Comment 3 for bug 1822063

Ed Stewart (emcs2) wrote :

here you go:

series: bionic
applications:

..

  # Keystone as deployed by the first bundle: one unit in an LXD container on
  # machine 0, charm pinned to revision 294.
  keystone:
    charm: cs:keystone-294
    num_units: 1
    to:
    - lxd:0
    options:
      # NOTE(review): plaintext admin credential pasted into a bug comment. If this
      # value is in use anywhere, treat it as exposed and rotate it; redact it in
      # shared copies of the bundle and supply it from a file kept out of the report.
      admin-password: dpcopopenstack
      openstack-origin: cloud:bionic-rocky
      # Hostname already masked by the reporter.
      os-public-hostname: dev.xxxx.xxxx.xxxx.net
      worker-multiplier: 0.25
    annotations:
      gui-x: "500"
      gui-y: "0"

..

  # Vault, one unit in an LXD container on machine 0. Pinned to xenial while the
  # bundle-level series is bionic.
  vault:
    charm: cs:vault-12
    series: xenial
    num_units: 1
    to:
    - lxd:0
    options:
      # Per the option name, Vault creates its own root CA instead of being handed one.
      auto-generate-root-ca-cert: true
      # NOTE(review): per the option name, the charm unlocks Vault by itself, so the
      # unseal material is presumably held where the charm can read it (confirm
      # against the charm's config description). Acceptable for a test deployment
      # only; the second bundle in this comment marks both options as needing
      # change for production.
      totally-unsecure-auto-unlock: true
    annotations:
      gui-x: "750"
      gui-y: "250"
# One machine ("0"); the applications shown in this excerpt are placed in LXD
# containers on it (to: lxd:0).
machines:
  "0":
    # Juju constraints as a single space-separated string.
    constraints: root-disk=500000 instance-type=n1-highmem-16
relations:
 ...
# Vault's database backend is the mysql application.
- - vault:shared-db
  - mysql:shared-db
# Keystone's certificates endpoint is wired to Vault. Presumably this is the
# relation expected to deliver the TLS material the reporter finds missing under
# /etc/apache2 (confirm against the charm).
- - vault:certificates
  - keystone:certificates
# Keystone's database relation; the failing hook quoted in this comment is
# shared-db-relation-changed.
- - keystone:shared-db
  - mysql:shared-db
 ...

BTW, I'm getting the same thing on this bundle too which we were using for other testing:

# Second reproduction bundle: keystone with keystone-saml-mellon, glance,
# openstack-dashboard, mysql and vault. Every application that has units is
# placed in an LXD container on the single machine "0".
machines:
  '0':
    series: bionic
    constraints: "instance-type=n1-standard-4 root-disk=500000"
series: bionic
# "variables" only exists to hold the &openstack-origin anchor, which the
# application options below reuse through the *openstack-origin alias.
variables:
  #openstack-origin: &openstack-origin distro
  openstack-origin: &openstack-origin cloud:bionic-rocky
relations:
- - keystone:shared-db
  - mysql:shared-db
- - glance:shared-db
  - mysql:shared-db
- - glance:identity-service
  - keystone:identity-service
# No endpoint names given, so Juju has to infer the matching endpoints.
- - keystone
  - keystone-saml-mellon
- - vault:shared-db
  - mysql:shared-db
# Vault is the certificates provider for keystone, glance and the dashboard.
# Presumably these relations are what should deliver the TLS material the
# reporter finds missing under /etc/apache2 (confirm against the charms).
- - vault:certificates
  - keystone:certificates
- - vault:certificates
  - glance:certificates
- - vault:certificates
  - openstack-dashboard:certificates
- - openstack-dashboard
  - keystone-saml-mellon
- - keystone:websso-trusted-dashboard
  - openstack-dashboard:websso-trusted-dashboard
- - openstack-dashboard:identity-service
  - keystone:identity-service
# NOTE(review): every charm below comes from the ~openstack-charmers-next
# namespace with no revision suffix, unlike cs:keystone-294 in the first bundle,
# so each deploy takes whatever revision is current. The status output in this
# comment records the revisions actually pulled; pin them when comparing runs.
applications:
  mysql:
    constraints: mem=3072M
    charm: cs:~openstack-charmers-next/percona-cluster
    num_units: 1
    options:
      source: *openstack-origin
    to:
    - lxd:0
  keystone:
    series: bionic
    charm: cs:~openstack-charmers-next/keystone
    num_units: 1
    options:
      openstack-origin: *openstack-origin
      token-provider: 'fernet'
      # Unit not stated in the bundle; presumably seconds (confirm against the
      # charm's config description).
      token-expiration: 60
      # Hostname already masked by the reporter.
      os-public-hostname: 'auth.xxxxvxx.customera.internal'
    to:
    - lxd:0
  # num_units is 0 and no placement is given; in the status output its unit is
  # listed under keystone/0 with the same address.
  keystone-saml-mellon:
    series: bionic
    charm: cs:~openstack-charmers-next/keystone-saml-mellon
    num_units: 0
    options:
      idp-name: 'samltest'
      protocol-name: 'mapped'
      user-facing-name: "samltest.id"
      # NOTE(review): per the option name, this turns off the address check on
      # SAML SubjectConfirmationData, which loosens assertion validation. Confirm
      # it is really needed before carrying it beyond a test setup. Capitalised
      # False is a boolean only under YAML 1.1 rules; lowercase false is portable.
      subject-confirmation-data-address-check: False
      nameid-formats: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    resources:
      # Local files attached at deploy time (names masked by the reporter).
      idp-metadata: './IdP_metadata_xxxx_domain.xml'
      sp-signing-keyinfo: './http_openstack_dev.xxxxxxx_5000_JustKeyInfo.xml'
      # The service provider's private key: keep the .pem out of version control
      # and out of anything attached to the bug.
      sp-private-key: './http_openstack_dev.xxxxxxxx_5000.pem'
  glance:
    charm: cs:~openstack-charmers-next/glance
    num_units: 1
    options:
      openstack-origin: *openstack-origin
    to:
    - lxd:0
  vault:
    num_units: 1
    charm: cs:~openstack-charmers-next/vault
    options:
      # these options need changing for production
      # Per the option names: Vault creates its own root CA, and the charm
      # unlocks Vault by itself (so the unseal material is presumably held where
      # the charm can read it; confirm against the charm's config description).
      auto-generate-root-ca-cert: true
      totally-unsecure-auto-unlock: true
    to:
    - lxd:0
  openstack-dashboard:
    num_units: 1
    charm: cs:~openstack-charmers-next/openstack-dashboard
    options:
      openstack-origin: *openstack-origin
    to:
    - lxd:0

