[Openstack] Reply: [openstack-dev] Release naming for P and Q open for nominations

2016-06-21 Thread Lizhonghua (C)

2016-6-22 4:50 Monty Taylor [mailto:mord...@inaugust.com] wrote:
> Hey everyone!
> 
> It's time to pick a name for the P and Q releases.
> 
> If you have a name you'd like us to vote on, please add it here:
> 
> https://wiki.openstack.org/wiki/Release_Naming/P_Proposals
> 
> https://wiki.openstack.org/wiki/Release_Naming/Q_Proposals
> 
> The nominations will be open until 2016-06-28 23:59:59 UTC.
> 
> If you don't remember the rules, they're here:
> 
> http://governance.openstack.org/reference/release-naming.html
> 
> Names which do not meet these criteria but otherwise sound really cool should 
> be added to a separate section of the wiki page and the TC may make an 
> exception for one or more of them to be considered in the Condorcet poll. The 
> naming official is responsible for presenting the list of exceptional names 
> for consideration to the TC before the poll opens.

I propose "Panda"[1] as a nominated name of P.
Though it doesn't meet the criteria, I think it is a cool word; may it be made
an exception?

[1] https://en.wikipedia.org/wiki/Giant_panda 
___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


[Openstack] Ironic node information including credentials exposed to unauthenticated users

2016-06-21 Thread Jim Rollenhagen
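==============================================================================
Ironic node information including credentials exposed to unauthenticated users
==============================================================================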

:Date: June 21, 2016
:CVE: CVE-2016-4985


Affects
~~~~~~~
- Ironic: >=2014.2, >=4.0.0 <=4.2.4, >=4.3.0 <=5.1.1


Description
~~~~~~~~~~~
Devananda van der Veen (IBM) reported the following vulnerability in Ironic.

A client with network access to the ironic-api service can bypass Keystone
authentication and retrieve all information about any Node registered with
Ironic, if they know (or are able to guess) the MAC address of a network card
belonging to that Node, by sending a crafted POST request to the
/v1/drivers/$DRIVER_NAME/vendor_passthru resource.

The response will include the full Node details, including management
passwords, even when /etc/ironic/policy.json is configured to hide passwords in
API responses.

This vulnerability has been verified in all currently supported branches
(liberty, mitaka, master) and traced back to code introduced in commit
3e568fbbbcc5748035c1448a0bdb26306470797c during the Juno development cycle.
Therefore, it is likely that both juno and kilo branches (and their releases)
are also affected.


Patches
~~~~~~~
https://review.openstack.org/332195 (Newton)
https://review.openstack.org/332196 (Mitaka)
https://review.openstack.org/332197 (Liberty)


Credits
~~~~~~~
- Devananda van der Veen from IBM (CVE-2016-4985)

References
~~~~~~~~~~
- https://bugs.launchpad.net/ironic/+bug/1572796
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4985

Notes
~~~~~
- This fix is included in the upcoming 4.2.5 (Liberty), 5.1.2 (Mitaka), and
  6.0.0 (Newton) releases of Ironic.


--
Jim Rollenhagen
OpenStack Ironic Project Team Lead
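
An added example, not part of the advisory or of Ironic's code: one way to triage ironic-api access logs for the request described above, POSTs to /v1/drivers/$DRIVER_NAME/vendor_passthru that arrive from outside the networks expected to use that resource. The combined-log format, the `PROVISIONING_NETS` range, the driver name and the status codes in the sample lines are assumptions constructed for illustration.

```python
"""Triage ironic-api access logs for requests matching CVE-2016-4985."""
import ipaddress
import re

# Apache/NCSA combined-log prefix: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Resource named in the advisory: /v1/drivers/$DRIVER_NAME/vendor_passthru
PASSTHRU_RE = re.compile(
    r'^/v1/drivers/(?P<driver>[^/?]+)/vendor_passthru(?:[/?]|$)'
)

# Assumption: the only networks that should reach this resource at all.
PROVISIONING_NETS = (ipaddress.ip_network("10.20.0.0/24"),)

# Constructed sample lines (documentation address ranges, made-up sizes).
SAMPLE_LOG = """\
10.20.0.15 - - [21/Jun/2016:09:12:01 +0000] "POST /v1/drivers/agent_ipmitool/vendor_passthru HTTP/1.1" 200 1843
203.0.113.7 - - [21/Jun/2016:09:14:10 +0000] "POST /v1/drivers/agent_ipmitool/vendor_passthru HTTP/1.1" 404 112
203.0.113.7 - - [21/Jun/2016:09:14:11 +0000] "POST /v1/drivers/agent_ipmitool/vendor_passthru HTTP/1.1" 404 112
203.0.113.7 - - [21/Jun/2016:09:14:12 +0000] "POST /v1/drivers/agent_ipmitool/vendor_passthru HTTP/1.1" 200 1851
198.51.100.23 - - [21/Jun/2016:09:20:00 +0000] "GET /v1/nodes HTTP/1.1" 401 87
198.51.100.23 - - [21/Jun/2016:09:20:05 +0000] "GET /v1/drivers/agent_ipmitool/vendor_passthru/methods HTTP/1.1" 401 87
""".splitlines()


def _is_allowed(client, allowed_nets):
    """True if the logged client address falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        # Hostname or malformed field: cannot be vouched for, so report it.
        return False
    return any(addr in net for net in allowed_nets)


def suspect_passthru_posts(lines, allowed_nets=PROVISIONING_NETS):
    """Summarise vendor_passthru POSTs per client outside allowed_nets.

    Returns {client: {"requests": n, "succeeded": n, "drivers": set()}}.
    "succeeded" counts 2xx answers, i.e. responses that may have carried
    full Node details and therefore call for credential rotation.
    """
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        p = PASSTHRU_RE.match(m.group("target"))
        if not p:
            continue
        client = m.group("client")
        if _is_allowed(client, allowed_nets):
            continue
        entry = findings.setdefault(
            client, {"requests": 0, "succeeded": 0, "drivers": set()}
        )
        entry["requests"] += 1
        entry["drivers"].add(p.group("driver"))
        if m.group("status").startswith("2"):
            entry["succeeded"] += 1
    return findings


if __name__ == "__main__":
    for client, info in sorted(suspect_passthru_posts(SAMPLE_LOG).items()):
        print(
            f"{client}: {info['requests']} POST(s), "
            f"{info['succeeded']} answered 2xx, "
            f"drivers={sorted(info['drivers'])}"
        )
```

A client with several failed requests followed by a 2xx answer fits the "able to guess the MAC address" case in the description; any 2xx answer to an unexpected source is reason to treat that Node's management password as disclosed.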





[Openstack] Release naming for P and Q open for nominations

2016-06-21 Thread Monty Taylor
Hey everyone!

It's time to pick a name for the P and Q releases.

If you have a name you'd like us to vote on, please add it here:

https://wiki.openstack.org/wiki/Release_Naming/P_Proposals

https://wiki.openstack.org/wiki/Release_Naming/Q_Proposals

The nominations will be open until 2016-06-28 23:59:59 UTC.

If you don't remember the rules, they're here:

http://governance.openstack.org/reference/release-naming.html

But I'll paste in the text here:

The following rules are designed to provide some consistency in the
pattern used to select release names, provide a fun challenge in finding
names that meet the criteria, and prevent unwieldy names from being chosen.

  1  Each release name must start with the letter of the ISO basic Latin
alphabet following the initial letter of the previous release, starting
with the initial release of “Austin”. After “Z”, the next name should
start with “A” again.

  2  The name must be composed only of the 26 characters of the ISO
basic Latin alphabet. Names which can be transliterated into this
character set are also acceptable.

  3  The name must refer to the physical or human geography of the
region encompassing the location of the OpenStack design summit for the
corresponding release.

  4  The name must be a single word with a maximum of 10 characters.
Words that describe the feature should not be included, so “Foo City” or
“Foo Peak” would both be eligible as “Foo”.

Names which do not meet these criteria but otherwise sound really cool
should be added to a separate section of the wiki page and the TC may
make an exception for one or more of them to be considered in the
Condorcet poll. The naming official is responsible for presenting the
list of exceptional names for consideration to the TC before the poll opens.

Monty



Re: [Openstack] Openstack Mitaka Domain question

2016-06-21 Thread Brad Pokorny
When you said "I use the same file for both horizon and keystone", I'm
wondering if that means your Keystone policy file in Horizon is called
policy.json. By default, it will need to be called keystone_policy.json.
And if you installed everything with devstack, it will need to be in
/opt/stack/horizon/openstack_dashboard/conf. Is that the case?

Also, could you attach your local_settings.py file from Horizon?

Thanks,
Brad

On 6/21/16, 12:01 AM, "Eugen Block"  wrote:

>> Could you attach copies of your Keystone policy.json file and your
>>Horizon
>> keystone_policy.json file?
>
>I use the same file for both horizon and keystone, it's attached to
>this email. Please note that I changed the cloud_admin rule to use the
>user_id of my admin user because domain_id didn't work.
>
>> What method did you use to find out the ID of the domain named Default?
>
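>control1:/etc/keystone # openstack domain list
>+----------------------------------+---------+---------+----------------+
>| ID                               | Name    | Enabled | Description    |
>+----------------------------------+---------+---------+----------------+
>| 696819fc8d8d40129ca3a7b54145ba9e | heat    | True    | Stack projects |
>| d17c72d57ef344da922500b4f69de4b2 | users   | True    |                |
>| default                          | Default | True    |                |
>+----------------------------------+---------+---------+----------------+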
>
>> What method did you use to check whether the cloud_admin user has the
>> admin role on the Default domain?
>
>I followed your link in your previous answer
>http://www.symantec.com/connect/blogs/domain-support-horizon-here.
>Here's the CLI output to show the role assignment:
>
>control1:/etc/keystone # openstack role list | grep admin
>| 465e2e9e201948668289ceb013277a50 | admin|
>
>control1:/etc/keystone # openstack user list | grep admin
>| 89c5dcc8793d4867bae22d50e51e16b3 | admin  |
>
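>control1:/etc/keystone # openstack role assignment list | grep default
>+----------------------------------+----------------------------------+-------+---------+---------+-----------+
>| Role                             | User                             | Group | Project | Domain  | Inherited |
>+----------------------------------+----------------------------------+-------+---------+---------+-----------+
>| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3 |       |         | default | False     |
>+----------------------------------+----------------------------------+-------+---------+---------+-----------+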
>
>Regards,
>Eugen
>
>Quoting Brad Pokorny:
>
>> Could you attach copies of your Keystone policy.json file and your
>>Horizon
>> keystone_policy.json file?
>>
>> What method did you use to find out the ID of the domain named Default?
>>
>> What method did you use to check whether the cloud_admin user has the
>> admin role on the Default domain?
>>
>> Thanks,
>> Brad
>>
>> On 6/20/16, 8:05 AM, "Eugen Block"  wrote:
>>
>>> Referring to the invisible domain field in the sidebar-accordion, I
>>> tried to investigate Horizon with Firebug. If I get it right, the
>>> identity panel is constructed in
>>> 
>>>/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html
>>>.
>>> But
>>> only four panels are built, projects, users, groups and roles. How can
>>> I find out why the domain panel is not built here?
>>>
>>> I'm logged in as the cloud_admin, in the apache logs I don't see
>>> permission errors or anything, so that shouldn't be an issue.
>>>
>>> Here's some information on the dashboard version I'm using:
>>>
>>> control1:/etc/keystone # rpm -qi
>>> openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
>>> Name: openstack-dashboard
>>> Version : 9.0.2~a0~dev6
>>> Release : 1.1
>>> Architecture: noarch
>>> Install Date: Fr 17 Jun 2016 16:08:08 CEST
>>> Group   : Development/Languages/Python
>>> Size: 50738471
>>> License : Apache-2.0
>>> Signature   : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
>>> 893a90dad85f9316
>>> Source RPM  : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
>>> Build Date  : Fr 17 Jun 2016 05:07:19 CEST
>>> Build Host  : build33
>>> Relocations : (not relocatable)
>>> Vendor  : obs://build.opensuse.org/Cloud:OpenStack
>>> URL : http://wiki.openstack.org/OpenStackDashboard
>>> Summary : OpenStack Dashboard (Horizon)
>>>
>>>
>>> Any idea what goes wrong here?
>>>
>>> Regards,
>>> Eugen
>>>
>>>
>>> Quoting Brad Pokorny:
>>>
>>>> I added a "Common Issues" section to this blog post with some things
>>>> I've seen that have tripped people up:
>>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here
>>>>
>>>> Resolving those things should at least get the Domains dashboard to
>>>> show up in Horizon. If everything is properly set up, it will show up
>>>> under the Identity left nav.
>>>>
>>>> That may also resolve your second issue with CLI commands. If not, it
>>>> could be that you're getting a p

Re: [Openstack] Projects deals tricky job

2016-06-21 Thread Timothy Symanczyk
We implemented something here at Symantec that sounds very similar to what
you're both talking about. We have three levels of Admin - Cloud, Domain,
and Project. If you're interested in checking it out, we actually
presented on this topic in Austin.

The presentation : https://www.youtube.com/watch?v=v79kNddKbLc

All the referenced files can be found in our github here :
https://github.com/Symantec/Openstack_RBAC

Specifically you may want to check out our keystone policy file that
defines cloud_admin domain_admin and project_admin :
https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json

Tim

On 6/20/16, 5:17 AM, "Eugen Block"  wrote:

>I believe you are trying to accomplish the same configuration as I do,
>so I think domains are the answer. You can divide your cloud into
>different domains and grant admin rights to specific users, which are
>not authorized to see the other domains. Although I'm still not sure
>if I did it correctly and it's not fully resolved yet, here is a
>thread I started a few days ago:
>
>http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
>
>Regards,
>Eugen
>
>Quoting Venkatesh Kotipalli:
>
>> Hi Folks,
>>
>> Is it possible to create a project admin in openstack.
>>
>> As we identified when ever we created a project admin it will show
>>entire
>> cloud (Like : other users and all services completely admin access).
>>but i
>> want to see the particular project users,admins and control all the
>> services.
>>
>> Guys please help me this part. I am really very confused.
>>
>> Regards,
>> Venkatesh.k
>
>
>
>-- 
>Eugen Block voice   : +49-40-559 51 75
>NDE Netzdesign und -entwicklung AG  fax : +49-40-559 51 77
>Postfach 61 03 15
>D-22423 Hamburg e-mail  : ebl...@nde.ag
>
> Chairwoman of the Supervisory Board: Angelika Mozdzen
>   Registered office and court of registration: Hamburg, HRB 90934
>   Executive Board: Jens-U. Mozdzen
>VAT ID No. DE 814 013 983
>


Re: [Openstack] Devstack Auth Error in Neutron

2016-06-21 Thread Adam Young

On 06/17/2016 08:03 AM, Mohan Kumar wrote:

> Karun,
>
> Please check q-svc (neutron) service is running or not ! Error
> complaining that  keystone url is not reachable to authenticate ,  IP
> 192.168.202.130 should be reachable and keystone service should be
> active .
>
> Maybe you can rerun devstack if you host dhcp ip got changed .

This is a client side warning.  Nothing on the server side is involved.
You are trying to call the client without a valid Auth plugin
specified.  Set Env vars or pass command line parameters to use the
v3password auth plugin

> Thanks.,
> Mohankumar.N


On Thu, Jun 16, 2016 at 12:18 PM, karun pruthi <karun.pruth...@gmail.com> wrote:


Hi Mohan

Thanks for the reply i did

karun@ubuntu:~/devstack$ source openrc admin admin as using as admin

WARNING: setting legacy OS_TENANT_NAME to support cli tools.

But again on trying to create VIP i get error as below:-

karun@ubuntu:~/devstack$ neutron lbaas-loadbalancer-create --name
lb1 private-subnet
Unable to establish connection to
http://192.168.202.130:9696/v2.0/subnets.json?fields=id&name=private-subnet

do i need to run stack.sh again though i was logged in Horizon URL
as such!!

Is there something still i am missing!!

Thanks & Regards
Karun


On Thu, Jun 16, 2016 at 11:02 AM, Mohan Kumar <nmohankumar1...@gmail.com> wrote:

Hi Karun,

You need to set authentication identity plugins ,  It defines
on which user  credential you want to execute open-stack
commands . By default DevStack installs 2 mains users 1. admin
2. demo

This is how you use the credentials of the user demo:

stack@devstack:~/devstack$ source openrc

This is how you use the credentials of the user admin:

stack@devstack:~/devstack$ source openrc admin admin

To go back to the user demo simply do:

stack@devstack:~/devstack$ source openrc demo demo

Thanks.,
Mohankumar.N


On Wed, Jun 15, 2016 at 4:04 PM, karun pruthi <karun.pruth...@gmail.com> wrote:
>
> Hi
>
> I have a devstack running on ubuntu LTS 14.04 and trying to
setup lbaas setup using the url as below:-
>
> https://wiki.openstack.org/wiki/Neutron/LBaaS/HowToRun
>
> But getting error as below when trying to create vip using
neutron lbaas-loadbalancer-create --name lb1 private-subnet
>
> An auth plugin is required to fetch a token
>
> Can someone please guide how to correct this !!
>
> Thanks & Regards
> Karun
>
>
>


Re: [Openstack] [Tempest] two-node setup verification

2016-06-21 Thread Paul S.
Thanks, I will try that to see how different repo will affect the tempest
errors that I get!

On Tue, Jun 21, 2016 at 6:59 PM, Remo Mattei  wrote:

>
>- On RHEL:
>
>$ sudo yum install -y https://www.rdoproject.org/repos/rdo-release.rpm
>$ sudo yum update -y
>$ sudo yum install -y openstack-packstack
>$ packstack --allinone
>
>- On CentOS:
>
>$ sudo yum install -y centos-release-openstack-mitaka
>$ sudo yum update -y
>$ sudo yum install -y openstack-packstack
>$ packstack --allinone
>
>
>
>
>
> On Jun 21, 2016, at 08:26, Paul S.  wrote:
>
> >do you use this on RHEL?
> No, actually I was using that on the CentOS 7.2, and I saw that repo as a
> legit one in a lot of openstack guides available on the Internet. So what
> repo should I use instead of it, and what would be the difference that I
> should know of?
>
> On Tue, Jun 21, 2016 at 5:51 PM, Remo Mattei  wrote:
>
>> Hi Paul,
>> do you use this on RHEL? If you do then the rdo repo is ok, if you are
>> using it on CentOS then the packages have changed.
>>
>> My 2 cents.
>>
>> Remo
>>
>> On Jun 21, 2016, at 07:17, Paul S.  wrote:
>>
>> Hi everyone,
>>
>> I've installed the openstack mitaka with packstack on a two-node setup to
>> get some common knowledge for the openstack. I use tempest to verify the
>> openstack components, so as for now I've got a couple of errors I hope you
>> can help me with. I've attached my latest errors log with the errors that I
>> get as I've managed to fix a lot or to find some workarounds, most of which
>> were due to the packstack not setting the configuration files properly.
>>
>> The errors that disappoint me most have "AssertionError: False is not
>> true : Public subnets visible" and "MismatchError" traceback messages. As
>> for the first one, I've found the following link
>>
>> https://bugs.launchpad.net/neutron/+bug/1553595
>>
>> so as far as I can tell that problem is typical for the neutron
>> configuration that I use, and the fix will soon be in the stable neutron
>> packages that I can get from the
>> http://rdo.fedorapeople.org/rdo-release.rpm repository, so soon I
>> wouldn't be experiencing these errors.
>>
>> As for the 2nd one, I don't have any idea, and I was not able to find the
>> solution since I've checked if the cinder services are running on the
>> storage host, and they do indeed have the "active" status, and the basic
>> functionality like the creation and the attachment of a volume to an
>> instance.
>>
>> Thanks in advance for any help here!
>>
>> --
>> sincerely, Paul
>
>
> --
> sincerely, Paul
>
>
>


-- 
sincerely, Paul


Re: [Openstack] [Tempest] two-node setup verification

2016-06-21 Thread Remo Mattei
On RHEL:
$ sudo yum install -y https://www.rdoproject.org/repos/rdo-release.rpm
$ sudo yum update -y
$ sudo yum install -y openstack-packstack
$ packstack --allinone
On CentOS:
$ sudo yum install -y centos-release-openstack-mitaka
$ sudo yum update -y
$ sudo yum install -y openstack-packstack
$ packstack --allinone



> On Jun 21, 2016, at 08:26, Paul S.  wrote:
> 
> >do you use this on RHEL?
> No, actually I was using that on the CentOS 7.2, and I saw that repo as a 
> legit one in a lot of openstack guides available on the Internet. So what 
> repo should I use instead of it, and what would be the difference that I 
> should know of?
> 
> On Tue, Jun 21, 2016 at 5:51 PM, Remo Mattei  > wrote:
> Hi Paul, 
> do you use this on RHEL? If you do then the rdo repo is ok, if you are using 
> it on CentOS then the packages have changed. 
> 
> My 2 cents. 
> 
> Remo 
>> On Jun 21, 2016, at 07:17, Paul S. > > wrote:
>> 
>> Hi everyone,
>> 
>> I've installed the openstack mitaka with packstack on a two-node setup to 
>> get some common knowledge for the openstack. I use tempest to verify the 
>> openstack components, so as for now I've got a couple of errors I hope you 
>> can help me with. I've attached my latest errors log with the errors that I 
>> get as I've managed to fix a lot or to find some workarounds, most of which 
>> were due to the packstack not setting the configuration files properly.
>> 
>> The errors that disappoint me most have "AssertionError: False is not true : 
>> Public subnets visible" and "MismatchError" traceback messages. As for the 
>> first one, I've found the following link
>> 
>> https://bugs.launchpad.net/neutron/+bug/1553595 
>> 
>> 
>> so as far as I can tell that problem is typical for the neutron 
>> configuration that I use, and the fix will soon be in the stable neutron 
>> packages that I can get from the http://rdo.fedorapeople.org/rdo-release.rpm 
>>  repository, so soon I wouldn't 
>> be experiencing these errors.
>> 
>> As for the 2nd one, I don't have any idea, and I was not able to find the 
>> solution since I've checked if the cinder services are running on the 
>> storage host, and they do indeed have the "active" status, and the basic 
>> functionality like the creation and the attachment of a volume to an 
>> instance.
>> 
>> Thanks in advance for any help here!
>> 
>> -- 
>> sincerely, Paul
> 
> 
> 
> 
> -- 
> sincerely, Paul



Re: [Openstack] [Tempest] two-node setup verification

2016-06-21 Thread Paul S.
>do you use this on RHEL?
No, actually I was using that on the CentOS 7.2, and I saw that repo as a
legit one in a lot of openstack guides available on the Internet. So what
repo should I use instead of it, and what would be the difference that I
should know of?

On Tue, Jun 21, 2016 at 5:51 PM, Remo Mattei  wrote:

> Hi Paul,
> do you use this on RHEL? If you do then the rdo repo is ok, if you are
> using it on CentOS then the packages have changed.
>
> My 2 cents.
>
> Remo
>
> On Jun 21, 2016, at 07:17, Paul S.  wrote:
>
> Hi everyone,
>
> I've installed the openstack mitaka with packstack on a two-node setup to
> get some common knowledge for the openstack. I use tempest to verify the
> openstack components, so as for now I've got a couple of errors I hope you
> can help me with. I've attached my latest errors log with the errors that I
> get as I've managed to fix a lot or to find some workarounds, most of which
> were due to the packstack not setting the configuration files properly.
>
> The errors that disappoint me most have "AssertionError: False is not true
> : Public subnets visible" and "MismatchError" traceback messages. As for
> the first one, I've found the following link
>
> https://bugs.launchpad.net/neutron/+bug/1553595
>
> so as far as I can tell that problem is typical for the neutron
> configuration that I use, and the fix will soon be in the stable neutron
> packages that I can get from the
> http://rdo.fedorapeople.org/rdo-release.rpm repository, so soon I
> wouldn't be experiencing these errors.
>
> As for the 2nd one, I don't have any idea, and I was not able to find the
> solution since I've checked if the cinder services are running on the
> storage host, and they do indeed have the "active" status, and the basic
> functionality like the creation and the attachment of a volume to an
> instance.
>
> Thanks in advance for any help here!
>
> --
> sincerely, Paul
>
>
>


-- 
sincerely, Paul


Re: [Openstack] [Tempest] two-node setup verification

2016-06-21 Thread Remo Mattei
Hi Paul, 
do you use this on RHEL? If you do then the rdo repo is ok, if you are using it 
on CentOS then the packages have changed. 

My 2 cents. 

Remo 
> On Jun 21, 2016, at 07:17, Paul S.  wrote:
> 
> Hi everyone,
> 
> I've installed the openstack mitaka with packstack on a two-node setup to get 
> some common knowledge for the openstack. I use tempest to verify the 
> openstack components, so as for now I've got a couple of errors I hope you 
> can help me with. I've attached my latest errors log with the errors that I 
> get as I've managed to fix a lot or to find some workarounds, most of which 
> were due to the packstack not setting the configuration files properly.
> 
> The errors that disappoint me most have "AssertionError: False is not true : 
> Public subnets visible" and "MismatchError" traceback messages. As for the 
> first one, I've found the following link
> 
> https://bugs.launchpad.net/neutron/+bug/1553595 
> 
> 
> so as far as I can tell that problem is typical for the neutron configuration 
> that I use, and the fix will soon be in the stable neutron packages that I 
> can get from the http://rdo.fedorapeople.org/rdo-release.rpm 
>  repository, so soon I wouldn't 
> be experiencing these errors.
> 
> As for the 2nd one, I don't have any idea, and I was not able to find the 
> solution since I've checked if the cinder services are running on the storage 
> host, and they do indeed have the "active" status, and the basic 
> functionality like the creation and the attachment of a volume to an instance.
> 
> Thanks in advance for any help here!
> 
> -- 
> sincerely, Paul



Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Cynthia Lopes
Hi,

First of all, I think this question did not get answered:

-I'll try that thanx. How do you do that with the "openstack" command?

If not, the command is: openstack volume create --size (size in GB) --image
(image name or id) volume_name

Just for info the cinder command was not exact, it should be: cinder create
--image-id --display-name


I agree with Eugen that you should make sure you can create a volume and
attach to a VM to help understand what your problem is.
This guide explains about ephemeral storage options:
https://platform9.com/support/openstack-tutorial-storage-options-and-use-cases/

By default you should be able to create VMs with ephemeral disks (not
cinder one).
Usually you can specify the directory where VM instances disks will be
stored in the compute node on nova.conf option 'instances_path' in
[DEFAULT] section. By default it should point to
'/var/lib/nova/instances/'. It is default option so, even if it is not
there, this should work.
Nova compute config options:
http://docs.openstack.org/liberty/config-reference/content/list-of-compute-config-options.html


The command to create the VM with an ephemeral disk (nova local storage and
not cinder) is:
openstack server create --image (image id or name) --flavor (flavor id or
name) vm_name


Concerning the flavor, I think the flavor you use should have the same disk
size as the disk. At least, for me when I try to boot a VM from a volume
that is not the same size of the flavor, I get BadRequest error.

Let us know if you manage to boot a VM so you can try to attach a volume to
it.

Good luck with all that.

Kind regards,
Cynthia


2016-06-21 13:36 GMT+01:00 Eugen Block :

> If it was the flavor, you would get different errors, something like
> "flavor disk too small" or "out of memory". Again, I recommend to launch an
> instance on local disk to see if that is working, then fix the iscsi issue
> to be able to create volumes at all, first empty volumes, then from an
> image and so on.
>
>
> Quoting Turbo Fredriksson:
>
> On Jun 21, 2016, at 12:19 PM, Abhishek Shrivastava wrote:
>>
>> Have you tried any other flavors?
>>>
>>
>> No, I never saw the point. The resources I specified was well within
>> the flavors rules. And the error was "Block Device Mapping is Invalid"
>> I can not see how changing the flavor would change that.
>> --
>> System administrators motto:
>> You're either invisible or in trouble.
>> - Unknown
>>
>>
>>
>
>
>


[Openstack] [Tempest] two-node setup verification

2016-06-21 Thread Paul S.
Hi everyone,

I've installed the openstack mitaka with packstack on a two-node setup to
get some common knowledge for the openstack. I use tempest to verify the
openstack components, so as for now I've got a couple of errors I hope you
can help me with. I've attached my latest errors log with the errors that I
get as I've managed to fix a lot or to find some workarounds, most of which
were due to the packstack not setting the configuration files properly.

The errors that disappoint me most have "AssertionError: False is not true
: Public subnets visible" and "MismatchError" traceback messages. As for
the first one, I've found the following link

https://bugs.launchpad.net/neutron/+bug/1553595

so as far as I can tell that problem is typical for the neutron
configuration that I use, and the fix will soon be in the stable neutron
packages that I can get from the http://rdo.fedorapeople.org/rdo-release.rpm
repository, so soon I wouldn't be experiencing these errors.

As for the 2nd one, I don't have any idea, and I was not able to find the
solution since I've checked if the cinder services are running on the
storage host, and they do indeed have the "active" status, and the basic
functionality like the creation and the attachment of a volume to an
instance.

Thanks in advance for any help here!

-- 
sincerely, Paul
tempest.api.network.test_networks.NetworksIpV6Test.test_external_network_visibility[id-af774677-42a9-4e4b-bb58-16fe6a5bc1ec,smoke]
--

Captured traceback:
~~~
Traceback (most recent call last):
  File "/var/lib/tempest/tempest/test.py", line 157, in wrapper
    return func(*func_args, **func_kwargs)
  File "/var/lib/tempest/tempest/api/network/test_networks.py", line 391, in test_external_network_visibility
    self.assertEmpty(body['subnets'], "Public subnets visible")
  File "/var/lib/tempest/tempest/test.py", line 651, in assertEmpty
    self.assertTrue(len(list) == 0, msg)
  File "/var/lib/tempest/.venv/lib/python2.7/site-packages/unittest2/case.py", line 702, in assertTrue
    raise self.failureException(msg)
AssertionError: False is not true : Public subnets visible


tempest.api.network.test_extensions.ExtensionsTestJSON.test_list_show_extensions[id-ef28c7e6-e646-4979-9d67-deb207bc5564,smoke]
---

Captured traceback:
~~~
Traceback (most recent call last):
  File "/var/lib/tempest/tempest/api/network/test_extensions.py", line 69, in test_list_show_extensions
self.assertIn(e, actual_alias)
  File "/var/lib/tempest/.venv/lib/python2.7/site-packages/testtools/testcase.py", line 417, in assertIn
self.assertThat(haystack, Contains(needle), message)
  File "/var/lib/tempest/.venv/lib/python2.7/site-packages/testtools/testcase.py", line 498, in assertThat
raise mismatch_error
testtools.matchers._impl.MismatchError: 'metering' not in [u'default-subnetpools', u'network-ip-availability',
u'network_availability_zone', u'auto-allocated-topology', u'ext-gw-mode', u'binding', u'agent', u'subnet_allocation',
u'l3_agent_scheduler', u'tag', u'external-net', u'net-mtu', u'availability_zone', u'quotas', u'l3-ha', u'provider',
u'multi-provider', u'address-scope', u'extraroute', u'timestamp_core', u'router', u'extra_dhcp_opt', u'dns-integration',
u'security-group', u'dhcp_agent_scheduler', u'router_availability_zone', u'rbac-policies', u'standard-attr-description',
u'port-security', u'allowed-address-pairs', u'dvr']


setUpClass (tempest.api.network.test_metering_extensions.MeteringIpV6TestJSON)
--

Captured traceback:
~~~
Traceback (most recent call last):
  File "/var/lib/tempest/tempest/test.py", line 279, in setUpClass
six.reraise(etype, value, trace)
  File "/var/lib/tempest/tempest/test.py", line 272, in setUpClass
cls.resource_setup()
  File "/var/lib/tempest/tempest/api/network/test_metering_extensions.py", line 39, in resource_setup
cls.metering_label = cls.create_metering_label(name, description)
  File "/var/lib/tempest/tempest/api/network/base.py", line 273, in create_metering_label
name=data_utils.rand_name("metering-label"))
  File "/var/lib/tempest/tempest/lib/services/network/metering_labels_client.py", line 21, in create_metering_label
return self.create_resource(uri, post_data)
  File "/var/lib/tempest/tempest/lib/services/network/base.py", line 60, in create_resource
resp, body = self.post(req_uri, req_post_data)
  File "/var/lib/tempest/tempest/lib/common/rest_client.py", line 270, in post
return self.request('POST', url, extra_headers, headers, body, 

Re: [Openstack] Virtual networking by hardware

2016-06-21 Thread Michael Gale
Hey,

Cisco has an ML2 plugin, old style, that integrates with the Nexus 9K to
offer vxlan hardware support.

Michael

On Mon, Jun 20, 2016 at 7:22 PM Ops Cloud  wrote:

> Hi
>
> Rather than the soft SDN solution in neutron, is there any networking
> solution which is driven by hardware?
> What I meant is, for example, VxLAN networks would be powered by hardware
> switches and routers.
> If you know any manufacturers who provide the solution, please let me
> know.
>
> Thanks.
>
> --
> Ops Cloud
> o...@19cloud.net


Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Eugen Block
If it was the flavor, you would get different errors, something like  
"flavor disk too small" or "out of memory". Again, I recommend to  
launch an instance on local disk to see if that is working, then fix  
the iscsi issue to be able to create volumes at all, first empty  
volumes, then from an image and so on.



Quoting Turbo Fredriksson:


On Jun 21, 2016, at 12:19 PM, Abhishek Shrivastava wrote:


Have you tried any other flavors?


No, I never saw the point. The resources I specified were well within
the flavor's rules. And the error was "Block Device Mapping is Invalid".
I can not see how changing the flavor would change that.
--
System administrators motto:
You're either invisible or in trouble.
- Unknown






--
Eugen Block voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG  fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail  : ebl...@nde.ag

Chairwoman of the Supervisory Board: Angelika Mozdzen
  Registered office and court of registration: Hamburg, HRB 90934
  Executive Board: Jens-U. Mozdzen
  VAT ID No. DE 814 013 983




Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Turbo Fredriksson
On Jun 21, 2016, at 12:19 PM, Abhishek Shrivastava wrote:

> Have you tried any other flavors?

No, I never saw the point. The resources I specified were well within
the flavor's rules. And the error was "Block Device Mapping is Invalid".
I can not see how changing the flavor would change that.
-- 
System administrators motto:
You're either invisible or in trouble.
- Unknown




Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Abhishek Shrivastava
Have you tried any other flavors?

For instance if you are creating a 1GB volume then you can go for the
m1.tiny flavor.

So try creating a VM having boot volume size 1GB and use flavor m1.tiny
and see if it works.

On Tue, Jun 21, 2016 at 4:36 PM, Turbo Fredriksson  wrote:

> On Jun 21, 2016, at 11:40 AM, Abhishek Shrivastava wrote:
>
> > The first thing I want to know
> >
> >   - Which VM are you creating (i.e., which OS image are you taking)?
>
> I've tried both the CirrOS and Debian GNU/Linux Jessie images.
>
>   http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
>
> http://cdimage.debian.org/cdimage/openstack/8.5.0/debian-8.5.0-openstack-amd64.qcow2
>
> >   - What size are you using and all?
>
> Size? I've tried creating a volume from those images from 2GB to 20GB.
>
> >   - Which flavor are you using for VM creation?
>
> My own take on the m1.flavor:
>
>   openstack flavor create --ram  1024 --disk 10 --vcpus 1 --disk  5 m1.tiny
> --
> I love deadlines. I love the whooshing noise they
> make as they go by.
> - Douglas Adams
>
>



-- 


*Thanks & Regards,*
*Abhishek*
*Cloudbyte Inc. *


Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Turbo Fredriksson
On Jun 21, 2016, at 11:40 AM, Abhishek Shrivastava wrote:

> The first thing I want to know
> 
>   - Which VM are you creating (i.e., which OS image are you taking)?

I've tried both the CirrOS and Debian GNU/Linux Jessie images.

  http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
  
http://cdimage.debian.org/cdimage/openstack/8.5.0/debian-8.5.0-openstack-amd64.qcow2

>   - What size are you using and all?

Size? I've tried creating a volume from those images from 2GB to 20GB.

>   - Which flavor are you using for VM creation?

My own take on the m1.flavor:

  openstack flavor create --ram  1024 --disk 10 --vcpus 1 --disk  5 m1.tiny
-- 
I love deadlines. I love the whooshing noise they
make as they go by.
- Douglas Adams




Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Abhishek Shrivastava
Hi Turbo,

The first thing I want to know

   - Which VM are you creating (i.e., which OS image are you taking)?
   - What size are you using and all?

Secondly,

   - Which flavor are you using for VM creation?


On Tue, Jun 21, 2016 at 12:56 PM, Eugen Block  wrote:

> Can't you boot an instance without cinder?
>>>
>>
>> Don't know, can I??
>>
>
> Well, you should ;-) How do you try to boot your instance, from CLI or
> Horizon? If it's Horizon, you would have to NOT click the button "Create a
> new volume --> Yes" ;-) If it's CLI it's sufficient to only execute "nova
> boot --flavor  --image  --nic net-id= (optional:
> only if you have multiple networks available) "
> This way you avoid creating a volume.
>
> You could edit nova.conf
>>>
>> How?
>>
>
> It's usually the default, although I'm really not an expert in Openstack.
> But if you simply try to set up nova on control and compute node following
> an install guide, it should bring you there.
> I followed
> http://docs.openstack.org/mitaka/install-guide-obs/nova-controller-install.html,
> there aren't many options to configure and it defaults to local file
> storage.
>
> From what I can see, it doesn't even start sharing via iSCSI
>>
>
> You should try to fix that before you try to use it with openstack.
>
> Didn't even know you could do that. Thought you HAD to use cinder/swift..
>>
>> Please point me to a faq/howto/doc on how to do that, thanx!
>>
>
> I used this guide:
>
> http://docs.openstack.org/mitaka/install-guide-obs/environment-networking-storage-cinder.html
> In the section for block storage it says "Block storage node (Optional)",
> so you wouldn't have to, but I guess it makes sense in the long term. But as
> I already said, first you should try to get an instance running at all
> before using another backend.
>
>
> Regards,
> Eugen
>
> Quoting Turbo Fredriksson:
>
> On Jun 20, 2016, at 3:27 PM, Eugen Block wrote:
>>
>> Can't you boot an instance without cinder?
>>>
>>
>> Don't know, can I??
>>
>> You could edit nova.conf to use local file system, just to have a running
>>> instance. If that works you can switch to another backend.
>>>
>>
>> How?
>>
>> cinder create --image  --name  
>>>
>>
>> I'll try that thanx. How do you do that with the "openstack" command?
>>
>> Try debugging your iscsi connection, maybe first without openstack.
>>>
>>
>> From what I can see, it doesn't even start sharing via iSCSI..
>>
>> In my environment, I first tried to get all services running and working
>>> without external backends, cinder, glance and nova all ran on local storage.
>>>
>>
>> Didn't even know you could do that. Thought you HAD to use cinder/swift..
>>
>> Please point me to a faq/howto/doc on how to do that, thanx!
>>
>> Then I tried other backends for cinder (iscsi), now all services use ceph.
>>>
>>
>> ceph?
>> --
>> Life sucks and then you die
>>
>>
>
>
>
> --
> Eugen Block voice   : +49-40-559 51 75
> NDE Netzdesign und -entwicklung AG  fax : +49-40-559 51 77
> Postfach 61 03 15
> D-22423 Hamburg e-mail  : ebl...@nde.ag
>
> Chairwoman of the Supervisory Board: Angelika Mozdzen
>   Registered office and court of registration: Hamburg, HRB 90934
>   Executive Board: Jens-U. Mozdzen
>   VAT ID No. DE 814 013 983
>
>



-- 


*Thanks & Regards,*
*Abhishek*
*Cloudbyte Inc. *


Re: [Openstack] Virtual networking by hardware

2016-06-21 Thread James Guo
Traditional network device vendors have embraced OpenStack.

So H3C and Huawei in China have implemented the solution.

From: Ops Cloud [mailto:o...@19cloud.net]
Sent: June 21, 2016 9:12
To: openstack@lists.openstack.org
Subject: [Openstack] Virtual networking by hardware

Hi

Rather than the soft SDN solution in neutron, is there any networking solution 
which is driven by hardware?
What I meant is, for example, VxLAN networks would be powered by hardware 
switches and routers.
If you know any manufacturers who provide the solution, please let me know.

Thanks.

--
Ops Cloud
o...@19cloud.net


Re: [Openstack] Create instance fails on creating block device - Block Device Mapping is Invalid

2016-06-21 Thread Eugen Block

Can't you boot an instance without cinder?


Don't know, can I??


Well, you should ;-) How do you try to boot your instance, from CLI or  
Horizon? If it's Horizon, you would have to NOT click the button  
"Create a new volume --> Yes" ;-) If it's CLI it's sufficient to only  
execute "nova boot --flavor  --image  --nic  
net-id= (optional: only if you have multiple networks  
available) "

This way you avoid creating a volume.


You could edit nova.conf

How?


It's usually the default, although I'm really not an expert in  
Openstack. But if you simply try to set up nova on control and compute  
node following an install guide, it should bring you there.
I followed  
http://docs.openstack.org/mitaka/install-guide-obs/nova-controller-install.html, there aren't many options to configure and it defaults to local file  
storage.



From what I can see, it doesn't even start sharing via iSCSI


You should try to fix that before you try to use it with openstack.


Didn't even know you could do that. Thought you HAD to use cinder/swift..

Please point me to a faq/howto/doc on how to do that, thanx!


I used this guide:
http://docs.openstack.org/mitaka/install-guide-obs/environment-networking-storage-cinder.html
In the section for block storage it says "Block storage node  
(Optional)", so you wouldn't have to, but I guess it makes sense in  
the long term. But as I already said, first you should try to get an  
instance running at all before using another backend.



Regards,
Eugen

Quoting Turbo Fredriksson:


On Jun 20, 2016, at 3:27 PM, Eugen Block wrote:


Can't you boot an instance without cinder?


Don't know, can I??

You could edit nova.conf to use local file system, just to have a  
running instance. If that works you can switch to another backend.


How?


cinder create --image  --name  


I'll try that thanx. How do you do that with the "openstack" command?


Try debugging your iscsi connection, maybe first without openstack.


From what I can see, it doesn't even start sharing via iSCSI..

In my environment, I first tried to get all services running and  
working without external backends, cinder, glance and nova all ran  
on local storage.


Didn't even know you could do that. Thought you HAD to use cinder/swift..

Please point me to a faq/howto/doc on how to do that, thanx!


Then I tried other backends for cinder (iscsi), now all services use ceph.


ceph?
--
Life sucks and then you die






--
Eugen Block voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG  fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail  : ebl...@nde.ag

Chairwoman of the Supervisory Board: Angelika Mozdzen
  Registered office and court of registration: Hamburg, HRB 90934
  Executive Board: Jens-U. Mozdzen
  VAT ID No. DE 814 013 983




Re: [Openstack] Openstack Mitaka Domain question

2016-06-21 Thread Eugen Block

Could you attach copies of your Keystone policy.json file and your Horizon
keystone_policy.json file?


I use the same file for both horizon and keystone, it's attached to  
this email. Please note that I changed the cloud_admin rule to use the  
user_id of my admin user because domain_id didn't work.



What method did you use to find out the ID of the domain named Default?


control1:/etc/keystone # openstack domain list
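+----------------------------------+---------+---------+----------------+
| ID                               | Name    | Enabled | Description    |
+----------------------------------+---------+---------+----------------+
| 696819fc8d8d40129ca3a7b54145ba9e | heat    | True    | Stack projects |
| d17c72d57ef344da922500b4f69de4b2 | users   | True    |                |
| default                          | Default | True    |                |
+----------------------------------+---------+---------+----------------+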


What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?


I followed your link in your previous answer  
http://www.symantec.com/connect/blogs/domain-support-horizon-here.

Here's the CLI output to show the role assignment:

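control1:/etc/keystone # openstack role list | grep admin
| 465e2e9e201948668289ceb013277a50 | admin |

control1:/etc/keystone # openstack user list | grep admin
| 89c5dcc8793d4867bae22d50e51e16b3 | admin |

control1:/etc/keystone # openstack role assignment list | grep default
+----------------------------------+----------------------------------+-------+---------+---------+-----------+
| Role                             | User                             | Group | Project | Domain  | Inherited |
+----------------------------------+----------------------------------+-------+---------+---------+-----------+
| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3 |       |         | default | False     |
+----------------------------------+----------------------------------+-------+---------+---------+-----------+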

Regards,
Eugen

Quoting Brad Pokorny:


Could you attach copies of your Keystone policy.json file and your Horizon
keystone_policy.json file?

What method did you use to find out the ID of the domain named Default?

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

Thanks,
Brad

On 6/20/16, 8:05 AM, "Eugen Block"  wrote:


Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in
/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html.
But only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name        : openstack-dashboard
Version     : 9.0.2~a0~dev6
Release     : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group       : Development/Languages/Python
Size        : 50738471
License     : Apache-2.0
Signature   : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID 893a90dad85f9316
Source RPM  : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date  : Fr 17 Jun 2016 05:07:19 CEST
Build Host  : build33
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/Cloud:OpenStack
URL         : http://wiki.openstack.org/OpenStackDashboard
Summary     : OpenStack Dashboard (Horizon)


Any idea what goes wrong here?

Regards,
Eugen


Quoting Brad Pokorny:


I added a "Common Issues" section to this blog post with some things I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad


On 6/9/16, 2:48 AM, "Eugen Block"  wrote:


Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.


Log in as admin under the default domain, go to the Domains dashboard


1. How can I enable the domain view in Horizon? I can't see that tab
in the dashboard, I'm not sure where to look anymore.

2. Has anyone a working separation of cloud_admin and domain_admin? I
used the v3-policy file mentioned in the last response, changed the
admin_domain_id to default as su