[openstack-dev] [[Openstack-dev] [Ironic] Ironic-conductor fails to start - AttributeError '_keepalive_evt'
Hello All, I am trying to deploy bare-metal nodes using openstack-ironic. It is a 2 - node architecture with controller/keystone/mysql on a virtual machine, and cinder/compute/nova network on a physical machine on a CentOS 7 environment. openstack-ironic-common-2014.2-2.el7.centos.noarch openstack-ironic-api-2014.2-2.el7.centos.noarch openstack-ironic-conductor-2014.2-2.el7.centos.noarch I have followed this document, http://docs.openstack.org/developer/ironic/deploy/install-guide.html#ipmi-support and installed ironic. But when i start ironic-conductor, i get the below error : ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 ERROR ironic.common.service [-] Service error occurred when cleaning up the RPC manager. Error: 'ConductorManager' object has no attribute '_keepalive_evt' ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service Traceback (most recent call last): ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service File /usr/lib/python2.7/site-packages/ironic/common/service.py, line 91, in stop ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service self.manager.del_host() ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service File /usr/lib/python2.7/site-packages/ironic/conductor/manager.py, line 235, in del_host ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service self._keepalive_evt.set() hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service AttributeError: 'ConductorManager' object has no attribute '_keepalive_evt' hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 INFO ironic.common.service [-] Stopped RPC server for service ironic.conductor_manager on host hc004. A look at the source code, tells me that it is something related to RPC service being started/stopped. Also, I cannot debug this more as - I do not see any logs being created with respect to ironic. Do i have to explicitly enable the logging properties in ironic.conf, or are they expected to be working by default? Here is the configuration from ironic.conf # [DEFAULT] verbose=true rabbit_host=172.18.246.104 auth_strategy=keystone debug=true [keystone_authtoken] auth_host=172.18.246.104 auth_uri=http://172.18.246.104:5000/v2.0 admin_user=ironic admin_password= admin_tenant_name=service [database] connection = mysql://ironic:x@172.18.246.104/ironic?charset=utf8 [glance] glance_host=172.18.246.104 # I understand that i did not give neutron URL as required by the documentation. The reason : that i have architecture limitations to install neutron networking and would like to experiment if nova-network and dhcp pxe server will server the purpose although i highly doubt that. However, i wish to know if the above issue is anyway related to non-existent neutron network, or if it is related to something else. Please do let me know. Thank you, Lohit ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [[Openstack-dev] [Ironic] Ironic-conductor fails to start - AttributeError '_keepalive_evt'
I apologize. I was not sure about where to post the errors. I will post to the general list from next time. Thank you, Lohit On Friday, December 5, 2014, Devananda van der Veen devananda@gmail.com wrote: Hi Lohit, In the future, please do not cross-post or copy-and-paste usage questions on the development list. Since you posted this question on the general list (*) -- which is exactly where you should post it -- I will respond there. Regards, Devananda (*) http://lists.openstack.org/pipermail/openstack/2014-December/010698.html On Fri Dec 05 2014 at 1:15:44 PM Lohit Valleru loh...@gwmail.gwu.edu javascript:_e(%7B%7D,'cvml','loh...@gwmail.gwu.edu'); wrote: Hello All, I am trying to deploy bare-metal nodes using openstack-ironic. It is a 2 - node architecture with controller/keystone/mysql on a virtual machine, and cinder/compute/nova network on a physical machine on a CentOS 7 environment. openstack-ironic-common-2014.2-2.el7.centos.noarch openstack-ironic-api-2014.2-2.el7.centos.noarch openstack-ironic-conductor-2014.2-2.el7.centos.noarch I have followed this document, http://docs.openstack.org/developer/ironic/deploy/install-guide.html#ipmi-support and installed ironic. But when i start ironic-conductor, i get the below error : ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 ERROR ironic.common.service [-] Service error occurred when cleaning up the RPC manager. Error: 'ConductorManager' object has no attribute '_keepalive_evt' ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service Traceback (most recent call last): ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service File /usr/lib/python2.7/site-packages/ironic/common/service.py, line 91, in stop ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service self.manager.del_host() ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service File /usr/lib/python2.7/site-packages/ironic/conductor/manager.py, line 235, in del_host ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service self._keepalive_evt.set() hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service AttributeError: 'ConductorManager' object has no attribute '_keepalive_evt' hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 TRACE ironic.common.service hc004 ironic-conductor[15997]: 2014-12-05 15:38:12.457 15997 INFO ironic.common.service [-] Stopped RPC server for service ironic.conductor_manager on host hc004. A look at the source code, tells me that it is something related to RPC service being started/stopped. Also, I cannot debug this more as - I do not see any logs being created with respect to ironic. Do i have to explicitly enable the logging properties in ironic.conf, or are they expected to be working by default? Here is the configuration from