keystone authentication in tripleo with haproxy

asked 2018-01-15 08:39:55 -0600

CloudEnthusiast

updated 2018-01-15 08:54:21 -0600


I have a lab setup deployed with RHOSP10 - Undercloud and Overcloud with haproxy. I have developed a Python script using keystoneclient (V3 API) to fetch a few details. I tested this script in my local laptop packstack environment. It works fine here. But when I change the auth_url in the script to the external VIP of the overcloud [keystone public endpoint], it fails with the error below:

> Traceback (most recent call last):
>   File "", line 49, in <module>
>     get_projectslist()
>   File "", line 14, in get_projectslist
>     tenants = keystone.projects.list() # list of class objects
>   File "/usr/lib/python2.7/site-packages/positional/", line 101, in inner
>     return wrapped(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/v3/", line 119, in list
>     **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/", line 75, in func
>     return f(*args, **new_kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/", line 390, in list
>     self.collection_key)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/", line 125, in _list
>     resp, body = self.client.get(url, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/", line 288, in get
>     return self.request(url, 'GET', **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/", line 447, in request
>     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/", line 192, in request
>     return self.session.request(url, method, **kwargs)
>   File "/usr/lib/python2.7/site-packages/positional/", line 101, in inner
>     return wrapped(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/", line 430, in request
>     resp = send(**kwargs)
>   File "/usr/lib/python2.7/site-packages/keystoneclient/", line 474, in _send_request
>     raise exceptions.ConnectionRefused(msg)
> keystoneauth1.exceptions.connection.ConnectFailure: Unable to establish connection to http://a.b.c.d:35357/v3/projects?

Please let me know how to handle this?




"Connection refused" means that nobody is listening on that address/port. My guess is a problem with your haproxy config. Test the VIP with `curl http://a.b.c.d:35357`, and use netstat or ss to check if there is a listener, e.g. `ss -lntp | grep 35357`. Also check any haproxy log.

Bernd Bausch ( 2018-01-15 17:33:38 -0600 )

Hi, thanks for the reply! The observation is: I used the external public IP (VIP) in my script and ran the script from a fresh dev VM on my laptop (the VIP is accessible; it opens up the dashboard inside my VM). Once you run the script in the VM, haproxy directs to the internal API IP (a.b.c.d), which is not accessible.

CloudEnthusiast ( 2018-01-15 20:12:32 -0600 )

If I run the script from the director node, it works fine: keystone authentication succeeds and it fetches the details. I also checked with the pcs status command that a.b.c.d (it is also the admin endpoint of keystone) is assigned to the 2nd controller out of 3 controllers. Any suggestions? --Regards

CloudEnthusiast ( 2018-01-15 20:15:00 -0600 )

In short, I'm reaching the public API VIP (10.Y.Y.Y) and haproxy redirects to the provisioning network VIP (a.b.c.d=192.X.X.X), and I'm not able to connect.

CloudEnthusiast ( 2018-01-15 20:47:14 -0600 )

Since you can access the VIP, and a.b.c.d is accessible as well, the problem must be somewhere in the path between HA-Proxy and a.b.c.d. I don't know what tools you have to check that path; in the worst case, use tcpdump.

Bernd Bausch ( 2018-01-15 21:48:49 -0600 )
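
An added example, not code from anyone in this thread: a small Python 3 probe that runs the connectivity check suggested above against each keystone endpoint URL from the client host and separates a refused connection from a timeout. The URLs in `SAMPLE_ENDPOINTS` are constructed placeholders (port 5000 for the public endpoint is an assumption; 35357 is the port in the traceback), and `probe`, `check_endpoints` and `HINTS` are names made up for this illustration.

```python
import socket
from urllib.parse import urlparse

# Constructed placeholders (TEST-NET addresses), not values from the thread.
# Replace with the keystone URLs from your own service catalog.
SAMPLE_ENDPOINTS = {
    "public": "http://192.0.2.10:5000/v3",
    "admin": "http://192.0.2.20:35357/v3",
}

# What each outcome usually means when seen from the client host.
HINTS = {
    "open": "listener reachable from this host",
    "refused": "host reachable, nothing listening; check haproxy bind, ss -lntp",
    "timeout": "no answer; address may be unroutable or filtered from this host",
    "unreachable": "no route to host, or the name did not resolve",
}


def probe(url, timeout=3.0):
    """Try a TCP connect to the URL's host:port and classify the outcome."""
    parts = urlparse(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def check_endpoints(endpoints, timeout=3.0):
    """Return {interface: (url, outcome)} for every endpoint URL given."""
    return {name: (url, probe(url, timeout)) for name, url in endpoints.items()}


if __name__ == "__main__":
    for name, (url, outcome) in check_endpoints(SAMPLE_ENDPOINTS).items():
        print("%-7s %-32s %-11s %s" % (name, url, outcome, HINTS[outcome]))
```

Running it from both the failing client and a host where the script works (the director node in this thread) shows which endpoint URLs are reachable from which network.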