user_id=user-id-b # User B is now a member of Tenant B, but not Tenant A. # (and User A is still a member of Tenant A, but not Tenant B.) Where are the semantics of roles specified? What I mean is, what determines what a role allows a user to do with a specific service? Right now, that's entirely managed by each service's policy.json -- keystone does nothing but provide the role names to each OpenStack service. This will change a bit during folsom, with the introduction of RBAC (bp https://blueprints.launchpad.net/keystone/+spec/rbac-keystone). The contents of each service's policy.json will be centrally managed in keystone, and the meaning of the roles a user has (the user's set of capabilities in the current authentication context) will be provided to OpenStack services -- so service's will no longer need to understand role names. The examples I see always create a magical admin role, but how does, say, nova, know that this role is associated with admin privileges? Is it because the label is admin? Today, this is configurable via Nova's policy.json: https://github.com/openstack/nova/blob/master/etc/nova/policy.json What if I want to create a role that allows users in a tenant to have regular access to nova, but not to swift? How do I do that? Do I need to create a novaUser role? Where do I describe what a novaUser role means? In nova? In keystone? How? See above; not sure about swift's status, though. Pointer to an example here would be really helpful, would love to add this to the docs. Let me know if you find the above useful; or feel free to revise and submit :) Take care, Lorin -- Lorin Hochstein Lead Architect - Cloud Services Nimbis Services, Inc. www.nimbisservices.com On May 10, 2012, at 3:50 AM, Dolph Mathews wrote: +1 The second way to accomplish this is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because its just as confusing as you describe it. -Dolph Mathews On May 10, 2012, at 2:35 AM, Joseph Heck he...@mac.com wrote: Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … ** ** Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have the Commissioner role for Dodgers, Giants, and Brewers, but Minority Owner role for Brewers only. ** ** In fat Keystone, there a couple of ways you can accomplish this. ** ** 1) Make Commissioner a “global role” (unscoped) and assign it to user Bud Selid. Assign the Minority Owner role to Bud Selid for tenant Brewers by creating a role
[Openstack] Openstack Beginners guide for Ubuntu 12.04/Essex
Hi all, We at Csscorp have been publishing series of beginners guide on Ubuntu/Openstack (versions), in continuation with that we have released the latest version of our book with Essex and Ubuntu 12.04. http://cssoss.wordpress.com/2012/05/07/openstack-beginners-guide-v3-0-for-essex-on-ubuntu-12-04-precise-pangolin/ The code can be found at https://code.launchpad.net/openstackbook We would love to see the book localized in some other languages too, say Chinese/Japanese/German to reach to as many people as possible. :) Suggestion/criticism would be highly appreciated. Cheers!! Atul Jha Application Specialist Csscorp pvt ltd, Chennai, India http://www.csscorp.com/common/email-disclaimer.php ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Metering] External API definition
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Daniel Dyer dan.dye...@gmail.com wrote: One per installation, at least, since the source field could allow to aggregate informations from multiple installations. Is it your assumption that there will be one metering service per installation or one per service (i.e swift, nova)? My assumption would be a single metering service, so the API would need to handle some additional use cases: -list services supported -list metrics for a service type -get metric details One per installation, at least, since the source field could allow to aggregate information from multiple installations. Can't See any reason why not to offer what you list above, even though one may deduce the component from the counter name. I would also consider separate use cases for accessing raw events vs. aggregated metrics. I think the extension proposal from Loic would cover that and more. Dan Dyer dan.d...@hp.com On Wed, May 9, 2012 at 10:44 AM, Nick Barcet nick.bar...@canonical.comwrote: Doug Hellmann doug.hellm...@dreamhost.com wrote: On Wed, May 9, 2012 at 11:27 AM, Nick Barcet nick.bar...@canonical.comwrote: On 05/08/2012 08:27 AM, Nick Barcet wrote: [..] Thinking about this, I think we need to expend the API a bit to reflect the evolutions of the schema that we decided last week. Here are my proposals: * Requests allow to GET account_id list change to: GET [user_id|project_id|source] list Does the [value|value] syntax mean choose one or combine? I assume choose one and you are using square brackets because parens are used in some of the other queries. You assumed correctly :) GET list of counter_type GET list of events per account optional start and end for counter_datetime optional counter_type change to: GET list of events per [user_id|project_id|source] optional start and end for counter_datetime optional counter_type Users may cross projects, so I'm not sure it makes sense to ask for the events generated by a user without restricting it by the project. At the very least we may need to allow them to specify user_id or project_id or both. Good point. Thanks for catching this. GET sum of (counter_volume, counter_duration) for counter_type and account_id optional start and end for counter_datetime GET sum of (counter_volume, counter_duration) for counter_type and [user_id|project_id|source] optional start and end for counter_datetime Hope this makes sense. Another item that we need to discuss is extensibility of this API. Nick ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp - -- Nick Barcet nick.bar...@canonical.com aka: nicolas, nijaba -BEGIN PGP SIGNATURE- Version: APG v1.0.8 iGsEAREIACsFAk+r0yYkHE5pY29sYXMgQmFyY2V0IDxuaWNvbGFzQGJhcmNldC5j b20+AAoJEFiD3l2iIpt4+w0AmgIBEBQUXHAeOiTko3X5lYcGjqi4AKCQcUC9DyPe FBhL9NxeTMtAv1xsJg== =7Udb -END PGP SIGNATURE- ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Accessing VMs in Flat DHCP mode with multiple host
ok I'm gonna check this and I'll keep you posted. By the way, how could I check the network between the control node's br100 and the compute node's br100? I guess I can do this by checking that each bridge knows the other in the ARP table. Or did you have another idea? Michaël Van de Borne RD Engineer, SOA team, CETIC Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi Le 10/05/2012 15:31, Yong Sheng Gong a écrit : HI, First you have to make sure the network between your control node's br100 and your compute node's br100 are connected. and then can you show the output on control node: ps -ef | grep dnsmasq brctl show ifconfig 2. can you login to your vm by vnc to see the eth0 configuration and then try to run udhcpc? Thanks -openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: - To: openstack@lists.launchpad.net openstack@lists.launchpad.net From: Michaël Van de Borne michael.vandebo...@cetic.be Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net Date: 05/10/2012 09:03PM Subject: [Openstack] Accessing VMs in Flat DHCP mode with multiple host Hello, I'm running into troubles accessing my instances. I have 3 nodes: 1. proxmox that virtualizes in KVM my controller node 1.1 the controller node (10.10.200.50) runs keystone, nova-api, network, scheduler, vncproxy and volumes but NOT compute as it is already a VM 2. glance in a physical node 3. compute in a physical node my nova.conf network config is: --dhcpbridge_flagfile=/etc/nova/nova.conf --dhcpbridge=/usr/bin/nova-dhcpbridge --routing_source_ip=10.10.200.50 --libvirt_use_virtio_for_bridges=true --network_manager=nova.network.manager.FlatDHCPManager --public_interface=eth0 --flat_interface=eth1 --flat_network_bridge=br100 --fixed_range=192.168.200.0/24 --floating_range=10.10.200.0/24 --network_size=256 --flat_network_dhcp_start=192.168.200.5 --flat_injected=False --force_dhcp_release --network_host=10.10.200.50 I even explicitly allows icmp and tcp port 22 traffic like this: euca-authorize -P icmp -t -1:-1 default euca-authorize -P tcp -p 22 default before setting these rules, I was getting 'Operation not permitted' when pinging the VM from the compute node. After setting these, I just get no output at all (not even 'Destination Host Unreachable') The network was created like this: nova-manage network create private --fixed_range_v4=192.168.200.0/24 --bridge=br100 --bridge_interface=eth1 --num_networks=1 --network_size=256 However I cannot ping or ssh my instances once they're active. I have already set up such an Essex environment but the controller node was physical. Morevover, every examples in the doc presents a controller node that runs nova-compute. So I'm wondering if either: - having the controller in a VM - or not running compute on the controller would prevent things to work properly. What can I check? iptables? is dnsmasq unable to give the VM an address? I'm running out of ideas. Any suggestion would be highly appreciated. Thank you, michaël -- Michaël Van de Borne RD Engineer, SOA team, CETIC Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi ___ Mailing list: https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cannot get ssh-key in instance
Hi, First, check if nova-api is running on the host where your nova-network runs (same as nova-compute if using a multi_host=true setup). Second, using the console of the instance check if your instance can access the API service by doing a: GET http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key You can also read this doc for more info about the metadata service: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html George From: openstack-bounces+george.mihaiescu=q9@lists.launchpad.net [mailto:openstack-bounces+george.mihaiescu=q9@lists.launchpad.net] On Behalf Of livemoon Sent: Thursday, May 10, 2012 9:26 AM To: Yong Sheng Gong Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Cannot get ssh-key in instance I am sure image is ok since of I use the same image in both older version installed via devstack on ubuntu11.10 and new version installed on ubuntu12.04. In older version, it can work well. but now it cannot. Am I missing something in nova.conf ? On Thu, May 10, 2012 at 8:29 PM, Yong Sheng Gong gong...@cn.ibm.com wrote: have you started the instance with keypair? -openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: - To: livemoon mwjpi...@gmail.com mailto:mwjpi...@gmail.com From: Razique Mahroua razique.mahr...@gmail.com mailto:razique.mahr...@gmail.com Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net Date: 05/10/2012 06:29PM Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Cannot get ssh-key in instance Hey livememon, is it possible to see the content of the rc.local. Also, are other instances able to reach the metadata server ? livemoon mailto:mwjpi...@gmail.com 10 mai 2012 12:24 I running an instance(ubuntu or centos), and it cannot get keypair. In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init: cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo: 1 127.0.0.1 255.0.0.0 . ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it? -- 非淡薄无以明志,非宁静无以致远 ___ Mailing list: https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp -- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___ Mailing list: https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp -- 非淡薄无以明志,非宁静无以致远 Image.part1.05070209.09030403@gmail.com.jpgImage.part2.03000908.03060208@gmail.com.jpg___ Mailing list: https://launchpad.net/~openstack Post to :
Re: [Openstack] i18n of log message
