*** openstack has joined #openstack-ec2api | 01:43 | |
*** andrey-mp has joined #openstack-ec2api | 10:42 | |
*** cybojanek has joined #openstack-ec2api | 14:28 | |
cybojanek | Hi! | 14:29 |
---|---|---|
cybojanek | Is there more documentation on installation and configuration? | 14:30 |
cybojanek | I'm trying to install the ec2api and I get errors from keystone: BadRequest: Expecting to find domain in project - the server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error | 14:30 |
andrey-mp | hi | 14:48 |
andrey-mp | which way do you use to install ec2api? | 14:48 |
cybojanek | yum install | 14:58 |
cybojanek | from the following repo (h/o) | 14:58 |
cybojanek | http://mirror.centos.org/centos/7/cloud/x86_64/openstack-mitaka/ | 14:59 |
cybojanek | I messed around with the settings | 14:59 |
cybojanek | ec2 describe-images works | 14:59 |
cybojanek | But now ec2 describe-instances returns a 401 while executing one of the subcalls | 15:00 |
cybojanek | I see it does some neutron calls which return empty ports/floatingips json arrays, some security groups | 15:02 |
cybojanek | I think my nova api endpoint is 2.0 - does it have to be something else? | 15:03 |
cybojanek | I'm using keystone v3 with domains | 15:04 |
andrey-mp | mmm, I didn't install it via yum - what ec2api.conf contains? | 15:08 |
cybojanek | Getting | 15:08 |
cybojanek | [DEFAULT] | 15:10 |
cybojanek | ec2api_workers=4 | 15:10 |
cybojanek | debug = True | 15:10 |
cybojanek | verbose = True | 15:10 |
cybojanek | admin_tenant_name = service | 15:10 |
cybojanek | admin_user = ec2 | 15:10 |
cybojanek | admin_password = xxxxx | 15:10 |
cybojanek | region_list = xxxx | 15:10 |
cybojanek | keystone_ec2_tokens_url=http://muffin:5000/v3/ec2tokens | 15:10 |
cybojanek | keystone_url=http://muffin:5000/v3 | 15:10 |
cybojanek | external_network = public | 15:10 |
cybojanek | full_vpc_support=true | 15:10 |
cybojanek | the ec2 user belongs to the tenant service | 15:10 |
andrey-mp | my config from devstack is here - http://paste.org.ru/?j3po8v | 15:10 |
andrey-mp | these settings are important also - | 15:11 |
andrey-mp | keystone_ec2_tokens_url = http://10.10.0.4/identity/v3/ec2tokens | 15:11 |
andrey-mp | keystone_url = http://10.10.0.4/identity | 15:11 |
andrey-mp | state_path = /opt/stack/data/ec2api | 15:11 |
andrey-mp | and database section | 15:11 |
cybojanek | The database I have set up correctly | 15:12 |
cybojanek | Because I had that issue before and now it's fixed | 15:12 |
cybojanek | I assume identity is a vhost to port/v3 | 15:12 |
cybojanek | Lemme check that the ec2 user has the correct role | 15:12 |
cybojanek | Does it need admin and service? | 15:12 |
andrey-mp | yes | 15:13 |
andrey-mp | it needs | 15:13 |
cybojanek | Here's the log of describe-volumes | 15:16 |
cybojanek | http://pastebin.com/qyFaEg8k | 15:16 |
cybojanek | As an aside, what's the status of ec2-api within the openstack community? | 15:19 |
cybojanek | I've read up that they removed the core support and pushed it out to a separate project, but I'm wondering how much openstack backing this now has? | 15:19 |
andrey-mp | it's an official project | 15:20 |
andrey-mp | I don't know who use separate ec2api project now - We don't have such information... | 15:22 |
andrey-mp | let me check logs... | 15:23 |
cybojanek | thanks :-) | 15:23 |
andrey-mp | how have you installed OpenStack? | 15:24 |
cybojanek | custom, from yum repo | 15:24 |
cybojanek | not devstack, not puppet | 15:25 |
cybojanek | openstack client itself works fine | 15:25 |
cybojanek | list instances, images, volumes etc | 15:25 |
andrey-mp | do you set domain options in other configurations files - like nova, cinder, glance? | 15:28 |
cybojanek | Yes, for example | 15:29 |
cybojanek | From nova.conf | 15:29 |
cybojanek | [keystone_authtoken] | 15:29 |
cybojanek | auth_uri = http://muffin:5000 | 15:29 |
cybojanek | auth_url = http://muffin:35357 | 15:29 |
cybojanek | memcached_servers = muffin:11211 | 15:29 |
cybojanek | auth_type = password | 15:29 |
cybojanek | project_domain_name = default | 15:29 |
cybojanek | user_domain_name = default | 15:29 |
cybojanek | project_name = service | 15:29 |
cybojanek | username = nova | 15:29 |
cybojanek | password = xxxxxx | 15:29 |
cybojanek | does get_os_admin_session in clients.py need to be modified for domain support? | 15:30 |
andrey-mp | maybe... | 15:30 |
cybojanek | Is it this one? http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.auth.identity.generic.html#module-keystoneclient.auth.identity.generic.password | 15:30 |
cybojanek | Is the devstack identity portion a vhost to v2? | 15:34 |
andrey-mp | i don't know right now what devstack use | 15:36 |
andrey-mp | for validating ec2 credentials we use v3 | 15:37 |
