Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

In the spirit of self-answering my question, here's how I finally solved it:

First thing was a certificate format error: OAT being a JDK project creates jks-formatted keys/certs. OpenStack requires PEM formats, however. I had reused the jks-formatted certificate that was used to access OAT from the trust agents but needed to use a PEM certificate to access OAT from my control node.

Second thing was a name resolution error on the OAT node. During the trusted_filter run it is not enough to have the compute nodes registered in OAT by ip address. Compute node names in OAT must resolve to exactly the same names in the Nova controller and vice versa.

Pretty dumb mistakes that I only found by trial and error in the end. Would be great if the trusted_filter gave more then a plain "ERROR" state for root-causing...