Ask Your Question

Keystone Unable to Establish Connection

asked 2015-02-17 16:03:50 -0500

ALU.RDC gravatar image

updated 2015-02-18 02:20:04 -0500

Hello everyone. I'd like to provide you with a very clear concise description of what I have set up, so there is no ambiuguity.

I have 1 single server, with 1 active network interface. I'm running OpenSuSE 13.1. I'm trying to install Openstack-keystone. I have the option of running through a proxy, but at the moment, I have it set to disabled in /etc/sysconfig/proxy.   My export list has no proxy variables set. but I did have a no_proxy="localhost,, <myip"  variable set at one time during testing.  

Ok, so with that background, onto my problem.  I have set up openstack-keystone, mysql-python (which uses mariadb) 

My first issue is this when I start keystone I get this output:

>  Loaded: loaded (/etc/init.d/openstack-keystone)
   Active: active (exited) since Tue 2015-02-17 04:44:02 EST; 7min ago
  Process: 4262 ExecStop=/etc/init.d/openstack-keystone stop (code=exited, status=0/SUCCESS)
  Process: 4272 ExecStart=/etc/init.d/openstack-keystone start (code=exited, status=0/SUCCESS)

The status is Active (Exited). As opposed to other processes that have Active (running). I thought this may be normal, but in running netstat -atp or netstat -tulpen I see nothing that shows that the keystone process is listening for connections. My /etc/keystone/keystone.conf (which i'll post shortly) has it's bind address to and it listening on ports 35357 and 5000.

Yet when I go to run or start openstack-keystone, while it recieves a real process ID, it shows no listening port. I've grepped for it, and everything. There is nothing listening on 35357 or 5000. Now before this issue comes up, I have opened up the ports in SuSEfirewall. In fact, I actually disabled the entire firewall itself, unloaded all rules. Currently, the system is wide open, no firewall rules exist.

So this leads to the next issue. I'm not sure if they are related. After I even start openstack-keystone (when it is in active (exited)), I try to connect to the mysql database. From the terminal i can issue 'mysql -u root -p" and enter the database no problem. In fact, I ran a keystone-manage db_sync keystone, and it populated the keystone table with 18 entries. So I'm assuming that all is correct....

The problem is when I take it a step further. I use the command 'keystone tenant-create --name admin --description 'admin-tenant'

This is where things get really hairy. The error I'm getting is:

Unable to establish connection to

That's the error I receive if I set the OS_SERVICE_ENDPOINT equal to I've tried many options such as localhost, controller, and my own interface's IP address. The results are the same. It is unable to establish a connection. I can only assume this is linked to the fact that I see nothing listening on ports 35357 and 5000.

Also ... (more)

edit retag flag offensive close merge delete


Hi, Please check by changing admin_endpoint and public_endpoint in keystone.conf from localhost to your interface IP. Restart httpd service, then keystone service. Thanks.

Praveen N gravatar imagePraveen N ( 2016-02-28 02:39:54 -0500 )edit

4 answers

Sort by ยป oldest newest most voted

answered 2015-02-18 11:19:32 -0500

ALU.RDC gravatar image

Thanks! I actually found out the issue. According the Juno install docs for opensuse, it says to add the .persistence. keyword to the [token] portion of the /etc/keystone/keystone.conf file. Like this: ... [token] # Provides token persistence. driver = keystone.token.persistence.backends.sql.Token ....

After removing the persistence word, I had no issue. I restarted openstack-keystone, it brought the ports up, I was able to connect to them, and I finished the keystone install last night... Again I removed the word persistence from the drive parameter, and it worked.

driver = keystone.token.backends.sql.Token

They ask you to place the keyword "persistence" in between token and backends. It causes the keystone.conf file to not be fully loaded, and the port's listed in the same file, will not be opened up.

edit flag offensive delete link more

answered 2015-02-18 02:31:25 -0500

updated 2015-02-18 02:33:36 -0500

hey there,

first of all try to find the errors from logs which are available at


likewise all relevant logs are automatically saved in respective places. log files which are nothing but a continous description of the executions no matter right one or not will be saved.

unable to establish connection to OS_AUTH_URL means it is a keystone error. hope you must have received the right tokens. because

export OS_AUTH_URL

will act as a temporary variables which will be placed as environment variables and will vanish after closing terminal or a restart system.

and do check with which interface like (eth0, lo) your mysql is binded, the same IP you have to provide in every other configuration.

if possible post some logs.

edit flag offensive delete link more


The keystone.log is in /var/log/apache2 on ubuntu 16.04 LTS. Just adding as a FYI

nerak99 gravatar imagenerak99 ( 2016-11-02 09:46:55 -0500 )edit

answered 2016-02-27 01:19:33 -0500

rackerstacker gravatar image

None of the above mentioned solutions helped....

So tried to troubleshoot using some basic concepts... here are the steps tried :

  1. Check if keystone service is running using
  2. If not running keystone-all command
  3. If it starts without error problem solved.
  4. If it does not troubleshoot the new error


edit flag offensive delete link more

answered 2015-02-18 23:37:15 -0500

madhank gravatar image

updated 2015-02-22 23:48:32 -0500

Hi this error will appears due to missing grant PRIVILEGES please do the below in mysql db and check


GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'<your host="" name="">' IDENTIFIED BY 'KEYSTONE_DBPASS';

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'yourmanagementip <or>' IDENTIFIED BY 'KEYSTONE_DBPASS';


edit in this file vi /etc/keystone/keystone.conf

admin_token = 12345

connection = mysql://keystone:KEYSTONE_DBPASS@<your host="" name="">or <>/keystone


provider = keystone.token.providers.uuid.Provider

driver = keystone.token.persistence.backends.sql.Token

save and sync keystone db

su -s /bin/sh -c "keystone-manage db_sync" keystone

Note OS_SERVICE_TOKEN and admin_token need to have same character do the below exports it will works for sure

export OS_SERVICE_TOKEN=12345

export OS_SERVICE_ENDPOINT=http://<your host="" name="">:35357/v2.0

edit flag offensive delete link more


Thanks for the response madhank. I have two questions. Before I drop the keystone database and do as you say, will this cause all of my service Id's, tenants, and users from glance to be removed?

Also I'm having trouble starting the openstack-glance-api process. Could this be related to it?

ALU.RDC gravatar imageALU.RDC ( 2015-02-20 10:27:43 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2015-02-17 16:03:50 -0500

Seen: 17,639 times

Last updated: Feb 27 '16