andrey-mp | for get_os_admin_session we use root URL of keystone - client will choose version | 15:37 |
cybojanek | If I change it to | 15:39 |
cybojanek | keystone_url=http://muffin:5000/ | 15:39 |
cybojanek | (no v3) | 15:39 |
cybojanek | I get Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-b02805da-6087-492c-83d8-aa16b6413868) | 15:39 |
andrey-mp | can you modify clients.py of ec2api code and add passing of user_domain_name='default' to call https://github.com/openstack/ec2-api/blob/master/ec2api/clients.py#L211 | 15:39 |
andrey-mp | ? | 15:39 |
cybojanek | Mhm - 1 sec | 15:40 |
cybojanek | Same issue BadRequest: Expecting to find domain in project | 15:42 |
andrey-mp | is there a script of users/projects/domains creation? so I can check same on my devstack | 15:44 |
cybojanek | http://pastebin.com/ap3xTNWY | 15:45 |
cybojanek | It's missing the ec2 user which I created manually | 15:47 |
cybojanek | But I also tried with nova user | 15:47 |
cybojanek | in ec2api.conf | 15:47 |
andrey-mp | and is the same result with nova user? | 15:47 |
cybojanek | yes | 15:48 |
cybojanek | I have a tcpdump of the keystone requests if need be | 15:48 |
andrey-mp | I think we should check this on our side | 15:49 |
cybojanek | Ok | 15:50 |
andrey-mp | I will try to get same situation first and then will make a fix | 15:50 |
andrey-mp | right now you can try to modify clients.py and add there domain_name and project_domain_name with same 'default' value as user_domain_name | 15:57 |
cybojanek | mhm | 15:57 |
andrey-mp | this only one idea that I have now :) | 15:58 |
cybojanek | AuthorizationFailure: Authentication cannot be scoped to multiple targets. Pick one of: project, domain, trust or unscoped | 15:58 |
andrey-mp | wow | 15:59 |
cybojanek | Probably conflicting with the other tenant/project stuff | 15:59 |
andrey-mp | let's try with domain_name only ? | 15:59 |
andrey-mp | and if it's not difficult - please share keystone tcpdump with us | 16:00 |
cybojanek | same issue again | 16:00 |
cybojanek | h/o | 16:00 |
cybojanek | ok | 16:04 |
cybojanek | 1 more min | 16:04 |
andrey-mp | np | 16:04 |
andrey-mp | btw, ec2 service is not needed in keystone catalog for anyone... | 16:05 |
andrey-mp | and it listens just on "${PREFIX_PUBLIC}://${HOSTNAME_PUBLIC}:8788/" not on "${PREFIX_PUBLIC}://${HOSTNAME_PUBLIC}:8788/services/Cloud" | 16:06 |
cybojanek | K | 16:06 |
cybojanek | I think the openstack ec2 credentials list command didn't work until I added it | 16:07 |
cybojanek | Horizon also didn't show the download creds link until the service was there | 16:07 |
andrey-mp | hm, looks strange ) | 16:07 |
cybojanek | http://pastebin.com/UEapv7Zj | 16:07 |
cybojanek | Lol - I dug into the horizon code, it has something like "is service enabled" that looks for ec2 in the endpoint list | 16:08 |
andrey-mp | this last log says me that request should contain only project_domain_name | 16:09 |
andrey-mp | but as I understood you've tried this with same result | 16:09 |
cybojanek | Using project_domain_name instead of user_domain_name I get | 16:11 |
cybojanek | {"auth": {"scope": {"project": {"domain": {"name": "default"}, "name": "service"}}, "identity": {"password": {"user": {"password": "xxxxx", "name": "ec2"}}, "methods": ["password"]}}} | 16:11 |
andrey-mp | and 400 ? | 16:12 |
cybojanek | Yes | 16:12 |
andrey-mp | and the same error - "expecting to find domain in project" ? | 16:13 |
cybojanek | Nope, user | 16:14 |
andrey-mp | ^) | 16:14 |
andrey-mp | :) | 16:14 |
cybojanek | ok progress | 16:15 |
cybojanek | I figured out how to fix it in curl | 16:15 |
cybojanek | lol | 16:15 |
andrey-mp | and what if add user_domain_name to current? | 16:15 |
andrey-mp | pass project_domain_name and user_domain_name together | 16:15 |
cybojanek | Great success! | 16:15 |
cybojanek | volumes and instances works | 16:16 |
cybojanek | auth = keystone_auth.Password( | 16:16 |
cybojanek | user_domain_name='default', | 16:16 |
cybojanek | project_domain_name='default', | 16:16 |
cybojanek | username=CONF.admin_user, | 16:16 |
cybojanek | password=CONF.admin_password, | 16:16 |
cybojanek | project_name=CONF.admin_tenant_name, | 16:16 |
cybojanek | tenant_name=CONF.admin_tenant_name, | 16:16 |
cybojanek | auth_url=CONF.keystone_url, | 16:16 |
cybojanek | ) | 16:16 |
cybojanek | Yea, now I get what the errors meant | 16:16 |
andrey-mp | thank you - we will fix this in upstream shortly | 16:16 |
cybojanek | Are you going to add a config option? | 16:17 |
andrey-mp | yeah | 16:17 |
andrey-mp | same as in nova | 16:17 |
cybojanek | Cool | 16:17 |
cybojanek | Thanks! AFK for a bit | 16:19 |
andrey-mp | no problem :) | 16:19 |
*** andrey-mp has quit IRC | 16:44 | |
*** rbradfor has left #openstack-ec2api | 18:04 | |
*** andrey-mp has joined #openstack-ec2api | 20:06 | |
*** andrey-mp has quit IRC | 20:25 |