Hi all,

I have continued debugging multidomain support in Contrail 3.2.6.0.
I have disabled auth in Contrail by adding the following line:
aaa_mode = no-auth
in /etc/contrail/contrail-api.log and in 
/etc/contrail/contrail-analytics-api.conf

I was able to log in as testuser inside testdomain and view the networks from 
testproject.

Afterwards I tried to create a network inside testproject both from Contrail 
GUI and using neutron commands.
Both of them failed. From contrail-api.log, I have:
File "/usr/lib/python2.7/site-packages/cfgm_common/vnc_cassandra.py", line 
1283, in fq_name_to_uuid
    raise NoIdError('%s %s' % (obj_type, fq_name_str))
NoIdError: Unknown id: project testdomain:testproject

Do you have any idea why this happens?

Thanks,
Anda


From: Jakub Pavlik [mailto:jpav...@mirantis.com]
Sent: Wednesday, September 20, 2017 12:15 PM
To: Anda Nicolae
Cc: dev@lists.opencontrail.org
Subject: Re: [opencontrail-dev] Multiple domains support in Contrail 3.2.5.0

Hi Anda,

add project_name and project_domain_name what I specified in last mail.

jakub

On Wed, Sep 20, 2017 at 10:32 AM, Anda Nicolae 
<anico...@lenovo.com<mailto:anico...@lenovo.com>> wrote:
Hi Jakub,

I was able to login into Contrail and to have all contrail processes active. My 
contrail-keystone-auth.conf looks like this:

[KEYSTONE]
auth_url=http://<Keystone_IP>:35357/v3
auth_host=<Keystone_IP>
auth_protocol=http
auth_port=35357
user=admin
password=<admin_password>
memcache_servers=127.0.0.1:11211<http://127.0.0.1:11211>
insecure=False

I've tried with auth_url as 
http://<Keystone_IP>:5000/v3<http://%3cKeystone_IP%3e:5000/v3> and as 
http://<Keystone_IP>:35357/v3<http://%3cKeystone_IP%3e:35357/v3> and I have 
obtained the same results.

After I log into Contrail, whatever I select (Networks, Policies, Routers, IPAM 
etc), I get 503 Service Unavailable.

I looked over the HTTP requests that Contrail processes exchange with Keystone.
A HTTP Post request is sent to <Keystone_IP>:35357 and 400 Bad Request is 
received.
Since the contrail process can authenticate to keystone, it cannot further 
retrieve info about routers, networks etc.
Therefore, 503 Service Unavailable is displayed.

Below are the HTTP Request and Response:

POST /v2.0/tokens HTTP/1.1
Host: <Keystone_IP>:35357
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: keystonemiddleware.auth_token/4.4.1 keystoneauth1/2.4.1 
python-requests/2.10.0 CPython/2.7.5
Content-Type: application/json
Content-Length: 51

{"auth": {"passwordCredentials": {"password": ""}}}HTTP/1.1 400 Bad Request
Date: Wed, 20 Sep 2017 05:27:25 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Vary: X-Auth-Token
x-openstack-request-id: req-40bf8fc7-45b1-4e45-b6cd-e3ea950dbc0e
Content-Length: 260
Connection: close
Content-Type: application/json

{"error": {"message": "Expecting to find username or userId in 
passwordCredentials - the server could not comply with the request since it is 
either malformed or otherwise incorrect. The client is assumed to be in 
error.", "code": 400, "title": "Bad Request"}}


Thanks,
Anda

From: Jakub Pavlik [mailto:jpav...@mirantis.com<mailto:jpav...@mirantis.com>]
Sent: Tuesday, September 19, 2017 6:32 PM

To: Anda Nicolae
Cc: dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>
Subject: Re: [opencontrail-dev] Multiple domains support in Contrail 3.2.5.0

Hi Anda,

it is jinja template, you cannot put those params with {{}} . Extend config by 
this:

project_name=admin
project_domain_name=default
auth_url=http://ip:5000/v3

Jakub


On Tue, Sep 19, 2017 at 5:18 PM, Anda Nicolae 
<anico...@lenovo.com<mailto:anico...@lenovo.com>> wrote:
Hi Jakub,

Thank you for your response. Before I posted the question on the list, I had 
modified contrail-auth-keystone.conf like below. Without the changes below, I 
was not able to log into Contrail:
auth_url=http://<IP>:35357/v3
auth_host=<IP>
auth_protocol=http
auth_port=35357
user=admin
password=<password>
#admin_user=<admin_user>
#admin_password=< admin_password >
#admin_tenant_name=< admin_tenant_name >
memcache_servers=127.0.0.1:11211<http://127.0.0.1:11211>
insecure=False

However, I modified contrail-auth-keystone.conf like you told me and now it 
displays the following error in contrail-collector.log and Collector connection 
is down:

Error the options configuration file contains an invalid line '{%- from 
"opencontrail/map.jinja" import config with context -%}'

This is probably because I do not have any map.jinja file on my Contrail node.

Thanks,
Anda


From: Jakub Pavlik [mailto:jpav...@mirantis.com<mailto:jpav...@mirantis.com>]
Sent: Tuesday, September 19, 2017 12:50 PM
To: Anda Nicolae
Cc: dev@lists.opencontrail.org<mailto:dev@lists.opencontrail.org>
Subject: Re: [opencontrail-dev] Multiple domains support in Contrail 3.2.5.0

Hi Anda,

do you have configured this 
https://github.com/salt-formulas/salt-formula-opencontrail/blob/master/opencontrail/files/3.0/contrail-keystone-auth.conf#L14

Jakub

On Tue, Sep 19, 2017 at 11:40 AM, Anda Nicolae 
<anico...@lenovo.com<mailto:anico...@lenovo.com>> wrote:
Hi all,

I am using Contrail 3.2.5.0 on a RHEL server. I have 3 nodes: an OpenStack 
controller, a Contrail controller and a Contrail compute.
Do you know whether Contrail supports multiple domains?
I know that OpenStack supports multiple domains when keystone v3 is used, but 
Contrail processes do not seem to work OK with keystone v3.

Thanks,
Anda

_______________________________________________
Dev mailing list
Dev@lists.opencontrail.org<mailto:Dev@lists.opencontrail.org>
http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org



--
Jakub Pavlik
+420 602 177 027<tel:+420%20602%20177%20027>
jpav...@mirantis.com<mailto:jpav...@mirantis.com>



--
Jakub Pavlik
+420 602 177 027<tel:+420%20602%20177%20027>
jpav...@mirantis.com<mailto:jpav...@mirantis.com>



--
Jakub Pavlik
+420 602 177 027
jpav...@mirantis.com<mailto:jpav...@mirantis.com>
_______________________________________________
Dev mailing list
Dev@lists.opencontrail.org
http://lists.opencontrail.org/mailman/listinfo/dev_lists.opencontrail.org

Reply via email to