which gives this:

Model Controller Cloud/Region Version SLA Timestamp
xxxxx-mellon1 google-controller google/us-east1 2.5.1 unsupported 13:28:44Z

App Version Status Scale Charm Store Rev OS Notes
glance 17.0.0 waiting 1 glance jujucharms 363 ubuntu
keystone 14.0.1 error 1 keystone jujucharms 426 ubuntu
keystone-saml-mellon 14.0.1 active 1 keystone-saml-mellon jujucharms 1 ubuntu
mysql 5.7.20-29.24 active 1 percona-cluster jujucharms 332 ubuntu
openstack-dashboard 14.0.1 waiting 1 openstack-dashboard jujucharms 411 ubuntu
vault 1.0.3 active 1 vault jujucharms 47 ubuntu

Unit Workload Agent Machine Public address Ports Message
glance/0* waiting idle 0/lxd/0 252.5.238.180 9292/tcp Incomplete relations: identity
keystone/0* error idle 0/lxd/1 252.5.235.27 5000/tcp hook failed: "shared-db-relation-changed"
  keystone-saml-mellon/0* active idle 252.5.235.27 Unit is ready
mysql/0* active idle 0/lxd/2 252.5.239.57 3306/tcp Unit is ready
openstack-dashboard/0* waiting idle 0/lxd/3 252.5.239.43 80/tcp,443/tcp Incomplete relations: identity
vault/0* active idle 0/lxd/4 252.5.231.134 8200/tcp Unit is ready (active: true, mlock: disabled)

Machine State DNS Inst id Series AZ Message
0 started 35.231.190.66 juju-f80d42-0 bionic us-east1-b RUNNING
0/lxd/0 started 252.5.238.180 juju-f80d42-0-lxd-0 bionic us-east1-b Container started
0/lxd/1 started 252.5.235.27 juju-f80d42-0-lxd-1 bionic us-east1-b Container started
0/lxd/2 started 252.5.239.57 juju-f80d42-0-lxd-2 bionic us-east1-b Container started
0/lxd/3 started 252.5.239.43 juju-f80d42-0-lxd-3 bionic us-east1-b Container started
0/lxd/4 started 252.5.231.134 juju-f80d42-0-lxd-4 bionic us-east1-b Container started

Same lack of certs in /etc/apache2:

ubuntu@juju-f80d42-0-lxd-1:/etc/apache2$ ls -ltr
total 80
-rw-r--r-- 1 root root 320 Oct 10 18:59 ports.conf
-rw-r--r-- 1 root root 31063 Oct 10 18:59 magic
-rw-r--r-- 1 root root 1782 Oct 10 18:59 envvars
-rw-r--r-- 1 root root 7224 Oct 10 18:59 apache2.conf
drwxr-xr-x 2 root root 4096 Mar 28 11:37 conf-available
drwxr-xr-x 2 root root 4096 Mar 28 11:37 conf-enabled
drwxr-xr-x 2 root root 4096 Mar 28 11:38 sites-enabled
drwxr-xr-x 2 root root 4096 Mar 28 11:39 sites-available
drwxr-xr-x 2 root root 12288 Mar 28 11:40 mods-available
drwxr-xr-x 2 root root 4096 Mar 28 11:42 mods-enabled

Same error in keystone juju log:

2019-03-28 13:32:49 DEBUG shared-db-relation-changed RuntimeError: The call within manager.py failed with the error: 'Unable to establish connection to http://localhost:35337/v3/services?'. The call was: path=['list_services'], args=(), kwargs={}, api_version=None
2019-03-28 13:32:49 DEBUG shared-db-relation-changed /usr/lib/python3/dist-packages/keystoneauth1/adapter.py:200: UserWarning: Using keystoneclient sessions has been deprecated. Please update your software to use keystoneauth1.

Nothing is listening on port 35337, which is why the connection times out.

Happy to drop onto a call to demonstrate and give first hand access?