Ask Your Question

Warning: Policy check failed. Openstack Ocata

asked 2017-07-06 19:09:31 -0600

dbchuck gravatar image

updated 2017-07-07 13:12:35 -0600

Hi, I have been having this problem consistently on my one server. This is the first time I have experimented with Openstack so I am quite sure how to troubleshoot this problem. I am using RDO install on CentOS 7 x86_64. Server: Dell Poweredge 2950 Gen III, Dual Xeon's 2.8GHZ, 16GB of ram and 2 X 1TB configured in Raid 1 on a Perc/6i Controller. I followed this tutorial : ( Everything worked fine until I tried to add an image to the Openstack library. (Admin > System > Images). I would get 5 warning messages saying: Warning Policy check failed. I am not able to add any images or launch any instances (with the default cirros image). Since I am new I don't really know if someone needs logs to troubleshoot this.

EDIT: The reason why I am pushing for this is just to test it out with some friends(they don't have time or patience to learn the CLI of Openstack, so this is why I am pushing for use of the web interface.)

edit retag flag offensive close merge delete


Have you tried the equivalent command line command? Probably openstack image create --disk-format qcow2 --file FILENAME YOUR-IMAGE-NAME.

The relevant Glance log should be /var/log/glance/glance-api.log. I don't think Keystone is involved.

Bernd Bausch gravatar imageBernd Bausch ( 2017-07-07 06:36:19 -0600 )edit

I was able to add an ISO file, but when I look at it from the web interface, the launch button isn't on the newly added file.

dbchuck gravatar imagedbchuck ( 2017-07-07 13:09:59 -0600 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2017-07-07 04:43:22 -0600

Deepa gravatar image

Can you share logs from glance and keystone ?

edit flag offensive delete link more

answered 2017-07-07 17:37:51 -0600

updated 2017-07-07 17:48:09 -0600

The Glance log says

ERROR [-] A value for swift_store_auth_address is required.

Your /etc/glance/glance-api.conf is missing swift_store_auth_address. If swift is your default store, this means you can create image records in Glance, but not upload any image data.

But this doesn't explain the "policy check" error.

The Keystone log points to misconfigured DB permissions:

CRITICAL keystone [-] OperationalError: (_mysql_exceptions.OperationalError) (1045, "Access denied for user 'keystone'@'localhost' (using password: YES)")

That might well be the root cause. EDIT: No, It only appears at the very beginning of the log days ago.

edit flag offensive delete link more


I configured the RDO installation to exclude the Swift part of Openstack. I also was able to upload an ISO file to the image library, but still no change in web interface.

dbchuck gravatar imagedbchuck ( 2017-07-07 18:07:27 -0600 )edit

Perhaps it's not uploaded. Check the image status. If ACTIVE, it's in the store, which means your installation uses a default store other than Swift. It might be QUEUED, which means it's not in the store.

Also check glance-api.conf for the store parameters.

Bernd Bausch gravatar imageBernd Bausch ( 2017-07-07 18:59:21 -0600 )edit

As far as I can tell, it is ACTIVE. The api.conf shows "normal" activity (web traffic, no errors). However, I did find this strange. WARNING glance_store.driver [-] Failed to configure store correctly: A value for swift_store_auth_address is required. ***Disabling add method.***

dbchuck gravatar imagedbchuck ( 2017-07-09 13:13:27 -0600 )edit

By glance-api.conf, I mean the configuration file, not the log file. So, what are the Swift parameters in your Glance configuration? Note that they might be in a different file referenced by swift_store_config_file.

To confirm the image is active, run openstack image list.

Bernd Bausch gravatar imageBernd Bausch ( 2017-07-09 18:56:09 -0600 )edit

answered 2017-07-07 13:43:49 -0600

dbchuck gravatar image

updated 2017-07-17 11:04:44 -0600

Here are the logs from Glance and Keystone. (seems that I can't upload files so here are the PasteBin links)

Glance API log: Glance Registry log: Keystone log:


I figured out that my browser (Brave) was causing the problem from what it looks like. The administration web interface works just fine with Firefox.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2017-07-06 19:09:31 -0600

Seen: 436 times

Last updated: Jul 17 '17