Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

root@ubuntu:/etc/keystone# service keystone restart keystone stop/waiting keystone start/running, process 3002 saran@ubuntu:/etc$ export OS_SERVICE_TOKEN=28e1d88c16d41eb39662 saran@ubuntu:/etc$ export OS_SERVICE_ENDPOINT= saran@ubuntu:/etc$ keystone service-create --name=keystone --type=identity --description="Identity Service" <attribute 'message'="" of="" 'exceptions.baseexception'="" objects=""> (HTTP Unable to establish connection to

I am trying for a week to resolve this error but i cant.please help The internet connection is firewall protected.

1.keystone.db is in this location

root@ubuntu:/home/saran# ls Desktop Downloads Music Public Videos Documents keystone.db Pictures Templates

2.keystone.conf file is here

root@ubuntu:~# cd /etc/keystone/ root@ubuntu:/etc/keystone# ls default_catalog.templates keystone.conf keystone-paste.ini logging.conf policy.json ssl

root@ubuntu:/etc/keystone# sudo cat keystone.conf [DEFAULT]

A "shared secret" between keystone and other openstack services

admin_token = 28e1d88c16d41eb39662

The IP address of the network interface to listen on

bind_host =

The port number which the public service listens on

public_port = 5000

The port number which the public admin listens on

admin_port = 35357

The base endpoint URLs for keystone that are advertised to clients

(NOTE: this does NOT affect how keystone listens for connections)

public_endpoint = http://localhost:%(public_port)s/

admin_endpoint = http://localhost:%(admin_port)s/

The port number which the OpenStack Compute service listens on

compute_port = 8774

Path to your policy definition containing identity actions

policy_file = policy.json

Rule to check if no matching policy definition is found

FIXME(dolph): This should really be defined as [policy] default_rule

policy_default_rule = admin_required

Role for migrating membership relationships

During a SQL upgrade, the following values will be used to create a new role

that will replace records in the user_tenant_membership table with explicit

role grants. After migration, the member_role_id will be used in the API

add_user_to_project, and member_role_name will be ignored.

member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab

member_role_name = _member_

enforced by optional sizelimit middleware (keystone.middleware:RequestBodySizeLimiter)

max_request_body_size = 114688

limit the sizes of user & tenant ID/names

max_param_size = 64

similar to max_param_size, but provides an exception for token values

max_token_size = 8192

=== Logging Options ===

Print debugging output

(includes plaintext request logging, potentially including passwords)

debug = False

Print more verbose output

verbose = False

Name of log file to output to. If not set, logging will go to stdout.

log_file = keystone.log

The directory to keep log files in (will be prepended to --logfile)

log_dir = /var/log/keystone

Use syslog for logging.

use_syslog = False

syslog facility to receive log lines

syslog_log_facility = LOG_USER

If this option is specified, the logging configuration file specified is

used and overrides any other logging options specified. Please see the

Python logging module documentation for details on logging configuration


log_config = /etc/keystone/logging.conf

A logging.Formatter log message format string which may use any of the

available logging.LogRecord attributes.

log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

Format string for %(asctime)s in log records.

log_date_format = %Y-%m-%d %H:%M:%S

onready allows you to send a notification when the process is ready to serve

For example, to have it notify using systemd, one could set shell command:

onready = systemd-notify --ready

or a module with notify() method:

onready = keystone.common.systemd

=== Notification Options ===

Notifications can be sent when users or projects are created, updated or

deleted. There are three methods of sending notifications: logging (via the

log_file directive), rpc (via a message queue) and no_op (no notifications

sent, the default)

notification_driver can be defined multiple times

Do nothing driver (the default)

notification_driver = keystone.openstack.common.notifier.no_op_notifier

Logging driver example (not enabled by default)

notification_driver = keystone.openstack.common.notifier.log_notifier

RPC driver example (not enabled by default)

notification_driver = keystone.openstack.common.notifier.rpc_notifier

Default notification level for outgoing notifications

default_notification_level = INFO

Default publisher_id for outgoing notifications; included in the payload.

default_publisher_id =

AMQP topics to publish to when using the RPC notification driver.

Multiple values can be specified by separating with commas.