ironic.conf # [DEFAULT] verbose=true rabbit_host=172.18.246.104 auth_strategy=keystone debug=true [keystone_authtoken] auth_host=172.18.246.104 auth_uri=http://172.18.246.104:5000/v2.0 admin_user=ironic admin_password= admin_tenant_name=service [database] connection = mysql://ironic:x@172.18.246.104/ironic?charset=utf8 [glance] glance_host=172.18.246.104 # I understand that i did not give neutron URL as required by the documentation. The reason : that i have architecture limitations to install neutron networking and would like to experiment if nova-network and dhcp pxe server will server the purpose although i highly doubt that. However, i wish to know if the above issue is anyway related to non-existent neutron network, or if it is related to something else. Please do let me know. Thank you, Lohit ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org javascript:_e(%7B%7D,'cvml','OpenStack-dev@lists.openstack.org'); http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana
Thank you Nathan, Do you have more details on what your mapping is configured like? There have been some changes around this area in Juno, but it's still possible that there is some sort of bug here. Here are my mapping details: # Search base for users. (string value) user_tree_dn=ou=People,dc=example,dc=com # LDAP search filter for users. (string value) #user_filter=((objectClass=posixAccount)) # LDAP objectClass for users. (string value) user_objectclass = posixAccount # LDAP attribute mapped to user id. (string value) user_id_attribute = uidNumber # LDAP attribute mapped to user name. (string value) user_name_attribute = uid # LDAP attribute mapped to user email. (string value) user_mail_attribute = mail However, I see that keystone does not make use of the user_id_attribute, while checking for authorization of user. It defaults to uid. Also, when i do - keystone user-role-add --user-id=lohit.valleru --tenant-id=xxx --role-id=xxx ( I see in the logs - that it uses the configuration value that i set above. i.e uidNumber. ) Now when i do - keyston user-list , or keystone user-get lohit.valleru (I see that it defaults to picking up uid values, in place of uidNumber as above.) So since it stores uid as the user_id_attribute, and searches for uidNumber when i do user-role-add, it will always fail, unless uidNumber = uid which is impractical. In addition - i am confused, on why the user_id_attribute is being defaulted to uid. Isn't user_id_attribute supposed to default to uidNumber? ( numerical) Why is the user_id_attribute being used to search, rather than user_name_attribute? As far as i understand - it is user_name_attribute that it stores in the mysql database. i would rather expect the logic to behave as follows : As soon as i authenticate using my kerberos principal : lohit.vall...@example.com, keystone is supposed to use lohit.valleru to search against user_name_attribute, and not user_id_attribute On swift storage or object storage - it is supposed to use user_id_attribute, to be in sync with legacy file systems, so user_id_attribute is supposed to similar to posix uidNumber. Since there is no way, i can list groups using keystone, i cannot verify if it is mapping group information in the right way. Thank you for helping with Kerberos information. I can try testing the same, but i might not be able to go too forward, till the above issue is resolved. Lohit On Sat, Oct 18, 2014 at 10:13 PM, Nathan Kinder nkin...@redhat.com wrote: On 10/18/2014 08:43 AM, lohit.valleru wrote: Hello, Thank you for posting this issue to openstack-dev. I had posted this on the openstack general user list and was waiting for response. May i know, if we have any progress regarding this issue. I am trying to use external HTTPD authentication with kerberos and LDAP identity backend, in Havana. I think, few things have changed with Openstack Icehouse release and Keystone 0.9.0 on CentOS 6.5. Currently I face a similar issue to yours : I get a full username with domain as REMOTE_USER from apache, and keystone tries to search LDAP along with my domain name. ( i have not mentioned any domain information to keystone. i assume it is called 'default', while my domain is: example.com ) I see that - External Default and External Domain are no longer supported by keystone but intstead - keystone.auth.plugins.external.DefaultDomain or external=keystone.auth.plugins.external.Domain are valid as of now. I also tried using keystone.auth.plugins.external.kerberos after checking the code, but it does not make any difference. For example: If i authenticate using kerberos with : lohit.vall...@example.com. I see the following in the logs. DEBUG keystone.common.ldap.core [-] LDAP search: dn=ou=People,dc=example,dc=come, scope=1, query=((uid=lohit.vall...@example.com)(objectClass=posixAccount)), attrs=['mail', 'userPassword', 'enabled', 'uid'] search_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:807 2014-10-18 02:34:36.459 5592 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.6/site-packages/keystone/common/ldap/core.py:777 2014-10-18 02:34:36.460 5592 WARNING keystone.common.wsgi [-] Authorization failed. Unable to lookup user lohit.vall...@example.com from 172.31.41.104 Also, i see that keystone always searches with uid, no matter what i enter as a mapping value for userid/username in keystone.conf . I do not understand if this is a bug or limitation. ( The above logs show that they are not able to find uid with lohit.vall...@example.com since LDAP contains uid without domain name) Do you have more details on what your mapping is configured like? There have been some changes around this area in Juno, but it's still possible that there is some sort of bug here. May i know, how do i request keystone to split REMOTE_USER? Do i need to mention default domain
