keystone V3 support needed

Bug #1543262 reported by Ryan Beisner
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Canonical Juju
Fix Released
High
Ian Booth
2.1
Fix Released
Critical
Ian Booth
Go OpenStack Exchange
Fix Committed
High
Ian Booth

Bug Description

Juju OpenStack provider needs Keystone V3 support. Some OpenStack clouds already provide V3-only support. Ubuntu OpenStack, if following upstream, may eventually require V3 support.

Also: python-keystoneclient is deprecated in favor of python-openstackclient, using V3.

Ryan Beisner (1chb1n)
tags: added: uosci
Revision history for this message
Ryan Beisner (1chb1n) wrote :

I suspect "tenant-name" will need to give way to project-id and user-domain-name, or some such. Here is an example of V3 usage from the cli:

export OS_PROJECT_ID=00ff00ff00ff00ff00ff00ff00ff00ff
export OS_USERNAME=john.doe@local
export OS_USER_DOMAIN_NAME=domain12345
export OS_AUTH_URL=https://f.q.d.n/v3
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=earth
export OS_PASSWORD=FooFooFoo

openstack server list

openstack image list

Revision history for this message
Ian Booth (wallyworld) wrote :

Keystone v3 support is targetted for Juju 2.0

Changed in juju-core:
milestone: none → 2.0-beta2
importance: Undecided → High
status: New → Triaged
Ryan Beisner (1chb1n)
tags: added: openstack-provider
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 2.0-beta2 → 2.0-beta3
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: 2.0-beta3 → 2.0-beta4
Revision history for this message
Cheryl Jennings (cherylj) wrote :

This was included in 2.0-beta3

Changed in juju-core:
status: Triaged → Fix Released
affects: juju-core → juju
Changed in juju:
milestone: 2.0-beta4 → none
milestone: none → 2.0-beta4
Revision history for this message
David Ames (thedac) wrote :

This appears to still be a problem.

Scoping between domain and project requires mutually exclusive settings. Compare these novarc files:
http://bazaar.launchpad.net/~ost-maintainers/openstack-charm-testing/trunk/view/head:/novarcv3_project
http://bazaar.launchpad.net/~ost-maintainers/openstack-charm-testing/trunk/view/head:/novarcv3_domain

It would appear that in the project scope the following are not being set in gooes:
OS_PROJECT_DOMAIN_NAME
OS_USER_DOMAIN_NAME

The following did not fully address these requirements:
https://github.com/go-goose/goose/commit/a6ab4cac05e147190aee673670c2ddd9a2f777d2

Ideally, juju gooes should support:
 v2
 v3 domain scope
 v3 project scope

Documentation on the v3 API:
An old but informative simple description of the v3 api:
http://adam.younglogic.com/2013/09/keystone-v3-api-examples/

The full API documentation:
https://developer.openstack.org/api-ref/identity/v3/

Ryan Beisner (1chb1n)
Changed in juju:
status: Fix Released → New
Revision history for this message
Marco Ceppi (marcoceppi) wrote :
Download full text (3.7 KiB)

