Re: [Openstack] Object Storage Swift on rhel6.0
Your config file looks fine Sudhakar (included below, sent offline).

Have you checked your syslog (/var/log/syslog) for errors?

    [DEFAULT]
    #cert_file = /etc/swift/cert.crt
    #key_file = /etc/swift/cert.key
    bind_port = 8080
    bind_ip = 10.30.91.80
    workers = 8
    user = swift

    [pipeline:main]
    pipeline = healthcheck cache swauth proxy-server

    [app:proxy-server]
    use = egg:swift#proxy
    allow_account_management = true

    [filter:swauth]
    use = egg:swauth#swauth
    set log_name = swauth
    super_admin_key = swauthkey
    default_swift_cluster = local#https://10.30.91.80:8080/v1

    [filter:healthcheck]
    use = egg:swift#healthcheck

    [filter:cache]
    use = egg:swift#memcache
    memcache_servers = 10.30.91.80:11211

On 23 February 2012 04:39, Sudhakar Maiya sma...@gmail.com wrote:
please check and let me know what needs to be done

On Wed, Feb 22, 2012 at 7:31 PM, Adrian Smith adrian_f_sm...@dell.com wrote:
Is there anything of interest in your logs? This will either be /var/log/syslog or /var/log/swift/?. Depends how you configured it in /etc/swift/proxy-server.conf.

On 22 February 2012 13:47, Sudhakar Maiya sma...@gmail.com wrote:
when i tried with below command

    swauth-add-user -K swauthkey -A http://10.30.91.80:8080/auth/ -a system root testpass

error

    Account creation failed: 500 Server Error
    User creation failed: 500 Server Error

Regards
Sudhakar

On Wed, Feb 22, 2012 at 4:07 PM, Adrian Smith adrian_f_sm...@dell.com wrote:
Could be a problem with the URL (/swauth rather than /auth). Try this,

    swauth-add-user -K swauthkey -A http://10.30.91.80:8080/auth/ -a system root testpass

On 22 February 2012 10:16, Sudhakar Maiya sma...@gmail.com wrote:
Hi,

after successful configuration of openstack object storage.. i tried to test the installation

    swauth-add-user -K swauthkey -A http://10.30.91.80:8080/swauth/ -a system root testpass

error on /var/log/meesage

    Feb 21 22:06:18 ostack-proxyserver proxy-server ERROR with Account server 10.30.91.84:6042/sdb13 re: Trying to get account info for /v2: Connection refused (client_ip: 10.30.91.80)
    Feb 21 22:06:18 ostack-proxyserver proxy-server ERROR with Account server 10.30.91.84:6052/sdb14 re: Trying to get account info for /v2: Connection refused (client_ip: 10.30.91.80)
    Feb 21 22:06:18 ostack-proxyserver proxy-server ERROR with Account server 10.30.91.84:6022/sdb11 re: Trying to get account info for /v2: Connection refused (client_ip: 10.30.91.80)
    Feb 21 22:06:18 ostack-proxyserver proxy-server ERROR with Account server 10.30.91.84:6032/sdb12 re: Trying to get account info for /v2: Connection refused (client_ip: 10.30.91.80)
    Feb 21 22:06:18 ostack-proxyserver proxy-server 10.30.91.80 10.30.91.80 22/Feb/2012/04/06/18 PUT /swauth/v2/system/root HTTP/1.0 401 - - - - - - - - 0.0151

can any one help me on this

regards
Sudhakar

On Tue, Feb 21, 2012 at 7:20 PM, Jasper Capel jasper.ca...@spilgames.com wrote:
Change use = egg:swift#swauth to use = egg:swauth#swauth.

Cheers,
Jasper

On Feb 21, 2012, at 2:25 PM, Sudhakar Maiya wrote:
yes i have installed rpm

On Tue, Feb 21, 2012 at 6:53 PM, Chmouel Boudjnah chmo...@chmouel.com wrote:
Hi,

On Tue, Feb 21, 2012 at 12:48 PM, Sudhakar Maiya sma...@gmail.com wrote:

    LookupError: Entry point 'swauth' not found in egg 'swift' (dir: /usr/lib/python2.6/site-packages; protocols: paste.filter_factory, paste.filter_app_factory; entry_points: )

did you install Pete's swauth rpm? http://people.redhat.com/zaitcev/tmp/

Cheers,
Chmouel.
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
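The checks this thread worked through by hand (the swauth filter loaded from the wrong egg, and the review of the proxy config) can be scripted. The following is an added example, not code from the thread or from Swift or swauth; `lint_proxy_conf`, the finding names and the 16-character key threshold are assumptions made here, as is reading `default_swift_cluster` as `name#public_url[#local_url]`.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: the proxy-server.conf quoted in the thread, with the
# swauth filter still loaded from the swift egg (the state before Jasper's fix).
SAMPLE_CONF = """\
[DEFAULT]
#cert_file = /etc/swift/cert.crt
#key_file = /etc/swift/cert.key
bind_port = 8080
bind_ip = 10.30.91.80
workers = 8
user = swift

[pipeline:main]
pipeline = healthcheck cache swauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true

[filter:swauth]
use = egg:swift#swauth
set log_name = swauth
super_admin_key = swauthkey
default_swift_cluster = local#https://10.30.91.80:8080/v1

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.30.91.80:11211
"""


def lint_proxy_conf(text, min_key_len=16):
    """Return (finding, detail) tuples for a Swift proxy-server.conf.

    Finding names and the key-length threshold are choices made for this
    example; they are not part of Swift or swauth.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    defaults = cfg.defaults()
    findings = []

    # Every name in the pipeline needs a [filter:NAME] or [app:NAME] section.
    for name in cfg.get("pipeline:main", "pipeline", fallback="").split():
        if not any(cfg.has_section(kind + name) for kind in ("filter:", "app:")):
            findings.append(("pipeline-entry-undefined", name))

    if not cfg.has_section("filter:swauth"):
        return findings

    # swauth is packaged separately from swift; loading it from the swift egg
    # produces the LookupError quoted in the thread.
    use = cfg.get("filter:swauth", "use", fallback="")
    if use != "egg:swauth#swauth":
        findings.append(("swauth-wrong-egg", use))

    # The super admin key authorises account and user creation, so a short
    # value is flagged (the threshold is an assumption of this example).
    key = cfg.get("filter:swauth", "super_admin_key", fallback="")
    if len(key) < min_key_len:
        findings.append(("weak-super-admin-key", "%d characters" % len(key)))

    # Assumptions: default_swift_cluster is name#public_url[#local_url], and
    # the proxy serves TLS itself only when cert_file and key_file are set.
    parts = cfg.get("filter:swauth", "default_swift_cluster", fallback="").split("#")
    if len(parts) >= 2:
        url = urlsplit(parts[-1])
        tls_on = "cert_file" in defaults and "key_file" in defaults
        points_at_proxy = (url.hostname == defaults.get("bind_ip")
                           and str(url.port) == defaults.get("bind_port"))
        if points_at_proxy and (url.scheme == "https") != tls_on:
            findings.append(("cluster-url-scheme-mismatch", parts[-1]))
    return findings


if __name__ == "__main__":
    for finding, detail in lint_proxy_conf(SAMPLE_CONF):
        print(finding, "->", detail)
```

A finding is a prompt to look, not a diagnosis: the scheme check only fires when the cluster URL names the proxy's own bind address and port.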
Re: [Openstack] Essex-4 Installfest March 8, 2012
andi abes wrote:
> Essex-4 is almost here, and once it comes out, you’d probably want to install it.

Good idea ! Don't forget to feed back the bugs you encounter, so that we can fix them in the release candidates we'll have up to final release of Essex (2012.1) planned on April 5.

Cheers,

--
Thierry Carrez (ttx)
Release Manager, OpenStack
Re: [Openstack] Object Storage Swift on rhel6.0
attached the log file. i stop all firewall services. please let me know what can be done

regards
Sudhakar
Re: [Openstack] Nova VMware support improvements
We have recently updated the XenServer/XCP code so the storage is configurable, if you want a pattern to copy.
https://github.com/citrix-openstack/nova/blob/everett/nova/virt/xenapi/vm_utils.py

If I remember correctly, they assumed standalone ESX hosts with local storage, so never got around to adding a flag to configure which storage is used.

Cheers,
John

-Original Message-
From: openstack-bounces+john.garbutt=eu.citrix@lists.launchpad.net [mailto:openstack-bounces+john.garbutt=eu.citrix@lists.launchpad.net] On Behalf Of Graham Hagger
Sent: 23 February 2012 01:27
To: Ewan Mellor
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Nova VMware support improvements

Right now I'd mostly like to know what the reasoning was behind making the driver only pick the first available local datastore, rather than making it configurable?

Also, on http://nova.openstack.org/vmwareapi_readme.html it mentions nova.network.vmwareapi_net for vlan networking support, but it doesn't appear to actually exist in the code - am I missing something?

At present I'm just evaluating OpenStack, but support for configurable vmware storage options is one of the first things I'd look to add if it gets picked up. Right now my Python foo is somewhat lacking, but I'll happily contribute what I can when the need arises.

Thanks,
Graham

On Wed, Feb 22, 2012 at 2:03 AM, Ewan Mellor ewan.mel...@eu.citrix.com wrote:
It's generally working OK; we (Citrix) did a bit of work on it a couple of months ago. It's not going to get much attention in the near future though, so if you're keen to keep it up to date you'd be more than welcome to get involved.

Cheers,
Ewan.

From: openstack-bounces+ewan.mellor=citrix@lists.launchpad.net [mailto:openstack-bounces+ewan.mellor=citrix@lists.launchpad.net] On Behalf Of Graham Hagger
Sent: Monday, February 20, 2012 11:01 AM
To: openstack@lists.launchpad.net
Subject: [Openstack] Nova VMware support improvements

Greetings all,

Is anyone actively working to improve the VMware support within Nova, and is there any kind of roadmap for enhancements? I can find general information about the direction of the project, but nothing specific to VMware right now.

Many thanks,
Graham
Re: [Openstack] Essex-4 Installfest March 8, 2012
On Thu, Feb 23, 2012 at 1:10 AM, andi abes andi.a...@gmail.com wrote:
> If you're going to be hacking at the same time, let's connect!

Excellent timing, we plan Fedora OpenStack Test Day on the same day:
https://fedoraproject.org/wiki/Test_Day:2012-03-08_OpenStack_Test_Day

Cheers,
Alan
Re: [Openstack] Security Group Rule Refresh
OK - I'll put a description into launchpad along with our notes on how we're proposing to fix this on our Diablo branch (as there is a performance related change in here as well).

As with the previous performance change it will take us some time to get an Essex compatible fix - but if I provide all the details perhaps someone else can pick this up in parallel.

Phil

From: openstack-bounces+philip.day=hp@lists.launchpad.net [mailto:openstack-bounces+philip.day=hp@lists.launchpad.net] On Behalf Of Vishvananda Ishaya
Sent: 22 February 2012 22:00
To: McNally, Dave (HP Cloud Services)
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Security Group Rule Refresh

Maybe soren has a comment on this, but as far as I can tell it looks like a bug. It seems getting a list of instances that are in that group and refreshing those would be the right approach.

Vish

On Feb 22, 2012, at 9:13 AM, McNally, Dave (HP Cloud Services) wrote:
Hi all,

Currently I'm trying to track how a refresh of the security groups is handled (upon creation or deletion of a vm). Following through the code I get to 'do_refresh_security_group_rules' in libvirt/firewall.py. Up to this point the security group in question has been carried through however it seems to be discarded here and rather than filtering the instances to refresh the rules for based on this group it looks to me like all instances on the current host are iterated through and then there is an attempt to update the rules for all these instances.

Is this full refresh necessary/intentional? If so can anyone tell me why it's required?

Thanks,
Dave
Re: [Openstack] Object Storage Swift on rhel6.0
On Thu, Feb 23, 2012 at 9:53 AM, Sudhakar Maiya sma...@gmail.com wrote:
> attached the log file.

    packages/swauth/middleware.py, line 510, in handle_prep#012(path, resp.status))#012Exception: Could not create the main auth account: /v1/AUTH_.auth 503 Internal Server Error#012:

Have you checked file permissions on the disk?

Cheers,
Chmouel.
Re: [Openstack] Object Storage Swift on rhel6.0
what is the permission do i need to give

i have given like this

    /dev/sdb6    5.0G   33M  5.0G   1% /srv/node/sdb6
    /dev/sdb7    5.0G   33M  5.0G   1% /srv/node/sdb7
    /dev/sdb8    5.0G   33M  5.0G   1% /srv/node/sdb8
    /dev/sdb9    5.0G   33M  5.0G   1% /srv/node/sdb9
    /dev/sdb10   5.0G   33M  5.0G   1% /srv/node/sdb10
    /dev/sdb11   5.0G   33M  5.0G   1% /srv/node/sdb11
    /dev/sdb12   5.0G   33M  5.0G   1% /srv/node/sdb12
    /dev/sdb13   5.0G   33M  5.0G   1% /srv/node/sdb13
    /dev/sdb14   5.0G   33M  5.0G   1% /srv/node/sdb14
    [root@ostack-acctainerserver node]#
    [root@ostack-acctainerserver node]# ls -l
    total 4
    drwxr-xr-x 2 swift swift 4096 Feb 20 20:24 sdb1
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb10
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb11
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb12
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb13
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb14
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb5
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb6
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb7
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb8
    drwxr-xr-x 2 swift swift    6 Feb 21 17:39 sdb9
    [root@ostack-acctainerserver node]#
Re: [Openstack] Object Storage Swift on rhel6.0
Try adding the following line to the [app:proxy-server] section of your proxy config file, i.e. just below allow_account_management = true

    account_autocreate = true
Re: [Openstack] Object Storage Swift on rhel6.0
No luck :(
Re: [Openstack] Security Group Rule Refresh
2012/2/22 McNally, Dave (HP Cloud Services) dave.mcna...@hp.com:
> Currently I’m trying to track how a refresh of the security groups is handled (upon creation or deletion of a vm). Following through the code I get to ‘do_refresh_security_group_rules’ in libvirt/firewall.py. Up to this point the security group in question has been carried through however it seems to be discarded here and rather than filtering the instances to refresh the rules for based on this group it looks to me like all instances on the current host are iterated through and then there is an attempt to update the rules for all these instances.
>
> Is this full refresh necessary/intentional? If so can anyone tell me why it’s required?

I forget the exact history here (i.e. why some of the method calls include it and why some don't), but there are three reasons I decided to do a full refresh:

1. deal with the situation where a refresh call to one of the compute nodes got lost. If that happened, at least it would all get sorted out on the next refresh.

2. the routine that turned the rules from the database into iptables rules was complex enough as it was. Making it remove only rules for a single security group or a single instance or whatever would make it even worse.

3. The difference in terms of efficiency is minuscule. iptables replaces full tables at a time anyway, and while the relative amount of data needed to be fetched from the database might be much larger than with a more selective refresh, the absolute amount of data is still pretty small.

Point 1 could be addressed now by a periodical refresh of the rules, if one was so inclined.

Point 2 should be more palatable now that the simpler implementation has proven itself.

Point 3 might be less true now. In the beginning, there were separate chains for each security group, now it's just one big list, IIRC. That may change things.

--
Soren Hansen | http://linux2go.dk/
Senior Software Engineer | http://www.cisco.com/
Ubuntu Developer | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
Re: [Openstack] Nova VMware support improvements
> Also, on http://nova.openstack.org/vmwareapi_readme.html it mentions nova.network.vmwareapi_net for vlan networking support, but it doesn't appear to actually exist in the code - am I missing something?

You are correct, vmwareapi_net.py was removed some time back, when hypervisor driver API (xenapi or vmwareapi) specific network interface drivers and new flags (xenapi_vif_driver for xenapi, vmware_vif_driver for vmwareapi) were introduced.

I have reported a bug (https://bugs.launchpad.net/bugs/939480) and proposed the updated documentation for upstream merge.

Regards,
Sateesh
[Openstack] SmokeStack update
This week, we switched Smokestack over to use a Fedora/puppet configuration that Derek Higgins and I have been working on. You can see those results in gerrit now. It seems very stable and supports running Nova smoke tests and Torpedo.

We plan on focussing our trunk chasing on Fedora/puppet/libvirt. I'd love to see someone else pick up the Ubuntu/chef/Xen support. Any takers?

Dan
Re: [Openstack] Security Group Rule Refresh
Hi Soren, Thanks for the insight, a few questions / comments: 1 deal with the situation where a refresh call to one of the compute nodes got lost. If that happened, at least it would all get sorted out on the next refresh. Can see the advantage of this, but on an active system this can be quite an overhead compared to a periodic refresh. 2 the routine that turned the rules from the database into iptables rules was complex enough as it was. Making it remove only rules for a single security group or a single instance or whatever would make it even worse. I wonder if we're talking about the same driver - the code we're looking at is in the IptablesFirewallDriver in libvirt/firewall.py (which I think is moved up to virt/firewall.py in Essex). That seems to create a chain per Instance and do the update on a per instance basis, so I'm not quite sure I understand your point ? 3 The difference in terms of efficiency is miniscule. iptables replaces full tables at a time anyway, and while the relative amount of data needed to be fetched from the database might be much larger than with a more selective refresh, the absolute amount of data is still pretty small. It may be that we're hitting a particular case - but we have a test system with 10's of VMs per host, on not many hosts, and some groups with 70+ VMs and a rule set that references the security group itself. So every VM in that group that gets refreshed (and there are many on each host) has to rebuild rules for each VM in the group. The impact of this overhead on every VM create and delete in un-related groups is killing the system - eps as the update code doesn't yield so other tasks on the compute node (such as the create itself are blocked). Point 2 should be more palatable now that the simpler implementation has proven itself. 
Could you clarify which simpler implementation you're referring to - I've seen the NWFilterFirewall class and its associated comment block, but it wasn't clear to me under what circumstances it would be worth switching to this? Thanks, Phil -Original Message- From: openstack-bounces+philip.day=hp@lists.launchpad.net [mailto:openstack-bounces+philip.day=hp@lists.launchpad.net] On Behalf Of Soren Hansen Sent: 23 February 2012 12:53 To: McNally, Dave (HP Cloud Services) Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Security Group Rule Refresh 2012/2/22 McNally, Dave (HP Cloud Services) dave.mcna...@hp.com: Currently I’m trying to track how a refresh of the security groups is handled (upon creation or deletion of a vm). Following through the code I get to ‘do_refresh_security_group_rules’ in libvirt/firewall.py. Up to this point the security group in question has been carried through however it seems to be discarded here and rather than filtering the instances to refresh the rules for based on this group it looks to me like all instances on the current host are iterated through and then there is an attempt to update the rules for all these instances. Is this full refresh necessary/intentional? If so can anyone tell me why it’s required? I forget the exact history here (i.e. why some of the method calls include it and why some don't), but there are three reasons I decided to do a full refresh: 1 deal with the situation where a refresh call to one of the compute nodes got lost. If that happened, at least it would all get sorted out on the next refresh. 2 the routine that turned the rules from the database into iptables rules was complex enough as it was. Making it remove only rules for a single security group or a single instance or whatever would make it even worse. 3 The difference in terms of efficiency is minuscule. 
iptables replaces full tables at a time anyway, and while the relative amount of data needed to be fetched from the database might be much larger than with a more selective refresh, the absolute amount of data is still pretty small. Point 1 could be addressed now by a periodical refresh of the rules, if one was so inclined. Point 2 should be more palatable now that the simpler implementation has proven itself. Point 3 might be less true now. In the beginning, there were separate chains for each security group, now it's just one big list, IIRC. That may change things. -- Soren Hansen | http://linux2go.dk/ Senior Software Engineer | http://www.cisco.com/ Ubuntu Developer | http://www.ubuntu.com/ OpenStack Developer | http://www.openstack.org/
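The scaling argument in this thread (a large group whose rules reference the group itself, rebuilt in full on every unrelated create or delete), worked through as a small cost model. This is an added example and not Nova's firewall driver: the class names, the topology, and the counting rule (one iptables rule per member of a source group) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    cidr: Optional[str] = None          # plain source range, or
    source_group: Optional[str] = None  # "allow from every member of this group"


@dataclass(frozen=True)
class Instance:
    host: str
    ip: str
    groups: Tuple[str, ...]


class Cloud:
    """Hypothetical model: security groups plus the instances that use them."""

    def __init__(self, groups: Dict[str, List[Rule]], instances: List[Instance]):
        self.groups = groups
        self.instances = instances

    def member_ips(self, group: str) -> List[str]:
        return [i.ip for i in self.instances if group in i.groups]

    def chain_for(self, inst: Instance) -> List[str]:
        """Expand one instance's groups into iptables-style rule strings."""
        lines = []
        for name in inst.groups:
            for rule in self.groups[name]:
                # A group-sourced rule becomes one rule per member address.
                if rule.source_group is None:
                    sources = [rule.cidr]
                else:
                    sources = self.member_ips(rule.source_group)
                for src in sources:
                    lines.append(
                        f"-A inst-{inst.ip} -s {src} -p {rule.proto} "
                        f"--dport {rule.port} -j ACCEPT"
                    )
        return lines

    def affected_groups(self, changed: str) -> set:
        """The changed group plus every group holding a rule sourced from it."""
        hit = {changed}
        for name, rules in self.groups.items():
            if any(r.source_group == changed for r in rules):
                hit.add(name)
        return hit

    def full_refresh(self, host: str) -> int:
        """Rules rebuilt when every instance on the host is refreshed."""
        return sum(len(self.chain_for(i)) for i in self.instances if i.host == host)

    def selective_refresh(self, host: str, changed: str) -> int:
        """Rules rebuilt when only instances touched by `changed` are refreshed."""
        hit = self.affected_groups(changed)
        return sum(
            len(self.chain_for(i))
            for i in self.instances
            if i.host == host and hit.intersection(i.groups)
        )


def build_constructed_cloud() -> Cloud:
    """Constructed topology: 4 hosts, a 72-member self-referencing group, a small one."""
    groups = {
        "web": [Rule("tcp", 22, source_group="web"), Rule("tcp", 80, cidr="0.0.0.0/0")],
        "batch": [Rule("tcp", 22, cidr="10.0.0.0/8")],
    }
    instances = []
    for h in range(4):
        for n in range(18):
            instances.append(Instance(f"host{h}", f"10.1.{h}.{n + 1}", ("web",)))
        for n in range(2):
            instances.append(Instance(f"host{h}", f"10.2.{h}.{n + 1}", ("batch",)))
    return Cloud(groups, instances)


if __name__ == "__main__":
    cloud = build_constructed_cloud()
    # A VM in the unrelated "batch" group is created or deleted on host0.
    print("full refresh     :", cloud.full_refresh("host0"), "rules rebuilt")
    print("selective refresh:", cloud.selective_refresh("host0", "batch"), "rules rebuilt")
```

The selective variant still needs the periodic full refresh from Soren's point 1 to recover from a lost refresh call.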
[Openstack] Running for Nova PTL
I've put my name on the ballot for Nova PTL, and I'd like to explain what I expect to do (my platform, if you will). Nova is facing many separate, but related problems. * Nova is too big. Very few (if any) core developers are comfortable reviewing every part of the code base. In itself, this isn't necessarily a problem, but I think it would be valuable to try to somehow acknowledge that the average focus is much narrower than all of nova. * Lots of things in Nova that should be orthogonal are not. This problem is especially prevalent in the virtualisation layer. The layout and number of disks you get attached to instances shouldn't depend on the hypervisor you've chosen, but it does. There is lots and lots and lots of logic embedded in both the libvirt and XenServer drivers that isn't related to the hypervisor, but is a result of the origin of these drivers. * The overall quality is decreasing There's an almost unilateral focus on features across the board. The topic of almost every session at the summit is some new feature. There is very little focus on stability, predictability and operation. Personally, I think that shows very clearly in the final product. I'd like to try to shift our focus and turn the proverbial ship around. I'd like to remove any incentive to rush things into Nova trunk. 1. A much shorter release cycle (as Thierry also suggests[1]) would be very beneficial. No one wants to have to wait an extra 6 months getting some new feature in just because it missed the feature freeze. However, just a single month of delay... That should be manageable in most cases. 2. I'd like to make it more straightforward to have things mature somewhere separate from Nova trunk, but still make it easy to collaborate on them or get people to test them. 3. I'd like to encourage a stronger focus on QA and testing. Specifically, I'd love to have more people focused on making it easier to test things in Nova. 
Tempest is a great effort, but the unit test suite is our first line of defence. It should be fast and comprehensive. Right now, it's neither. 4. I'd like a stronger focus on extensibility and pluggability. 5. I'd like us to rethink our configuration management strategy. So far, we've punted on it and deferred to deployers to choose between Puppet, Chef or whatever else to handle this. However, many things will crash and burn if the configuration of various components is out of sync with each other or with the database. This is particularly clear in the networking area. [1]: http://fnords.wordpress.com/2012/02/21/open-dev-releases-quality/ -- Soren Hansen | http://linux2go.dk/ Senior Software Engineer | http://www.cisco.com/ Ubuntu Developer | http://www.ubuntu.com/ OpenStack Developer | http://www.openstack.org/
Re: [Openstack] Swift S3 with Keystone anyone?
Hi all, My co-worker built swift e3 environment (thank you Eguchi-san), so I checked my patch and fix it. Then, I checked the last s3_token.py and swift3.py. I found two problems. a) swift3 sets HTTP_X_AUTH_TOKEN (= X-Auth-Token?) in constructors of ServiceController, BucketController and ObjectController with base64ed canonical_string(req). I think it's NOT necessary when s3_token already sets X-Auth-Token header. b) swift3 gets account information from Authorization header (I'm sorry that I called it 'Signature' header) but it's an EC2 access key. I think it's better to create a new header for account information to pass it to swift3, but it's a solution to rewrite Authorization header in s3_token.py like below: diff --git a/keystone/middleware/s3_token.py b/keystone/middleware/s3_token.py index 8cf3e0a..f8c6a14 100644 --- a/keystone/middleware/s3_token.py +++ b/keystone/middleware/s3_token.py @@ -122,6 +122,7 @@ class S3Token(object): raise req.headers['X-Auth-Token'] = token_id +req.headers['Authorization'] = 'AUTH_%s:dummy' % tenant[0] environ['PATH_INFO'] = environ['PATH_INFO'].replace( account, 'AUTH_%s' % tenant[0]) return self.app(environ, start_response) p.s. One more thing. Swift3.py returns illegal status for request to nonexistent buckets, so euca-upload-bundle will fail when uploading some files to a new bucket. I'm using euca-upload-bundle for keystoned swift with a patch below: diff -u swift3.py ~/swift3.py --- swift3.py 2012-02-23 21:40:10.0 +0900 +++ /root/swift3.py 2012-02-23 22:28:22.0 +0900 @@ -240,7 +240,7 @@ if status == 401: return get_err_response('AccessDenied') elif status == 404: -return get_err_response('InvalidBucketName') +return get_err_response('NoSuchBucket') else: return get_err_response('InvalidURI') 
@@ -311,7 +311,7 @@ if status == 401: return get_err_response('AccessDenied') elif status == 404: -return get_err_response('InvalidBucketName') +return get_err_response('NoSuchBucket') elif status == 409: return get_err_response('BucketNotEmpty') else: Best regards, Akira YOSHIYAMA akirayoshiy...@gmail.com On 19 February 2012 at 10:20, Akira Yoshiyama akirayoshiy...@gmail.com wrote: Hi all, I'm sorry for my previous post. Thank you Pete for your work. I think your s3token middleware has to modify the S3 Signature header from Signature: EC2ACCESSKEY:signaturehash to Signature: USERID:anything for swift3 middleware without my original patch for it. And I'm sorry for being late. Unfortunately, I'm not a programmer of OpenStack but an OSS system engineer, so I don't have enough time to develop OpenStack. Best regards, Akira Yoshiyama 2012/2/19 Akira Yoshiyama akirayoshiy...@gmail.com: Hi, 2012/02/18 0:36 Chmouel Boudjnah chmo...@chmouel.com: On 17 Feb 2012, at 06:12, Pete Zaitcev wrote: - A S3Token middleware which is based on Akira version with some fixes. Yeah, that looks beautiful... Unfortunately the back-end inherits the old problem: it authorizes against EC2 credentials instead of Swift credentials. The result is, if two applications A and B use different access methods, CF and S3, to the same account, they do not see each other's objects. It happens because the storage URL returned by Keystone differs for them, as far as I can discern. This is actually supported as mentioned in my temporary doc[1] see the transcript here: http://pastie.org/3401911 this made of from a fresh devstack with a few tweaks to the configurations. I plan to add this to devstack but I am waiting first for some of my other review to get approved to push those changes and be able to get rid of swift-keystone2 for good. S3token middleware: https://review.openstack.org/#change,3910 Swift token middleware: https://review.openstack.org/#change,3911 Do you still want reviews on these, after the merge of redux? 
This has been merged to keystone master, feel free to review the one that adds reseller admin support : https://review.openstack.org/#change,4234 and the doc update : https://review.openstack.org/#change,4233 The reseller admin will allow us ultimately to have swift acting as a nova-objectstore for nova. I have more plans for the middleware, I'd like to get the compressive tempauth testsuite running on swiftauth with almost no modifications and add along the way anonymous user object access via ACL. Let me know if you have questions. Cheers, Chmouel. PS: re-adding openstack@ as this may be useful for everyone. [1] http://p.chmouel.com/swift-keystonelight-s3.txt
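Review bot: in the s3_token.py hunk, the added `req.headers['Authorization'] = 'AUTH_%s:dummy' % tenant[0]` line overwrites the client's signed Authorization header with a fixed placeholder signature, so nothing behind this middleware can distinguish a request S3Token validated from one that simply arrived carrying an `AUTH_<tenant>:dummy` header. That is only safe if every route to swift3 passes through S3Token first; I would rather carry the tenant in a separate header or environ key, which the message itself names as the better option, and leave the original header untouched. If the rewrite stays, it needs a comment saying that the signature part is deliberately a dummy and why swift3 only reads the account part.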
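Review bot: no test accompanies the 404 remapping in either swift3.py hunk (the one at line 240 and the one at line 311), and the message reports the old behaviour only through a failing euca-upload-bundle run. `NoSuchBucket` is the S3 error code for a missing bucket, so the direction is right, but please add a test per handler asserting that a 404 from the backend yields NoSuchBucket, and check the rest of the file for other 404 branches that still return `InvalidBucketName`. The surrounding `else` still maps every other status to `InvalidURI`, which deserves the same look. The diff is also taken against `/root/swift3.py` rather than a repository-relative path, so it should be regenerated from the tree before submission.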
[Openstack] understanding ephemeral and persistent volumes
Hi all, I'd like to understand how things go with ephemeral and persistent volumes. For instance, say that my gold images are stored in a Swift storage network, connected to Glance. When I ask Nova to boot the VM, - will the disk image stay in Swift storage? - will the physical compute node copy the image from Swift to its local filesystem? - will ephemeral volumes be stored on local compute node filesystem whereas persistent drives be stored in Swift? According to these answers, I'll know if the compute nodes of my cloud should have disks attached or if no data will ever be stored on these nodes even when VMs are running. Maybe this is documented somewhere, but I didn't find clear information about ephemeral and persistent volume management. thank you, Michaël -- Michaël Van de Borne RD Engineer, SOA team, CETIC Phone: +32 (0)71 49 07 45 Mobile: +32 (0)472 69 57 16, Skype: mikemowgli www.cetic.be, rue des Frères Wright, 29/3, B-6041 Charleroi
Re: [Openstack] SmokeStack update
On Thu, Feb 23, 2012 at 6:06 AM, Dan Prince dpri...@redhat.com wrote: This week, we switched Smokestack over to use a Fedora/puppet configuration that Derek Higgins and I have been working on. that is great news You can see those results in gerrit now. It seems very stable and supports running Nova smoke tests and Torpedo. We plan on focussing our trunk chasing on Fedora/puppet/libvirt. I'd love to see someone else pick up the Ubuntu/chef/Xen support. Any takers? I am happy to work on Ubuntu/Puppet/Xen and Ubuntu/Puppet/libvirt (or any anything Puppet related) -Dan Dan
Re: [Openstack] Running for Nova PTL
On Thu, Feb 23, 2012 at 9:17 AM, Soren Hansen so...@linux2go.dk wrote: I've put my name on the ballot for Nova PTL, and I'd like to explain what I expect to do (my platform, if you will). Nova is facing many separate, but related problems. * Nova is too big. Very few (if any) core developers are comfortable reviewing every part of the code base. In itself, this isn't necessarily a problem, but I think it would be valuable to try to somehow acknowledge that the average focus is much narrower than all of nova. This has been one of my biggest concerns since I started using OpenStack... * Lots of things in Nova that should be orthogonal are not. This problem is especially prevalent in the virtualisation layer. The layout and number of disks you get attached to instances shouldn't depend on the hypervisor you've chosen, but it does. There is lots and lots and lots of logic embedded in both the libvirt and XenServer drivers that isn't related to the hypervisor, but is a result of the origin of these drivers. And this has been my very biggest concern, as I believe it is the root cause for other things which I am keenly interested in seeing addressed (e.g., quality, maintainability, interoperability, etc.). Soren, if elected, by what processes/policies etc. would you accomplish these goals? Are there blueprints that already exist which you would rally folks around? Or would you introduce a new effort to more thoroughly componentize OpenStack? More specifically, how do you envision: 1) clarifying what needs to be done 2) building consensus around this, and 3) accomplishing these goals? (it's a lot of work!) Thanks, d * The overall quality is decreasing There's an almost unilateral focus on features across the board. The topic of almost every session at the summit is some new feature. There is very little focus on stability, predictability and operation. Personally, I think that shows very clearly in the final product. 
I'd like to try to shift our focus and turn the proverbial ship around. I'd like to remove any incentive to rush things into Nova trunk. 1. A much shorter release cycle (as Thierry also suggests[1]) would be very beneficial. No one wants to have to wait an extra 6 months getting some new feature in just because it missed the feature freeze. However, just a single month of delay... That should be manageable in most cases. 2. I'd like to make it more straightforward to have things mature somewhere separate from Nova trunk, but still make it easy to collaborate on them or get people to test them. 3. I'd like to encourage a stronger focus on QA and testing. Specifically, I'd love to have more people focused on making it easier to test things in Nova. Tempest is a great effort, but the unit test suite is our first line of defence. It should be fast and comprehensive. Right now, it's neither. 4. I'd like a stronger focus on extensibility and pluggability. 5. I'd like us to rethink our configuration management strategy. So far, we've punted on it and deferred to deployers to choose between Puppet, Chef or whatever else to handle this. However, many things will crash and burn if the configuration of various components is out of sync with each other or with the database. This is particularly clear in the networking area. [1]: http://fnords.wordpress.com/2012/02/21/open-dev-releases-quality/ -- Soren Hansen | http://linux2go.dk/ Senior Software Engineer | http://www.cisco.com/ Ubuntu Developer | http://www.ubuntu.com/ OpenStack Developer | http://www.openstack.org/
Re: [Openstack] OpenStack Governance Elections Spring 2012
One important (and apparently often overlooked) part of your email is this: *How to register to vote for Project Policy Board * Any registered member of the OpenStack Launchpad group is eligible to vote for the Project Policy Board. If you want to vote you need to register to Launchpad and add yourself to the public OpenStack group on https://launchpad.net/~openstack before registering as a voter using the form at http://ppbelectionsregistration.openstack.org/. Company affiliation is only collected as an interesting statistic; it has no effect on the outcome of the election. Register to vote before the end of the week! -- Thierry Carrez (ttx) Release Manager, OpenStack
Re: [Openstack] OpenStack Governance Elections Spring 2012
On Thu, 2012-02-23 at 18:07 +0100, Thierry Carrez wrote: One important (and apparently often overlooked) part of your email is this: Indeed, thank you Thierry. Let me try to be even clearer about this: ** REGISTER HERE OR YOU WON'T VOTE http://ppbelectionsregistration.openstack.org/ DO IT NOW **
Re: [Openstack] Running for Nova PTL
I'd love to hear more specifics about what needs more focus. These issues are large and have been the major focus of the core team for a while. * Nova is too big. Very few (if any) core developers are comfortable reviewing every part of the code base. In itself, this isn't necessarily a problem, but I think it would be valuable to try to somehow acknowledge that the average focus is much narrower than all of nova. As for services, a major amount of work has been done to improve the situation, such as: - volumes: once a name is agreed upon (cindr was vish's proposal) volumes can be abstracted during folsom - the internals are now separated and during essex you can deploy as separate endpoints - network: nova-network will be deprecated in folsom assuming successful integration of quantum (as was discussed at the last PPB meeting) - identity: nova's user system was deprecated during diablo and being removed in essex - a migration path exists - ec2 compat: during essex ec2 access/secret was moved to keystone, cert management was decoupled from API Are there additional areas to make nova smaller? For instance, a topic for folsom is how we can move drivers out of core. * Lots of things in Nova that should be orthogonal are not. This problem is especially prevalent in the virtualisation layer. The layout and number of disks you get attached to instances shouldn't depend on the hypervisor you've chosen, but it does. There is lots and lots and lots of logic embedded in both the libvirt and XenServer drivers that isn't related to the hypervisor, but is a result of the origin of these drivers. There was a major push to fix many of the identified issues around parity in Essex by Rackspace Public Cloud, Cloud Builders, and Citrix. For instance the disk configuration issue you mentioned was blueprinted at the last summit and fixed in Essex. Are there specific bugs/blueprints that should be prioritized in folsom? 
* The overall quality is decreasing There's an almost unilateral focus on features across the board. The topic of almost every session at the summit is some new feature. There is very little focus on stability, predictability and operation. Personally, I think that shows very clearly in the final product. I think that your statement is harsh and over-reaching. Unlike previous releases, we've tried to design the milestone structure to have a focus on quality and uniform experience regardless of deployment choices. While there are things that can be improved, we've taken an iterative approach to improving the situation (both during essex and then in discussions at the next summit) I can think of few features that weren't in the name of parity (features existing for only one configuration) The work done by mtaylor jblair on gating merges has led to a much saner trunk. During diablo our team would routinely spend a few hours a day fixing trunk. During Essex the timeframe having a broken trunk was the exception! I look forward to further discussions about improving openstack regardless of who is PTL. Jesse
[Openstack] OpenStack Governance Elections Spring 2012: Action Item For All Candidates
The OpenStack community is electing its Project Technical Leads and two members of the Project Policy Board. Details are at http://www.openstack.org/blog/2012/02/openstack-governance-elections-spring-2012/. On February 26 the nominations will close and the voting process will start on February 28 and finish on March 3rd. The list of nominees is at http://etherpad.openstack.org/Spring2012-Nominees. It’s still open. You must register to vote for PPB on http://ppbelectionsregistration.openstack.org/ Before the voting process starts the election committee asks all nominees to create a page on OpenStack wiki and answer three simple questions: 1a. [for PPB] Since the last elections, what areas have you focused on and what contributions have you made in order to improve OpenStack as a whole? 1b. [for PTL] Since the last elections, what areas have you focused on and what contributions have you made in order to improve your project? 2a. [for PPB] What are the most pressing/important issues facing OpenStack as a whole? 2b. [for PTL] What are the most pressing/important issues facing your project? 3. What is your relationship to OpenStack and why is its success important to you and/or your company? If you’re a candidate, create a wiki page using the template http://wiki.openstack.org/Governance/ElectionsSpring2012/[Firstname_Lastname] and answer those questions there. Feel free to add more content, too. Those pages will be included in the link sent to all voters. The election committee is made of Stefano Maffulli, Lloyd Dewolf and Dave Nielsen.
Re: [Openstack] Uploading Images to nova
Run 'euca-describe-images' it should tell you what you're missing in your environment, or perhaps the error. ( It looks like you have all the environment variables ) The euca-describe-images needs the following EC2_SECRET_KEY EC2_ACCESS_KEY EC2_URL On a side note, uec-publish-tarball didn't work for me on essex-3 ( it worked, but uploaded the image incorrectly). I stole the upload code from devstack and made a little script located on my github repo ( I'm running glance ) https://github.com/thrawn01/dev-tools/blob/master/openstack/publish-uec-image.sh It might be of some help to you. Hope this helps! Derrick, On Wed, Feb 22, 2012 at 5:51 AM, Nicolas Odermatt oderma...@gmail.com wrote: Hey guys, I successfully installed a single-node with the stackops-distro. However I encountered an error while uploading an image to nova using “uec-publish-tarball” command. Here is what I did: //Execute command to upload root@nova-controller:~# uec-publish-tarball lucid-server-cloudimg-amd64.tar.gz images // Error message printed Unable to run euca-describe-images. Is euca2ools environment set up? 
// First of all I checked whether euca2ools were installed: root@nova-controller:~# dpkg --get-selections | grep euca2ools euca2ools install // Then I looked into the environment variables to verify that the novarc file has been sourced: root@nova-controller:/usr/lib/python2.6/dist-packages# env TERM=xterm SHELL=/bin/bash SSH_CLIENT=192.168.163.1 49471 22 EUCALYPTUS_CERT=/root/ipa-cred/cacert.pem OLDPWD=/root SSH_TTY=/dev/pts/0 USER=root NOVA_CERT=/root/ipa-cred/cacert.pem EC2_SECRET_KEY=ec90b740-8f45-49c1-880a-71a8f8f8b6cc NOVA_PROJECT_ID=ipa EC2_USER_ID=42 MAIL=/var/mail/root PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/var/lib/nova/bin/ NOVA_VERSION=1.1 NOVA_USERNAME=nodermatt PWD=/usr/lib/python2.6/dist-packages LANG=en_US.UTF-8 
NOVA_API_KEY=nodermatt NOVA_URL=http://192.168.163.10:8774/v1.1/ SHLVL=1 HOME=/root EC2_URL=http://192.168.163.10:8773/services/Cloud LOGNAME=root SSH_CONNECTION=192.168.163.1 49471 192.168.163.10 22 EC2_ACCESS_KEY=nodermatt:ipa LESSOPEN=| /usr/bin/lesspipe %s EC2_PRIVATE_KEY=/root/ipa-cred/pk.pem S3_URL=http://192.168.163.10: LESSCLOSE=/usr/bin/lesspipe %s %s EC2_CERT=/root/ipa-cred/cert.pem _=/usr/bin/env //After that I took a look into the nova-api.log: root@nova-controller:~/ipa-cred# tail -n10 /var/log/nova/nova-api.log 2012-02-22 11:01:26,999 DEBUG routes.middleware [293b16dd-ca98-46f1-94f3-34469d85ca6e admin 2] Match dict: {'action': u'index', 'controller': nova.api.openstack.wsgi.Resource object at 0x4058d10, 'project_id': u'2'} from (pid=1369) __call__ /usr/lib/pymodules/python2.6/routes/middleware.py:103 2012-02-22 11:01:26,999 INFO nova.api.openstack.wsgi [293b16dd-ca98-46f1-94f3-34469d85ca6e admin 2] GET http://192.168.163.10:8774/v1.1/2/os-keypairs?fresh=1329908486.91 2012-02-22 11:01:27,000 DEBUG nova.api.openstack.wsgi [293b16dd-ca98-46f1-94f3-34469d85ca6e admin 2] Unrecognized Content-Type provided in request from (pid=1369) deserialize_body /var/lib/nova/nova/api/openstack/wsgi.py:231 2012-02-22 11:01:27,004 INFO nova.api.openstack.wsgi [293b16dd-ca98-46f1-94f3-34469d85ca6e admin 2] http://192.168.163.10:8774/v1.1/2/os-keypairs?fresh=1329908486.91 returned with HTTP 200 2012-02-22 11:02:35,731 INFO nova.api.openstack.wsgi [-] GET
Re: [Openstack] Object Storage Swift on rhel6.0
On Thu, 23 Feb 2012 10:09:07 +0530 Sudhakar Maiya sma...@gmail.com wrote: please check and let me know what needs to be done You have to decide if you run with SSL or without. These two clauses obviously contradict each other: [DEFAULT] #cert_file = /etc/swift/cert.crt #key_file = /etc/swift/cert.key bind_port = 8080 bind_ip = 10.30.91.80 [filter:swauth] use = egg:swauth#swauth set log_name = swauth super_admin_key = swauthkey default_swift_cluster = local#https://10.30.91.80:8080/v1 Note that swauth loops right back to Swift in order to serve account information. Make sure you've got the right key, too. -- Pete
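The contradiction Pete points out (TLS keys commented out while default_swift_cluster points at https on the same listener) can be caught mechanically before the proxy is restarted. The following is an added example, not part of the thread or of Swift/swauth; the function name is hypothetical and the `<name>#<url>[#<url>]` layout of default_swift_cluster is assumed from the value shown in the config.

```python
import configparser
from urllib.parse import urlsplit

# The two clauses quoted in the message above, one option per line.
CONF_FROM_THREAD = """\
[DEFAULT]
#cert_file = /etc/swift/cert.crt
#key_file = /etc/swift/cert.key
bind_port = 8080
bind_ip = 10.30.91.80

[filter:swauth]
use = egg:swauth#swauth
set log_name = swauth
super_admin_key = swauthkey
default_swift_cluster = local#https://10.30.91.80:8080/v1
"""

# Constructed variants: either drop TLS from the URL, or enable TLS on the listener.
CONF_PLAIN_HTTP = CONF_FROM_THREAD.replace("local#https://", "local#http://")
CONF_TLS = CONF_FROM_THREAD.replace("#cert_file", "cert_file").replace("#key_file", "key_file")


def check_swauth_scheme(conf_text):
    """Return a list of findings; an empty list means listener and URL agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    defaults = cp.defaults()

    has_cert = bool(defaults.get("cert_file", "").strip())
    has_key = bool(defaults.get("key_file", "").strip())
    findings = []
    if has_cert != has_key:
        findings.append("cert_file and key_file must be set together")
    # The proxy only speaks TLS when both files are configured.
    listener = "https" if (has_cert and has_key) else "http"

    if not cp.has_section("filter:swauth"):
        return findings
    cluster = cp.get("filter:swauth", "default_swift_cluster", fallback="")
    if not cluster:
        return findings

    # Assumed layout: <cluster name>#<url>[#<url>]
    name, *urls = cluster.split("#")
    bind_ip = defaults.get("bind_ip", "0.0.0.0")
    bind_port = defaults.get("bind_port", "8080")
    for url in urls:
        parts = urlsplit(url)
        # Only judge URLs that loop back to this very listener; a URL that
        # points at a separate TLS terminator is outside what this file shows.
        same_host = bind_ip == "0.0.0.0" or parts.hostname == bind_ip
        if same_host and str(parts.port) == bind_port and parts.scheme != listener:
            findings.append(
                f"default_swift_cluster '{name}' uses {parts.scheme}:// but the "
                f"proxy on {bind_ip}:{bind_port} is configured for {listener}://"
            )
    return findings


if __name__ == "__main__":
    for label, text in [("thread", CONF_FROM_THREAD),
                        ("plain http", CONF_PLAIN_HTTP),
                        ("tls enabled", CONF_TLS)]:
        print(label, "->", check_swauth_scheme(text) or "consistent")
```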
[Openstack] Swift with Keystone middleware -- Keep getting 401s from Swift (Launchpad question Question #179733 followup)
Hello all, During the last few days I've been struggling to get Swift to use Keystone middleware. Problem is that even if Keystone works fine when trying to access the Swift configured with Keystone middleware I keep getting 401s, no matter how I try i.e. which Swift url I try to access (admin_url, internal or public): So, after quite a bit of researching, collaborating different docs (outdated to different degrees...) I found someone experienced the exact same symptoms -- Question #179733 on Launchpad QA https://answers.launchpad.net/swift/+question/179733 Now, I don't want to make this too long a mail by copy-pasting too much inline, so I've posted most of the stuff (commands, MySQL tables config files etc.) here: http://pastebin.com/6YGzV9PA My Setup is Ubuntu 11.10 x64, running 2011.3-d5-rcb8~oneiric packages from http://ops.rcb.me/packages/ My questions: 1) The format of the curl requests while testing keystone: For some reasons the format of curl requests (and returns) is different as from the latest docs. I.e. 
this works: curl -s -d '{tenantName: MyTenant, passwordCredentials: {username: myuser, password: mypassword}}' -H 'Content-type: application/json' http://10.2.20.51:5001/v2.0/tokens {auth: {token: {expires: 2015-02-05T00:00:00, id: 999888777666}, serviceCatalog: {keystone: [{adminURL: http://10.2.20.51:5001/v2.0;, region: RegionOne, internalURL: http://10.2.20.51:5000/v2.0;, publicURL: http://10.2.20.51:5000/v2.0}], glance: [{adminURL: http://10.2.20.51:9292/v1.1/MyTenant;, region: RegionOne, internalURL: http://10.2.20.51:9292/v1.1/MyTenant;, publicURL: http://10.2.20.51:9292/v1.1/MyTenant}], swift: [{adminURL: http://10.2.20.51:8080/;, region: RegionOne, internalURL: http://10.2.20.51:8080/v1/AUTH_MyTenant;, publicURL: http://10.2.20.51:8080/v1/AUTH_MyTenant}], nova: [{adminURL: http://10.2.20.51:8774/v1.1/MyTenant;, region: RegionOne, internalURL: http://10.2.20.51:8774/v1.1/MyTenant;, publicURL: http://10.2.20.51:8774/v1.1/MyTenant}]}}} But specifying auth fails with a 400 code: root@Swift1:/etc/swift# curl -s -d '{auth: {tenantName: MyTenant, passwordCredentials: {username: myuser, password: mypassword}}}' -H 'Content-type: application/json' http://10.2.20.51:5001/v2.0/tokens | python -mjson.tool { badRequest: { code: 400, message: Expecting passwordCredentials } } Any suggestions? Am I missing something? 2) In all the references I found the format of the Swift admin_url in the endpointTemplate. I used IP:8080, for the admin_url whereas the internal and public are parameterized with %tenant_id% e.g. http://10.2.20.51:8080/v1/AUTH_%tenant_id%; . Is this correct i.e. not even a version number? 3) Last but most importantly -- my problem: Accessing Swift admin_url, internal / public with the keystone_admin_token does result in a 401 (copying only the attempt to access the admin_url here): root@Swift1:~# curl -v -H 'X-Auth-Token: AUTH_999888777666' http://10.2.20.51:8080 * About to connect() to 10.2.20.51 port 8080 (#0) * Trying 10.2.20.51... 
connected * Connected to 10.2.20.51 (10.2.20.51) port 8080 (#0) GET / HTTP/1.1 User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3 Host: 10.2.20.51:8080 Accept: */* X-Auth-Token: AUTH_999888777666 HTTP/1.1 401 Unauthorized Content-Length: 358 Content-Type: text/html; charset=UTF-8 X-Trans-Id: txec38e4f2018240ffad2aeff57936cd96 Date: Thu, 23 Feb 2012 20:03:35 GMT html head title401 Unauthorized/title /head body h1401 Unauthorized/h1 This server could not verify that you are authorized to access the document you requested. Either you supplied the wrong credentials (e.g., bad password), or your browser does not understand how to supply the credentials required.br /br / Sorry for cross-posting this on this list (instead of following up on Question #179733 on launchpad) but the question on Launchpad doesn't list a resolution and I couldn't get in touch with the person that originally posted it. Kind thanks in advance for the help, Florian Otel
Re: [Openstack] Uploading Images to nova
Hi Derrick,

Thanks a lot for your answer! Well, the euca-describe-images command gave me the following output:

    root@nova-controller:~# euca-describe-availability-zones verbose
    Warning: failed to parse error message from AWS: unknown:1:0: syntax error
    BotoServerError: 500 Internal Server Error
    Traceback (most recent call last):
      File "/usr/lib/pymodules/python2.6/eventlet/wsgi.py", line 336, in handle_one_response
        result = self.application(self.environ, start_response)
      File "/usr/lib/pymodules/python2.6/paste/urlmap.py", line 203, in __call__
        return app(environ, start_response)
      File "/usr/lib/pymodules/python2.6/webob/dec.py", line 147, in __call__
        resp = self.call_func(req, *args, **self.kwargs)
      File "/usr/lib/pymodules/python2.6/webob/dec.py", line 208, in call_func
        return self.func(req, *args, **kwargs)
      File "/var/lib/nova/nova/api/ec2/__init__.py", line 58, in __call__
        rv = req.get_response(self.application)
      File "/usr/lib/pymodules/python2.6/webob/request.py", line 919, in get_response
        application, catch_exc_info=False)
      File "/usr/lib/pymodules/python2.6/webob/request.py", line 887, in call_application
        app_iter = application(self.environ, start_response)
      File "/usr/lib/pymodules/python2.6/webob/dec.py", line 147, in __call__
        resp = self.call_func(req, *args, **self.kwargs)
      File "/usr/lib/pymodules/python2.6/webob/dec.py", line 208, in call_func
        return self.func(req, *args, **kwargs)
      File "/var/lib/nova/keystone/middleware/ec2_token.py", line 71, in __call__
        o = urlparse(FLAGS.keystone_ec1_url)
      File "/var/lib/nova/nova/flags.py", line 144, in __getattr__
        val = gflags.FlagValues.__getattr__(self, name)
      File "/usr/lib/python2.6/dist-packages/gflags.py", line 810, in __getattr__
        raise AttributeError(name)
    AttributeError: keystone_ec1_url

I don't want to leap on conclusions, but because of the AttributeError for keystone_ec1_url I think there might be some kind of typo ;).

I found a thread in the openstack forum [1] where a similar problem is discussed and apparently the euca2ools need to be patched. My euca2ools are currently on version 1.2 and on the euca2ools download page [3] release 1.3 is available. The website states that lucid users can install it from the standard Ubuntu repository, but when I execute apt-get update and apt-get install euca2ools, my system tells me that they are already installed. I suppose that I have to add a source to my sources.list but sadly I couldn't find one including the desired version of euca2ools.

In the forum thread I mentioned, Lean posted a link to a github commit [2] which fixes the AttributeError. But I have never done a software update from a github repository commit. How does one approach this intention?

Cheers,
Nicolas

[1] http://forums.openstack.org/viewtopic.php?f=23&t=379
[2] https://github.com/openstack/keystone/commit/2bb474331d73e7c6d2a507cb097c50
[3] http://open.eucalyptus.com/downloads

From: Derrick Wippler [mailto:thraw...@gmail.com]
Sent: Thursday, 23 February 2012 20:32
To: Nicolas Odermatt
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Uploading Images to nova

Run 'euca-describe-images' it should tell you what you're missing in your environment, or perhaps the error. ( It looks like you have all the environment variables )

The euca-describe-images needs the following

    EC2_SECRET_KEY
    EC2_ACCESS_KEY
    EC2_URL

On a side note, uec-publish-tarball didn't work for me on essex-3 ( it worked, but uploaded the image incorrectly). I stole the upload code from devstack and made a little script located on my github repo ( I'm running glance )

https://github.com/thrawn01/dev-tools/blob/master/openstack/publish-uec-image.sh

It might be of some help to you. Hope this helps!

Derrick,

On Wed, Feb 22, 2012 at 5:51 AM, Nicolas Odermatt oderma...@gmail.com wrote:

Hey guys,

I successfully installed a single-node with the stackops-distro. However I encountered an error while uploading an image to nova using uec-publish-tarball command. Here is what I did:

    //Execute command to upload
    root@nova-controller:~# uec-publish-tarball lucid-server-cloudimg-amd64.tar.gz images

    // Error message printed
    Unable to run euca-describe-images. Is euca2ools environment set up?

    // First of all I checked whether euca2ools were installed:
    root@nova-controller:~# dpkg --get-selections | grep euca2ools
    euca2ools install

    // Then I looked into the environment variables to verify that the novarc file has been sourced:
    root@nova-controller:/usr/lib/python2.6/dist-packages# env
    TERM=xterm
    SHELL=/bin/bash
    SSH_CLIENT=192.168.163.1 49471 22
    EUCALYPTUS_CERT=/root/ipa-cred/cacert.pem
    OLDPWD=/root
    SSH_TTY=/dev/pts/0
    USER=root
Re: [Openstack] Running for Nova PTL
2012/2/23 Duncan McGreggor dun...@dreamhost.com:
> Soren, if elected, by what processes/policies etc. would you accomplish these goals?

Well, there are limits to what a PTL really can do :)

However, in practical terms there are a number of things I'd like us to do:

* I'd like us to look at the various components of Nova and thoroughly document (in prose as well as tests) their API and expected behaviour. It's very tempting to change (in major or minor ways) these APIs on a whim since we control both ends of the channel (often even in the same patch), but this is a distributed system. Upgrades across an entire Nova installation are not instantaneous, and shouldn't have to be. We need to be more aware of the interfaces between components and the fact that they may not be in perfect sync.

* In a similar vein, while we do a good job ensuring db schema upgrades work well, the code doesn't support anything other than the newest schema it knows about. Or rather, if it does, it's by accident. This makes it exceedingly difficult to upgrade a Nova installation piecemeal.

* I'd like to revamp the virtualisation subsystem to move much more behavioural logic into a superclass and have the actual drivers be only the glue code to make the individual hypervisors work.

* As I wrote in my response to Robert earlier in this thread, I'd like to see more branches pop up specific to particular subsystems. I'd like to make it easier to get features landed somewhere and let them mature there before they hit trunk.

* I'd like to have much more frequent releases, and I mean *actual* releases, not just milestones. Each with merge windows, QA phases, release artifacts, etc.

* Lots of other things I'll try to elaborate on over the next few days.

> Are there blueprints that already exist which you would rally folks around? Or would you introduce a new effort to more thoroughly componentize OpenStack? More specifically, how do you envision:
> 1) clarifying what needs to be done

I don't expect to do this all on my own. I'd like to set some overall topics for the release cycle and try to seed the conversations about these efforts (as I'm trying to do right now), but I'd really, really like for everyone else to help identify all of this stuff and find issues you care about.

> 2) building consensus around this, and

Excellent question. I can't force anyone to suddenly think QA and unit tests are the most important things in the world. :) I think there's a strong correlation between my chances of getting elected and how much of a pre-existing consensus there is around the issues (and issues like them). If I get elected, it's because people already think these things are important, so it shouldn't be too hard. Or so I hope.

> 3) accomplishing these goals? (it's a lot of work!)

I hope the rest of my e-mail sheds a bit of light on this.

--
Soren Hansen | http://linux2go.dk/
Senior Software Engineer | http://www.cisco.com/
Ubuntu Developer | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
Re: [Openstack] Swift/Keystone authorization question
OK. Reading through the swiftkeystone2 (module that I'm using to support v2 authentication in swift's proxy configuration) source and documentation, I've figured out the necessary roles that need to be applied to users' accounts and ACLs to project containers to allow all combinations of access to swift storage. Works great.

/ross

On Feb 22, 2012, at 3:26 PM, Lillie Ross-CDSR11 wrote:

As a followup, additional info…

Both the admin and glance accounts, that successfully authenticate against keystone, were created via the command line. Both accounts also have a tenant of the same name as the user (probably irrelevant). All other user accounts that have been created for general users won't authenticate against keystone, and exhibit the same error pattern as described below. Interestingly, if I create a tenant with the same name as a user account, then I get a 403 unable to get HEAD message when issuing a stat command as described below.

/ross

On Feb 22, 2012, at 2:52 PM, Lillie Ross-CDSR11 wrote:

I've successfully installed all OpenStack components with Keystone authorization (well, mostly at least), but am now seeing an interesting problem for new accounts (created in Dashboard).

Using my admin account, I issue a swift stat command and get the expected response back from swift-proxy:

    root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U admin -K admin stat
    StorageURL: http://173.23.181.2:8080/v1/AUTH_1
    Auth Token: 10111213141516171819
    Account: AUTH_1
    Containers: 5
    Objects: 20
    Bytes: 6335748
    Accept-Ranges: bytes
    X-Trans-Id: tx6ffec7207a5c41329e53dbab6a6e2c37

Looking at the keystone admin.log file (with debugging enabled) I see the following:

    2012-02-22 14:26:38 DEBUG [routes.middleware] Matched POST /tokens
    2012-02-22 14:26:38 DEBUG [routes.middleware] Route path: '/tokens', defaults: {'action': u'authenticate', 'controller': <keystone.controllers.auth.AuthController object at 0x170da10>}
    2012-02-22 14:26:38 DEBUG [routes.middleware] Match dict: {'action': u'authenticate', 'controller': <keystone.controllers.auth.AuthController object at 0x170da10>}
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT tenants.id AS tenants_id, tenants.name AS tenants_name, tenants.`desc` AS tenants_desc, tenants.enabled AS tenants_enabled FROM tenants WHERE tenants.name = %s LIMIT 0, 1
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (u'admin',)
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col ('tenants_id', 'tenants_name', 'tenants_desc', 'tenants_enabled')
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 'admin', 'All administrative tasks are to be grouped underneath this tenancy. Users are not to be associated with this tenant unless they have been granted admin roles.', 1L)
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT users.id AS users_id, users.name AS users_name, users.password AS users_password, users.email AS users_email, users.enabled AS users_enabled, users.tenant_id AS users_tenant_id FROM users WHERE users.name = %s LIMIT 0, 1
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (u'admin',)
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col ('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 'users_tenant_id')
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 'admin', '$6$rounds=4$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.', None, 1L, 1L)
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] SELECT users.id AS users_id, users.name AS users_name, users.password AS users_password, users.email AS users_email, users.enabled AS users_enabled, users.tenant_id AS users_tenant_id FROM users WHERE users.tenant_id = %s AND users.id = %s LIMIT 0, 1
    2012-02-22 14:26:38 INFO [sqlalchemy.engine.base.Engine.0x...14d0] (1L, 1L)
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Col ('users_id', 'users_name', 'users_password', 'users_email', 'users_enabled', 'users_tenant_id')
    2012-02-22 14:26:38 DEBUG [sqlalchemy.engine.base.Engine.0x...14d0] Row (1L, 'admin', '$6$rounds=4$k5f0Zd1lOK3AVXbx$awVYhvdu1CI33hRhugjURheVePZYh60EjWSUa4Zwq0Ha48eNH3SQXSFVQeEYv4ffwUzlRVVkoUbr6C4Ai63WC.', None, 1L, 1L)
    2012-02-22 14:26:38 . . .

However, when I issue the same command with a newly created user account I get a 401 not authorized command back from swift-proxy. For example:

    root@swift:/etc/swift# swift -v -V 2 -A http://173.23.181.1:5000/v2.0/ -U lillie -K changeme stat
    Auth GET failed: http://173.23.181.1:5000/v2.0/tokens 401 Unauthorized

and the keystone admin.log file shows the following:

    2012-02-22 14:30:40 DEBUG [routes.middleware] Matched POST /tokens
    2012-02-22 14:30:40 DEBUG
[Openstack] Swift container ACLs and container visibility question
I'm setting up Swift storage for an internal project. For the project's use of Swift, I want all members of the project to be able to see what's stored in Swift. Applying suitable ACLs, it's possible for users to see the contents of the project's container. However, is there any way to allow users to see a list of containers used by the project? Or must I create an additional container to store this type of project meta data?

May be a dumb question and more of an architecture convention issue, but I'm just getting started with Swift and OpenStack in general and was wondering what others have done.

Thanks and regards,
Ross
Re: [Openstack] swift keystone help
hi,

st/swift worked well. But how curl works when swift is configured with keystone. With non keystone, I run this to get the token

    curl -v -H 'X-Storage-User: admin:admin' -H 'X-Storage-Pass: admin' http://127.0.0.1:8080/auth/v1.0

Now I have keystone configured at http://192.168.122.14:5000/v2.0 how to use curl in this case to get a token?

Thanks
Paras.

On Wed, Feb 22, 2012 at 4:49 PM, Jyothi Krishnan sto...@yahoo.com wrote:

To create a container with st tool: http://docs.openstack.org/bexar/openstack-object-storage/admin/content/ch04s10.html

curl command would be something like:

    curl -i -X PUT -H 'x-auth-token: token' 'http://127.0.0.1:8080/v1/token/container_name'

Hope that helps
Jo

From: Paras pradhan pradhanpa...@gmail.com
To: Pete Zaitcev zait...@redhat.com
Cc: openstack openstack@lists.launchpad.net
Sent: Wednesday, February 22, 2012 2:23 PM
Subject: Re: [Openstack] swift keystone help

Looks like swift with keystone is working

    swift -A http://192.168.122.14:5000/v2.0 -U adminTenant:adminUser -K secretword -V 2.0 stat -v
    StorageURL: https://192.168.122.14:8080/v1/AUTH_2
    Auth Token: 999888777666
    Account: AUTH_2
    Containers: 0
    Objects: 0
    Bytes: 0
    Accept-Ranges: bytes

Now how do I create a container over there?

Thanks
Paras.

On Tue, Feb 21, 2012 at 2:10 PM, Paras pradhan pradhanpa...@gmail.com wrote:

Pete,

This is what I have

    #keystone-manage endpointTemplates add RegionOne swift http://192.168.122.14:8080/v1/AUTH_%tenant_id% http://192.168.122.14:8080/ http://192.168.122.14:8080/v1/AUTH_%tenant_id% 1 1

I have ssl enabled in swift-proxy.conf. Do I replace http with https here?

Thanks
Paras.

On Tue, Feb 21, 2012 at 11:56 AM, Pete Zaitcev zait...@redhat.com wrote:

On Tue, 21 Feb 2012 11:24:06 -0600 Paras pradhan pradhanpa...@gmail.com wrote:

> Yeah that was a typo when I copy pasted.

You mean, the commented section header #[]?

> keystone-manage tenant add adminTenant
> keystone-manage user add adminUser secretword
> keystone-manage role add Admin
> keystone-manage role grant Admin adminUser
> keystone-manage role grant Admin adminUser adminTenant
>
> Did I miss something?

You need an endpoint, like this:

    keystone-manage service add swift storage 'Swift Object Storage Service'
    keystone-manage endpointTemplates add RegionOne swift \
        http://kvm-rei.zaitcev.lan/v1/AUTH_%tenant_id% \
        http://kvm-rei.zaitcev.lan/v1.0/ \
        http://kvm-rei.zaitcev.lan/v1/AUTH_%tenant_id% \
        1 1

-- Pete
Re: [Openstack] Swift container ACLs and container visibility question
It all depends on the auth system you are using. Below is for swauth and tempauth:

Are the users using the same shared storage? If so, set them up as .admin users with the same storage endpoint. If they are not using the same shared storage, then you may be stuck. The ACL support in swauth and tempauth is only on a container level (so you can't give permissions to do an account listing to see the containers in it). Of course, if this is something you need, then patches can be added to support this functionality.

--John
Re: [Openstack] Swift container ACLs and container visibility question
On Thu, Feb 23, 2012 at 10:25 PM, John Dickinson m...@not.mn wrote:
> It all depends on the auth system you are using.

This is about the same for keystone but to be a .admin like in tempauth or swauth for keystone middleware you need to have one of the roles specified in the configuration variable operator_roles[1] which is by default admin and SwiftOperator.

> Below is for swauth and tempauth:

Chmouel.

[1] https://github.com/openstack/keystone/blob/master/keystone/middleware/swift_auth.py#L80
Re: [Openstack] swift keystone help
On Thu, Feb 23, 2012 at 11:23 PM, Paras pradhan pradhanpa...@gmail.com wrote:
> Now I have keystone configured at http://192.168.122.14:5000/v2.0 how to use curl in this case to get a token?

Example from devstack:

    TOKEN=`curl -s -d "{\"auth\":{\"passwordCredentials\": {\"username\": \"$ADMIN_USER\", \"password\": \"$ADMIN_PASSWORD\"}, \"tenantName\": \"$ADMIN_TENANT\"}}" -H "Content-type: application/json" http://$HOST_IP:5000/v2.0/tokens | python -c "import sys; import json; tok = json.loads(sys.stdin.read()); print tok['access']['token']['id'];"`
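
Added example, not code from devstack or from anyone in this thread: the token request and reply handling discussed above, in Python, accepting both the `auth`-rooted reply quoted earlier in this archive and the `access`-rooted reply that the devstack one-liner reads. The function names, the `KeystoneError` class and the list-style service catalog under `access` are assumptions; the sample replies are constructed from values posted in the thread.

```python
import json


class KeystoneError(Exception):
    """The reply was an error document, not a token (hypothetical name)."""


def build_token_request(username, password, tenant_name):
    """JSON body for POST /v2.0/tokens, wrapped in "auth" as devstack sends it."""
    return json.dumps({
        "auth": {
            "passwordCredentials": {"username": username, "password": password},
            "tenantName": tenant_name,
        }
    })


def _endpoints(catalog, service):
    # Older layout, as posted in the thread: {"swift": [{...}], "nova": [...]}
    if isinstance(catalog, dict):
        return catalog.get(service, [])
    # Assumed layout under "access": [{"name": "swift", "endpoints": [{...}]}]
    for entry in catalog or []:
        if entry.get("name") == service:
            return entry.get("endpoints", [])
    return []


def parse_token_response(body, service="swift"):
    """Return (token_id, public_url); public_url is None if the service is absent."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise KeystoneError("unrecognised reply")
    for root_key in ("access", "auth"):
        if root_key in doc:
            root = doc[root_key]
            break
    else:
        # Error replies carry one named fault, e.g. {"badRequest": {"code": 400, ...}}
        for name, detail in doc.items():
            if isinstance(detail, dict) and "code" in detail:
                raise KeystoneError(
                    "%s (%s): %s" % (name, detail["code"], detail.get("message", "")))
        raise KeystoneError("unrecognised reply")
    token_id = root["token"]["id"]
    endpoints = _endpoints(root.get("serviceCatalog"), service)
    public_url = endpoints[0].get("publicURL") if endpoints else None
    return token_id, public_url


def swift_headers(token_id):
    """Headers for a request to the storage URL: the token id goes in X-Auth-Token."""
    return {"X-Auth-Token": token_id}


# Constructed sample replies, built from values posted in the thread.
LEGACY_REPLY = json.dumps({"auth": {
    "token": {"expires": "2015-02-05T00:00:00", "id": "999888777666"},
    "serviceCatalog": {"swift": [{
        "adminURL": "http://10.2.20.51:8080/",
        "region": "RegionOne",
        "internalURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant",
        "publicURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant"}]}}})

ACCESS_REPLY = json.dumps({"access": {
    "token": {"expires": "2015-02-05T00:00:00", "id": "999888777666"},
    "serviceCatalog": [{
        "name": "swift",
        "endpoints": [{
            "region": "RegionOne",
            "publicURL": "http://192.168.122.14:8080/v1/AUTH_2"}]}]}})

ERROR_REPLY = json.dumps(
    {"badRequest": {"code": 400, "message": "Expecting passwordCredentials"}})


if __name__ == "__main__":
    print(build_token_request("adminUser", "secretword", "adminTenant"))
    for reply in (LEGACY_REPLY, ACCESS_REPLY, ERROR_REPLY):
        try:
            token, url = parse_token_response(reply)
            print(url, swift_headers(token))
        except KeystoneError as exc:
            print("keystone refused the request:", exc)
```
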
Re: [Openstack] Security Group Rule Refresh
2012/2/23 Day, Phil philip@hp.com:
>> 1 deal with the situation where a refresh call to one of the compute nodes got lost. If that happened, at least it would all get sorted out on the next refresh.
> Can see the advantage of this, but on an active system this can be quite an overhead compared to a periodic refresh.

Well, a periodic refresh will likely happen more often than the refreshes triggered by changes, don't you think? And periodic refreshes will inevitably have to refresh everything (otherwise they seem pointless).

>> 2 the routine that turned the rules from the database into iptables rules was complex enough as it was. Making it remove only rules for a single security group or a single instance or whatever would make it even worse.
> I wonder if we're talking about the same driver - the code we're looking at is in the IptablesFirewallDriver in libvirt/firewall.py (which I think is moved up to virt/firewall.py in Essex). That seems to create a chain per Instance and do the update on a per instance basis, so I'm not quite sure I understand your point ?

Sorry, I was basing this all on memory. The point is simply that if the routine that did all of this would have to reliably leave everything else alone, and only touch the rules pertaining to a particular instance, the logic would be even more complicated than it already is.

>> 3 The difference in terms of efficiency is minuscule. iptables replaces full tables at a time anyway, and while the relative amount of data needed to be fetched from the database might be much larger than with a more selective refresh, the absolute amount of data is still pretty small.
> It may be that we're hitting a particular case - but we have a test system with 10's of VMs per host, on not many hosts, and some groups with 70+ VMs and a rule set that references the security group itself. So every VM in that group that gets refreshed (and there are many on each host) has to rebuild rules for each VM in the group.

That's a bug. It's supposed to only refresh once, regardless of how many affected VM's there are.

> The impact of this overhead on every VM create and delete in un-related groups is killing the system - esp as the update code doesn't yield so other tasks on the compute node (such as the create itself are blocked).

Have you been able to profile this at all? Is it the DB query that takes a long time or is it something else? Anyways, I don't fully understand why any part of the process would make anything hang. Both the communication with the DB as well as calling out to iptables-restore should yield control over to the eventlet main loop and let other things run. I wonder why this isn't happening.

>> Point 2 should be more palatable now that the simpler implementation has proven itself.
> Could you clarify which simpler implementation you're referring to

It's probably a poor choice of words :) The simpler implementation is the current one. The more complicated one would be one that reliably would only touch the rules pertaining to the instances or security groups that are actually being changed.

> - I've seen the NWFilterFirewall class and its associated comment block, but it wasn't clear to me under what circumstances it would be worth switching to this ?

None, at the moment, due to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=642171

--
Soren Hansen | http://linux2go.dk/
Senior Software Engineer | http://www.cisco.com/
Ubuntu Developer | http://www.ubuntu.com/
OpenStack Developer | http://www.openstack.org/
Re: [Openstack] swift keystone help
On Thu, Feb 23, 2012 at 10:57 PM, Alan Pevec ape...@gmail.com wrote:
> On Thu, Feb 23, 2012 at 11:23 PM, Paras pradhan pradhanpa...@gmail.com wrote:
>> Now I have keystone configured at http://192.168.122.14:5000/v2.0 how to use curl in this case to get a token?
> Example from devstack:

By the way for my dev and testing I use this (quickly and hacky written) script : http://p.chmouel.com/ks

usage is :

    ks host user password #account == user here

or

    ks host account:user password

(host can be a full URL if you start it with http or it will use as a host and convert it to http://host:5000/v2.0/tokens)

it will auth to keystone print the formatted json (or show the error if there is a problem) and at the end will print the curl command to validate the token on object-storage.

hopefully this should be useful for someone else.

Chmouel.
[Openstack] Basic networking/configuration woes
I'm trying to use OpenStack in what I think to be the typical non-public-cloud deployment, and my experience is not what it could/should be. I'm hoping someone can point me to the right way, or we can figure out what needs to change.

My wishlist:

* I want my instances to be on my network e.g. 10.0.0.0/16
* As Nova can't pull IPs from my DHCP server, I'm willing to allocate it a sub-range, e.g. 10.200.0.0/16

First decision: Choosing a networking mode:

* I don't want / need VLANs
* If I use FlatDHCPManager, I can't do the subrange stuff - it seems that this mode assumes it controls the entire address range.
* So it's FlatManager. It works, but now I don't have DHCP, so I just have to inject info into the instance.

Next decision: How to inject info (at least the IP address):

* Supposedly the 'right way' is to use cloud-init. It looks like I'd still need DHCP before I can reach 169.254..., and I don't have that. It looks like cloud-init can't do network configuration even if nova passed the information in. And I'd be locked into cloud-init images - no Windows, no Debian etc.
* The next best way is config_drive. It looks like I'd have to bundle my own image. Maybe I could use cloud-init, maybe with an OVF formatted config_drive, but even then I couldn't configure networking (?)
* So now I'm back to file injection. That just works.

So now I'm using FlatManager and file injection; and yet I feel this is the dodgy back alley of OpenStack, and I should be in the well-lit nice area. I worry that things like file injection and FlatManager are less favored and may be deprecated in future. But every time I try to do things right I just waste a lot of time and make no progress. Yet I feel I didn't really have a choice here.

How are other people making this work? What is the right way?

Justin
Re: [Openstack] Basic networking/configuration woes
I'd assume FlatDHCPManager works much like FlatManager, but maybe I'm wrong. I use FlatManager and I always end up having to modify the fixed_ips table manually after running nova-manage because I think I'm trying to do something similar as you. I have a /23... and I want to give nova a /25 out of it. Though I'm giving nova a /25, it's still really a /23. I use nova-manage to add my /23 and then I edit the fixed_ips table and mark a lot of addresses as 'reserved'... or just remove them altogether. (When I try to specify the /25 to nova-manage, it doesn't go so well)

As far as 169.254... you can reach that without any address assigned. Your NIC should receive a link local address when there's no other IP assigned which is in the 169.254.* range.

Not sure if that helped much :)

- Chris
Re: [Openstack] Basic networking/configuration woes
Thanks for chipping in. I have contributed a patch (which has merged) which should allow you to stop editing the SQL: https://review.openstack.org/#change,3816

With that, you should be able to pass the full range, with an additional argument specifying the subset that nova controls: e.g. -fixed_cidr=10.200.0.0/16

When I boot my VM, I think it gets a real address from my DHCP server (because the VM can reach the DHCP server), but not the address nova assigned it! I believe the nova iptables rules mean that the machine can't then do TCP/IP, but even if I am wrong/could overcome that, I don't think cloud-init could then configure the correct address.

Justin
Re: [Openstack] Basic networking/configuration woes
On Feb 23, 2012, at 3:55 PM, Justin Santa Barbara wrote:

> Thanks for chipping in. I have contributed a patch (which has merged) which should allow you to stop editing the SQL: https://review.openstack.org/#change,3816
>
> With that, you should be able to pass the full range, with an additional argument specifying the subset that nova controls: e.g. --fixed_cidr=10.200.0.0/16

Oh cool.. that'll save me some pain. :)

> When I boot my VM, I think it gets a real address from my DHCP server (because the VM can reach the DHCP server), but not the address nova assigned it! I believe the nova iptables rules mean that the machine can't then do TCP/IP, but even if I am wrong/could overcome that, I don't think cloud-init could then configure the correct address.

If you're going to go the cloud-init route... you wouldn't need DHCP, right? There should be iptables rules to allow you to talk to the metadata service over 169.254.* (And linux should give you a default link-local address that allows you to talk to the MD service magically)

Do you have a non-nova DHCP server running as well?

- Chris

> Justin
>
> On Thu, Feb 23, 2012 at 3:38 PM, Chris Behrens cbehr...@codestud.com wrote:
>
> > I'd assume FlatDHCPManager works much like FlatManager, but maybe I'm wrong. I use FlatManager and I always end up having to modify the fixed_ips table manually after running nova-manage because I think I'm trying to do something similar as you.
> >
> > I have a /23... and I want to give nova a /25 out of it. Though I'm giving nova a /25, it's still really a /23. I use nova-manage to add my /23 and then I edit the fixed_ips table and mark a lot of addresses as 'reserved'... or just remove them altogether. (When I try to specify the /25 to nova-manage, it doesn't go so well)
> >
> > As far as 169.254... you can reach that without any address assigned. Your NIC should receive a link local address when there's no other IP assigned which is in the 169.254.* range.
> >
> > Not sure if that helped much :)
> >
> > - Chris
> >
> > On Feb 23, 2012, at 3:12 PM, Justin Santa Barbara wrote:
> >
> > > I'm trying to use OpenStack in what I think to be the typical non-public-cloud deployment, and my experience is not what it could/should be. I'm hoping someone can point me to the right way, or we can figure out what needs to change.
> > >
> > > My wishlist:
> > > * I want my instances to be on my network e.g. 10.0.0.0/16
> > > * As Nova can't pull IPs from my DHCP server, I'm willing to allocate it a sub-range, e.g. 10.200.0.0/16
> > >
> > > First decision: Choosing a networking mode:
> > > * I don't want / need VLANs
> > > * If I use FlatDHCPManager, I can't do the subrange stuff - it seems that this mode assumes it controls the entire address range.
> > > * So it's FlatManager. It works, but now I don't have DHCP, so I just have to inject info into the instance.
> > >
> > > Next decision: How to inject info (at least the IP address):
> > > * Supposedly the 'right way' is to use cloud-init. It looks like I'd still need DHCP before I can reach 169.254..., and I don't have that. It looks like cloud-init can't do network configuration even if nova passed the information in. And I'd be locked into cloud-init images - no Windows, no Debian etc.
> > > * The next best way is config_drive. It looks like I'd have to bundle my own image. Maybe I could use cloud-init, maybe with an OVF formatted config_drive, but even then I couldn't configure networking (?)
> > > * So now I'm back to file injection. That just works.
> > >
> > > So now I'm using FlatManager and file injection; and yet I feel this is the dodgy back alley of OpenStack, and I should be in the well-lit nice area. I worry that things like file injection and FlatManager are less favored and may be deprecated in future. But every time I try to do things right I just waste a lot of time and make no progress. Yet I feel I didn't really have a choice here.
> > >
> > > How are other people making this work? What is the right way?
> > >
> > > Justin
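The manual clean-up described in this thread (nova-manage adds the whole /23, then every address outside the /25 is marked reserved), as an added example that is not code from the thread or from nova. The function name, the extra_reserved parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def split_fixed_ips(network_cidr, nova_cidr, extra_reserved=()):
    """Split the hosts of a flat network into nova-allocatable and reserved.

    network_cidr is the real L2 network (netmask and broadcast come from it);
    nova_cidr is the sub-range nova is allowed to hand out. Hypothetical
    helper, not part of nova.
    """
    network = ipaddress.ip_network(network_cidr)
    nova = ipaddress.ip_network(nova_cidr)
    if network.version != nova.version or not nova.subnet_of(network):
        raise ValueError(f"{nova} is not inside {network}")
    # Addresses inside the nova range that are already in use (e.g. a gateway).
    held_back = {ipaddress.ip_address(a) for a in extra_reserved}

    allocatable, reserved = [], []
    # hosts() drops only the /23's own network and broadcast addresses; the
    # first and last address of the /25 are ordinary hosts on the real network.
    for host in network.hosts():
        if host in nova and host not in held_back:
            allocatable.append(host)
        else:
            reserved.append(host)
    return allocatable, reserved


if __name__ == "__main__":
    # Constructed sample values, not addresses taken from the thread.
    free, held = split_fixed_ips("10.0.0.0/23", "10.0.0.128/25",
                                 extra_reserved=["10.0.0.129"])
    print(len(free), "allocatable:", free[0], "to", free[-1])
    print(len(held), "addresses to mark reserved in fixed_ips")
```

Because the instances still live on the /23, the netmask and broadcast they are given must be the /23's; only the allocation pool shrinks to the /25.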
Re: [Openstack] Swift container ACLs and container visibility question
Sorry, I should have mentioned my setup. I'm using Keystone from the managedit repository combined with a swift keystone plugin to allow the proxy to use version 2 authentication.

Ross (finger tapped on my iPhone)

On Feb 23, 2012, at 4:38 PM, Chmouel Boudjnah chmo...@chmouel.com wrote:

> On Thu, Feb 23, 2012 at 10:25 PM, John Dickinson m...@not.mn wrote:
>
> It all depends on the auth system you are using.
>
> This is about the same for keystone but to be a .admin like in tempauth or swauth for keystone middleware you need to have one of the roles specified in the configuration variable operator_roles[1] which is by default admin and SwiftOperator.
>
> Below is for swauth and tempauth:
>
> Chmouel.
>
> [1] https://github.com/openstack/keystone/blob/master/keystone/middleware/swift_auth.py#L80
[Openstack] unsubscribe
Re: [Openstack] Basic networking/configuration woes
> If you're going to go the cloud-init route... you wouldn't need DHCP, right? There should be iptables rules to allow you to talk to the metadata service over 169.254.* (And linux should give you a default link-local address that allows you to talk to the MD service magically)
>
> Do you have a non-nova DHCP server running as well?

Yes, I do have a non-nova DHCP server. However, even if I didn't, and even if iptables allowed talking to 169.254 with the magic link-local, cloud-init still couldn't configure the IP address... :-(
Re: [Openstack] Basic networking/configuration woes
On Feb 23, 2012, at 5:42 PM, Justin Santa Barbara wrote:

> > If you're going to go the cloud-init route... you wouldn't need DHCP, right? There should be iptables rules to allow you to talk to the metadata service over 169.254.* (And linux should give you a default link-local address that allows you to talk to the MD service magically)
> >
> > Do you have a non-nova DHCP server running as well?
>
> Yes, I do have a non-nova DHCP server. However, even if I didn't, and even if iptables allowed talking to 169.254 with the magic link-local, cloud-init still couldn't configure the IP address... :-(

It is definitely possible to make this work with flatdhcp in multihost mode. Can you configure your home router to route for the whole range but not give out leases for macs it doesn't know? Then you can use

--dnsmasq_config_file=/path/to/config

in that config file you can use:

dhcp-option=3,ip of router

to force vms to use your router as their gateway. You may have to set up a forward on the router to get metadata to work, but I think this gets you 90% of the way there. (it may work to just run nova-api on each compute and leave metadata_host on the host_ip, but I'm not sure if it will go out to the gateway by default and skip the iptables rule on localhost)

I know this basic setup was working as far back as diablo because it is the setup that freecloud is using.

Vish
Re: [Openstack] Wish: Please rename all OpenStack packages to openstack-*
Current way makes it difficult to see which openstack packages are installed in a single list, and find what's lacking...

--
-Alexey Eromenko Technologov