authentication required when creating port on demo-net

asked 2014-09-15 09:09:50 -0600

wangrich

updated 2014-09-16 00:33:09 -0600

Hi, all! I'm following the instructions in the OpenStack Icehouse Installation Manual for Ubuntu 14.04 Server. After I installed Glance, Neutron, Keystone and Nova, I tried to launch a Cirros instance as the manual suggested. However, the VM failed to start.

I checked nova-compute.log on the controller node. It says:

2014-09-15 20:48:50.939 1754 DEBUG neutronclient.client [-] 
REQ: curl -i h ttp://controller:9696/v2.0/ports.json -X POST -H "X-Auth-Token: (omitted)" -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"port": {"binding:host_id": "compute", "admin_state_up": true, "network_id": "065eea33-798c-490c-ae45-65cb323b0383", "tenant_id": "a8c813f2bd9b4d41b895f933bac32c3d", "device_owner": "compute:None", "security_groups": ["335f1122-a119-42ab-8c6b-4c1dc07935cb"], "device_id": "65f8c769-d260-4fef-ae8e-db9edaf91140"}}'
 http_log_req /usr/lib/python2.7/dist-packages/neutronclient/common/

2014-09-15 20:48:50.958 1754 DEBUG neutronclient.client [-] RESP:{'status': '401', 'content-length': '23', 'x-openstack-request-id': 'req-471db8f6-9e67-4215-9ebf-3471164a8298', 'date': 'Mon, 15 Sep 2014 12:48:50 GMT', 'content-type': 'text/plain', 'www-authenticate': "Keystone uri='h ttp://controller:5000'"} **Authentication required**
 http_log_resp /usr/lib/python2.7/dist-packages/neutronclient/common/

2014-09-15 20:48:50.959 1754 ERROR [-] [instance: 65f8c769-d260-4fef-ae8e-db9edaf91140] Neutron error creating port on network 065eea33-798c-490c-ae45-65cb323b0383

I'm sure that the tenant name and password are right. Why is there the authenticating process in creating ports? And what should I do to pass the authenticating?

Thank you!

UPDATED at 04:46pm GMT

As @larsks suggested, I checked the Neutron and Keystone server logs on the controller node, and found something weird and incomprehensible (to me). I've written a summary of what might be happening according to the logs (some previous interactions omitted):

  1. The Neutron client on the compute node asked the Keystone server on the controller node (controller:35357) for a token, and got an HTTP 200 response.
  2. After getting the token, the Neutron client on the compute node sent a request to the Neutron server on the controller node (controller:9696) to create a port on demo-net (a tenant network).
  3. The Neutron server got the request. It started a connection to Keystone to 'revoke' the token, and got HTTP 200.
  4. The Neutron server invalidated the user token, and responded with HTTP 401 to the Neutron client on the compute node. That is weird!

NOTE: in step 2, the client put demo's tenant id and the token obtained with (neutron:neutron_password) in the HTTP header. Then it asked the server to create a port on demo's network (the tenant id of demo-net [demo_tenant's id]). Is that inconsistent?

Could I bother you to look into my logs and find out why the Neutron server got the response from Keystone and decided the user token was invalid?

Some related logs pasted below:

I must confess that the logs are too long... as it is about two processes on three nodes.

nova-compute.log on compute node:

2014-09-16 10:11:05.512 1654 DEBUG neutronclient.client [-] 
REQ: curl -i h-ttp://controller:35357/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-neutronclient" -d '{"auth": {"tenantName": null, "passwordCredentials": {"username": "neutron", "password": "REDACTED"}}}'
 http_log_req /usr/lib/python2.7/dist-packages/neutronclient/common/ ...

2 answers


answered 2014-09-15 09:50:37 -0600

larsks

Why is there the authenticating process in creating ports?

Because all operations in OpenStack that create or destroy resources require some sort of authentication.

And what should I do to pass the authenticating?

There are a few places to check.

First, verify that your credentials are correct. You should be able to run other commands (like keystone token-get) without errors. After that, try interacting with Nova (e.g., using nova flavor-list). If those work, you probably want to carefully check the credentials in your Neutron configuration (in /etc/neutron/neutron.conf).

It is also possible you will get better error messages looking at both the Neutron and Keystone server logs.



Thanks for your suggestion. I've looked into the logs and found that the Neutron server asked Keystone to 'revoke' the token after it received the request to create a port from the Neutron client. However, the Neutron server decided the token from the client was invalid after it got the response from Keystone.

wangrich ( 2014-09-16 00:17:12 -0600 )

I've updated the question and pasted some logs into it. Before that I wrote a summary of the authentication process. I've been puzzled by this issue for nearly a week...

wangrich ( 2014-09-16 00:22:34 -0600 )

answered 2014-09-29 08:55:17 -0600

wangrich

Well, I've solved the problem after nearly a month...

I was missing one line in /etc/neutron/neutron.conf on the client side:

admin_tenant_name = service

which made nova-compute.log show the token-getting request with

{"tenantName": null, "passwordCredentials": {"username": "neutron", "password": "REDACTED"}}

while the right form should be

{"tenantName": "service", "passwordCredentials": {"username": "neutron", "password": "REDACTED"}}


Thanks for the update!

larsks ( 2014-09-29 09:33:48 -0600 )
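
The check below is an added example, not part of the original thread or of any OpenStack project code: it scans neutronclient debug lines in the format quoted in the question and reports every Keystone v2.0 token request sent without a tenant name, which is the symptom the accepted answer identifies. The function name and the sample log lines are constructed for illustration.

```python
import json
import re

# Matches the neutronclient DEBUG request format shown in the question:
#   REQ: curl -i <url> -X POST -H ... -d '<json body>'
REQ_RE = re.compile(r"REQ: curl -i (?P<url>\S+) -X POST .*? -d '(?P<body>\{.*\})'")

# Constructed sample lines modelled on the logs in the thread.
SAMPLE_LOG = [
    'REQ: curl -i http://controller:35357/v2.0/tokens -X POST '
    '-H "Content-Type: application/json" -H "Accept: application/json" '
    '-H "User-Agent: python-neutronclient" -d \'{"auth": {"tenantName": null, '
    '"passwordCredentials": {"username": "neutron", "password": "REDACTED"}}}\'',
    'REQ: curl -i http://controller:35357/v2.0/tokens -X POST '
    '-H "Content-Type: application/json" -d \'{"auth": {"tenantName": "service", '
    '"passwordCredentials": {"username": "nova", "password": "REDACTED"}}}\'',
    'REQ: curl -i http://controller:9696/v2.0/ports.json -X POST '
    '-H "X-Auth-Token: (omitted)" -d \'{"port": {"admin_state_up": true}}\'',
]


def find_tenantless_token_requests(lines):
    """Return (username, url) for each token request whose tenantName is null or absent."""
    findings = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match or not match.group("url").endswith("/v2.0/tokens"):
            continue  # not a Keystone v2.0 token request
        try:
            body = json.loads(match.group("body"))
        except ValueError:
            continue  # body truncated in the log or not valid JSON
        auth = body.get("auth", {}) if isinstance(body, dict) else {}
        if not auth.get("tenantName"):
            creds = auth.get("passwordCredentials") or {}
            findings.append((creds.get("username"), match.group("url")))
    return findings


if __name__ == "__main__":
    for user, url in find_tenantless_token_requests(SAMPLE_LOG):
        print("token request without tenantName: user=%s url=%s" % (user, url))
```

A hit for a service user such as neutron points at a missing admin_tenant_name setting for that user on the node that wrote the log.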


Asked: 2014-09-15 09:09:50 -0600

Seen: 4,929 times

Last updated: Sep 29 '14