Using a project configured v3 auth endpoint I'm unable to bootstrap.

```
OS_REGION_NAME=coolcloud
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=cloud_kubernetes
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=<REDACTED>
OS_AUTH_URL=http://10.0.3.240:5000/v3
OS_USERNAME=kubernetes_admin
OS_PROJECT_DOMAIN_NAME=jumpin-joy
```

```
$ juju show-cloud my-cloud
defined: local
type: openstack
description: Openstack Cloud
auth-types: [userpass, access-key]
regions:
  coolcloud:
    endpoint: http://10.0.3.240:5000/v3
```

```
$ juju list-credentials --format yaml --show-secrets
credentials:
  my-cloud:
    kubernetes:
      auth-type: userpass
      domain-name: admin_domain
      password: <REDACTED>
      tenant-name: cloud_kubernetes
      username: kubernetes_admin
```

```
$ juju bootstrap --debug my-cloud
19:49:14 INFO juju.cmd supercommand.go:63 running juju [2.1-rc1 gc go1.6.2]
19:49:14 DEBUG juju.cmd supercommand.go:64 args: []string{"juju", "bootstrap", "--debug", "my-cloud"}
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:780 authenticating with region "coolcloud" and credential "kubernetes" ()
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:892 provider attrs: map[use-floating-ip:false use-default-secgroup:false network: external-network:]
19:49:14 INFO cmd cmd.go:141 Adding contents of "/home/ubuntu/.local/share/juju/ssh/juju_id_rsa.pub" to authorized-keys
19:49:14 DEBUG juju.cmd.juju.commands bootstrap.go:948 preparing controller with config: map[logging-config: enable-os-refresh-update:true external-network: image-metadata-url: agent-stream:released provisioner-harvest-mode:destroyed http-proxy: name:controller proxy-ssh:false ignore-machine-addresses:false authorized-keys:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ax7LrroQh6ayFPH7vfU+/1veF40s6UJF4YeaevTvrx/xELELSjSeEIkQw6KoA/nCysOMUDmkFPfVoe7u5reO37IRWS+c7k/O3MOMTUGlOeGEmDE2trFzoBSNj4lYRuQxDC8ecyk0d0Lui1gEV24ZjT/Wo/d3QUJy/VQojqEztl565+UoaCv5Ck33suD1mYpesoDkJcQv9igArNCqQ/t5QnMxgmhxs0HOF29PI+aGkHMjGBHVL8PQaC95n0B9q1tD0w5DdkFRZQpRaWuvZ1g0ykBNKX+OU5Tp4iq+bU9NH9za8UnBrVgumAXv9gAVjrcWpOo/VUkhvb06FRi63ZCD juju-client-key
 image-stream:released development:false net-bond-reconfigure-delay:17 type:openstack ssl-hostname-verification:true enable-os-upgrade:true no-proxy: network: apt-ftp-proxy: use-default-secgroup:false uuid:4465ae20-ad7c-4e1c-8cf3-31c403ff59ea disable-network-management:false transmit-vendor-metrics:true apt-mirror: resource-tags: https-proxy: default-series:xenial apt-https-proxy: firewall-mode:instance apt-http-proxy: agent-metadata-url: test-mode:false use-floating-ip:false ftp-proxy: logforward-enabled:false automatically-retry-hooks:true]
19:49:14 INFO juju.provider.openstack provider.go:131 opening model "controller"
19:49:15 DEBUG juju.provider.openstack provider.go:763 authentication failed: authentication failed
caused by: requesting token: Unauthorised URL http://10.0.3.240:5000/v3/auth/tokens
caused by: request (http://10.0.3.240:5000/v3/auth/tokens) returned unexpected status: 401; error info: Failed: 401 error: The request you have made requires authentication.
19:49:15 ERROR cmd supercommand.go:458 authentication failed.

Please ensure the credentials are corr...

Read more...

Revision history for this message
Nicholas Skaggs (nskaggs) wrote :

Bug 1585708 has a fix landing; that should help.

Changed in juju:
milestone: 2.0-beta4 → none
Revision history for this message
Marco Ceppi (marcoceppi) wrote :

This is not a duplicate. Why was this closed? Juju supporting v3 and charms are two different problem domains.

Revision history for this message
Anastasia (anastasia-macmood) wrote :

Marked incorrectly as duplicate based on comment # 6. Un-marking \o/

Changed in juju:
status: New → Triaged
milestone: none → 2.2.0-alpha1
Revision history for this message
Ryan Beisner (1chb1n) wrote :

Just to reinforce, this bug (a Juju provider bug) is in no way related to bug 1585708 (a charm bug).

Revision history for this message
Ian Booth (wallyworld) wrote :
Revision history for this message
Ian Booth (wallyworld) wrote :
Changed in goose:
assignee: nobody → Ian Booth (wallyworld)
importance: Undecided → High
status: New → In Progress
Ian Booth (wallyworld)
Changed in goose:
status: In Progress → Fix Committed
Ian Booth (wallyworld)
Changed in juju:
assignee: nobody → Ian Booth (wallyworld)
status: Triaged → Fix Committed
Curtis Hovey (sinzui)
Changed in juju:
status: Fix Committed → Fix Released
Revision history for this message
Bruno Carvalho (brunowcs) wrote :

 I am using juju --version 2.1.2-xenial-amd64 and I am still having bootstrap issuestack on provide keystone v3.

This problem has been fixed in which version?

My clientpython openstack works normally.

21:48:45 INFO juju.provider.openstack provider.go:131 opening model "controller"
21:48:46 DEBUG juju.provider.openstack provider.go:765 authentication failed: authentication failed
caused by: requesting token: Unauthorised URL https://api.domain.com:5000/v3/auth/tokens
caused by: request (https://api.domain.com:5000/v3/auth/tokens) returned unexpected status: 401; error info: Failed: 401 error: The request you have made requires authentication.
21:48:46 ERROR cmd supercommand.go:458 authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.
21:48:46 DEBUG cmd supercommand.go:459 (error details: [{github.com/juju/juju/cmd/juju/commands/bootstrap.go:445: } {github.com/juju/juju/environs/bootstrap/prepare.go:99: } {github.com/juju/juju/environs/bootstrap/prepare.go:163: } {github.com/juju/juju/provider/openstack/provider.go:770: authentication failed.

Please ensure the credentials are correct. A common mistake is
to specify the wrong tenant. Use the OpenStack "project" name
for tenant-name in your model configuration.}])

Revision history for this message
Ian Booth (wallyworld) wrote :

