Ask Your Question

Kilo deployment using packstack fails with 403-error on "/usr/bin/openstack service list"

asked 2015-05-20 08:31:50 -0500

holger-king gravatar image

updated 2015-05-20 08:55:17 -0500

Dear RDO community,

when trying to deploy the Kilo OpenStack RDO release, we always get the following abortion independent of the chosen SELinux configuration setting "enforced", "permissive" and "disabled" in "/etc/selinux/config":

ERROR : Error appeared during Puppet run:
Error: /Stage[main]/Neutron::Keystone::Auth/Keystone::Resource::Service_identity[neutron]/Keystone_service[neutron]: Could not evaluate: Execution of '/usr/bin/openstack service list --quiet --format csv --long --os-token fa9cee971d134776a98108ab9232f136 --os-url' returned 1: ERROR: openstack Forbidden (HTTP 403)

A manual execution of the above command showed exactly the same error. Is there a sustainable way to get rid of that error message and to allow packstack continue its work?

Your help is highly appreciated :-)

edit retag flag offensive close merge delete

4 answers

Sort by ยป oldest newest most voted

answered 2015-05-22 02:52:51 -0500

holger-king gravatar image

updated 2015-05-22 04:37:22 -0500

Problem solved: it is important to also set the "no_proxy" environment variable when the machine you try to deploy OpenStack on is located behind an authenticating proxy infrastructure.

Before, we just exported:

  • http_proxy
  • https_proxy

environment variables but did forget to provide an exclusion list of hosts respectively domains where the authenticating proxy should not be used! This exclusion list is stored in the "no_proxy" environment variable and has to be exported via the "export" command. A simple example can be found below:


With that result the deployment passed successfully :-)

P.S.: "tcp6" ports do accept "IPv4" and "IPv6" connections on that port!

edit flag offensive delete link more


This seems to still fail with no_proxy set with packstack openstack mitaka. if I unset proxy environment settings, keystone installs ok, but then glance fails at downloading cirros image. I have no idea how to get this working.

miccicke gravatar imagemiccicke ( 2016-09-06 13:32:01 -0500 )edit

answered 2015-05-20 08:44:07 -0500

updated 2015-05-20 08:44:52 -0500

Which repository are you using and which OS, please?

edit flag offensive delete link more


We are using RHEL 7.1 in combination with the following repository: (

Is something wrong with that combination?

holger-king gravatar imageholger-king ( 2015-05-20 08:46:35 -0500 )edit

answered 2015-05-20 09:04:32 -0500

dbaxps gravatar image

updated 2015-05-20 09:25:04 -0500

Not sure regarding RHEL 7.1 . On CentOS 7.1 per Standard RDO QuickStart page instructions, keep SELINUX enforcing run packstack .

    It  will install package openstack-selinux ( might be via CBS repos) and proceed with any kind of AIO either  multi node deployment  with no problems . In meantime as pre installation step, run:-
# yum install -y  on every node (Controller,Network,Compute) involved in packstack run. The last command would result :-

[root@hostX  yum.repos.d(keystone_admin)]# ls -l
total 40
-rw-r--r--. 1 root root 1664 Apr  1 01:27 CentOS-Base.repo
-rw-r--r--. 1 root root 1309 Apr  1 01:27 CentOS-CR.repo
-rw-r--r--. 1 root root  649 Apr  1 01:27 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root  290 Apr  1 01:27 CentOS-fasttrack.repo
-rw-r--r--. 1 root root 1331 Apr  1 01:27 CentOS-Sources.repo
-rw-r--r--. 1 root root 1002 Apr  1 01:27 CentOS-Vault.repo
-rw-r--r--. 1 root root  957 May 20 14:37 epel.repo
-rw-r--r--. 1 root root 1056 Nov 25 19:23 epel-testing.repo
-rw-r--r--. 1 root root  217 May 20 14:36 rdo-release.repo
-rw-r--r--. 1 root root  178 May 20 14:03 rdo-testing.repo
edit flag offensive delete link more


We set SELinux in "enforcing" mode re-installed the "rdo-release.rpm" to be sure to take the right one ;) But no change :-( The "packstack --allinone" command execution still failed with the same error.

holger-king gravatar imageholger-king ( 2015-05-20 09:26:14 -0500 )edit

Most probably you need to be subscribed to one or more optional RHN channels. Escalate to RH support.

dbaxps gravatar imagedbaxps ( 2015-05-20 09:30:47 -0500 )edit

After the installation of:

yum install -y

and a 1st "packstack --allinone" run we see:

  • epel.repo
  • epel-testing.repo
  • rdo-release.repo
  • rdo-testing.repo

in "/etc/yum.repos.d"

holger-king gravatar imageholger-king ( 2015-05-20 09:34:39 -0500 )edit

You may check

[root@hostX  ~(keystone_admin)]# rpm -qa | grep openstack-selinux
dbaxps gravatar imagedbaxps ( 2015-05-20 09:48:02 -0500 )edit

Exactly this version of the package we found on our host as well:

[root@controller ~]# rpm -qa | grep -i "openstack-selinux"

Is there a way to debug the problem?

holger-king gravatar imageholger-king ( 2015-05-20 10:02:13 -0500 )edit

answered 2015-06-08 06:08:03 -0500

kildarejoe gravatar image


I am having the same problem with Ubuntu14.04 - kilo install -

root@kloud-controller1:~# netstat -nltp | grep 35357 tcp6 0 0 :::35357 :::* LISTEN 23385/apache2

Is there any solution?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-05-20 08:31:50 -0500

Seen: 2,013 times

Last updated: Jun 08 '15