we are here talking about I18N of log information i prefer to English only log: 1. easy to search and share 2. easy to maintain 2012/5/10 Ying Chun Guo guoyi...@cn.ibm.com: I18N is an architecture decision. Besides developers, we should also consult customers' options. I18N is a very big scope. It includes not only translation, but also Date/time format, number format, or even the input of non-English characters. Surely I18N will take some efforts. But considering OpenStack may have a long history, it deserve us to pay some time to work on it. We need to consider it carefully. Maybe we can just pick out several very popular locales/languages and work on these localization firstly. It will ensure we have a correct architecture to suppor I18N, with a not very big effort. I'd like to help on the process documenting. Regards Daisy openstack-bounces+guoyingc=cn.ibm@lists.launchpad.net wrote on 05/09/2012 12:55:48 AM: Thierry Carrez thie...@openstack.org Sent by: openstack-bounces+guoyingc=cn.ibm@lists.launchpad.net 05/09/2012 12:55 AM To openstack@lists.launchpad.net, cc Subject Re: [Openstack] i18n of log message Ying Chun Guo wrote: [...] So I prefer option 2. As it is said that option 3 being not significantly more work than option 2, so option 3 is also acceptable for me. So there is no strong consensus so far :) One important prerequisite of whatever solution we end up choosing is that it should be the same level across all OpenStack core projects. Consistency is important... So we should definitely ask PTLs which options they are ready to support, as it may seriously reduce our options. We should also have a I18N advocacy czar that will push whatever option is chosen to completion by documenting the process, encouraging CI / translators / devs to do any needed work. Anyone up to it ? -- Thierry Carrez (ttx) Release Manager, OpenStack ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- 彭勇 (Peng Yong) 常州贝特康姆(BitComm)软件技术有限公司 地址:常州市科教城信息产业园南4楼 电话:+86.519.68887168 传真:+86.519.68887169 手机:+86.18915883399 邮箱:p...@pubyun.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Metering] Meeting agenda for today 16:00 UTC (May 3rd, 2012)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Daniel Dyer dan.dye...@gmail.com wrote: A question/comment about the scope of the schema or maybe the architecture. Assuming the services will provide the instrumentation to populate the raw metric data, it seems likely that you will need to define an interface between the services/agents that are providing the data and the metering system which stores the generated metric data in the database (as opposed to having the services write directly to the DB). Is the schema intended to be this kind of interop format between the services and the meter's datastore or just the end result of the storage? Just the end result, we have a discussion and decision on May 24th regarding the internal API for the agents to use when communicating on the queue. http://wiki.openstack.org/Meetings/MeteringAgenda#Meeting%20topics Thanks, Dan Dyer On Thu, May 3, 2012 at 11:10 AM, Loic Dachary l...@enovance.com wrote: On 05/03/2012 02:22 PM, Loic Dachary wrote: Hi, The metering project team holds a meeting in #openstack-meeting, Thursdays at 1600 UTChttp://www.timeanddate.com/worldclock/fixedtime.html?hour=16min=0sec=0. Everyone is welcome. I propose an agenda based on the discussions we had on this list. http://wiki.openstack.org/Meetings/MeteringAgenda Topic : schema and counter definitions * counter definitions * Proposed http://wiki.openstack.org/EfficientMetering#Counters * schema definition * Proposed http://wiki.openstack.org/EfficientMetering#Storage * discuss storage assumptions * the storage will store all events * no aggregated value is permanently stored * discuss API assumptions * the API provide a sum() function to aggregate values * the API may transparently store results of the sum function in a cache * discuss event collection * events are collected from a components when possible * ceilometer agent is installed on a node when the a component does not provide the value * contribute to the component instead of developping a ceilometer agent plugin * engaging discussions with core components * nova * cinder * glance * swift * quantum * open discussion For the record, the first two points used all the time but that was the goal of the meeting. The other points would have been nice to discuss but can each be turned into a mailing list thread ;-) == #openstack-meeting Meeting == Meeting started by dachary at 16:00:16 UTC. The full logs are available athttp://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-03-16.00.log.html . Meeting summary --- * actions from previous meetings (dachary, 16:00:36) * creation of the ceilometer project (dachary, 16:00:36) * The repository for the ceilometer project has been created (dachary, 16:00:36) * LINK: https://github.com/stackforge/ceilometer (dachary, 16:00:36) * and the first commit was successfully reviewed and merged today https://review.stackforge.org/#/c/25/ (dachary, 16:00:37) * meeting organisation (dachary, 16:01:03) * This is 1/5 meetings to decide the architecture of the Metering project https://launchpad.net/ceilometer (dachary, 16:01:03) * Today's focus is on the definition of the counters / meters and the associated schema for the storage (dachary, 16:01:03) * It is the conclusion of the discussions held on the mailing list and the goal is to make a final choice that will then be implemented. (dachary, 16:01:03) * The meeting is time boxed and there will not be enough time to introduce inovative ideas and research for solutions. (dachary, 16:01:03) * The debate will be about the pro and cons of the options already discussed on the mailing list. (dachary, 16:01:03) * LINK: https://lists.launchpad.net/openstack/msg10810.html (dachary, 16:01:03) * counter definitions (dachary, 16:02:10) * Proposed http://wiki.openstack.org/EfficientMetering#Counters (dachary, 16:02:10) * ACTION: dachary fix the note for net_float still talks about number of floating IPs (dachary, 16:09:18) * ACTION: jd___ include Number of object in Swift, Number of containers in Swift, Number of GET/HEAD/PUT/POST requests in Swift in the table (dachary, 16:10:11) * ACTION: dachary add note about the fact that the resource_id for the object count is the container_id (dachary, 16:21:44) * LINK: http://wiki.openstack.org/EfficientMetering#Counters is agreed on, provided the actions listed above are carried out. (dachary, 16:25:35) * ACTION: jd___ document the resource_id for each counter (dachary, 16:30:33) * ACTION: jd___ describes the general table schema and then something that says for each counter exactly what goes in the fields of that table and show how secondary field counters
[Openstack] Keystone 2012.1 - global and private endpoints
Hi all, I was wondering if is there any way to create private and global endpoints in Keystone essex final, what for ? I have users defined for specific applications, for example i want that the images user, just to have access to the SWIFT endpoint, but no to nova, and etc In previous versions of Keystone, you can define is_global attribute for an endpoint, or create a direct relationship between a tenant and an endpoint if your endpoint was previously defined as non global. Is there any way to do this on the new Essex Final Keystone ? If not, how do i avoid the swift users to create instances on nova? Regards Lele ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Glance][Nova] Can't list images
Can anyone pinpoint what exactly is wrong with this. I've been stuck here for the past three days, and nothing i do seems to be working :/ On Tue, May 8, 2012 at 12:11 PM, Leander Bessa leande...@gmail.com wrote: I fixed the swift ip and i'm still getting the same error. Here are the log files and the config files: nova-api http://paste.openstack.org/show/16176/ glance-api.log 2012-05-08 11:39:55 6143 INFO [eventlet.wsgi.server] Starting single process server 2012-05-08 11:40:01 6255 INFO [eventlet.wsgi.server] Starting single process server glance-registery.log http://paste.openstack.org/show/16180/ glance-api.conf http://paste.openstack.org/show/16184/ glance-registry.conf http://paste.openstack.org/show/16185/ glance-api-paste.ini http://paste.openstack.org/show/16186/ glance-registry-pastet-ini http://paste.openstack.org/show/16187/ keystone log is empty. Regards, Leander On Mon, May 7, 2012 at 4:51 PM, Dolph Mathews dolph.math...@gmail.comwrote: There's not enough information in those logs to say (check your glance config and glance/keystone logs) -- but you'll definitely need to recreate that endpoint with SWIFT_HOST defined in your env to use swift through your service catalog. -Dolph On Mon, May 7, 2012 at 9:11 AM, Leander Bessa leande...@gmail.comwrote: Does that mean that glance is somehow configured to use swift as storage instead of the local file system or is does the error simply occur due to the a parsing error because of ${SWIFT_HOST}? On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews dolph.math...@gmail.comwrote: Your swift endpoint appears to be literally configured in keystone as http://${SWIFT_HOST}:8080/v1/...; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa leande...@gmail.comwrote: This is as much as i can capture at the moment. http://paste.openstack.org/show/15899/ For some reason, nothing is written to the logs, am i forgetting a flag or something? On Fri, May 4, 2012 at 11:30 PM, Yuriy Taraday yorik@gmail.comwrote: Please post to http://paste.openstack.org error text and backtrace from nova-api.log. Kind regards, Yuriy. On Fri, May 4, 2012 at 6:13 PM, Leander Bessa leande...@gmail.com wrote: Hello, I seem to be unable to list the images available in glance. I'm not sure why this is happening. I've check the logs for nova-api, glance-api and glance-registry and am unable to found anything out of the ordinary. Below is an output from the command 'nova image-list' REQ: curl -i http://192.168.164.128:5000/v2.0/tokens -X POST -H Content-Type: application/json -H Accept: application/json -H User-Agent: python-novaclient REQ BODY: {auth: {tenantName: admin, passwordCredentials: {username: admin, password: nova}}} RESP:{'date': 'Fri, 04 May 2012 14:08:53 GMT', 'transfer-encoding': 'chunked', 'status': '200', 'vary': 'X-Auth-Token', 'content-type': 'application/json'} {access: {token: {expires: 2012-05-05T14:08:53Z, id: c6d3145f1e924982982b54e52b97bec9, tenant: {description: null, enabled: true, id: 765a2012198f4751b8457c49932ec80d, name: admin}}, serviceCatalog: [{endpoints: [{adminURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, publicURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: volume, name: volume}, {endpoints: [{adminURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d, region: nova, internalURL: http://127.0.0.1:8080;, publicURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: storage, name: swift}, {endpoints: [{adminURL: http://192.168.164.128:9292/v1;, region: nova, internalURL: http://192.168.164.128:9292/v1;, publicURL: http://192.168.164.128:9292/v1}], endpoints_links: [], type: image, name: glance}, {endpoints: [{adminURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, publicURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: compute, name: nova}, {endpoints: [{adminURL: http://192.168.164.128:5000/v2.0;, region: nova, internalURL: http://192.168.164.128:5000/v2.0;, publicURL: http://192.168.164.128:35357/v2.0}], endpoints_links: [], type: identity, name: keystone}], user: {username: admin, roles_links: [], id: 842c74e5daa246239426f92b6f5c5dba, roles: [{id: d6d2f681acbf4f91a3bd3522e1c006ae, name: admin}, {id: e1428c3c9403494494b53393660a930a, name: KeystoneServiceAdmin}, {id: f2a9436d68974a049547c08324a37aed, name: KeystoneAdmin}], name: admin}}} REQ: curl -i
Re: [Openstack] Keystone client, user belongs to many tenants?