Can you provide the content of your Juju credentials file (with secrets redacted). It lives in ~/.local/share/juju/credentials.yaml. And also the ~/.novarc file (or env vars) with secrets redacted for comparison.

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hello Ian!

# juju list-credentials --format yaml --show-secrets
credentials:
  openstack:
    default-region: myregion
    myuser:
      auth-type: userpass
      password: mypass
      tenant-name: myprojectname
      username: myuser

# juju show-cloud openstack
defined: local
type: openstack
description: Openstack Cloud
auth-types: [userpass]
regions:
  myregion:
    endpoint: https://api.domain.com:5000/v3/

Note: my api is in HTTPS

Caused by: request (https://api.domain.com:5000/v3/tokens) returned unexpected status: 404; Error info: Failed: 404 error: The resource could not be found.

I noticed that the URL is not being formed correctly

Caused by: request (https://api.domain.com:5000/v3/tokens) returned unexpected status: 404; Error info: Failed: 404 error: The resource could not be found

The correct one would not be: https://api.domain.com:5000/v3/auth/tokens

I noticed the "auth" in the url is missing.

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

mycloud.yaml

openstack:
    type: openstack
    auth-types: [userpass]
    endpoint: https://api.domain.com:5000/v3
    regions:
      trm:
        endpoint: https://api.domain.com:5000/v3

mycredentials.yaml

credentials:
  openstack:
    default-credential: myuser
    myuser:
      auth-type: userpass
      tenant-name: myproject
      domain-name: mydomain
      username: myuser
      password: mypass

MY ENV rc_openstak - work ok

export OS_PROJECT_NAME="myproject"
export OS_USER_DOMAIN_NAME="mydomain"

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hi!!! now works fine.

credentials:
  openstack:
    default-credential: myuser
    myuser:
      auth-type: userpass
      tenant-name: myproject
# domain-name: mydomain
      user-domain-name: mydomain
      project-domain-name: mydomain
      username: myuser
      password: mypasswd

but error

14:30:58 ERROR cmd supercommand.go:458 failed to bootstrap model: no image metadata found

Revision history for this message
Ian Booth (wallyworld) wrote :

Hi Bruno

Great that you got the first part working!

The next part is teaching Juju what openstack images are available. This is done by producing metadata which can either be stored in swift or in a local directory.

This doc shows how to set up the metadata in swift

https://jujucharms.com/docs/devel/howto-privatecloud

This blog post is using Juju 1.25 but the steps outlined are still generally applicable to Juju 2.x

https://blog.felipe-alfaro.com/2014/04/29/bootstraping-juju-on-top-of-an-openstack-private-cloud/

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hi Ian

I performed the procedures and I went through the second phase, now I'm standing still in this, could you help me?

2:15:37 ERROR juju.cmd.juju.commands bootstrap.go:1056 error cleaning up: destroying controller model: destroying instances: failed to get list of server details
caused by: failed unmarshaling the response body: {"servers": [{"status": "ACTIVE", "updated": "2017-05-02T12:22:15Z", "hostId": "3ecf224269edfe46c693983c897711a708859d546f96e32110eaa

Revision history for this message
Heather Lanigan (hmlanigan) wrote :

Bruno,

By any chance do you have an instance deployed in your openstack which is booted to a volume? If so, you could be hitting this bug: https://bugs.launchpad.net/juju/+bug/1683495

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hi Heather, this resolved my problem!

But now I'm having trouble setting up the security group even if you set the "--config use-default-secgroup=true" option on the bootstrap line it is trying to create a new security group and giving error, has anyone had this problem?

00:16:54 DEBUG juju.provider.openstack firewaller.go:294 deleting security group "juju-b39c0bd4-d789-4711-8f5c-7a3d98e9e39d-6eec5115-cba1-4ea9-8e10-1c849f827f7d"
00:16:55 ERROR cmd supercommand.go:458 failed to bootstrap model: cannot start bootstrap instance: cannot set up groups: failed to create a rule for the security group with id: e88c409f-4185-49ce-8cf4-c47e981c44e7

Tks!

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hi! I am resolved with change firewaller.go my error was related to my IPV6 that the nuage plugin could not support.

I removed all ipv6 lines from the security group's creation of the file firewaller.go and recomputed the juju so it worked the creation of the controller

Revision history for this message
Heather Lanigan (hmlanigan) wrote :

Bruno,

Perhaps we can move this conversation to <email address hidden> as we've moved off the topic of the bug?

Juju will always create it's own security groups for openstack, "--config use-default-secgroup=true" added the default security group to the list of juju created ones for each
instance. There's a bug on this topic: https://bugs.launchpad.net/juju/+bug/1625830. Sounds
like we need to clarify what this flag does. It's currently described as:
`Whether new machine instances should have the "default" Openstack security group assigned.`
But doesn't say whether that's in replacement of, or addition to the juju created security groups.

All of that said, you can easily skip using that flag. It sounds like you had a different issue going on, which doesn't appear to be a known bug. Can you file a new one? Or ask for help on <email address hidden>, where more people will see it?

Revision history for this message
Bruno Carvalho (brunowcs) wrote :

Hi!

In my environment as "use-default-secgroup=true" it added the "default" group along with the rules created by juju.

Related list I believe my solution is well specified for SDN nuage plugin without IPV6 support, but if you want you can create it.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.