[Yahoo-eng-team] [Bug 2028409] Re: Add domain_id config option to remove the need of cloud admin user when generating dynamic credentials

2023-11-03 Thread Ghanshyam Mann
** Also affects: keystone
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2028409

Title:
  Add domain_id config option to remove the need of cloud admin user
  when generating dynamic credentials

Status in OpenStack Identity (keystone):
  New
Status in tempest:
  In Progress

Bug description:
  Currently generating dynamic credentials requires listing domains and
  filtering the result by domain name to get the current/admin domain
  object from Keystone API (through `/v3/domains` API). And as stated in
  the default keystone policy, listing domains requires cloud_admin
  privilege, which means we cannot use a domain admin to create test
  accounts with tempest.

  ```
  "identity:list_domains": "rule:cloud_admin",
  ```

  A better behavior would be using `/v3/domains/{domain_id}` API to get
  the domain object directly so that only a domain admin user is needed
  to generate test accounts. The benefit of reducing required user
  privileges is isolating the test environment. This requires adding an
  additional domain_id configuration option in the [auth] section.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2028409/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
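
The privilege difference described in bug 2028409, as an added example that is not tempest or keystone code: a constructed in-memory stand-in for the identity API enforces the `identity:list_domains` rule quoted in the report, plus an assumed `get_domain` rule that lets an admin read the domain their own token is scoped to. `FakeIdentityAPI`, `resolve_domain` and the sample domains and callers are hypothetical names.

```python
class Forbidden(Exception):
    """Stands in for an HTTP 403 from the identity API."""


# Constructed sample data: two domains and two callers.
DOMAINS = {
    "d-default": {"id": "d-default", "name": "Default"},
    "d-test": {"id": "d-test", "name": "tempest-domain"},
}
CLOUD_ADMIN = {"roles": {"admin"}, "domain_id": "d-default", "cloud_admin": True}
DOMAIN_ADMIN = {"roles": {"admin"}, "domain_id": "d-test", "cloud_admin": False}


class FakeIdentityAPI:
    """Enforces the rule quoted in the bug plus an assumed get_domain rule."""

    def __init__(self, caller):
        self.caller = caller
        self.calls = []  # records which endpoints were requested

    def list_domains(self):
        # "identity:list_domains": "rule:cloud_admin"  (from the bug report)
        self.calls.append("GET /v3/domains")
        if not self.caller["cloud_admin"]:
            raise Forbidden("identity:list_domains")
        return list(DOMAINS.values())

    def show_domain(self, domain_id):
        # Assumption: admins may read the domain their own token is scoped to.
        self.calls.append(f"GET /v3/domains/{domain_id}")
        c = self.caller
        own = "admin" in c["roles"] and c["domain_id"] == domain_id
        if not (c["cloud_admin"] or own):
            raise Forbidden("identity:get_domain")
        return DOMAINS[domain_id]


def resolve_domain(api, domain_name, domain_id=None):
    """Return the domain object, preferring the direct lookup when an ID is set."""
    if domain_id:                       # proposed [auth] domain_id is configured
        return api.show_domain(domain_id)
    for dom in api.list_domains():      # current behaviour: list, then filter by name
        if dom["name"] == domain_name:
            return dom
    raise LookupError(domain_name)
```

With `DOMAIN_ADMIN`, the name-based lookup raises `Forbidden` while the ID-based lookup succeeds without ever calling the list endpoint; the same caller is still refused when asking for a domain other than its own.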


[Yahoo-eng-team] [Bug 2042598] Re: neutron_server container suspended in health:starting state

2023-11-03 Thread Bence Romsics
Hi,

Thanks for the report!

At first glance this looks like a deployment problem, not a neutron bug.
From a neutron perspective there's no clear error symptom described (other
than "networking does not work"). And no neutron log (the attached "log
from neutron_server" stops right when neutron-server is started). Even
if there is a neutron bug, this is not enough to identify and/or debug
it.

I'm no kolla expert (not even a kolla user), but I would recommend that
you turn with your questions to kolla folks, for example on their irc
channel (#kolla on irc.oftc.net, archives:
https://meetings.opendev.org/) or on the mailing list
(https://lists.openstack.org/mailman3/lists/openstack-discuss.lists.openstack.org/).
It would also help in debugging if you
collected actual neutron-server logs to see why it did not start
properly.

Hope this helps,
Bence

** Changed in: neutron
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2042598

Title:
  neutron_server container suspended in health:starting state

Status in neutron:
  Invalid

Bug description:
  I installed OpenStack (zed) on a Raspberry Pi cluster with
  kolla-ansible (version tagged for zed), all containers are healthy except
  the neutron_server which is suspended in 'health: starting' state.
  Network related part of OpenStack does not work. Some other
  commands work as expected (e.g., can create an image which is reported
  by openstack image list as 'active').

  There are four Raspberry Pi 4B in the cluster (2 x 4GB RAM and 2 x 8GB RAM).
  They run Debian 11 (bullseye) and kolla-ansible has been used for the
  installation.
  Notably, I'm using a specific configuration of networking on my Pis to mimic
  two network interfaces on each host as kolla-ansible expects. These are
  provided as interfaces of veth pairs (more details on that below, too).

  Below, one can find:

  1. configuration commands I used to configure my Pi hosts (this panel)
  2. environment details related to the Pis (the one serving as controller in
     OpenStack) and kolla-ansible install information (this panel)
  3. ml2_conf.ini and nova-compute.conf configuration used in kolla-ansible
  4. kolla-ansible files: globals.yml (4.1) and inventory multinode (4.2)
     - changed parts - this panel
     - complete versions - attachments
  5. HttpException: 503 message from running init-runonce (kolla-ansible test
     script for new installation) (this panel)
  6. status of containers on the control node as reported by 'docker ps -a'
     (this panel)
  7. output from docker neutron_server inspect command (attachment)
  8. log from neutron_server container (attachment)

  *
  1. Debian configuration on the Pis
  *

  Selected details of the configuration are given in the following.
  Basically, most of them are needed to configure Pis' host networking
  using netplan. Another one relates to qemu-kvm.

  (Note: initial configs to enable ssh access should be done locally (keyboard,
  monitor) on each Pi, in particular:
  PermitRootLogin yes
  PasswordAuthentication yes
  I skip the details of enabling ssh access, though. Below, I assume ssh access
  as a regular (non-root) user.
  )

  === Preparation for host networking setup ===

  $ sudo apt-get remove unattended-upgrades -y
  $ sudo apt-get update -y && sudo apt-get upgrade -y

  - updating $PATH for a user
  $ sudo tee -a ~/.bashrc << EOT
  export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin
  EOT
  $ source ~/.bashrc

  - enable systemd-networkd and configure eth0 for ssh access (needed to use
    ssh; not needed if one does stuff locally, attaching keyboard and monitor to
    each Pi)
    - enabling systemd-networkd
  $ sudo mv /etc/network/interfaces /etc/network/interfaces.save
  $ sudo mv /etc/network/interfaces.d /etc/network/interfaces.d.save
  $ sudo systemctl enable systemd-networkd && sudo systemctl start systemd-networkd
  $ sudo systemctl status systemd-networkd

  - configure eth0 (in my case, I've configured static DHCP for each Pi on my
    DHCP server)
  $ sudo tee /etc/systemd/network/20-wired.network << EOT
  [Match]
  Name=eth0

  [Network]
  DHCP=yes
  EOT

  - install netplan
  $ sudo apt update && sudo apt -y install netplan.io
  $ sudo reboot

  - enable ip forwarding
  $ sudo nano /etc/sysctl.conf
   ===> uncomment the line: net.ipv4.ip_forward=1
  $ sudo sysctl -p

  === Host networking setup ===
  - network setup on each Pi host - drawing:

  192.168.1.xy/24       no IP address
    +---------+         +---------+
    |  veth0  |         |  veth1  |  <-- network-interface and network-external-interface for kolla-ansible
    +---------+         +---------+
         |    veth pairs     |
    +---------+         +---------+
    | veth0br |         | veth1br |

[Yahoo-eng-team] [Bug 2042647] [NEW] doc: Options described in "DHCP High-availability" are outdated

2023-11-03 Thread Takashi Kajinami
Public bug reported:

The "DHCP High-availability" chapter in admin guide[1] contains multiple
outdated options.

 - linux bridge core_plugin is used instead of ml2 + linuxbridge
 - [database] option should be added to neutron.conf
 - [DEFAULT] rabbit_host option and [DEFAULT] rabbit_password option no longer exist
 - [DEFAULT] use_neutron and [DEFAULT] firewall_driver were removed from nova
 - [neutron] admin_* options were removed from nova

[1] https://docs.openstack.org/neutron/latest/admin/config-dhcp-ha.html

Although we can fix these, it probably makes better sense to refer to
the installation guide for most of the options and then describe only specific
options ( dhcp_agents_per_network ), so that we don't have to maintain
basic options in multiple chapters.

** Affects: neutron
 Importance: Undecided
 Status: New


** Tags: doc

** Tags added: doc

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2042647

Title:
  doc: Options described in "DHCP High-availability" are outdated

Status in neutron:
  New

Bug description:
  The "DHCP High-availability" chapter in admin guide[1] contains
  multiple outdated options.

   - linux bridge core_plugin is used instead of ml2 + linuxbridge
   - [database] option should be added to neutron.conf
   - [DEFAULT] rabbit_host option and [DEFAULT] rabbit_password option no longer exist
   - [DEFAULT] use_neutron and [DEFAULT] firewall_driver were removed from nova
   - [neutron] admin_* options were removed from nova

  [1] https://docs.openstack.org/neutron/latest/admin/config-dhcp-ha.html

  Although we can fix these, it probably makes better sense to refer to
  the installation guide for most of the options and then describe only specific
  options ( dhcp_agents_per_network ), so that we don't have to maintain
  basic options in multiple chapters.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2042647/+subscriptions