Hey guys, Just wanted to say that I'm deep, deep into some Keystone right now (auth'ing against DreamHost's existing infrastructure and granting access to tenants, etc.) and this email just saved me about a week of work :-) Thanks! d On Thu, May 10, 2012 at 10:25 AM, Dolph Mathews dolph.math...@gmail.com wrote: On Thu, May 10, 2012 at 9:00 AM, Lorin Hochstein lo...@nimbisservices.com wrote: Are there any documented examples out there of how to use roles? I still have a hard time building a mental model of how the system works. In particular: Do I need to create a new role for every user-tenant pair? Or can I reuse the same role? You can recycle roles. Role names are also unique. A member role is frequently used in the docs, where you can grant membership to a user on a specific tenant. Creating and granting this role to two users on different tenants using keystoneclient looks something like: # create two tenants $ keystone tenant-create --name=Tenant A tenant-id-a $ keystone tenant-create --name=Tenant B tenant-id-b # create two users $ keystone user-create --name=User A user-id-a $ keystone user-create --name=User B user-id-b # create a membership role $ keystone role-create --name=member role-id # (Neither user can access either tenant at this point.) # grant User A membership on Tenant A $ keystone user-role-add --role_id=role-id --tenant_id=tenant-id-a --user_id=user-id-a # User A is now a member of Tenant A. # (User B still has access to nothing at this point.) # grant User B membership on Tenant B $ keystone user-role-add --role_id=role-id --tenant_id=tenant-id-b --user_id=user-id-b # User B is now a member of Tenant B, but not Tenant A. # (and User A is still a member of Tenant A, but not Tenant B.) Where are the semantics of roles specified? What I mean is, what determines what a role allows a user to do with a specific service? Right now, that's entirely managed by each service's policy.json -- keystone does nothing but provide the role names to each OpenStack service. This will change a bit during folsom, with the introduction of RBAC (bp https://blueprints.launchpad.net/keystone/+spec/rbac-keystone). The contents of each service's policy.json will be centrally managed in keystone, and the meaning of the roles a user has (the user's set of capabilities in the current authentication context) will be provided to OpenStack services -- so service's will no longer need to understand role names. The examples I see always create a magical admin role, but how does, say, nova, know that this role is associated with admin privileges? Is it because the label is admin? Today, this is configurable via Nova's policy.json: https://github.com/openstack/nova/blob/master/etc/nova/policy.json What if I want to create a role that allows users in a tenant to have regular access to nova, but not to swift? How do I do that? Do I need to create a novaUser role? Where do I describe what a novaUser role means? In nova? In keystone? How? See above; not sure about swift's status, though. Pointer to an example here would be really helpful, would love to add this to the docs. Let me know if you find the above useful; or feel free to revise and submit :) Take care, Lorin -- Lorin Hochstein Lead Architect - Cloud Services Nimbis Services, Inc. www.nimbisservices.com On May 10, 2012, at 3:50 AM, Dolph Mathews wrote: +1 The second way to accomplish this is exactly what keystone currently supports (explicit role grants), which didn't change between diablo and essex at all. The first method (using global unscopedness) was dropped because its just as confusing as you describe it. -Dolph Mathews On May 10, 2012, at 2:35 AM, Joseph Heck he...@mac.com wrote: Guang, I think you need to re-read the code. The association between a user and tenant is what the role represents, and its inaccurate to assert that a user is aligned only with a single tenant ever, that is not the case. A role is no longer global, specifically to avoid the tremendous confusion and inaccuracy of implementation about how to apply a role that relates a tenant and user along with a potential global role concept that was in the earliest implementations of Keystone. The current implementation is simpler and far more specific and clear in it's implementation. -joe On May 9, 2012, at 10:22 PM, Yee, Guang wrote: I think this use case underscores one of the key differences between the fat Keystone (Diablo - E3) and KSL (Essex final). In fat Keystone, users and tenants are loosely coupled. They are bind together by role assignments. In KSL, users and tenants are tightly coupled, and IMHO very inflexible. Maybe the following example would further clarify this … Suppose you have tenants Dodgers, Giants, and Brewers, user Bud Selid, roles Commissioner and Minority Owner, and service MLB. And you want Bud Selid to have
Re: [Openstack] Openstack Beginners guide for Ubuntu 12.04/Essex
As usual, amazing work.Congratulations to all the team sir :) Atul Jha 10 mai 2012 16:33Hi all,We at Csscorp have been publishing series of beginners guide on Ubuntu/Openstack (versions), in continuation with that we have released the latest version of our book with Essex and Ubuntu 12.04.http://cssoss.wordpress.com/2012/05/07/openstack-beginners-guide-v3-0-for-essex-on-ubuntu-12-04-precise-pangolin/The code can be found at https://code.launchpad.net/openstackbookWe would love to see the book localized in some other languages too, say Chinese/Japanese/German to reach to as many people as possible. :)Suggestion/criticism would be highly appreciated.Cheers!!Atul JhaApplication SpecialistCsscorp pvt ltd, Chennai, Indiahttp://www.csscorp.com/common/email-disclaimer.php___Mailing list: https://launchpad.net/~openstackPost to : openstack@lists.launchpad.netUnsubscribe : https://launchpad.net/~openstackMore help : https://help.launchpad.net/ListHelp-- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Glance][Nova] Can't list images
Concerning your keystone.log being empty (empty for the duration of the request, or completely empty?)... is logging to a specific file configured in your keystone.conf? If not, keystone just logs to stdout. -Dolph On Thu, May 10, 2012 at 10:20 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Can anyone pinpoint what exactly is wrong with this. I've been stuck here for the past three days, and nothing i do seems to be working :/ On Tue, May 8, 2012 at 12:11 PM, Leander Bessa leande...@gmail.comwrote: I fixed the swift ip and i'm still getting the same error. Here are the log files and the config files: nova-api http://paste.openstack.org/show/16176/ glance-api.log 2012-05-08 11:39:55 6143 INFO [eventlet.wsgi.server] Starting single process server 2012-05-08 11:40:01 6255 INFO [eventlet.wsgi.server] Starting single process server glance-registery.log http://paste.openstack.org/show/16180/ glance-api.conf http://paste.openstack.org/show/16184/ glance-registry.conf http://paste.openstack.org/show/16185/ glance-api-paste.ini http://paste.openstack.org/show/16186/ glance-registry-pastet-ini http://paste.openstack.org/show/16187/ keystone log is empty. Regards, Leander On Mon, May 7, 2012 at 4:51 PM, Dolph Mathews dolph.math...@gmail.comwrote: There's not enough information in those logs to say (check your glance config and glance/keystone logs) -- but you'll definitely need to recreate that endpoint with SWIFT_HOST defined in your env to use swift through your service catalog. -Dolph On Mon, May 7, 2012 at 9:11 AM, Leander Bessa leande...@gmail.comwrote: Does that mean that glance is somehow configured to use swift as storage instead of the local file system or is does the error simply occur due to the a parsing error because of ${SWIFT_HOST}? On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews dolph.math...@gmail.comwrote: Your swift endpoint appears to be literally configured in keystone as http://${SWIFT_HOST}:8080/v1/...; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa leande...@gmail.comwrote: This is as much as i can capture at the moment. http://paste.openstack.org/show/15899/ For some reason, nothing is written to the logs, am i forgetting a flag or something? On Fri, May 4, 2012 at 11:30 PM, Yuriy Taraday yorik@gmail.comwrote: Please post to http://paste.openstack.org error text and backtrace from nova-api.log. Kind regards, Yuriy. On Fri, May 4, 2012 at 6:13 PM, Leander Bessa leande...@gmail.com wrote: Hello, I seem to be unable to list the images available in glance. I'm not sure why this is happening. I've check the logs for nova-api, glance-api and glance-registry and am unable to found anything out of the ordinary. Below is an output from the command 'nova image-list' REQ: curl -i http://192.168.164.128:5000/v2.0/tokens -X POST -H Content-Type: application/json -H Accept: application/json -H User-Agent: python-novaclient REQ BODY: {auth: {tenantName: admin, passwordCredentials: {username: admin, password: nova}}} RESP:{'date': 'Fri, 04 May 2012 14:08:53 GMT', 'transfer-encoding': 'chunked', 'status': '200', 'vary': 'X-Auth-Token', 'content-type': 'application/json'} {access: {token: {expires: 2012-05-05T14:08:53Z, id: c6d3145f1e924982982b54e52b97bec9, tenant: {description: null, enabled: true, id: 765a2012198f4751b8457c49932ec80d, name: admin}}, serviceCatalog: [{endpoints: [{adminURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d , publicURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: volume, name: volume}, {endpoints: [{adminURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d, region: nova, internalURL: http://127.0.0.1:8080;, publicURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: storage, name: swift}, {endpoints: [{adminURL: http://192.168.164.128:9292/v1;, region: nova, internalURL: http://192.168.164.128:9292/v1;, publicURL: http://192.168.164.128:9292/v1}], endpoints_links: [], type: image, name: glance}, {endpoints: [{adminURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d , publicURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: compute, name: nova}, {endpoints: [{adminURL: http://192.168.164.128:5000/v2.0;, region: nova, internalURL: http://192.168.164.128:5000/v2.0;, publicURL: http://192.168.164.128:35357/v2.0}], endpoints_links: [], type: identity, name: keystone}],
Re: [Openstack] Improving Xen support in the libvirt driver
