Ask Your Question

Keystone not available after Cinder install

asked 2019-11-19 10:41:50 -0500

Daryl gravatar image

When I install Cinder (Stein release) all goes well until I get to the verify step:

openstack volume service list

That command reports that "The Keystone service is temporarily unavailable." and that I should try again later. I have verified everything I can think of (spelling, capitalization, etc.) in the config files and installation commands. I've also run the same command with the --debug option and captured the output, and I've looked at that until my eyes defocus. I've reviewed several other "Keystone service unavailable" posts, but none of them seem to have any bearing on my symptoms.

Any suggestions would be appreciated. If someone would like to see the captured output, I'd be glad to post it, but it's 23KB and the attachment feature on this forum won't accept anything but image files.

edit retag flag offensive close merge delete


You can share text files on

I would check the authentication section in cinder.conf and compare it with equivalent sections in the Nova, Neutron and Glance configuration. Also check if Keystone is up at all by issuing Keystone commands.

Bernd Bausch gravatar imageBernd Bausch ( 2019-11-19 15:54:38 -0500 )edit

I ran $ sudo grep auth_url sudo find /etc -name "*.conf"and all the auth_url entries are identical: http://controller:5000/v3. This matches OS_AUTH_URL in my environment. I can't find a list of Keystone commands, but the following all work correctly: (To be continued...)

Daryl gravatar imageDaryl ( 2019-11-20 10:42:33 -0500 )edit

$ openstack user list $ openstack service list $ openstack role list

This works (empty list returned): $ openstack volume list

But this fails: $ openstack volume service list

I pasted the output of $ openstack --debug volume service listhere:

Daryl gravatar imageDaryl ( 2019-11-20 10:50:03 -0500 )edit

I would check the Cinder API log for message pertaining to Keystone. Probably "Keystone unavailable; marking token as invalid and deferring auth decision". My hope is that messages shortly prior to this contain details as to why Cinder is unable to connect to Keystone.

Bernd Bausch gravatar imageBernd Bausch ( 2019-11-20 23:34:48 -0500 )edit

The test whose results you pasted has a request ID of req-8be146b2-eed1-4e36-bff5-03162baa0596. Again, looking for Cinder API log messages that contain this request ID should help.

Bernd Bausch gravatar imageBernd Bausch ( 2019-11-20 23:35:50 -0500 )edit

3 answers

Sort by ยป oldest newest most voted

answered 2020-01-16 09:07:56 -0500

Ion42 gravatar image

I had the same symptoms...

Each failure in /var/log/apache2/cinder_error.log gave messages like

2020-01-15 21:34:51.340187 2020-01-15 21:34:51.339 7300 WARNING keystonemiddleware.auth_token [req-421aaf5e-0aa6-4f7e-a5e7-ba866ee43504 - - - - -] Identity response: {"error":{"code":401,"message":"The request you have made requires authentication.","title":"Unauthorized"}}

So I suspected the user/role situation and repeated the command from the install guide

 openstack role add --project service --user cinder admin

and it's working:

root@control:~# openstack volume service list
| Binary           | Host       | Zone | Status  | State | Updated At                 |
| cinder-scheduler | control    | nova | enabled | up    | 2020-01-15T20:37:28.000000 |
| cinder-volume    | block1@lvm | nova | enabled | up    | 2020-01-15T20:37:34.000000 |

Maybe you've missed the same part...

edit flag offensive delete link more


Thank you, Ion42 - this worked for me. :)

dmcgrandle gravatar imagedmcgrandle ( 2020-06-13 13:49:40 -0500 )edit

answered 2019-11-21 11:45:34 -0500

Daryl gravatar image

I"m putting this in an answer because the character count limit on comments is too low.

I'm convinced I have an authentication problem and I'm worried it's because of domain name. When I created the 'cinder' user it was with '--domain default'. When I list my domains I have a domain with ID = 'default' and name = 'Default'. So my questions are:

  1. Is domain name matching case sensitive?
  2. Is domain name matching on the name or the ID?
  3. Should I be looking elsewhere?
  4. Can I coerce Keystone into telling me exactly why the authentication failed?
edit flag offensive delete link more

answered 2019-11-19 12:34:56 -0500

You have to verify one by one keystone service is running fine ? Make sure keystone is running well. which version of keystone you are using v2 or v3 http or https ? systemctl status openstack-cinder-api.service systemctl status openstack-cinder-scheduler.service

check cinder.conf file. /etc/cinder/cinder.conf | grep auth_uri check if uri is correct.

you can try restart nova api service

edit flag offensive delete link more


Keystone V3, http. openstack-cinder-api.service and openstack-cinder.scheduler.service are not found, but "cinder.scheduler.service" is. The auth_url question was bothersome. The various config files had a mix: http://controller:5000 and http://controller/v3. (to be continued...)

Daryl gravatar imageDaryl ( 2019-11-19 16:00:49 -0500 )edit

I made them all end in /v3, because the Verify step in the Keystone install guide included it. The bothersome part is the comment in keystone.conf to the effect that that part of the URL appears to be ignored, or at least that's what I saw on first reading. Thanks for the help; I am continuing.

Daryl gravatar imageDaryl ( 2019-11-19 16:05:03 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2019-11-19 10:41:50 -0500

Seen: 450 times

Last updated: Jan 16 '20