Keystone user creation fails: 'IndexError: deque index out of range'

Not sure it deserves to be of High importance, though.

We have
1) Alexandr Makarov believed MOS uses "fernet" as token backend.
2) I see "uuid" provider (with "sql" driver) in "[token]" section in puppets.
3) Also "uuid|sql" are default values in keystone code (current master): https://github.com/openstack/keystone/blob/3456a9e8a8ecfb74d4bb814a625c19b161306b8f/keystone/common/config.py#L304-L315
4) Current "documentation" in keystone.conf says ("cache" section, "backend" setting): "It is recommended that Memcache with pooling (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in production deployments".
5) Proposed fix is to change "cache/backend" (and all other occurrences of "memcache_pool") from "keystone.cache.memcache_pool" to "keystone.cache.memcache".
6) For fernet: Alexandr suggested to use "provider = keystone.token.providers.fernet.Provider" to prevent token reading attempts from memcache.
7) from chat conversation: "when they extracted memcache_pool from keystone to oslo they've forgotten the fix" - there may be an error in keystone/oslo refactoring process (as I guess)

I suggest for the first stage
a) find the real problem (I am not sure it is "puppet issue")
b) if it is puppet problem
  b.1) fix puppet
  b.2) fix docs (because I see conflict here)
c) if the problem is in code, but we can't solve it in the near future - we can temporary hack puppet

After that in stage 2 we can discuss fernet in fuel.

Colleagues, your thoughts?

Dmirty,can you please provide a link to the place you see in 2) ?

What else configures MOS?

2. MOS/fuel.
I did a mistake in "2)" - "uuid"/"sql" is not used in puppets.

- "token_driver" is 'keystone.token.persistence.backends.memcache_pool.Token'
- "token_provider" is read from hiera, the value should be "keystone.token.providers.fernet.Provider"

here they are: https://github.com/openstack/fuel-library/blob/master/deployment/puppet/openstack_tasks/manifests/keystone/keystone.pp#L93-L94

1. About defaults from puppet-keystone (upstream).
token section with defaults:
- 'token/driver', default: 'sql' # https://github.com/openstack/puppet-keystone/blob/4e386acb4ec81c1e812d2cefef457fa2dcc867fe/manifests/init.pp#L593
- 'token/expiration', default: 3600
- 'token/caching', default: <is not set in keystone.conf>
- 'token/provider', default: 'uuid' # https://github.com/openstack/puppet-keystone/blob/4e386acb4ec81c1e812d2cefef457fa2dcc867fe/manifests/init.pp#L592
- 'token/revoke_by_id', default: true

For more details try "token/" in your browser search field for this file: https://github.com/openstack/puppet-keystone/blob/4e386acb4ec81c1e812d2cefef457fa2dcc867fe/manifests/init.pp
All options are set in "keystone_config {}" cunstructions.

Anyway, I got this from current keystone master after "tox -e genconfig" in etc/keystone.conf:
[cache]
...
# Dogpile.cache backend module. It is recommended that Memcache with pooling
# (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
# production deployments. Small workloads (single process) like devstack can
# use the dogpile.cache.memory backend. (string value)
#backend = dogpile.cache.null

As we use this options, do we cache somethig for keystone?
Is there an error in docs (it recommends "oslo_cache.memcache_pool")?

I'm confused a bit about this topic, please, help me understand the situation.
How configuration should look like?

This doc is a bit outdated. memcache_pool was a workaround in it's time of
eventlet and currently there are replacement recommendations: pylibmc,
pymemcached.
For our tasks simple memcache client is the optimal solution as
memcache_pool has some performance issues with our current
multithreading/non-eventlet model.
Another thing is that Fernet tokens do not require storage anymore, so
memcached is used just for caching right now and not for token storage
anymore.

Information about tokens in use you can find in keystone.conf
[token]provider parameter. You can find `driver` nearby that can confuse
you, but if provider is set to fernet, driver is not used.

On Mon, May 16, 2016 at 9:41 PM, Dmitry Burmistrov <
<email address hidden>> wrote:

> Anyway, I got this from current keystone master after "tox -e genconfig"
> in etc/keystone.conf:
> [cache]
> ...
> # Dogpile.cache backend module. It is recommended that Memcache with
> pooling
> # (oslo_cache.memcache_pool) or Redis (dogpile.cache.redis) be used in
> # production deployments. Small workloads (single process) like devstack
> can
> # use the dogpile.cache.memory backend. (string value)
> #backend = dogpile.cache.null
>
> As we use this options, do we cache somethig for keystone?
> Is there an error in docs (it recommends "oslo_cache.memcache_pool")?
>
>
> I'm confused a bit about this topic, please, help me understand the
> situation.
> How configuration should look like?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1581133
>
> Title:
> Keystone user creation fails: 'IndexError: deque index out of range'
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/fuel/+bug/1581133/+subscriptions
>

--
Kind Regards,
Alexander Makarov,
Senior Software Developer,

Mirantis, Inc.
35b/3, Vorontsovskaya St., 109147, Moscow, Russia

Tel.: +7 (495) 640-49-04
Tel.: +7 (926) 204-50-60

Skype: MAKAPOB.AJIEKCAHDP

This doc is a bit outdated. memcache_pool was a workaround in it's time of eventlet and currently there are replacement recommendations: pylibmc, pymemcached.
For our tasks simple memcache client is the optimal solution as memcache_pool has some performance issues with our current multithreading/non-eventlet model.
Another thing is that Fernet tokens do not require storage anymore, so memcached is used just for caching right now and not for token storage anymore.

Information about tokens in use you can find in keystone.conf [token]provider parameter. You can find `driver` nearby that can confuse you, but if provider is set to fernet, driver is not used.

> How configuration should look like?

[cache]
backend = dogpile.cache.memcache

Fix proposed to branch: master
Review: https://review.openstack.org/317384

Patch for master in upstream - https://review.openstack.org/#/c/318215/

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/318741

Reviewed: https://review.openstack.org/317384
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=da0f0dd670824eeddd4580ba1f56099d5d0299b8
Submitter: Jenkins
Branch: master

commit da0f0dd670824eeddd4580ba1f56099d5d0299b8
Author: dmburmistrov <email address hidden>
Date: Tue May 17 13:49:32 2016 +0300

    Set proper cache backend for keystone.conf

    * "memcache_pool" was a workaround for
      eventlet. As we don't use eventlet we
      should use proper backend for caching
    * cache backend can be configured via hiera
    * package installation provided by upstream
      puppet-oslo module
    * noop tests are updated

    Closes-bug: #1581133

    Change-Id: If86ce795a8f53d8e93b6e5eeab79f9231621ee0e
    Depends-On: I2e6a705971761754c59b4069b5dfdfd1dfd7f00f

Reviewed: https://review.openstack.org/318741
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=e65f393e419a07ecd1a3cd1e5ade697a792e6617
Submitter: Jenkins
Branch: stable/mitaka

commit e65f393e419a07ecd1a3cd1e5ade697a792e6617
Author: dmburmistrov <email address hidden>
Date: Tue May 17 13:49:32 2016 +0300

    Set proper cache backend for keystone.conf

    * "memcache_pool" was a workaround for
      eventlet. As we don't use eventlet we
      should use proper backend for caching
    * noop tests are updated

    Closes-bug: #1581133

    Change-Id: If86ce795a8f53d8e93b6e5eeab79f9231621ee0e

Fixed with downstream patch: https://review.fuel-infra.org/#/c/21651/
Corresponding upstream patch: https://review.openstack.org/#/c/325242/

verified on iso 484, mos 9.0

Verified on MOS 9.0 ISO 479