The actual topic names will be %s.%(default_notification_level)s

notification_topics = notifications

=== RPC Options ===

For Keystone, these options apply only when the RPC notification driver is


The messaging module to use, defaults to kombu.

rpc_backend = keystone.openstack.common.rpc.impl_kombu

Size of RPC thread pool

rpc_thread_pool_size = 64

Size of RPC connection pool

rpc_conn_pool_size = 30

Seconds to wait for a response from call or multicall

rpc_response_timeout = 60

Seconds to wait before a cast expires (TTL). Only supported by impl_zmq.

rpc_cast_timeout = 30

Modules of exceptions that are permitted to be recreated upon receiving

exception data from an rpc call.

allowed_rpc_exception_modules = keystone.openstack.common.exception,nova.exception,cinder.exception,exceptions

If True, use a fake RabbitMQ provider

fake_rabbit = False

AMQP exchange to connect to if using RabbitMQ or Qpid

control_exchange = openstack


The SQLAlchemy connection string used to connect to the database

connection = mysql://keystone:passw0rd14@

the timeout before idle sql connections are reaped

idle_timeout = 200

[identity] driver = keystone.identity.backends.sql.Identity

This references the domain to use for all Identity API v2 requests (which are

not aware of domains). A domain with this ID will be created for you by

keystone-manage db_sync in migration 008. The domain referenced by this ID

cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.

There is nothing special about this domain, other than the fact that it must

exist to order to maintain support for your v2 clients.

default_domain_id = default


A subset (or all) of domains can have their own identity driver, each with

their own partial configuration file in a domain configuration directory.

Only values specific to the domain need to be placed in the domain specific

configuration file. This feature is disabled by default; set

domain_specific_drivers_enabled to True to enable.

domain_specific_drivers_enabled = False

domain_config_dir = /etc/keystone/domains

Maximum supported length for user passwords; decrease to improve performance.

max_password_length = 4096

[credential] driver = keystone.credential.backends.sql.Credential

[trust] driver =

delegation and impersonation features can be optionally disabled

enabled = True


role-assignment inheritance to projects from owning domain can be

optionally enabled

enabled = False


dynamic, sql-based backend (supports API/CLI-based management commands)

driver = keystone.catalog.backends.sql.Catalog

static, file-based backend (does NOT support any management commands)

driver = keystone.catalog.backends.templated.TemplatedCatalog

template_file = default_catalog.templates


extension for creating associations between project and endpoints in order to

provide a tailored catalog for project-scoped token requests.

driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter

return_all_endpoints_if_no_filter = True


Provides token persistence.

driver = keystone.token.backends.sql.Token

Controls the token construction, validation, and revocation operations.

Core providers are keystone.token.providers.[pki|uuid].Provider

provider =

Amount of time a token should remain valid (in seconds)

expiration = 86400

External auth mechanisms that should add bind information to token.

eg kerberos, x509

bind =

Enforcement policy on tokens presented to keystone with bind information.

One of disabled, permissive, strict, required or a specifically required bind

mode e.g. kerberos or x509 to require binding to that authentication.

enforce_token_bind = permissive

Token specific caching toggle. This has no effect unless the global caching

option is set to True

caching = True

Token specific cache time-to-live (TTL) in seconds.

cache_time =

Revocation-List specific cache time-to-live (TTL) in seconds.

revocation_cache_time = 3600


Global cache functionality toggle.

enabled = False

Prefix for building the configuration dictionary for the cache region. This

should not need to be changed unless there is another dogpile.cache region

with the same configuration name

config_prefix = cache.keystone

Default TTL, in seconds, for any cached item in the dogpile.cache region.

This applies to any cached method that doesn't have an explicit cache

expiration time defined for it.

expiration_time = 600

Dogpile.cache backend module. It is recommended that Memcache

(dogpile.cache.memcache) or Redis (dogpile.cache.redis) be used in production

deployments. Small workloads (single process) like devstack can use the

dogpile.cache.memory backend.

backend = keystone.common.cache.noop

Arguments supplied to the backend module. Specify this option once per

argument to be passed to the dogpile.cache backend.

Example format: <argname>:<value>

backend_argument =

Proxy Classes to import that will affect the way the dogpile.cache backend

functions. See the dogpile.cache documentation on changing-backend-behavior.

Comma delimited list e.g. my.dogpile.proxy.Class, my.dogpile.proxyClass2

proxies =

Use a key-mangling function (sha1) to ensure fixed length cache-keys. This

is toggle-able for debugging purposes, it is highly recommended to always

leave this set to True.

use_key_mangler = True

Extra debugging from the cache backend (cache keys, get/set/delete/etc calls)

This is only really useful if you need to see the specific cache-backend

get/set/delete calls with the keys/values. Typically this should be left

set to False.

debug_cache_backend = False

[policy] driver = keystone.policy.backends.sql.Policy

[ec2] driver = keystone.contrib.ec2.backends.kvs.Ec2


driver =

Assignment specific caching toggle. This has no effect unless the global

caching option is set to True

caching = True

Assignment specific cache time-to-live (TTL) in seconds.

cache_time =


Install python-oauth2 in order to use oauth

driver = keystone.contrib.oauth1.backends.sql.OAuth1

The Identity service may include expire attributes.

