[Openstack] authentication failure for glance client in the latest devstack dev environment

2012-11-09 Thread Lu, Lianhao
Hi fellows,

Today I just updated my devstack to set up a new openstack dev environment with 
RECLONE set to yes in localrc. The stack.sh failed at the very end in 
glance image-create with the error of Invalid OpenStack Identify credential.

I then tried to run glance image-list in the command line after source 
openrc admin, it also failed with the same error. 

When the error happens, glance-api server reported the following errors on the 
screen:

2012-11-09 16:20:31 16950 ERROR keystone.middleware.auth_token [-] HTTP connection exception: [Errno 1] _ssl.c:504: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
2012-11-09 16:20:31 16950 WARNING keystone.middleware.auth_token [-] Authorization failed for token
MIIL7wYJKoZIhvcNAQcCoIIL4DCCC9wCAQExCTAHBgUrDgMCGjCCCkUGCSqGSIb3DQEHAaCCCjYEggoyeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMDg6MjA6MzEuNjM3.(..omit
 here)
A8uKBr1VlQoeF2Y-ND+DhZV+vjrM8i6FcGfeFq6Vra-1ktoQjkfh88XmG2tCcwrlGo0nVM4OrRaIs8F9Iwc4EIXHA+Aw73MzqUIRVSE8ahiFg9nNM=
2012-11-09 16:20:31 16950 INFO keystone.middleware.auth_token [-] Invalid user token - deferring reject downstream


And the keystone reported the following:

(eventlet.wsgi.server): 2012-11-09 16:28:21,276 DEBUG wsgi write 127.0.0.1 - - [09/Nov/2012 16:28:21] POST /v2.0/tokens HTTP/1.1 200 6780 0.095150

localhost - - [09/Nov/2012 16:28:21] code 400, message Bad request syntax (\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x9c\xbe\xa5#\xc8D\xf8\xe9\xe9\x97\xc5w\x19LX\xfc\xb8\x04v\xb1w'\x04A\xa7}\xa8\x0c)
localhost - - [09/Nov/2012 16:28:21] ��P���#�DwLX�v�w'A�}� 400 -


Does anyone know what's going wrong here?

Yours,
-Lianhao
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
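
The bytes keystone logged as a bad request line in the message above begin with \x16\x03\x01, which is a TLS record header rather than HTTP, consistent with the "unknown protocol" error on the glance-api side. The following is an added example, not part of the original post: it decodes that log line and reports what the client was sending (function names are hypothetical).

```python
import re
import struct

# Sample input: the keystone log line from the post, re-joined onto one line.
LOG_LINE = (
    r"localhost - - [09/Nov/2012 16:28:21] code 400, message Bad request syntax "
    r"(\x16\x03\x01\x00\xcd\x01\x00\x00\xc9\x03\x02P\x9c\xbe\xa5#\xc8D\xf8\xe9"
    r"\xe9\x97\xc5w\x19LX\xfc\xb8\x04v\xb1w'\x04A\xa7}\xa8\x0c)"
)

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
BAD_REQ = re.compile(r"code 400, message Bad request syntax \((.*)\)\s*$")


def request_bytes(log_line):
    """Recover the raw bytes the HTTP server logged as an escaped request line."""
    m = BAD_REQ.search(log_line)
    if not m:
        return None
    # The log shows Python-style escapes (\x16 ...); turn them back into bytes.
    text = m.group(1).encode("latin-1", "replace").decode("unicode_escape")
    return text.encode("latin-1", "replace")


def classify(raw):
    """Return TLS record details if raw starts with a TLS handshake record, else None."""
    if raw is None or len(raw) < 5:
        return None
    ctype, major, minor, rec_len = struct.unpack("!BBBH", raw[:5])
    if ctype != 0x16 or major != 3:  # 0x16 = handshake content type
        return None
    info = {"record_version": TLS_VERSIONS.get((major, minor), "unknown"),
            "record_length": rec_len, "handshake": None, "client_version": None}
    # Handshake header: 1 byte type, 3 bytes length, then the client's version.
    if len(raw) >= 11 and raw[5] == 0x01:  # 0x01 = ClientHello
        info["handshake"] = "ClientHello"
        info["client_version"] = TLS_VERSIONS.get((raw[9], raw[10]), "unknown")
    return info


if __name__ == "__main__":
    print(classify(request_bytes(LOG_LINE)))
```

A non-None result on a port that serves plain HTTP means some client is configured to speak https to it.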


Re: [Openstack] authentication failure for glance client in the latest devstack dev environment

2012-11-09 Thread Lu, Lianhao
My system is Ubuntu 12.04 64bit.

My nova list also failed with an HTTP 401 status error, with the following 
output on nova-api:

2012-11-09 18:30:09 ERROR keystone.common.cms [-] Verify error: Verification failure
139967656924832:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:rsa_sign.c:175:
139967656924832:error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure:cms_sd.c:900:
139967656924832:error:2E09D06D:CMS routines:CMS_verify:content verify error:cms_smime.c:425:

2012-11-09 18:30:09 WARNING keystone.middleware.auth_token [-] Authorization failed for token ..
2012-11-09 18:30:09 INFO keystone.middleware.auth_token [-] Invalid user token - rejecting request
2012-11-09 18:30:09 INFO nova.osapi_compute.wsgi.server [-] 10.239.36.61 GET /v2/447239d7ddfd4ae89393c9ecf538d703/servers/detail HTTP/1.1 status: 401 len: 461 time: 0.0153220

However, the keystone command-line client works fine.

Best Regards,
Lianhao

 -Original Message-
 From: openstack-bounces+lianhao.lu=intel@lists.launchpad.net 
 [mailto:openstack-bounces+lianhao.lu=intel@lists.launchpad.net]
 On Behalf Of Lu, Lianhao
 Sent: Friday, November 09, 2012 4:31 PM
 To: openstack@lists.launchpad.net; openstack-...@lists.openstack.org
 Subject: [Openstack] authentication failure for glance client in the latest 
 devstack dev environment
 


Re: [Openstack] keystone installed by devstack redirect http request

2012-08-27 Thread Lu, Lianhao
You're right. The 301 is returned by my http proxy server. The reason is that 
the httplib2 python module keystone client uses would use the proxy server in 
the environment variable http_proxy, but the content of no_proxy environment 
variable is not actually used in establishing the connection.

Best Regards,
Lianhao

From: anti...@gmail.com [mailto:anti...@gmail.com] On Behalf Of Dolph Mathews
Sent: Friday, August 24, 2012 8:58 PM
To: Lu, Lianhao
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] keystone installed by devstack redirect http request

Keystone doesn't return 301's (ever). However, your 301 response headers show:

Server: BlueCoat-Security-Appliance

I'm guessing that wasn't installed by devstack :)

-Dolph
On Fri, Aug 24, 2012 at 3:03 AM, Lu, Lianhao lianhao...@intel.com wrote:
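
The effect described in this thread, a credential-bearing POST to a loopback endpoint being answered by a proxy with a 301 and then re-sent to another host, can be detected mechanically in the client's debug trace. The following is an added example, not part of the original posts: the function and pattern names are hypothetical, and the sample is the posted keystone --debug trace re-joined onto single lines with some headers dropped.

```python
import re

# Sample input: the trace from the thread, re-joined and shortened.
TRACE = r"""connect: (127.0.0.1, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 127.0.0.1:5000\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}'
reply: 'HTTP/1.1 301 Moved Permanently\r\n'
header: Server: BlueCoat-Security-Appliance
header: Location:http://10.239.48.224
header: Connection: Close
connect: (10.239.48.224, 80)
send: 'POST / HTTP/1.1\r\nHost: 10.239.48.224\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}'
"""

CONNECT = re.compile(r"^connect: \(([^,]+), (\d+)\)")
REPLY = re.compile(r"^reply: 'HTTP/\d\.\d (\d{3})")
HEADER = re.compile(r"^header: ([^:]+):\s*(.*)$")
SECRET = re.compile(r"password|X-Auth-Token", re.I)  # markers of credential material
REDIRECTS = {301, 302, 303, 307, 308}


def find_credential_redirects(trace):
    """Report redirects after which a credential-bearing request went to a new peer."""
    findings, peer, status, headers, pending = [], None, None, {}, None
    for line in trace.splitlines():
        if (m := CONNECT.match(line)):
            new_peer = (m.group(1), int(m.group(2)))
            # A new connection right after a 3xx reply means the redirect was followed.
            if peer and status in REDIRECTS and new_peer != peer:
                pending = {"from": peer, "to": new_peer, "status": status,
                           "answered_by": headers.get("server")}
            peer, status, headers = new_peer, None, {}
        elif (m := REPLY.match(line)):
            status, headers = int(m.group(1)), {}
        elif (m := HEADER.match(line)):
            headers[m.group(1).strip().lower()] = m.group(2).strip()
        elif line.startswith("send: ") and pending:
            if SECRET.search(line):  # secrets were replayed to the new peer
                findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for finding in find_credential_redirects(TRACE):
        print(finding)
```

An answered_by value that does not match the service expected on the original peer points at an intermediary such as a proxy.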


[Openstack] keystone installed by devstack redirect http request

2012-08-24 Thread Lu, Lianhao
Hi gang,

I used devstack to install an all-in-one development environment, but the 
keystone service did not seem to work for me.

The host OS is Ubuntu 12.04 with a statically assigned IP address 
192.168.79.201. Since this host is in the internal network, I have to use a 
gateway (with 2 NICs with IP addresses 192.168.79.1 and 10.239.48.224) to log 
in to the 192.168.79.201 host from the 10.239.48.0/24 network to run devstack.

After running devstack successfully, I found that the keystone service was not 
usable. It mysteriously redirected HTTP requests to the gateway 
10.239.48.224 (see below for the HTTP response and keystone configurations). 
Does anyone know why I saw the redirect here? Thanks!

Best Regards,
-Lianhao

$ keystone --debug tenant-list
connect: (127.0.0.1, 5000)
send: 'POST /v2.0/tokens HTTP/1.1\r\nHost: 127.0.0.1:5000\r\nContent-Length: 100\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-keystoneclient\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}'
reply: 'HTTP/1.1 301 Moved Permanently\r\n'
header: Server: BlueCoat-Security-Appliance
header: Location:http://10.239.48.224
header: Connection: Close
connect: (10.239.48.224, 80)
send: 'POST / HTTP/1.1\r\nHost: 10.239.48.224\r\nContent-Length: 100\r\ncontent-type: application/json\r\naccept-encoding: gzip, deflate\r\nuser-agent: python-keystoneclient\r\n\r\n{auth: {tenantName: demo, passwordCredentials: {username: admin, password: 123456}}}'


$ cat /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 123456
[sql]
connection = mysql://root:123456@localhost/keystone?charset=utf8
[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = keystone.catalog.backends.templated.TemplatedCatalog
[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service
[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api


$ cat /etc/keystone/default_catalog.templates
catalog.RegionOne.identity.publicURL = http://192.168.79.201:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://192.168.79.201:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://192.168.79.201:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service

catalog.RegionOne.compute.publicURL = http://192.168.79.201:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://192.168.79.201:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://192.168.79.201:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service

catalog.RegionOne.volume.publicURL = http://192.168.79.201:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.adminURL = http://192.168.79.201:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.internalURL = http://192.168.79.201:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.name = Volume Service

catalog.RegionOne.ec2.publicURL =