authentication required when creating port on demo-net
Hi, all! I'm following the instructions in the OpenStack Icehouse Installation Manual for Ubuntu 14.04 Server. After I installed Glance, Neutron, Keystone and Nova, I tried to launch a Cirros instance as the manual suggested. However, the VM failed to start.
I checked nova-compute.log on the controller node. It says:
2014-09-15 20:48:50.939 1754 DEBUG neutronclient.client [-]
REQ: curl -i h ttp://controller:9696/v2.0/ports.json -X POST -H "X-Auth-Token: (omitted)" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"port": {"binding:host_id": "compute", "admin_state_up": true, "network_id": "065eea33-798c-490c-ae45-65cb323b0383", "tenant_id": "a8c813f2bd9b4d41b895f933bac32c3d", "device_owner": "compute:None", "security_groups": ["335f1122-a119-42ab-8c6b-4c1dc07935cb"], "device_id": "65f8c769-d260-4fef-ae8e-db9edaf91140"}}'
http_log_req /usr/lib/python2.7/dist-packages/neutronclient/common/utils.py:173
2014-09-15 20:48:50.958 1754 DEBUG neutronclient.client [-] RESP:{'status': '401', 'content-length': '23', 'x-openstack-request-id': 'req-471db8f6-9e67-4215-9ebf-3471164a8298', 'date': 'Mon, 15 Sep 2014 12:48:50 GMT', 'content-type': 'text/plain', 'www-authenticate': "Keystone uri='h ttp://controller:5000'"} **Authentication required**
http_log_resp /usr/lib/python2.7/dist-packages/neutronclient/common/utils.py:179
2014-09-15 20:48:50.959 1754 ERROR nova.network.neutronv2.api [-] [instance: 65f8c769-d260-4fef-ae8e-db9edaf91140] Neutron error creating port on network 065eea33-798c-490c-ae45-65cb323b0383
I'm sure that the tenant name and password are right. Why is there an authentication process when creating ports? And what should I do to pass the authentication?
Thank you!
UPDATED at 04:46pm GMT
As @larsks suggested, I checked the Neutron and Keystone server logs on the controller node, and found something weird and incomprehensible (to me). Here is a summary of what might have happened according to the logs (some previous interactions omitted):
- The Neutron client on the compute node asked the Keystone server on the controller node (controller:35357) for a token, and got an HTTP 200 response.
- After getting the token, the Neutron client on the compute node sent a request to the Neutron server on the controller node (controller:9696) to create a port on demo-net (a tenant network).
- The Neutron server got the request. It started a connection to Keystone to 'revoke' the token, and got HTTP 200.
- The Neutron server invalidated the user token, and responded with HTTP 401 to the Neutron client on the compute node. That is weird!
NOTE: in step 2, the client put demo's tenant id and the token obtained with (neutron:neutron_password) in the HTTP header. Then it asked the server to create a port on demo's network (the tenant id of demo-net [demo_tenant's id]). Is that inconsistent?
Could you please look into my logs and find out why the Neutron server got the response from Keystone and decided the user token was invalid?
Some related logs pasted below:
I must confess that the logs are too long... as it is about two processes on three nodes.
nova-compute.log on compute node:
2014-09-16 10:11:05.512 1654 DEBUG neutronclient.client [-]
REQ: curl -i h-ttp://controller:35357/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": null, "passwordCredentials": {"username": "neutron", "password": "REDACTED"}}}'
http_log_req /usr/lib/python2.7/dist-packages/neutronclient/common/utils.py ...