If no such attribute is included, then the token lasts indefinitely.

Specify how quickly the request token will expire (in seconds)

request_token_duration = 28800

Specify how quickly the access token will expire (in seconds)

access_token_duration = 86400


enable = True

certfile = /etc/keystone/pki/certs/ssl_cert.pem

keyfile = /etc/keystone/pki/private/ssl_key.pem

ca_certs = /etc/keystone/pki/certs/cacert.pem

ca_key = /etc/keystone/pki/private/cakey.pem

key_size = 1024

valid_days = 3650

cert_required = False

cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=localhost


Deprecated in favor of provider in the [token] section

Allowed values are PKI or UUID

token_format =

certfile = /etc/keystone/pki/certs/signing_cert.pem

keyfile = /etc/keystone/pki/private/signing_key.pem

ca_certs = /etc/keystone/pki/certs/cacert.pem

ca_key = /etc/keystone/pki/private/cakey.pem

key_size = 2048

valid_days = 3650

cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/


url = ldap://localhost

user = dc=Manager,dc=example,dc=com

password = None

suffix = cn=example,cn=com

use_dumb_member = False

allow_subtree_delete = False

dumb_member = cn=dumb,dc=example,dc=com

Maximum results per page; a value of zero ('0') disables paging (default)

page_size = 0

The LDAP dereferencing option for queries. This can be either 'never',

'searching', 'always', 'finding' or 'default'. The 'default' option falls

back to using default dereferencing configured by your ldap.conf.

alias_dereferencing = default

The LDAP scope for queries, this can be either 'one'

(onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)

query_scope = one

user_tree_dn = ou=Users,dc=example,dc=com

user_filter =

user_objectclass = inetOrgPerson

user_id_attribute = cn

user_name_attribute = sn

user_mail_attribute = email

user_pass_attribute = userPassword

user_enabled_attribute = enabled

user_enabled_mask = 0

user_enabled_default = True

user_attribute_ignore = default_project_id,tenants

user_default_project_id_attribute =

user_allow_create = True

user_allow_update = True

user_allow_delete = True

user_enabled_emulation = False

user_enabled_emulation_dn =

tenant_tree_dn = ou=Projects,dc=example,dc=com

tenant_filter =

tenant_objectclass = groupOfNames

tenant_domain_id_attribute = businessCategory

tenant_id_attribute = cn

tenant_member_attribute = member

tenant_name_attribute = ou

tenant_desc_attribute = desc

tenant_enabled_attribute = enabled

tenant_attribute_ignore =

tenant_allow_create = True

tenant_allow_update = True

tenant_allow_delete = True

tenant_enabled_emulation = False

tenant_enabled_emulation_dn =

role_tree_dn = ou=Roles,dc=example,dc=com

role_filter =

role_objectclass = organizationalRole

role_id_attribute = cn

role_name_attribute = ou

role_member_attribute = roleOccupant

role_attribute_ignore =

role_allow_create = True

role_allow_update = True

role_allow_delete = True

group_tree_dn =

group_filter =

group_objectclass = groupOfNames

group_id_attribute = cn

group_name_attribute = ou

group_member_attribute = member

group_desc_attribute = desc

group_attribute_ignore =

group_allow_create = True

group_allow_update = True

group_allow_delete = True

ldap TLS options

if both tls_cacertfile and tls_cacertdir are set then

tls_cacertfile will be used and tls_cacertdir is ignored

valid options for tls_req_cert are demand, never, and allow

use_tls = False

tls_cacertfile =

tls_cacertdir =

tls_req_cert = demand

Additional attribute mappings can be used to map ldap attributes to internal

keystone attributes. This allows keystone to fulfill ldap objectclass

requirements. An example to map the description and gecos attributes to a

user's name would be:

user_additional_attribute_mapping = description:name, gecos:name


domain_additional_attribute_mapping =

group_additional_attribute_mapping =

role_additional_attribute_mapping =

project_additional_attribute_mapping =

user_additional_attribute_mapping =

[auth] methods = external,password,token,oauth1

external = keystone.auth.plugins.external.ExternalDefault

password = keystone.auth.plugins.password.Password token = keystone.auth.plugins.token.Token oauth1 = keystone.auth.plugins.oauth1.OAuth


Name of the paste configuration file that defines the available pipelines

config_file = keystone-paste.ini root@ubuntu:/etc/keystone#

Please tell whether there is any mistake in the conf file...Thank u sir