Ask Your Question

'openstack endpoint list' fails, equivalent curl command works

asked 2016-12-04 11:09:35 -0500

fortunepickle gravatar image

updated 2016-12-04 11:10:13 -0500

Setup information:

  • Openstack version: Mitaka
  • openstack client version: 3.4.1
  • keystoneauth1 version: 2.16.0

I was trying to run a simple rally task, which fails with the following error:

$ sudo rally task start /usr/share/rally/samples/tasks/scenarios/nova/boot-and-delete.json
2016-12-04 16:43:35.655 13422 INFO rally.plugins.openstack.context.keystone.users [-] Task 2b3168c4-ccb6-4214-865f-c31e5450560c | Starting:  Enter context: `users`
2016-12-04 16:43:35.801 13422 WARNING [-] Failed to consume a task from the queue: Could not find requested endpoint in Service Catalog.
Task config is invalid: `Unable to setup context 'users': 'Failed to create the requested number of tenants.'`

After some debugging (running rally with the -vd options), I found the apparent source of the error to be related to the keystoneauth1 package (I get the same error when running sudo openstack endpoint list):

2016-12-04 16:48:32.777 13837 ERROR     return self.session.request(url, method, **kwargs)
2016-12-04 16:48:32.777 13837 ERROR   File "/usr/local/lib/python2.7/dist-packages/positional/", line 101, in inner
2016-12-04 16:48:32.777 13837 ERROR     return wrapped(*args, **kwargs)
2016-12-04 16:48:32.777 13837 ERROR   File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/", line 492, in request
2016-12-04 16:48:32.777 13837 ERROR     raise exceptions.EndpointNotFound()
2016-12-04 16:48:32.777 13837 ERROR EndpointNotFound: Could not find requested endpoint in Service Catalog.
2016-12-04 16:48:32.777 13837 ERROR

If I get a token and directly request the endpoint list with a curl request, I seem to get a successful response (I looked into the headers used by sudo openstack endpoint list and used the same headers):

$ curl -g -i -X GET -H "Accept: application/json" -H "User-Agent: osc-lib keystoneauth1/2.16.0 python-requests/2.12.3 CPython/2.7.6" -H "X-Auth-Token: <token>"

HTTP/1.1 200 OK
Date: Sun, 04 Dec 2016 16:53:45 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-ae4ad72b-5055-4e72-bde0-b6800fba0833
Content-Length: 7772
Content-Type: application/json

{"endpoints": [{"region_id": "RegionOne", "links": {"self": ""}, "url": "", "region": "RegionOne", "enabled": true, "interface": "public", "service_id": "7438e2504b2e4c1ea9b9b5526c059186",

Same thing happens if I use the v2.0 API:

$ curl -g -i -X GET -H "Accept: application/json" -H "User-Agent: osc-lib keystoneauth1/2.16.0 python-requests/2.12.3 CPython/2.7.6" -H "X-Auth-Token: <token>"

HTTP/1.1 200 OK
Date: Sun, 04 Dec 2016 17:03:59 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
x-openstack-request-id: req-bc82e230-7901-4b3d-91a0-8c73e94914e8
Content-Length: 2247
Content-Type: application/json

{"endpoints": [{"adminurl": "", "region": "RegionOne", "enabled": true, "internalurl": "", "service_id": "bb2b738498af4778879b20321c17293d", "id": "c5872d8494b24f31840f3c9263714a10", "publicurl": " ...
edit retag flag offensive close merge delete



By default, sudo clears the environment, so that your OS_xxxxxxx environment variables are probably not set at all, or not correctly. This includes Keystone user name and password and would mean authentication failure. If sudo is required, you can add OS_xxxxx to /etc/sudoers.

Bernd Bausch gravatar imageBernd Bausch ( 2016-12-04 16:56:42 -0500 )edit

Thank you Bernd,

That's a good point.

I actually added the OS_xxx env variables to the /etc/sudoers file (via visudo), so that shouldn't be a problem. For example other commands like 'sudo openstack project list' work fine.

fortunepickle gravatar imagefortunepickle ( 2016-12-05 05:32:57 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2016-12-05 11:17:27 -0500

fortunepickle gravatar image

updated 2016-12-05 11:20:48 -0500

I was able to dig this up a bit more. After what I've found, I feel I'm probably doing something terribly wrong... By this I mean that the problem should be solvable by installing the correct versions of clients and Openstack services. I suspect I'm not doing it.

I've traced the error to the file keystoneauth1/ (take a look at it here: ), function get_endpoint():

def get_endpoint(self, auth=None, **kwargs):
    """Get an endpoint as provided by the auth plugin.

    :param auth: The auth plugin to use for token. Overrides the plugin on
                 the session. (optional)
    :type auth: keystoneauth1.plugin.BaseAuthPlugin

    :raises keystoneauth1.exceptions.auth_plugins.MissingAuthPlugin:
        if a plugin is not available.

    :returns: An endpoint if available or None.
    :rtype: string
    auth = self._auth_required(auth, 'determine endpoint URL')          
    return auth.get_endpoint(self, **kwargs)

The above returns None every time. Since I'm able to get the actual endpoint URLs using curl, I coded a workaround in, just to see things working. The workaround consists in setting the base_url variable to the respective URL, based on the service_type (e.g. 'identity' => ''):

    if not urllib.parse.urlparse(url).netloc:

        base_url = None

        if endpoint_override:
            base_url = endpoint_override % _StringFormatter(self, auth)
        elif endpoint_filter:
            base_url = self.get_endpoint(auth, allow=allow,

            # UGLY FIX START
            if base_url is None:
                if endpoint_filter['service_type'] == 'identity':
                    if "/tenants" in url:
                        base_url = ""
                        base_url = ""
            # UGLY FIX END

        if not base_url:
            raise exceptions.EndpointNotFound()

        url = '%s/%s' % (base_url.rstrip('/'), url.lstrip('/'))

So - considering the rally task - the process continues till the creation of new users and tenants (aka 'projects' with v3). But it stops when rally requests a token for newly created users, e.g.:

curl -X POST -d '{"auth":{"tenantName":"test_project", "passwordCredentials":{"username":"test_user", "password":"hello"}}}' -H "Content-type: application/json"

I made sure the parameters are correct.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-12-04 11:09:35 -0500

Seen: 637 times

Last updated: Dec 05 '16