Il 10/05/2012 16:08, Alvaro Lopez ha scritto: On Thu 10 May 2012 (15:17), Muriel wrote: Great! But there is a reason if are you using /proc/meminfo instead of getInfo when calculating the memory used? You know if there is a way to get, using libvirt, the reserved memory for dom0? Or the only solution is to read the configuration file of xen? I calculated the memory looking into /proc/meminfo because if the memory is not limited (i.e. no dom0_mem option) the dom0 might take all the memory available, that then will be ballooned out. For example, in a machine with 16GB RAM you could have: # xm li NameID Mem VCPUs State Time(s) Domain-0 0 15030 8 r- 1312.8 If you query libvirt for the dom0 mem, the free memory will be around 1GB, but you can create a machine with more RAM (since ballooning is enabled): # xm li NameID Mem VCPUs State Time(s) Domain-0 0 9188 8 r- 1328.6 test 4 7000 4 -b 3.5 If the dom0 memory is fixed and ballooning is disabled, then yes, you can query libvirt directly. Regards, Thank you for remarking this point, sometimes I forget the balooning system :). I messed up the question: if you consider the case where the memory is limited (dom0_mem) the value of MemTotal in meminfo is wrong. Do you think it makes sense to take the total memory value from libvirt and from meminfo the rest? Thus it should work in both cases. Thanks, M. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Glance][Nova] Can't list images
Both. The log file is completely empty and the stdout only prints deprecation warnings :/ On Thu, May 10, 2012 at 4:32 PM, Dolph Mathews dolph.math...@gmail.comwrote: Concerning your keystone.log being empty (empty for the duration of the request, or completely empty?)... is logging to a specific file configured in your keystone.conf? If not, keystone just logs to stdout. -Dolph On Thu, May 10, 2012 at 10:20 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Can anyone pinpoint what exactly is wrong with this. I've been stuck here for the past three days, and nothing i do seems to be working :/ On Tue, May 8, 2012 at 12:11 PM, Leander Bessa leande...@gmail.comwrote: I fixed the swift ip and i'm still getting the same error. Here are the log files and the config files: nova-api http://paste.openstack.org/show/16176/ glance-api.log 2012-05-08 11:39:55 6143 INFO [eventlet.wsgi.server] Starting single process server 2012-05-08 11:40:01 6255 INFO [eventlet.wsgi.server] Starting single process server glance-registery.log http://paste.openstack.org/show/16180/ glance-api.conf http://paste.openstack.org/show/16184/ glance-registry.conf http://paste.openstack.org/show/16185/ glance-api-paste.ini http://paste.openstack.org/show/16186/ glance-registry-pastet-ini http://paste.openstack.org/show/16187/ keystone log is empty. Regards, Leander On Mon, May 7, 2012 at 4:51 PM, Dolph Mathews dolph.math...@gmail.comwrote: There's not enough information in those logs to say (check your glance config and glance/keystone logs) -- but you'll definitely need to recreate that endpoint with SWIFT_HOST defined in your env to use swift through your service catalog. -Dolph On Mon, May 7, 2012 at 9:11 AM, Leander Bessa leande...@gmail.comwrote: Does that mean that glance is somehow configured to use swift as storage instead of the local file system or is does the error simply occur due to the a parsing error because of ${SWIFT_HOST}? On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews dolph.math...@gmail.com wrote: Your swift endpoint appears to be literally configured in keystone as http://${SWIFT_HOST}:8080/v1/...; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa leande...@gmail.comwrote: This is as much as i can capture at the moment. http://paste.openstack.org/show/15899/ For some reason, nothing is written to the logs, am i forgetting a flag or something? On Fri, May 4, 2012 at 11:30 PM, Yuriy Taraday yorik@gmail.comwrote: Please post to http://paste.openstack.org error text and backtrace from nova-api.log. Kind regards, Yuriy. On Fri, May 4, 2012 at 6:13 PM, Leander Bessa leande...@gmail.com wrote: Hello, I seem to be unable to list the images available in glance. I'm not sure why this is happening. I've check the logs for nova-api, glance-api and glance-registry and am unable to found anything out of the ordinary. Below is an output from the command 'nova image-list' REQ: curl -i http://192.168.164.128:5000/v2.0/tokens -X POST -H Content-Type: application/json -H Accept: application/json -H User-Agent: python-novaclient REQ BODY: {auth: {tenantName: admin, passwordCredentials: {username: admin, password: nova}}} RESP:{'date': 'Fri, 04 May 2012 14:08:53 GMT', 'transfer-encoding': 'chunked', 'status': '200', 'vary': 'X-Auth-Token', 'content-type': 'application/json'} {access: {token: {expires: 2012-05-05T14:08:53Z, id: c6d3145f1e924982982b54e52b97bec9, tenant: {description: null, enabled: true, id: 765a2012198f4751b8457c49932ec80d, name: admin}}, serviceCatalog: [{endpoints: [{adminURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d , publicURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: volume, name: volume}, {endpoints: [{adminURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d, region: nova, internalURL: http://127.0.0.1:8080;, publicURL: http:// ${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: storage, name: swift}, {endpoints: [{adminURL: http://192.168.164.128:9292/v1;, region: nova, internalURL: http://192.168.164.128:9292/v1;, publicURL: http://192.168.164.128:9292/v1}], endpoints_links: [], type: image, name: glance}, {endpoints: [{adminURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d , publicURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d }], endpoints_links: [], type: compute, name: nova}, {endpoints: [{adminURL:
Re: [Openstack] [Metering] Meeting agenda for today 16:00 UTC (May 3rd, 2012)
On Thu, May 10, 2012 at 12:17 AM, Daniel Dyer dan.dye...@gmail.com wrote: A question/comment about the scope of the schema or maybe the architecture. Assuming the services will provide the instrumentation to populate the raw metric data, it seems likely that you will need to define an interface between the services/agents that are providing the data and the metering system which stores the generated metric data in the database (as opposed to having the services write directly to the DB). Is the schema intended to be this kind of interop format between the services and the meter's datastore or just the end result of the storage? It may be both, at first, but we also may find some benefit to letting them diverge later so I don't think we need to make it a hard requirement. Thanks, Dan Dyer On Thu, May 3, 2012 at 11:10 AM, Loic Dachary l...@enovance.com wrote: On 05/03/2012 02:22 PM, Loic Dachary wrote: Hi, The metering project team holds a meeting in #openstack-meeting, Thursdays at 1600 UTChttp://www.timeanddate.com/worldclock/fixedtime.html?hour=16min=0sec=0. Everyone is welcome. I propose an agenda based on the discussions we had on this list. http://wiki.openstack.org/Meetings/MeteringAgenda Topic : schema and counter definitions * counter definitions * Proposed http://wiki.openstack.org/EfficientMetering#Counters * schema definition * Proposed http://wiki.openstack.org/EfficientMetering#Storage * discuss storage assumptions * the storage will store all events * no aggregated value is permanently stored * discuss API assumptions * the API provide a sum() function to aggregate values * the API may transparently store results of the sum function in a cache * discuss event collection * events are collected from a components when possible * ceilometer agent is installed on a node when the a component does not provide the value * contribute to the component instead of developping a ceilometer agent plugin * engaging discussions with core components * nova * cinder * glance * swift * quantum * open discussion For the record, the first two points used all the time but that was the goal of the meeting. The other points would have been nice to discuss but can each be turned into a mailing list thread ;-) == #openstack-meeting Meeting == Meeting started by dachary at 16:00:16 UTC. The full logs are available athttp://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-03-16.00.log.html . Meeting summary --- * actions from previous meetings (dachary, 16:00:36) * creation of the ceilometer project (dachary, 16:00:36) * The repository for the ceilometer project has been created (dachary, 16:00:36) * LINK: https://github.com/stackforge/ceilometer (dachary, 16:00:36) * and the first commit was successfully reviewed and merged today https://review.stackforge.org/#/c/25/ (dachary, 16:00:37) * meeting organisation (dachary, 16:01:03) * This is 1/5 meetings to decide the architecture of the Metering project https://launchpad.net/ceilometer (dachary, 16:01:03) * Today's focus is on the definition of the counters / meters and the associated schema for the storage (dachary, 16:01:03) * It is the conclusion of the discussions held on the mailing list and the goal is to make a final choice that will then be implemented. (dachary, 16:01:03) * The meeting is time boxed and there will not be enough time to introduce inovative ideas and research for solutions. (dachary, 16:01:03) * The debate will be about the pro and cons of the options already discussed on the mailing list. (dachary, 16:01:03) * LINK: https://lists.launchpad.net/openstack/msg10810.html (dachary, 16:01:03) * counter definitions (dachary, 16:02:10) * Proposed http://wiki.openstack.org/EfficientMetering#Counters (dachary, 16:02:10) * ACTION: dachary fix the note for net_float still talks about number of floating IPs (dachary, 16:09:18) * ACTION: jd___ include Number of object in Swift, Number of containers in Swift, Number of GET/HEAD/PUT/POST requests in Swift in the table (dachary, 16:10:11) * ACTION: dachary add note about the fact that the resource_id for the object count is the container_id (dachary, 16:21:44) * LINK: http://wiki.openstack.org/EfficientMetering#Counters is agreed on, provided the actions listed above are carried out. (dachary, 16:25:35) * ACTION: jd___ document the resource_id for each counter (dachary, 16:30:33) * ACTION: jd___ describes the general table schema and then something that says for each counter exactly what goes in the fields of that table and show how secondary field counters are recorded in the in the schema too (dachary, 16:33:27) *
Re: [Openstack] [Glance][Nova] Can't list images
