Ask Your Question
0

Unable to start keystone

asked 2016-04-21 07:02:22 -0500

DarkKnight gravatar image

I have installed openstack mitaka using packstack installation on centos 7 by following the steps mentioned here

Now when i check the openstack-status, i see that the keystone service has failed to start. FYI,

[root@set-compute ~(keystone_admin)]# systemctl status openstack-keystone
● openstack-keystone.service - OpenStack Identity Service (code-named Keystone)
   Loaded: loaded (/usr/lib/systemd/system/openstack-keystone.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2016-04-21 16:58:18 IST; 5h 49min ago
 Main PID: 32976 (code=exited, status=1/FAILURE)

Apr 21 16:58:18 set-compute systemd[1]: Failed to start OpenStack Identity Service (code-named Keystone).
Apr 21 16:58:18 set-compute systemd[1]: Unit openstack-keystone.service entered failed state.
Apr 21 16:58:18 set-compute systemd[1]: openstack-keystone.service failed.
Apr 21 16:58:18 set-compute systemd[1]: openstack-keystone.service holdoff time over, scheduling restart.
Apr 21 16:58:18 set-compute systemd[1]: start request repeated too quickly for openstack-keystone.service
Apr 21 16:58:18 set-compute systemd[1]: Failed to start OpenStack Identity Service (code-named Keystone).
Apr 21 16:58:18 set-compute systemd[1]: Unit openstack-keystone.service entered failed state.
Apr 21 16:58:18 set-compute systemd[1]: openstack-keystone.service failed.

even openstack-status confirms this

[root@set-compute ~(keystone_admin)]# openstack-status
== Nova services ==
openstack-nova-api:                     active
openstack-nova-compute:                 active
openstack-nova-network:                 inactive  (disabled on boot)
openstack-nova-scheduler:               active
openstack-nova-cert:                    active
openstack-nova-conductor:               active
openstack-nova-console:                 active
openstack-nova-consoleauth:             active
openstack-nova-xvpvncproxy:             active
== Glance services ==
openstack-glance-api:                   active
openstack-glance-registry:              active
== Keystone service ==
openstack-keystone:                     failed
== Horizon service ==
openstack-dashboard:                    502

But i am able to create instances, upload images etc. which surprises me because from what i know, each service has to get an authentication token from the keystone as soon as the service receives and API request. So if the keystone service is not running, how come are other services like creation of instances working fine. Would any one bother to explain. Even links to explanation would work.

These information might interest you.

/etc/keystone/keystone.conf

[root@set-compute ~(keystone_admin)]# grep -v -e^# -e ^$ /etc/keystone/keystone.conf
[DEFAULT]
admin_token = ca7172741569472e8d258ae5aedbaf74
debug = False
log_dir = /var/log/keystone
public_port=5000
admin_bind_host=0.0.0.0
public_bind_host=0.0.0.0
admin_port=35357
[assignment]
[auth]
[cache]
[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = sql
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone_admin:c034c5a9cfba44f1@172.19.18.1/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
public_workers = 24
admin_workers = 24
[eventlet_server_ssl]
[federation]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[os_inherit]
[oslo_messaging_amqp]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
rabbit_ha_queues = False
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[resource]
[revoke]
[role]
[saml]
[shadow_users]
[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
key_size = 2048
cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com
[ssl]
enable=False
[token]
expiration = 3600
provider = fernet
driver = sql
revoke_by_id = True
[tokenless_auth]
[trust]

Also when i check this o/p i see many process for keystone running. Here is an abridged output.

[root@set-compute ~(keystone_admin)]# ps -ef | grep keystone
root      6134 ...
(more)
edit retag flag offensive close merge delete

Comments

What is value CONFIG_KEYSTONE_SERVICE_NAME= ? in your answer-file.

dbaxps gravatar imagedbaxps ( 2016-04-21 07:18:59 -0500 )edit

yes it is httpd, the explanation of eduardo helps. Thanks for your assistance too. :-)

DarkKnight gravatar imageDarkKnight ( 2016-04-21 23:04:52 -0500 )edit
1

Hey dbaxps, Could you please have a look at this issue and maybe suggest something. https://ask.openstack.org/en/question...

DarkKnight gravatar imageDarkKnight ( 2016-04-22 01:57:07 -0500 )edit
add a comment

2 answers

Sort by » oldest newest most voted
2

answered 2016-04-21 07:25:28 -0500

Eduardo Gonzalez gravatar image

Hi,

Keystone service has been included as apache wsgi in the past releases. If you start keystone service it will fail because ports are already in use by the keystone wsgi processes.

You can check that keystone ports are bind and which process uses it with: 

netstat -antupo | egrep '(5000|35357)'

To restart keystone, you can simply restart apache:

systemctl restart httpd

That's the reason why you can't start keystone eventlet service.

Regards

edit flag offensive delete link more

Comments

Can you specify since which release has the keystone process changed from a python process to a httpd process. Also, why do we need openstack-keystone service in this case, i mean that packstack should not have installed the keystone for these releases.

DarkKnight gravatar imageDarkKnight ( 2016-04-21 23:03:16 -0500 )edit

If i dont remember bad, it was introduced in kilo release. You can still using eventlet service if you need so. Pack stack allows you specify which keystone service type you want to use. Regards

Eduardo Gonzalez gravatar imageEduardo Gonzalez ( 2016-04-22 04:52:43 -0500 )edit
add a comment
0

answered 2016-07-01 00:06:08 -0500

ayoung gravatar image

Keystone is not in HTTPD, not Eventlet. The systemd way to star\t keystone is systemctl start httpd.service.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2016-04-21 07:02:22 -0500

Seen: 12,567 times

Last updated: Jul 01 '16

Related questions

Unable to login to horizon

RHOSP 9 Mitaka finishes successfully but controller keystone not fully populated

Reporting cloudkitty

keystone endpoint

Release-Date of Packstack for mitaka? [closed]

tenant creation date

deleted admin role by accident

How to detect keystone version

Where do I find the horizon login url view?

Verify Keystone with Curl