1

Kilo on CentOS7: keystone throws HTTP 500 except when using OS_TOKEN

asked 2015-05-14 03:22:13 -0600

Kris

I am following the installation guide for the Kilo release on CentOS7. First install for me. http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html

I get stuck in section 3 (add the identity service), performing the "Verify Operation" steps. All verification commands in this section throw:

ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-9f065edb-b36etc.)

If I understand correctly, first I need to unconfigure the token authentication, and then fire some commands to test the password authentication.

command is: 'openstack --os-auth-url http://oscon01:35357 --os-project-name admin --os-username admin --os-auth-type password token issue --debug'

  • I have not changed keystone-paste.ini file in /etc/keystone. This file does not exist. This seems a documentation bug? (step 1)
  • I have unset the variables OS_TOKEN OS_URL (step 2)
  • After that the test commands show the behaviour with HTTP 500. (also there is a timeout, command takes 19 seconds including typing in the password)
  • Something is working though, when I provide wrong password my requests get rejected with HTTP 401
  • When I revert back to usage of the token (by setting the 2 env. variables) I can perform commands like 'openstack user list' and so on without error.

So basically token authentication seems to work. But as soon as I switch to password authentication I get HTTP 500 messages.

keystone log file:

2015-05-14 10:19:56.393 6343 INFO keystone.common.wsgi [-] GET /?
2015-05-14 10:19:56.394 6343 INFO eventlet.wsgi.server [-] 10.0.4.11 - - [14/May/2015 10:19:56] "GET / HTTP/1.1" 300 752 0.002065
2015-05-14 10:19:56.399 6343 INFO keystone.common.wsgi [-] POST /tokens?
2015-05-14 10:19:56.516 6343 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-14 10:20:03.013 6343 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
2015-05-14 10:20:03.014 6343 INFO eventlet.wsgi.server [-] 10.0.4.11 - - [14/May/2015 10:20:03] "POST /v2.0/tokens HTTP/1.1" 500 381 6.617398
2015-05-14 10:20:03.024 6344 INFO keystone.common.wsgi [-] GET /?
2015-05-14 10:20:03.025 6344 INFO eventlet.wsgi.server [-] 10.0.4.11 - - [14/May/2015 10:20:03] "GET / HTTP/1.1" 300 752 0.004133
2015-05-14 10:20:03.061 6344 INFO keystone.common.wsgi [-] POST /tokens?
2015-05-14 10:20:03.153 6344 INFO passlib.registry [-] registered crypt handler 'sha512_crypt': <class 'passlib.handlers.sha2_crypt.sha512_crypt'>
2015-05-14 10:20:03.371 6344 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-14 10:20:09.734 6344 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
2015-05-14 10:20:09.736 6344 INFO eventlet.wsgi.server [-] 10.0.4.11 - - [14/May/2015 10:20:09] "POST /v2.0/tokens HTTP/1.1" 500 381 6.707363

Any help would be great!... Kris


Comments

I have the same issue with Ubuntu 14.04 as reported by Kris. No SElinux running but still giving me problems

prasantk ( 2015-05-22 19:14:12 -0600 )

5 answers

2

answered 2015-05-26 03:37:23 -0600

AntonioA

updated 2015-05-29 11:32:39 -0600

I have resolved the "openstack service create" problem by following these steps:

The HTTP and Keystone services share the same port, so stop httpd and start openstack-keystone.service. Edit /etc/keystone/keystone.conf and replace "hostname or ip" with "localhost":

connection = mysql://keystone:openstack@localhost/keystone

Remember to stop the httpd service, then enable and start the keystone service:

systemctl stop httpd.service
systemctl enable openstack-keystone.service
systemctl start openstack-keystone.service

And finally, execute the command:

openstack service create --name keystone --description "OpenStack Identity" identity

Most important to remember: the Horizon dashboard uses Apache, so both the keystone and apache services must be running. In keystone.conf and wsgi-keystone.conf you need to bind a single interface on ports 5000 and 35357 instead of all interfaces ("*" or "0.0.0.0"):

  • edit /etc/keystone/keystone.conf => set admin_bind_host = <ip_mgmt> => set public_bind_host = <ip_mgmt>
  • edit /etc/httpd/conf.d/wsgi-keystone.conf => set Listen 127.0.0.1:5000 => Listen 127.0.0.1:35357 => same for VirtualHost 127.0.0.1:5000 & 35357

After restarting openstack-keystone.service and httpd.service, both processes will be running at the same time.

Antonio


Comments

Hi...this has been long ...but I have had the same problem right now, ongoing for days !!! I realised that keystone automatically stops whenever apache2 stops.....even after restoring keystone to default. Does anyone have such an experience? What can I do at this point.....thanks in advance.

SyCode7 ( 2016-04-21 04:13:30 -0600 )

... I have this same issue, but whenever I stop the apache2 server, keystone also stops. How can I stop keystone from relying on apache2? I tried reinstalling keystone but there is no difference.

SyCode7 ( 2016-04-21 06:05:46 -0600 )
1

answered 2015-05-14 03:50:34 -0600

Kris

Solved this by disabling SELinux. SELinux seems to be enforcing the memcache port...
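
One way to check the SELinux observation above is to summarise the denied port accesses recorded in the audit log. This is an added example, not part of the original answer; the function name is hypothetical, the audit records are constructed, and the process name, SELinux types and port 11211 (memcached's default) are assumptions.

```shell
#!/usr/bin/env bash
# Constructed audit.log records; comm value, SELinux types and port are assumptions.
AUDIT_SAMPLE='type=AVC msg=audit(1431591596.516:812): avc:  denied  { name_connect } for  pid=6343 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1431591596.516:812): arch=c000003e syscall=42 success=no exit=-13 comm="keystone-all"
type=AVC msg=audit(1431591603.371:815): avc:  denied  { name_connect } for  pid=6344 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1431591610.002:820): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# summarize_port_denials (hypothetical name): read audit records on stdin and
# print one line per distinct denied socket access:
#   "<count> <comm> <permission> <port> <source_type> -> <target_type>"
summarize_port_denials() {
  awk '
    /type=AVC/ && /denied/ && /tclass=(tcp|udp)_socket/ {
      perm = comm = port = st = tt = "?"
      # The denied permission sits between "{ " and " }".
      if (match($0, /[{] [^}]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "dest" || kv[1] == "src") port = kv[2]
        else if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
      }
      key = comm " " perm " " port " " st " -> " tt
      if (!(key in count)) order[++n] = key   # keep first-seen order
      count[key]++
    }
    END { for (i = 1; i <= n; i++) print count[order[i]], order[i] }'
}

# On a real host the input would be /var/log/audit/audit.log (root required).
printf '%s\n' "$AUDIT_SAMPLE" | summarize_port_denials
```

A line naming the Keystone process and the memcached port confirms that the denial is specific to that one access, which is the information needed for a targeted policy change.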

1

answered 2015-05-17 07:28:03 -0600

xinwenzeng

updated 2016-01-26 15:30:59 -0600

Hi, Kris! I met the same problem as you. I disabled SELinux, but it did not solve the problem. And I found something wrong in "http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-install.html". The docs do not tell me when and how to start openstack-keystone; they only tell me to start apache at the end.

kernel:centos 7     Linux controller 3.10.0-229.4.2.el7.x86_64
openstack release:Kilo
command:openstack service create --name keystone --description "OpenStack Identity" identity
error:ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500)
error log from /var/log/keystone/keystone.log:
ERROR keystone.common.wsgi [-] (OperationalError) (1045, "Access denied for user 'keystone'@'localhost' (using password: YES)") None None
2015-05-17 19:18:13.704 5792 TRACE keystone.common.wsgi OperationalError: (OperationalError) (1045, "Access denied for user 'keystone'@'localhost' (using password: YES)") None None

Below is what I did to solve the problem:

-1. confirm the keystone passwd

mysql -u keystone -p 
show databases;

If all of the above is OK, then it is not a password problem.

-2. confirm "/etc/keystone/keystone.conf" about [database] section

connection = mysql://keystone:news@controller/keystone

It is right, I can ping controller.

-3.

systemctl stop firewalld

Disabled SELinux and rebooted; the problem also still exists!!!

-4.

systemctl status openstack-keystone
openstack-keystone.service: main process exited, code=exited, status=1/FAILURE
Failed to start OpenStack Identity Service (code-named Keystone).
systemctl start openstack-keystone
error log:keystone error: [Errno 98] Address already in use
Could not bind to 0.0.0.0:35357

netstat -tunlp | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      6784/httpd
netstat -tunlp | grep 35357
tcp6       0      0 :::35357                :::*                    LISTEN      6784/httpd

Ports 35357 and 5000 are used by apache,
so I stopped apache and restarted openstack-keystone; openstack-keystone is OK
and "openstack service create  --name keystone" is OK.

So, the real question is: are the docs right? The docs actually do not tell us to start openstack-keystone. And apache conflicts with openstack-keystone.

Any help would be great!...Zeng

0

answered 2015-05-24 01:55:25 -0600

Jose

I got the same problem and I think it is related to the keystone.conf file permissions. The Keystone script couldn't access it and was using default parameters to access the database, thus being rejected. Could you check that?

0

answered 2015-05-27 15:57:02 -0600

This seems to be a bug; the workaround that I found is the following:

Verify whether keystone is using port 35357 ( netstat -nltp | grep 35357 ). If httpd, instead of python, is listening on that port, disable httpd:

systemctl stop httpd.service

And restart keystone:

systemctl restart openstack-keystone.service

Then proceed with the configuration. This issue is being addressed here:

review.openstack.org/#/c/167692/
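
The port check the answers above describe (which process holds 5000 and 35357, and whether it listens on every interface) can be scripted as follows. This is an added example, not part of any original post; the function name is hypothetical, and the sample input is constructed from the netstat lines quoted earlier plus one made-up sshd line.

```shell
#!/usr/bin/env bash
# Constructed sample of `netstat -tnlp` output: the httpd lines mirror the ones
# quoted in the thread, the sshd line is made up.
SAMPLE='tcp6       0      0 :::5000                 :::*                    LISTEN      6784/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      6784/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd'

# audit_keystone_ports (hypothetical name): read `netstat -tnlp` output on stdin
# and print one line per Keystone port: "<port> <owner> <bind scope>".
audit_keystone_ports() {
  awk -v ports="5000 35357" '
    BEGIN { n = split(ports, want, " ") }
    $6 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)          # text after the last colon
      host = $4; sub(/:[0-9]+$/, "", host)     # address part before the port
      owner = $7; sub(/^[0-9]+\//, "", owner)  # drop the leading PID and slash
      seen[port] = owner
      # Wildcard addresses mean the service is reachable on every interface.
      scope[port] = (host == "0.0.0.0" || host == "::" || host == "*") \
                    ? "all-interfaces" : host
    }
    END {
      for (i = 1; i <= n; i++) {
        p = want[i]
        if (!(p in seen)) { print p, "none", "not-listening"; continue }
        print p, seen[p], scope[p]
      }
    }'
}

# On a real host: netstat -tnlp | audit_keystone_ports   (root needed for owners)
printf '%s\n' "$SAMPLE" | audit_keystone_ports
```

An owner of httpd on both ports is the conflict reported in the thread; a scope of all-interfaces shows the endpoint is not restricted to the management address.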



Stats

Asked: 2015-05-14 00:21:57 -0600

Seen: 11,885 times

Last updated: Jan 26 '16