Can you paste those deprecation warnings, your keystone.conf, and logging.conf? -Dolph Mathews On May 10, 2012, at 10:37 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Both. The log file is completely empty and the stdout only prints deprecation warnings :/ On Thu, May 10, 2012 at 4:32 PM, Dolph Mathews dolph.math...@gmail.com wrote: Concerning your keystone.log being empty (empty for the duration of the request, or completely empty?)... is logging to a specific file configured in your keystone.conf? If not, keystone just logs to stdout. -Dolph On Thu, May 10, 2012 at 10:20 AM, Leander Bessa Beernaert leande...@gmail.com wrote: Can anyone pinpoint what exactly is wrong with this. I've been stuck here for the past three days, and nothing i do seems to be working :/ On Tue, May 8, 2012 at 12:11 PM, Leander Bessa leande...@gmail.com wrote: I fixed the swift ip and i'm still getting the same error. Here are the log files and the config files: nova-api http://paste.openstack.org/show/16176/ glance-api.log 2012-05-08 11:39:55 6143 INFO [eventlet.wsgi.server] Starting single process server 2012-05-08 11:40:01 6255 INFO [eventlet.wsgi.server] Starting single process server glance-registery.log http://paste.openstack.org/show/16180/ glance-api.conf http://paste.openstack.org/show/16184/ glance-registry.conf http://paste.openstack.org/show/16185/ glance-api-paste.ini http://paste.openstack.org/show/16186/ glance-registry-pastet-ini http://paste.openstack.org/show/16187/ keystone log is empty. Regards, Leander On Mon, May 7, 2012 at 4:51 PM, Dolph Mathews dolph.math...@gmail.com wrote: There's not enough information in those logs to say (check your glance config and glance/keystone logs) -- but you'll definitely need to recreate that endpoint with SWIFT_HOST defined in your env to use swift through your service catalog. -Dolph On Mon, May 7, 2012 at 9:11 AM, Leander Bessa leande...@gmail.com wrote: Does that mean that glance is somehow configured to use swift as storage instead of the local file system or is does the error simply occur due to the a parsing error because of ${SWIFT_HOST}? On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews dolph.math...@gmail.com wrote: Your swift endpoint appears to be literally configured in keystone as http://${SWIFT_HOST}:8080/v1/...; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa leande...@gmail.com wrote: This is as much as i can capture at the moment. http://paste.openstack.org/show/15899/ For some reason, nothing is written to the logs, am i forgetting a flag or something? On Fri, May 4, 2012 at 11:30 PM, Yuriy Taraday yorik@gmail.com wrote: Please post to http://paste.openstack.org error text and backtrace from nova-api.log. Kind regards, Yuriy. On Fri, May 4, 2012 at 6:13 PM, Leander Bessa leande...@gmail.com wrote: Hello, I seem to be unable to list the images available in glance. I'm not sure why this is happening. I've check the logs for nova-api, glance-api and glance-registry and am unable to found anything out of the ordinary. Below is an output from the command 'nova image-list' REQ: curl -i http://192.168.164.128:5000/v2.0/tokens -X POST -H Content-Type: application/json -H Accept: application/json -H User-Agent: python-novaclient REQ BODY: {auth: {tenantName: admin, passwordCredentials: {username: admin, password: nova}}} RESP:{'date': 'Fri, 04 May 2012 14:08:53 GMT', 'transfer-encoding': 'chunked', 'status': '200', 'vary': 'X-Auth-Token', 'content-type': 'application/json'} {access: {token: {expires: 2012-05-05T14:08:53Z, id: c6d3145f1e924982982b54e52b97bec9, tenant: {description: null, enabled: true, id: 765a2012198f4751b8457c49932ec80d, name: admin}}, serviceCatalog: [{endpoints: [{adminURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, publicURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: volume, name: volume}, {endpoints: [{adminURL: http://${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://127.0.0.1:8080;, publicURL: http://${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: storage, name: swift}, {endpoints: [{adminURL: http://192.168.164.128:9292/v1;, region: nova, internalURL: http://192.168.164.128:9292/v1;, publicURL: http://192.168.164.128:9292/v1}], endpoints_links: [], type: image, name: glance}, {endpoints: [{adminURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL:
Re: [Openstack] [Metering] API Extensibility (was: External API definition)
On Thu, May 10, 2012 at 9:22 AM, Loic Dachary l...@enovance.com wrote: Another item that we need to discuss is extensibility of this API. Hi, Here is a proposal, which we could discuss further during the meeting. GET extension=param1=fooparam2=bar The API looks up /usr/share/ceilometer/extensions/.py and loads it. The module defines a query function that takes the following arguments: Andrew Bogott is doing some work with a standardized plugin mechanism for Nova which will eventually be put in the common lib for all of the projects. We should look at his work and use it, rather than inventing something else. I think it will eventually use setuptools entrypoints, which eliminates the need to worry about search paths. Why would the extension be a query parameter, rather than a URL component? That is, why wouldn't the extension just add new endpoints that could be queried directly using their own API? Maybe I don't understand the types of extensions you are thinking of. * QUERY_STRING (i.e. extension=param1=fooparam2=bar ) * a handler to the storage * a pointer to the configuration (assuming there is a /etc/ceilometer.ini file, for instance) The query function would return the result. For instance { 'in': 20001, 'out': 489324 } if asked for aggregated network usage. Multiple extensions directories could be specified and searched, allowing a mixture of extensions provided in ceilometer and custom extensions to address specific needs or to mature an new extension. The primary benefit of defining extensions in this way is to avoid complex conventions for aggregations or other advanced operations. If the API was to impose a syntax or conventions to say sum this field and this one and display the result ordered in this way and grouped by this field and this one, it would be redundant with the query language of the underlying data. For instance, if using mongodb, it would be difficult to expose all the features provided by http://www.mongodb.org/display/DOCS/Aggregation or http://www.mongodb.org/display/DOCS/MapReduce Cheers -- Loïc Dachary Chief Research Officer // eNovance labs http://labs.enovance.com // ✉ l...@enovance.com ☎ +33 1 49 70 99 82 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On Thu 10 May 2012 (17:33), Muriel wrote: I messed up the question: if you consider the case where the memory is limited (dom0_mem) the value of MemTotal in meminfo is wrong. Do you think it makes sense to take the total memory value from libvirt and from meminfo the rest? Thus it should work in both cases. Yes, you're totally right, I missed that! I'll fix it ASAP and submit it again. Thank you for pointing it out, -- Álvaro López García al...@ifca.unican.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [Documentation] Missing section in documentation
Hi, In Admin installation document guide of Ubuntu 12.04 in the section 5. Installing OpenStack Compute and Image Service Following settings are missing. [filter:authtoken] paste.filter_factory = keystone.middleware.auth_token:filter_factory service_protocol = http service_host = *IP* service_port = 5000 auth_host = *IP* auth_port = *35357 * auth_protocol = http auth_uri = http://*IP*:5000/ admin_token = 012345SECRET99TOKEN012345 This is very much annoying because lot of people are getting error when they try to upload image in glance and get the following error which also has type *Unavilable* *The request returned 503 Service Unavilable. This generally occurs on service overload or other transient outage. * Regards, Milind Patil +919890119176 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] OpenStack Install Understand Guide by Me :)
Hi everyone , i proudly present 30 days of work.30 days ago , i was an OpenStack Noobie, Today i have much more knowledge about this awesome project.I wanted to share this work with those who are still taking the fist steps into the world of cloud computing.It's a one host install guide, pretty simple and covers almost everything. take a look, help me out with comments to enhance my work and if you want to participate join me at : https://github.com/mseknibilel/OpenStack-Install-and-Understand-Guide#openstack-install-and-understand-guide ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [OpenStack][Keystone] Blueprint to store quota data in Keystone
Hi All, I've started a blueprinthttps://blueprints.launchpad.net/keystone/+spec/store-quota-dataand spec http://wiki.openstack.org/KeystoneStoreQuotaData to store quota data in Keystone. Please have a look if you're interested and any feedback is welcome. Of course, writing up the spec brought up number of questions for me. You can find more detail in the spec but here they are to get some more exposure. 1. For the keystone CLI I'm proposing using JSON for batch create, update, and delete of quotas. I don't believe this is done anywhere else in OpenStack. Good idea? Bad idea? My plan is to go with the JSON. 2. For the RESTful API, do we have just one DELETE with details of what to delete in the body of the request? My plan is to go with just one DELETE. 3. For the implementation I'm proposing two options. 1. Store the data in the current metadata table. 2. Store the data in a new metadata_per_tenant table. Thoughts? My plan is to use option 2. 4. If you change the word quota to the word metadata in the User Stories and the Design sections, this becomes a generic mechanism for accessing metadata per tenant. Do we want a generic metadata service for keystone or stick with a service specific to quotas, while keeping the underlying implementation generic? I'm on the fence about this one. On one hand, it's very clear to have a well defined API that's just used for quotas. On the other hand, it's very flexible to have a generic API that can be used for any metadata (although maybe that promotes abuse of the feature). Regards, Everett ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] 'nova flavor-list' fails with ERROR: string indices must be integers, not str, but 'nova-manage flavor list' succeeds.
