
ceilometer cli commands returns 403

asked 2017-01-05 01:35:56 -0500

DarkKnight

I am running OpenStack Newton and have installed the ceilometer service. However, my ceilometer CLI commands are not working. I have sourced the admin rc file that has the correct values of various parameters.

I have also tried a debug statement and found this:

    ceilometer --debug meter-list

Some excerpts from the logs

DEBUG (client) REQ: curl -g -i -X 'GET' 'http://controller:8777/v2/meters' -H 'User-Agent: ceilometerclient.openstack.common.apiclient' -H 'X-Auth-Token: {SHA1}53522111fa34135e7732e859e93797faa1be7a76'
DEBUG (connectionpool) Starting new HTTP connection (1): controller
DEBUG (connectionpool) http://controller:8777 "GET /v2/meters HTTP/1.1" 403 211
DEBUG (client) RESP: [403] {'Content-Length': '211', 'Keep-Alive': 'timeout=5, max=100', 'Server': 'Apache/2.4.6 (CentOS) PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5', 'Connection': 'Keep-Alive', 'Date': 'Thu, 05 Jan 2017 07:29:14 GMT', 'Content-Type': 'text/html; charset=iso-8859-1'}

<title>403 Forbidden</title>

Can someone suggest what is the issue?



A few suggestions:

Check the ceilometer log files.

Perhaps something is wrong with the authentication configuration in ceilometer.conf, for example in the keystone_authtoken section of that file.

Or the policy.json file is buggy.

Bernd Bausch ( 2017-01-05 19:41:05 -0500 )

Agree with @bernd-bausch. Try to enable debug/verbose and check ceilometer's logs as well as httpd's logs.

yprokule ( 2017-01-06 05:57:01 -0500 )

3 answers


answered 2017-01-18 08:21:31 -0500

updated 2017-01-19 23:11:57 -0500

Had the same problem. What I did to make it work:

  1. Copied the default wsgi file to a new one:

    sudo cp /usr/lib/python2.7/dist-packages/ceilometer/api/app.wsgi /var/www/cgi-bin/ceilometer/app/app.wsgi

  2. Changed the WSGIScriptAlias line in /etc/apache2/sites-available/ceilometer.conf

    WSGIScriptAlias / "/var/www/cgi-bin/ceilometer/app/app.wsgi"

Side note: it seems the 'ceilometer-api' component is not needed (even though the guide asks us to install it). If you check the ceilometer-api logs, it's trying to enable its service on port 8777, which Apache already enabled. Anyway, Ceilometer API through port 8777 is deprecated in favor of Gnocchi and other components.



@gianpietro - so it works for you?

yprokule ( 2017-01-19 10:03:40 -0500 )

Yes, working fine after replacing the file and reloading apache.

gianpietro ( 2017-01-19 10:45:30 -0500 )

The procedure indicated by @gianpietro works very well (installation for Ubuntu)

ctomas ( 2017-01-24 14:15:58 -0500 )

@gianpietro: I was seeking some clarifications. There are two ways to start the ceilometer-api service. One of them is to start it as a CGI script inside a webserver, HTTPD in this case. The other way is to start it as a python process. Correct me if I have got it wrong.

DarkKnight ( 2017-01-31 01:21:38 -0500 )

@DarkKnight: I understand the same. The service starts by default inside httpd, so if we install the ceilometer-api component as the newton guide shows (wrongly I guess, as it's deprecated) it will try to start its service as a python process and fail as the port is already taken.

gianpietro ( 2017-01-31 08:32:21 -0500 )

answered 2017-01-16 20:02:35 -0500

I have the same problem, have you found the solution?



It seems the wsgi service has some permission issues.

zero ( 2017-01-17 07:55:38 -0500 )

Change the port on which the ceilometer api service runs.

DarkKnight ( 2017-01-19 03:44:10 -0500 )

@DarkKnight - so how does changing the port help? You either start ceilometer-api from apache's mod_wsgi or with regular systemctl start openstack-ceilometer-api

yprokule ( 2017-01-19 10:05:16 -0500 )

answered 2017-01-17 07:47:43 -0500

zero

updated 2017-01-17 07:52:46 -0500

The official OpenStack documentation may have lost this config:

    <Directory />
        Require all granted
    </Directory>

You can change http like this:

    Listen 8777

    <VirtualHost *:8777>
        WSGIDaemonProcess ceilometer-api processes=2 threads=10 user=ceilometer group=ceilometer display-name=%{GROUP}
        WSGIProcessGroup ceilometer-api
        WSGIScriptAlias / /usr/lib/python2.7/site-packages/ceilometer/api/app.wsgi
        WSGIApplicationGroup %{GLOBAL}
        ErrorLog /var/log/httpd/ceilometer_error.log
        CustomLog /var/log/httpd/ceilometer_access.log combined

        <Directory />
            Require all granted
        </Directory>
    </VirtualHost>

    WSGISocketPrefix /var/run/httpd
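A narrower variant of the configuration in the answer above, as an added example that is not part of the original post or the OpenStack documentation: rather than `Require all granted` on `<Directory />`, it lifts Apache 2.4's default deny only for the `app.wsgi` file that `WSGIScriptAlias` points at. The paths are the ones quoted in the answer (CentOS layout); the `<Directory>`/`<Files>` scoping is the assumption added here.

```apache
# Added example: same virtual host as in the answer, with access scoped to the
# WSGI entry point instead of the filesystem root.

# As posted (broad): removes the access restriction for every path under /
# in the scope where it is placed.
#   <Directory />
#       Require all granted
#   </Directory>

Listen 8777

# WSGISocketPrefix is a server-level directive and must stay outside <VirtualHost>.
WSGISocketPrefix /var/run/httpd

<VirtualHost *:8777>
    WSGIDaemonProcess ceilometer-api processes=2 threads=10 user=ceilometer group=ceilometer display-name=%{GROUP}
    WSGIProcessGroup ceilometer-api
    WSGIScriptAlias / /usr/lib/python2.7/site-packages/ceilometer/api/app.wsgi
    WSGIApplicationGroup %{GLOBAL}
    ErrorLog /var/log/httpd/ceilometer_error.log
    CustomLog /var/log/httpd/ceilometer_access.log combined

    # Scoped (narrow): only the directory holding the script, and within it
    # only the script file itself, is opened up.
    <Directory /usr/lib/python2.7/site-packages/ceilometer/api>
        <Files app.wsgi>
            Require all granted
        </Files>
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` before reloading httpd, then repeat `ceilometer --debug meter-list` and check `/var/log/httpd/ceilometer_error.log` if the 403 persists.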


Asked: 2017-01-05 01:35:56 -0500

Seen: 519 times

Last updated: Jan 19 '17