Unfortunately there's something wrong with my logging configuration. Nova-api doesn't log anything after it starts up. I've got debug enabled, and verbose=true. But once it finished binding that last port.. Nothing. I've tried grabbing the sample logging.conf and using that, but it doesn't get me anywhere. Running strace on nova-api, I can see the clients connecting. So I'm pretty sure my endpoint is configured correctly. Anyhow, short-story long: I don't have the trace from nova-api :( -James From: Chris Behrens cbehr...@codestud.commailto:cbehr...@codestud.com To: James R Penick pen...@yahoo-inc.commailto:pen...@yahoo-inc.com Cc: Vishvananda Ishaya vishvana...@gmail.commailto:vishvana...@gmail.com, openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] 'nova flavor-list' fails with ERROR: string indices must be integers, not str, but 'nova-manage flavor list' succeeds. That's the traceback from novaclient. If you're getting a 503, there's likely a traceback in the nova-api service logs. - Chris On May 9, 2012, at 5:38 PM, James R Penick pen...@yahoo-inc.commailto:pen...@yahoo-inc.com wrote: Sorry, forgot to include that: bash-4.1$ nova —debug image-list connect: (127.0.0.1, 5000) send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 127.0.0.1:5000\r\nAccept-Encoding: identity\r\nContent-Length: 101\r\ncontent-type: application/json\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n' send: '{auth: {tenantName: vmops, passwordCredentials: {username: penick, password: tacos}}}' reply: 'HTTP/1.1 200 OK\r\n' header: Content-Type: application/json header: Vary: X-Auth-Token header: Content-Length: 1903 header: Date: Thu, 10 May 2012 00:37:02 GMT connect: (208.67.66.91, 8774) send: u'GET /v2/c9d7f45d980d494fab3d69d9fc57547c/images/detail HTTP/1.1\r\nHost: 208.67.66.91:8774\r\nx-auth-project-id: vmops\r\nx-auth-token: 3261ef74e6494561830949780838\r\naccept-encoding: compress, gzip\r\naccept: application/json\r\nuser-agent: python-novaclient\r\n\r\n' reply: 'HTTP/1.1 503 Service Unavailable\r\n' header: Content-Length: 100 header: Content-Type: text/plain; charset=UTF-8 header: Date: Thu, 10 May 2012 00:37:02 GMT DEBUG (shell:415) string indices must be integers, not str Traceback (most recent call last): File /usr/lib/python2.6/site-packages/novaclient/shell.py, line 412, in main OpenStackComputeShell().main(sys.argv[1:]) File /usr/lib/python2.6/site-packages/novaclient/shell.py, line 363, in main args.func(self.cs, args) File /usr/lib/python2.6/site-packages/novaclient/v1_1/shell.py, line 350, in do_image_list image_list = cs.images.list() File /usr/lib/python2.6/site-packages/novaclient/v1_1/images.py, line 47, in list return self._list(/images/detail, images) File /usr/lib/python2.6/site-packages/novaclient/base.py, line 80, in _list data = body[response_key] TypeError: string indices must be integers, not str ERROR: string indices must be integers, not str bash-4.1$ From: Vishvananda Ishaya vishvana...@gmail.commailto:vishvana...@gmail.com To: James R Penick pen...@yahoo-inc.commailto:pen...@yahoo-inc.com Cc: openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Subject: Re: [Openstack] 'nova flavor-list' fails with ERROR: string indices must be integers, not str, but 'nova-manage flavor list' succeeds. Is there a traceback from nova-api? ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Glance][Nova] Can't list images
Glance isn't able to authenticate who you are. What happens if you speak to glance directly? On May 10, 2012, at 8:20 AM, Leander Bessa Beernaert wrote: Can anyone pinpoint what exactly is wrong with this. I've been stuck here for the past three days, and nothing i do seems to be working :/ On Tue, May 8, 2012 at 12:11 PM, Leander Bessa leande...@gmail.com wrote: I fixed the swift ip and i'm still getting the same error. Here are the log files and the config files: nova-api http://paste.openstack.org/show/16176/ glance-api.log 2012-05-08 11:39:55 6143 INFO [eventlet.wsgi.server] Starting single process server 2012-05-08 11:40:01 6255 INFO [eventlet.wsgi.server] Starting single process server glance-registery.log http://paste.openstack.org/show/16180/ glance-api.conf http://paste.openstack.org/show/16184/ glance-registry.conf http://paste.openstack.org/show/16185/ glance-api-paste.ini http://paste.openstack.org/show/16186/ glance-registry-pastet-ini http://paste.openstack.org/show/16187/ keystone log is empty. Regards, Leander On Mon, May 7, 2012 at 4:51 PM, Dolph Mathews dolph.math...@gmail.com wrote: There's not enough information in those logs to say (check your glance config and glance/keystone logs) -- but you'll definitely need to recreate that endpoint with SWIFT_HOST defined in your env to use swift through your service catalog. -Dolph On Mon, May 7, 2012 at 9:11 AM, Leander Bessa leande...@gmail.com wrote: Does that mean that glance is somehow configured to use swift as storage instead of the local file system or is does the error simply occur due to the a parsing error because of ${SWIFT_HOST}? On Mon, May 7, 2012 at 2:59 PM, Dolph Mathews dolph.math...@gmail.com wrote: Your swift endpoint appears to be literally configured in keystone as http://${SWIFT_HOST}:8080/v1/...; -- I'm guessing that's unreachable :) Based on your logs, I'm not certain that will fix your 500, however. -Dolph On Mon, May 7, 2012 at 5:23 AM, Leander Bessa leande...@gmail.com wrote: This is as much as i can capture at the moment. http://paste.openstack.org/show/15899/ For some reason, nothing is written to the logs, am i forgetting a flag or something? On Fri, May 4, 2012 at 11:30 PM, Yuriy Taraday yorik@gmail.com wrote: Please post to http://paste.openstack.org error text and backtrace from nova-api.log. Kind regards, Yuriy. On Fri, May 4, 2012 at 6:13 PM, Leander Bessa leande...@gmail.com wrote: Hello, I seem to be unable to list the images available in glance. I'm not sure why this is happening. I've check the logs for nova-api, glance-api and glance-registry and am unable to found anything out of the ordinary. Below is an output from the command 'nova image-list' REQ: curl -i http://192.168.164.128:5000/v2.0/tokens -X POST -H Content-Type: application/json -H Accept: application/json -H User-Agent: python-novaclient REQ BODY: {auth: {tenantName: admin, passwordCredentials: {username: admin, password: nova}}} RESP:{'date': 'Fri, 04 May 2012 14:08:53 GMT', 'transfer-encoding': 'chunked', 'status': '200', 'vary': 'X-Auth-Token', 'content-type': 'application/json'} {access: {token: {expires: 2012-05-05T14:08:53Z, id: c6d3145f1e924982982b54e52b97bec9, tenant: {description: null, enabled: true, id: 765a2012198f4751b8457c49932ec80d, name: admin}}, serviceCatalog: [{endpoints: [{adminURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d;, publicURL: http://192.168.164.128:8776/v2/765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: volume, name: volume}, {endpoints: [{adminURL: http://${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://127.0.0.1:8080;, publicURL: http://${SWIFT_HOST}:8080/v1/AUTH_765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: storage, name: swift}, {endpoints: [{adminURL: http://192.168.164.128:9292/v1;, region: nova, internalURL: http://192.168.164.128:9292/v1;, publicURL: http://192.168.164.128:9292/v1}], endpoints_links: [], type: image, name: glance}, {endpoints: [{adminURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, region: nova, internalURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d;, publicURL: http://192.168.164.128:8774/v2/765a2012198f4751b8457c49932ec80d}], endpoints_links: [], type: compute, name: nova}, {endpoints: [{adminURL: http://192.168.164.128:5000/v2.0;, region: nova, internalURL: http://192.168.164.128:5000/v2.0;, publicURL: http://192.168.164.128:35357/v2.0}], endpoints_links: [], type: identity, name: keystone}], user: {username: admin, roles_links: [], id: 842c74e5daa246239426f92b6f5c5dba, roles: [{id: d6d2f681acbf4f91a3bd3522e1c006ae,
Re: [Openstack] Improving Xen support in the libvirt driver
On May 10, 2012, at 1:56 AM, Daniel P. Berrange wrote: On Thu, May 10, 2012 at 09:06:58AM +0100, Daniel P. Berrange wrote: I had a quick chat with Kevin Wolf who's the upstream QEMU qcow2 maintainer and he said that 64k is the current recommended cluster size for qcow2. Above this size, the cost of COW becomes higher causing an overall drop in performance. Looking at GIT history, Nova has used cluster_size=2M since Vish first added qcow2 support, and there's no mention of why in the commit message. So unless further info comes to light, I'd say we ought to just switch to use qemu-img's default setting of 64K for both Xen and KVM. This is good info. Sounds like we should switch to 64K Vish___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Improving Xen support in the libvirt driver
On May 9, 2012, at 10:08 PM, Jim Fehlig wrote: Hi, I've been tinkering with improving Xen support in the libvirt driver and wanted to discuss a few issues before submitting patches. Awesome! Even the latest upstream release of Xen (4.1.x) contains a rather old qemu, version 0.10.2, which rejects qcow2 images with cluster size 64K. The libvirt driver creates the COW image with cluster size of 2M. Is this for performance reasons? Any objections to removing that option and going with 'qemu-img create' default of 64K? As per other email, 64K seems correct. In a setup with both Xen and KVM compute nodes, I've found a few options for controlling scheduling of an instance to the correct node. One option uses availability zones, e.g. # nova.conf on Xen compute nodes node_availability_zone=xen-hosts # launching a Xen PV instance nova boot --image xen-pv-image --availability_zone xen-hosts ... The other involves a recent commit adding additional capabilities for compute nodes [1] and the vm_mode image property [2] used by the XenServer driver to distinguish HVM vs PV images. E.g. # nova.conf on Xen compute nodes additional_compute_capabilities=pv,hvm # Set vm_mode property on Xen image glance update image-uuid vm_mode=pv I prefer that latter approach since vm_mode will be needed in the libvirt driver anyhow to create proper config for PV vs HVM instances. Currently, the driver creates usable config for PV instances, but needs some adjustments for HVM. Agree that this is best. Once general host aggregates[1] is done, the capabilities and the availability zone will move into aggregate metadata and it will just be making sure that we have reasonable image properties to help the scheduler place the guest correctly. Vish [1] https://blueprints.launchpad.net/nova/+spec/general-host-aggregates ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] questions on the dynamic loading of virt drivers in nova
You might want to talk to Soren and fix it within: https://blueprints.launchpad.net/nova/+spec/hypervisor-code-consolidation since this will also result in refactoring in the same area. Vishvananda Ishaya wrote: No this is mostly just legacy stuff that was never refactored. Vish On May 9, 2012 3:33 PM, Sean Dague sda...@linux.vnet.ibm.com mailto:sda...@linux.vnet.ibm.com wrote: I'm familiarizing myself with the nova code and trying to reconcile that while there is dynamic class based loading in ComputeManager using import_utils in __init__() there is also a defaulting to the nova.virt.connection.get_ connection function. That's actually got a big if / else statement of string literals of known virt drivers, and then loads specific virt drivers from there. Is there a reason for both approaches? Can we refactor to a point where we don't need need of a common file with driver specific imports and string literals? Is there a reason not to? Thanks, -Sean -- Sean Dague IBM Linux Technology Center email: sda...@linux.vnet.ibm.com mailto:sda...@linux.vnet.ibm.com alt-email: slda...@us.ibm.com mailto:slda...@us.ibm.com __ _ Mailing list: https://launchpad.net/~ openstack https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~ openstack https://launchpad.net/~openstack More help : https://help.launchpad.net/ ListHelp https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Thierry Carrez (ttx) Release Manager, OpenStack ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Translation and Internationalization in OpenStack
Thanks Gabriel for the work. I agree with Thierry: On 05/08/2012 09:56 PM, Thierry Carrez wrote: Great! I'm happy to defer the tool decision to the people that will own and push that work forward ;) I like the basic reporting offered by Transifex. Do you know if there is a way to identify the people that do the translations? I couldn't find a way. thanks, stef ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Openstack Beginners guide for Ubuntu 12.04/Essex
On 05/10/2012 07:33 AM, Atul Jha wrote: Suggestion/criticism would be highly appreciated. Tried a few times to send this directly to Atul and the css.ossbo...@csscorp.com address in the paper, but was getting rejected content for Atul's email destination and no such user for the css.ossbooks email. So, some feedback, mostly little things, wording/format/etc: 11th Page - List of Tables - This is a tutorial style beginner’s guide for OpenStackTM on Ubuntu 12.04, Precise Pangolin. The aim is to help the reader in setting up a minimal installation of OpenStack. doesn't seem like a list of tables. 13th page, section 1.1 - since it is a beginners guide, a short sentence describing IaaS, PaaS and SaaS would be a good thing to include. 13th page, section 1.2 - similar to previous, a short sentence describing what a Compute, Storage, Imaging, Identity and UI service are/do would be goodness. 14th page - Perhaps a dialect thing but should it be The diagram below rather than The below diagram? Also, I would put the overall diagram before the Nova-specific one and then call them Overall Architecture and Nova Architecture respectively. Show the beginner the overall first before hitting him with the complex :) Also, in the overall diagram, should Glance be called STORE or should that be IMAGE to maintain consistency with previous discussion - someone seeing Glance:Store and Swift:Storage will wonder about the difference. 15th page - section 1.2.1.2.2 - I think that should start with OpenStack components communicate section 1.2.1.2.3 - Compute workers deal with the instance management life cycle... and I might add based on the scheduling algorithm used by nova-scheduler. Section 1.2.1.2.4 - security groups are mentioned without prior definition. 16th page - section 1.2.1.2.6 - previously, it was said that OpenStack Nova provides EC2 apis and the native was mentioned just as an aside. Now though we read The scheduler maps the nova-API calls to the ... - what has become of EC2? section 1.2.2 - might it be worthwhile to include the Swift project name along with Open Stack Object Store in the second bullet item? 22nd page - section 2.2.2 - should there be some sort of caveat about using IP addresses appropriate for the admin's specific situation? Section 2.2.3 - the NTP gods are quite adamant about configuring at least four sources of time. That allows the bad clock detection heuristics to operate even if one of the time sources is unavailable. IP addresses of the servers are resolvable sounds like asking for PTR records to go from IP to name, but I think you mean to verify that the names can be resolved to IPs no? Perhaps Ensure that the hostnames can be resolved to their respective IP addresses. If they are not resolvable via DNS, you can add entries to the /etc/hosts file. Some discussion of how long it will take Server1 to get its time synchronized and so be willing to serve time to others is probably in order. 27th page - it might be an artifact of document viewer, but it isn't possible to cut-and-paste the keystone commands from the document. And even if it was, where I'd expect to find a backslash '\' there is an arrow with a curled shaft - is that something bash et all will recognize and deal with properly as a continued on the next line indication? 40th page - why is Server2 a child of Server1 section 2.2 instead of its own section 2.3? Also, the interfaces file seems to be the first indication that Server2 needs to have two NICs. 42nd page - same sort of question about Client1 56th page - 5.2.1 Instances - the text is on this page, but the image is on the 57th page. And that continues with the other sections. Something should be done to force the text and image to be on the same page. 58th page - section 5.2.3 - Flavors as a term just sort of magically appears for the first time here. 80th page - section 8.1 - not an issue with the document per-se but with the terms nova chose. To someone with much knowledge of TCP From Port sounds like the source port number and To Port sounds like the destination port number. That is very different from what they are in this context, which are the Beginning and Ending port numbers of an instance-local range of ports being opened. Some verbiage about that might be goodness. Also the example description for adding port 22 is incomplete - it isn't allowing tcp traffic traffic generally. It is allowing ssh/scp traffic specifically hope that helps, rick jones ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] ERROR: Malformed request url (HTTP 400)
Hi Dolph and Kevin, thank you for your attention and sorry for delay reply. Here are what I have in nova-api.log : 2012-05-10 14:40:08 INFO nova.api.openstack.wsgi [req-c6b9ea76-bbe1-4796-a231-41fc41c7695f 50be127b9b7f49dcbf5ffea06d23d83a ebf29e67cbd445daa5ad09f76cdf69f9] GET http://192.168.1.71:8774/v2/7033300637bc4964a8d0a43649fcf898/images/detail 2012-05-10 14:40:08 DEBUG nova.api.openstack.wsgi [req-c6b9ea76-bbe1-4796-a231-41fc41c7695f 50be127b9b7f49dcbf5ffea06d23d83a ebf29e67cbd445daa5ad09f76cdf69f9] Unrecognized Content-Type provided in request from (pid=1005) get_body /usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py:697 On Thu, May 10, 2012 at 2:27 AM, Dolph Mathews dolph.math...@gmail.com wrote: Hrm, good catch! I see no problems with that request at all... -Dolph Mathews On May 9, 2012, at 5:58 PM, Kevin L. Mitchell kevin.mitch...@rackspace.com wrote: On Wed, 2012-05-09 at 15:32 -0500, Dolph Mathews wrote: It also just occurred to me that perhaps you're using a *very* old novaclient against a more recent version of keystone? Actually, if you look a little more closely: $ nova --debug image-list connect: (192.168.1.71, 5000) send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 192.168.1.71:5000\r\nContent-Length: 117\r \ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r \naccept: application/json\r\nuser-agent: python-novaclient\r\n \r\n{auth: {tenantName: labSpaceDemo, passwordCredentials: {username: adminUser, password: lfplhfgthvf}}}' The request body for Keystone is not, in fact, malformed. It would be interesting to look at the nova-api logs for this request… -- Kevin L. Mitchell kevin.mitch...@rackspace.com -- Igor Laskovy ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Help with security groups (in use error) in juju/openstack.
Hi! Thank you for the reply. I'm not trying to delete de secgroup manually. All the tasks are made by juju and nova. I've made a detailed description of the problem. Take a look at: http://pastebin.com/SnC4GLEi Thanks! On Thu, May 10, 2012 at 12:57 PM, Russell Bryant rbry...@redhat.com wrote: On 05/10/2012 09:28 AM, Jorge Luiz Correa wrote: Hi all! I'm having some problems with juju and security groups in openstack. When I try to instantiate about 10 instances, some of them generate an error related to the security groups. The log below is from nova-api.log. I'm using versions from ubuntu 12.04 LTS packages (nova*, keystone etc). snip log As we can see it says that a group in invalid because is in use. This error occurs when you try to delete a security group that is still in use by an instance. If this is an automated tear down, it could be that the instances were stopped, but it hadn't actually completed yet when the request to delete the security groups came in. You have to wait until the instances are gone before the security groups can be deleted. -- Russell Bryant ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- - MSc. Correa, J.L. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] [client] Event handling
How are we doing event handling in the client? Is there a blueprint on this somewhere? -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] 'admin' role hard-coded in keystone and nova, and policy.json
I was also wondering about this, it seems there are lots of policy.json files with hard coded roles in them, which is weird since keystone supports the creation of roles and such, but if u create a role which isn't in a policy.json then u have just caused yourself a problem, which isn't very apparent... On 5/10/12 2:32 PM, Salman A Baset saba...@us.ibm.com wrote: It seems that 'admin' role is hard-coded cross nova and horizon. As a result if I want to define 'myadmin' role, and grant it all the admin privileges, it does not seem possible. Is this a recognized limitation? Further, is there some good documentation on policy.json for nova, keystone, and glance? Thanks. Best Regards, Salman A. Baset Research Staff Member, IBM T. J. Watson Research Center Tel: +1-914-784-6248 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Cannot get ssh-key in instance
George: I can GET http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key in instance. Now I found some error about key injecting when launching instance: 2012-05-11 10:30:41 INFO nova.virt.libvirt.connection [req-e9463bab-044f-4a79-a0a4-40499894fd51 faa39ad681294b8097070541cb62e91f 1b11ffe707ea44c49ba829a5b6859b00] [instance: 2977ba83-17b5-43d4-8a95-4a97fb6ab9dd] Injecting key into image ea9903d1-098b-4f61-b87f-30d96778202f 2012-05-11 10:30:42 WARNING nova.virt.libvirt.connection [req-e9463bab-044f-4a79-a0a4-40499894fd51 faa39ad681294b8097070541cb62e91f 1b11ffe707ea44c49ba829a5b6859b00] [instance: 2977ba83-17b5-43d4-8a95-4a97fb6ab9dd] Ignoring error injecting data into image ea9903d1-098b-4f61-b87f-30d96778202f ( -- Failed to mount filesystem: Unexpected error while running command. Command: sudo nova-rootwrap mount /dev/nbd15 /tmp/tmpYGGWcf Exit code: 32 Stdout: '' Stderr: 'mount: /dev/nbd15 already mounted or /tmp/tmpYGGWcf busy\n' -- Failed to mount filesystem: Unexpected error while running command. Command: sudo nova-rootwrap guestmount --rw -a /data/openstack/nova/instances/instance-0014/disk -m /dev/sda /tmp/tmpYGGWcf Exit code: 1 Stdout: '' Stderr: 'Traceback (most recent call last):\n File /usr/bin/nova-rootwrap, line 69, in module\n env=filtermatch.get_environment(userargs))\n File /usr/lib/python2.7/subprocess.py, line 679, in __init__\nerrread, errwrite)\n File /usr/lib/python2.7/subprocess.py, line 1249, in _execute_child\nraise child_exception\nOSError: [Errno 2] No such file or directory\n') ^C On Thu, May 10, 2012 at 10:42 PM, George Mihaiescu george.mihaie...@q9.comwrote: ** Hi, First, check if nova-api is running on the host where your nova-network runs (same as nova-compute if using a multi_host=true setup). Second, using the console of the instance check if your instance can access the API service by doing a: *GET http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key* You can also read this doc for more info about the metadata service: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html George -- *From:* openstack-bounces+george.mihaiescu=q9@lists.launchpad.net[mailto: openstack-bounces+george.mihaiescu=q9@lists.launchpad.net] *On Behalf Of *livemoon *Sent:* Thursday, May 10, 2012 9:26 AM *To:* Yong Sheng Gong *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Cannot get ssh-key in instance I am sure image is ok since of I use the same image in both older version installed via devstack on ubuntu11.10 and new version installed on ubuntu12.04. In older version, it can work well. but now it cannot. Am I missing something in nova.conf ? On Thu, May 10, 2012 at 8:29 PM, Yong Sheng Gong gong...@cn.ibm.comwrote: have you started the instance with keypair? -openstack-bounces+gongysh=cn.ibm@lists.launchpad.net wrote: - To: livemoon mwjpi...@gmail.com mwjpi...@gmail.com From: Razique Mahroua razique.mahr...@gmail.comrazique.mahr...@gmail.com Sent by: openstack-bounces+gongysh=cn.ibm@lists.launchpad.net Date: 05/10/2012 06:29PM Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Cannot get ssh-key in instance Hey livememon, is it possible to see the content of the rc.local. Also, are other instances able to reach the metadata server ? livemoon mwjpi...@gmail.com 10 mai 2012 12:24 I running an instance(ubuntu or centos), and it cannot get keypair. In ubuntu12.04, I have install cloud-init and in centos I have add some command into /etc/rc.local There is some of instance's logs about cloud-init: cloud-init start-local running: Thu, 10 May 2012 10:17:33 +. up 4.47 seconds no instance data found in start-local ci-info: lo: 1 127.0.0.1 255.0.0.0 . ci-info: eth0 : 1 10.0.200.5 255.255.255.224 fa:16:3e:6a:30:7c ci-info: route-0: 0.0.0.0 10.0.200.1 0.0.0.0 eth0 UG ci-info: route-1: 10.0.200.0 0.0.0.0 255.255.255.224 eth0 U cloud-init start running: Thu, 10 May 2012 10:17:33 +. up 5.00 seconds no instance data found in start I think it maybe some missing in nova host, How to fix it? -- 非淡薄无以明志,非宁静无以致远 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- Razique Mahroua Nuage Co - Razique Mahroua razique.mahr...@gmail.com ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- 非淡薄无以明志,非宁静无以致远 -- 非淡薄无以明志,非宁静无以致远
Re: [Openstack] [Documentation] Missing section in documentation
There's a very related open review in progress concerning the auth_token docs at http://keystone.openstack.org/ as well. https://review.openstack.org/#/c/7217 -Dolph On Thu, May 10, 2012 at 12:09 AM, Milind milindkpa...@gmail.com wrote: Hi, In Admin installation document guide of Ubuntu 12.04 in the section 5. Installing OpenStack Compute and Image Service Following settings are missing. [filter:authtoken] paste.filter_factory = keystone.middleware.auth_token:filter_factory service_protocol = http service_host = *IP* service_port = 5000 auth_host = *IP* auth_port = *35357 * auth_protocol = http auth_uri = http://*IP*:5000/ admin_token = 012345SECRET99TOKEN012345 This is very much annoying because lot of people are getting error when they try to upload image in glance and get the following error which also has type *Unavilable* *The request returned 503 Service Unavilable. This generally occurs on service overload or other transient outage. * Regards, Milind Patil +919890119176 ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] glance keystone authentication problem
Ubuntu 12.04 Essex. # glance index Failed to show index. Got error: You are not authenticated. Details: 401 Unauthorized This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required. Authentication required # glance --os_username=glance --os_password=glance --os_tenant=service --os_auth_url=http://127.0.0.1:5000/v2.0 index Failed to show index. Got error: You are not authenticated. Details: 401 Unauthorized This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required. Authentication required --- In the keystone log file i see the error bellow. 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Retrying validation 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Keystone rejected admin token {'X-Auth-Token': u'6f220a2e7e324bf4bd7a96040f364316'}, resetting 2012-05-11 10:03:11 18461 WARNING [keystone.middleware.auth_token] Invalid user token: 238dc305de1e418b8b81bee4f648f984. Keystone response: {u'error': {u'message': u'The request you have made requires authentication.', u'code': 401, u'title': u'Not Authorized'}}. 2012-05-11 10:03:11 18461 INFO [keystone.middleware.auth_token] Invalid user token - rejecting request Not understanding where could be the problem. glace user is mapped to admin role in the service tenant. glance endpoint is created. I have specified glance user name, password and the service tenant in glance-api/registry files, and keystone authentication specified. Anyone tell me what could be the problem? Thank you. -- Thanks Regards, Shashi Kanth ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] VM loses network conectivity
Hi all. I am using ubuntu 12.04 essex. 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux. After a while, with high traffic, the instances loses network and they end being unreachables, only being able to connect using terminal. My network/interfaces are auto lo iface lo inet loopback # The primary network interface auto bond0 iface bond0 inet manual slaves eth0 eth1 bond_mode 4 bond_miimon 100 bond_downdelay 200 bond_updelay 200 bond_lacp_rate 1 auto vlan11 iface vlan11 inet static address 10.1.8.13 netmask 255.255.255.0 gateway 10.1.8.1 dns-search despexds.net vlan-raw-device bond0 auto vlan55 iface vlan55 inet manual vlan-raw-device bond0 I've seen this, https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/584048 but it is quite old and I think the patches are merged in the distribution I am using. Also, as far as I understand, there they talk about bridge changing mac address and I don't see it is happening. Also, I've seen this, http://bugs.centos.org/view.php?id=5526 which matches my case except I am using ubuntu. Sorry if it is not the right list to post. Thanks. Carlos. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp