Ask Your Question

zaneb's profile - activity

2020-07-21 16:04:02 -0500 answered a question Can I use Openstack logo?

The OpenStack Trademark Policy may answer your question. (Best guess: probably not.) Failing that, the best place to ask would be on the legal-discuss list.

2020-07-20 10:57:27 -0500 answered a question Programmatic use of Openstack API

The Python libraries are the most complete and best maintained (because they are used internally by some OpenStack components), but there is a .NET SDK that looks to be sufficient for basic tasks like creating VMs.

2020-07-17 10:23:51 -0500 answered a question Change notification in OpenStack Python SDK

For the most part, OpenStack doesn't support notifications in "userspace" - i.e. through the API.

There is a notification bus intended to be used by cloud operators (note that it includes data about all tenants, and while the most sensitive information should be redacted, bugs do happen - so not suitable for exposing to users directly). This is what is referred to in the document you linked. Commonly these notifications are transmitted to the same RabbitMQ service used for internal RPC, although this is of course configurable.

For ordinary users, you basically have to poll everything.

2020-06-19 13:23:06 -0500 answered a question How to transfer an image between two OpenStack platforms?

The only way I can think of to do this with OpenStack APIs only is to first upload the image to Swift in either A or B, then import from the Swift object into Glance in both A and B using the web-download workflow. (Note that this feature was added to Glance in the Queens release.) An obvious disadvantage to this is that the image data in Swift has to be public.

Alternatively, as Bernd suggested, you can spin up a Nova VM in one of the clouds and do the download+upload from there so that it doesn't have to traverse the network to your PC.

2020-06-19 13:12:39 -0500 answered a question freezer(ussuri) - a bytes-like object is required, not 'str'

This is a bug caused by an incomplete port to Python 3.

Most OpenStack service APIs are now designed to run using uWSGI (i.e. inside e.g. Apache) rather than as standalone python processes. Almost all production deployments are now run this way. So probably this standalone configuration of Freezer has not been tested since before it was ported to Python 3.

2020-05-21 08:52:13 -0500 edited question unable to stop an instance using python api

I am trying to stop an instance using openstack api with the help of python.

from openstack import connection
import os

def auth_args():
    d = {}
    d['username'] = os.environ['OS_USERNAME']
    d['password'] = os.environ['OS_PASSWORD']
    d['auth_url'] = os.environ['OS_AUTH_URL']
    d['project_name'] = os.environ['OS_TENANT_NAME']
    d['project_domain_id'] = os.environ['OS_PROJECT_DOMAIN_ID']
    d['user_domain_id'] = os.environ['OS_PROJECT_DOMAIN_ID']
    return d

for server in conn.compute.servers():
  if == 'server_test':

i have set a source file then i am trying to run this code, but it gives the below error.

Traceback (most recent call last):

  File "", line 20, in <module>
  File "/root/.local/lib/python2.7/site-packages/openstack/compute/v2/", line 345, in stop
    self._action(session, body)
  File "/root/.local/lib/python2.7/site-packages/openstack/compute/v2/", line 181, in _action

I am able to retrieve instance details and meta data using the same conn.compute.servers() method. Please help.

2020-05-19 16:18:59 -0500 answered a question openStack - Package : keyStone error requires a different python version

OpenStack is now Python3-only (as of the Ussuri release), so if you install from devstack it will use Python 3.

In this case it's using 3.5 (not 2.7). But the minimum version supported by OpenStack is 3.6. Use a later version of Ubuntu (18.04 would be a much better choice than 16.04) to get a more recent version of Python.

2020-05-19 16:15:15 -0500 edited question openStack - Package : keyStone error requires a different python version

i want to install openStack on ubuntu 16.04. when i enter the command ./ i get the following error
python version is 2.7.12 , i also read the documentaion, it said in Prerequisites that use to up version 2.7.

Ignoring zipp: markers 'python_version == "2.7"' don't match your environment
Ignoring zipp: markers 'python_version == "3.6"' don't match your environment
Ignoring zipp: markers 'python_version == "3.7"' don't match your environment
Ignoring zipp: markers 'python_version == "3.8"' don't match your environment
Obtaining file:///opt/stack/keystone
ERROR: Package 'keystone' requires a different Python: 3.5.2 not in '>=3.6'
+inc/python:pip_install:1                  exit_trap
+./                  local r=1
++./                  jobs -p
+./                  jobs=
+./                  [[ -n '' ]]
+./                  '[' -f '' ']'
+./                  kill_spinner
+./               '[' '!' -z '' ']'
+./                  [[ 1 -ne 0 ]]
+./                  echo 'Error on exit'
Error on exit
+./                  type -p generate-subunit
+./                  generate-subunit 1589480494 258 fail
+./                  [[ -z /opt/stack/logs ]]

Each time I get error, I re-enter the following commands:
But I get the same error again.

2020-04-30 12:06:14 -0500 commented question heat intrinsic function get_attr used in heat resourcegroup does not fetch anything

Does this happen when you actually update the stack, or only when using --dry-run? Those use completely different code paths, so it's possible there is a bug in the preview.

2020-04-30 11:59:13 -0500 edited question heat intrinsic function get_attr used in heat resourcegroup does not fetch anything


rocky release
Installed Packages
openstack-heat-api.noarch                                           1:11.0.2-1.el7                                        @centos-openstack-rocky
openstack-heat-api-cfn.noarch                                       1:11.0.2-1.el7                                        @centos-openstack-rocky
openstack-heat-engine.noarch                                        1:11.0.2-1.el7                                        @centos-openstack-rocky
heat --version

Let me first share the snippets of my templates: (full templates available here:


type: OS::Heat::ResourceGroup
        - "listener_count_is_not_zero"
        - get_attr: [lb_group, poolID]
        - get_param: poolids


    description: LB pool id
    value: { get_resource: pool }

This works fine when I do stack create but fails when I do stack update.

openstack stack update test-lb -e /home/stack/heat/test/parameters/test-lb.yaml-t git/heat/resources/group_instance_create.yaml --dry-run --show-nested -f shell ERROR: Internal Error

error logs:

2020-03-25 16:06:59.417 2020-03-25 16:06:51.281 39936 ERROR heat.common.wsgi [req-a589e893-3c2f-41f4-a5ac-f3fcfdd07a36
- test - default default] Unexpected error occurred serving API: Property poolids not assigned 2020-03-25 16:06:59.418 ValueError: Property poolids not assigned 2020-03-25 16:06:59.420 2020-03-25 16:06:51.272 39876 ERROR oslo_messaging.rpc.server [req-31a3e12f-7695-4c21-be70-2bfa25715a93
- - - - -] Exception during message handling: ValueError: Property poolids not assigned 2020-03-25 16:06:59.421 2020-03-25 16:06:51.272 39876 ERROR oslo_messaging.rpc.server ValueError: Property poolids not assigned

it looks like intrinsic functions get_attr and get_resource inside a resource with type 'type: OS::Heat::ResourceGroup' cannot retrieve the attribute values or the attributes are empty.

I checked the attributes of the resource and output key poolID is empty after the creation:

openstack stack resource show test-lb lb_group --with-attr poolID -c attributes
+------------+----------------------------------------------------------------------------------------------------+ | Field      | Value                   |
+------------+----------------------------------------------------------------------------------------------------+ | attributes | {u'attributes': None, u'refs': None, u'poolID': None, u'refs_map': None, u'removed_rsrc_list': []} |

But it could not be empty during the creation because it didn't fail and worked fine.

Could anyone help me to fix this or understand better the nested templates.

It works with stack update in an openstack env. on queens release.


2020-04-30 11:55:17 -0500 answered a question heat orchestration service - purpose?

Heat provides a declarative user interface to OpenStack resources. You give it a template and it figures out how to create all of the resources in the right order (if they are dependent on each other) and does it for you. You can update the stack with a modified template, or delete it altogether, and it figures out how to do that for you too.

In general it supports most resource types provided by OpenStack APIs (see the full list).

The Zun service provides an OpenStack API for spinning up (Linux) containers, and is supported by Heat.

2020-04-30 11:47:22 -0500 answered a question Is it possible to create multiple openstack resources using same heat resource

There's no way to use the repeat function outside of a resource, as you've no doubt discovered. The best alternative is really to generate the template using some external system (e.g. jinja templating).

However, another option is to use a ResourceGroup. You can't just create a group of OS::Neutron::Port resources though, you have to define another template that contains a port resource and has parameters for the index and the list of netNames, and then select the appropriate name from the list inside the template.

2020-03-09 09:24:18 -0500 answered a question Create stack failed due to bad request error

This error indicates that it is not creating a stack but updating an existing stack. This is failing because the existing stack has already started deleting (i.e. it is in the DELETE_IN_PROGRESS or DELETE_FAILED state). You will have to complete the deletion of the existing stack before you can create a new one with the same name.

2020-03-05 23:19:12 -0500 commented answer Conditional resource properties (not conditional values)

You're right, on further investigation that doesn't work. I have an idea for how to implement this feature, and I opened a bug for it.

2020-03-05 11:26:38 -0500 answered a question Can users sniff each other's packets and perform man in the middle attacks?

It depends on the network architecture of your deployment. It is certainly possible to stand up an OpenStack deployment where tenant networks are completely separated from each other, using either VLANs or some sort of overlay networking.

However, provider:network_type = flat offers no such protections.

2020-03-05 11:23:02 -0500 answered a question Zun container privileged mode with heat stack

There isn't, you would have to patch Heat.

Normally I'd suggest submitting a patch upstream, but in this case it's unlikely to be widely useful. The default policy in Zun for creating privileged containers is rule:deny_everybody.

2020-03-03 10:22:32 -0500 answered a question Conditional resource properties (not conditional values)

You can pass null as a value, and that's equivalent to not specifying the property at all:

http_method: {if: [typeIsHTTP, GET, null]}
2020-02-28 20:28:23 -0500 commented answer heat - assigning existing port to a load balancer fails

On the bright side... patches welcome ;)

2020-02-27 07:52:35 -0500 answered a question heat - assigning existing port to a load balancer fails

It appears that Octavia allows three different ways to specify the port:

  1. vip_port_id (+ vip_subnet_id or vip_address if ambiguous)
  2. vip_network_id
  3. vip_subnet_id

But the Heat resource only supports the last one, so Octavia always tries to create a port.

Not implementing vip_network_id may have been intentional (stuff automatically selecting a subnet behind the scenes is a pain for Heat because it adds invisible dependencies between resources). But it's likely that vip_port_id was either overlooked or added after the Heat resource was implemented. Heat would have to add support for it in order to do what you want.

2020-02-18 23:55:17 -0500 edited answer why is octavia not using keystone public endpoint to validate tokens?

Hi there,

There are two settings in Octavia that you will need to set for Octavia when using an alternate keystone endpoint:

For the keystone client code, it is:

auth_url = https://<ip address>/identity

(I just noticed this is not in the keystonemiddleware configuration documentation we import, how odd)

As well as:

interface = public

(however this is not as important for this section) - (

It is also a good practice to set www_authenticate_uri(

The [keystone_authtoken] section is how Octavia validates tenant tokens and comes directly from the keystone client.

You will also need to configure the [service_auth] section. This is how Octavia gets a token to use with other OpenStack services such as nova and neutron.

auth_url = https://<ip address>/identity


As well as:

interface = public


2020-02-11 08:44:16 -0500 answered a question Error: "An error occurred authenticating. Please try again later." It was working completely fine since many days but the power cable was loose so the system shut down. After restarting the computer, this error persisted.

Sounds like MySQL/MariaDB is not running. Probably it was not enabled to start on boot.

2020-01-06 08:57:29 -0500 answered a question User Registerations for openstack cloud

In general the way you want to enroll users is specific to the business, rather than something that is generic to the technology, so historically that hasn't been part of OpenStack.

Many private clouds use Keystone in a configuration where it is backed by an existing IdM provider (e.g. LDAP or ActiveDirectory); in this case the users are already enrolled and you just need to assign them roles on projects.

More recently, the Adjutant project (which is an official OpenStack project) has been created to provide an API for business-specific tasks like enrolling users. It allows you to implement custom workflows that are specific to your business process. You might want to look into this.

2019-12-16 08:38:50 -0500 edited answer Heat Template: 2nd interface

For multiple interface


    type: OS::Neutron::Port
      network: { get_param: VM_NET1_ID }
      name: VM_port1
          - { "ip_address": {get_param: [VM_IP1, 0] }}

    type: OS::Neutron::Port
      network: { get_param: VM_NET2_ID }
      name: VM_port2
          - { "ip_address": {get_param: [VM_IP2, 0] }}
        - port: { get_resource: VM_port1 }
        - port: { get_resource: VM_port2 }

Above will create two interface.

2019-12-16 08:36:55 -0500 edited question Heat Template: 2nd interface

Hi.. How can I add more than one interface (in a different network) in my heat template?

heat_template_version: 2014-10-16

description: Proxy-Server BadBank
      type: string
      default: eu-de-01
     type: string
     default: blabla
     type: string
     default: 20
     type: string
     default: s2.large.2 
     type: string
     default: Standard_CentOS_7_latest
     type: string
     default: c83616ec-a2ab-4622-b3d2-dcc890b44e38
     type: string
     default: 78408f55-6e46-4b05-907a-1602a7bb8c05
     type: string
     default: 5cd60c6e-b4d5-4d59-afb4-1bad7f9a43d8
     type: string
     default: Password!
      type: string
      default: sysXECS0000EVS0001
      type: string
      default: sysXECS0000
      type: string
      type: string

    type: OS::Neutron::Port
      network: { get_param: network }
      fixed_ips: [{"ip_address": { get_param: instance_ip }}]
      security_groups: [{ get_param: security_groups }]
      admin_state_up: true

    type: OS::Cinder::Volume
      name: { get_param: volume_name }
      size: { get_param: volume_size }
      availability_zone: { get_param: az }

    type: OS::Nova::Server
      admin_pass: { get_param: admin_pass }
      availability_zone: { get_param: az }
      name: { get_param: instance_name }
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key }
      networks: [{"port": { get_resource: server_port }}]
      tags: [Project, Role]
      user_data_format: RAW
      user_data: |

    type: OS::Cinder::VolumeAttachment
      volume_id: { get_resource: data_volume }
      instance_uuid: { get_resource: Proxy }
2019-12-06 07:51:19 -0500 answered a question Stein not a valid heat_template_version

There have been no changes to the template format since the Rocky release, so we didn't end up adding new template versions for Stein/Train.

2019-12-02 16:13:07 -0500 answered a question Has "openstack stack update" command additional option to update multiple VMs consistently? or should use another way to update stack VMs consistently?

In general, stacks are updated in parallel (i.e. each resource is updated as soon as possible given the dependency graph between them). You can serialise updates by making each resource depend on the previous one.

However, Heat also includes several resource types that internally generate a nested stack. These resources are able to customise how they generate changes to the nested stack template, and thus can be instructed to do rolling updates with a user-configurable batch size:

2019-12-02 15:17:33 -0500 commented question Get proprety of an external resource

Do you have heat_template_version as newton or 2016-10-14 in your template? That is required to use external_id.

2019-11-26 22:22:19 -0500 commented answer How do i get IDs of the nested resources in ResourceGroup ?

Oh, so the scaled unit in your ResourceGroup is also a stack, not just a Port? You found the right solution then.

2019-11-25 10:23:32 -0500 commented question Is it possible to do comma_delimited_list inside a comma_delimited_list ?

You need to show how you're using this in the template. Best guess: use the json parameter type instead of comma_delimited_list

2019-11-25 10:13:21 -0500 answered a question How do i get IDs of the nested resources in ResourceGroup ?

{get_resource: my_resgroup} gets the ID of the resource group; {get_attr: [my_resgroup, refs]} gets a list of IDs of the ports (resources within the resource group).

2019-11-06 20:10:33 -0500 answered a question heat stack create and update with --timeout or --wait

They're completely different things, and both can be used together.

--timeout is the interval after which the stack will be marked failed if it has not yet completed. If you don't specify it, Heat will use the default (which is 1 hour).

--wait means the client will wait until the stack completes or fails before exiting. If you don't specify it, the client exits immediately.

2019-11-06 20:08:11 -0500 edited question heat stack create and update with --timeout or --wait


Could you please suggest which one is the best option in --wait and --timeout to create and update the heat stack


# openstack stack create --timeout 7200 test_stack  -e /opt/environment.yaml -t /opt/test.yaml


# openstack stack create  test_stack -e /opt/environment.yaml -t /opt/test.yaml --wait

There is a debate on it and I'm suggesting them to use the --wait instead of -- timeout, I just wanted to take your help to choose the best option.

2019-11-06 20:05:36 -0500 commented question (heat) reserving a variable number of ports

Yeah, during validation get_attr returns None. What version of Heat are you using? This may or may not have been fixed already.

2019-10-29 10:11:23 -0500 answered a question openstack stack rollback

First of all, openstack stack update --help will tell you how to do an update with rollback enabled:

  --rollback <value>    Set rollback on update failure. Value "enabled" sets
                        rollback to enabled. Value "disabled" sets rollback to
                        disabled. Value "keep" uses the value of existing
                        stack to be updated (default)

The default is keep, so since you created the stack with rollback enabled you shouldn't need to pass the argument again on update.

If you want to revert a stack that is in a failed state, just issue another update passing the previous template/environment.

2019-10-29 10:02:28 -0500 answered a question What's the meaning of `across any number of hypervisors`?

It means it's not limited to a single machine. Nothing to do with multi-level hypervisors.

2019-10-24 12:59:47 -0500 commented answer How do I recreate every resource in an AutoScalingGroup automatically during rolling_updates?

Ah yeah, I forgot that OS::Heat::UpdateWaitConditionHandle is actually a variant on AWS::CloudFormation::WaitConditionHandle (not OS::Heat::WaitConditionHandle). So you use it using get_resource (instead of get_attr), but you may need to use an AWS::CloudFormation::WaitCondition with it.

2019-10-24 12:54:33 -0500 answered a question which is the messaging queue used by mistral....?Is it rabbitmq or zaqar

It's RabbitMQ.

2019-10-18 21:42:10 -0500 answered a question Issues with docker container orchestration using heat

What image is running on the VM? You will need one with the heat-agents installed in order to act on the software deployment.

Once you have that working, I'd recommend just using software deployments to deploy the docker containers as well, and forget about the DockerInc::Docker::Container resource.

Also, you might like to look into the Zun project, which is more a of a replacement for the (long-deprecated) Nova-docker driver (but providing a standalone API for running containers, rather than as a backend for Nova).

2019-10-18 21:35:03 -0500 edited question Issues with docker container orchestration using heat

Hello All,

I am quite new to openstack, very recently I have installed the STEIN version as per the instructions from the

Usage wise i have done few things like, I am able to bring up VM's with internet connectivity.

Now, I am trying to do docker - container deployment on the vm's, for this I tried couple of things First attempt was with docker plugin integration with nova by following instructions from the below mentioned link, it didn't succeed as I was getting this error "Module not found novadocker.virt.docker.DockerDriver" after I set the compute driver to point to docker driver [DEFAULT] compute_driver=novadocker.virt.docker.DockerDriver, I tried a lot but couldn't get this to work.

My second attempt and the ongoing one is with the heat based orchestration, below are the contents of HOT file which I am using to do orchestration:

heat_template_version: 2013-05-23
description: >
  Create a simple VM, run a dcoker-container on it.

    type: string
    description: >
      Name of a KeyPair to enable SSH access to the instance. 
    default: default-vm-ssh-key
    type: string
    description: Instance type for the docker server.
    default: m1.small
    type: string
    description: >
      Name or ID of the image to use for the Docker server.  
    default: cirros
    type: string
    description: name of public network for which floating IP addresses will be allocated.
    default: public

    type: OS::Heat::SoftwareConfig
      group: script
      config: |
        #!/bin/bash -v
        setenforce 0
        yum -y install docker-io
        cp /usr/lib/systemd/system/docker.service /etc/systemd/system/
        sed -i -e '/ExecStart/ { s,fd://,tcp://, }' /etc/systemd/system/docker.service
        systemctl start docker.service
        docker -H :2375 pull hello-server

    type: OS::Heat::SoftwareDeployment
      config: {get_resource: configuration}
      server: {get_resource: docker_server}
    type: OS::Nova::Server
      key_name: {get_param: key}
      image: { get_param: image }
      flavor: { get_param: flavor}
      - network: private
      user_data_format: SOFTWARE_CONFIG
    type: OS::Nova::FloatingIP
      pool: { get_param: public_net}
    type: OS::Nova::FloatingIPAssociation
      floating_ip: { get_resource: server_floating_ip}
      server_id: { get_resource: docker_server}

    type: DockerInc::Docker::Container
    depends_on: [deployment]
      image: hello-world
          template: http://localhost:2375
            host: {get_attr: [docker_server, networks, private, 0]}

When I run this template this using the openstack cli, the Vm come up, floating ip gets associated, but it hangs at s/w deployment stage always and then fails

mycontainerapp              DockerInc::Docker::Container            1 hour, 15 minutes  Init Complete   

associate_floating_ip   121     OS::Nova::FloatingIPAssociation     1 hour, 15 minutes  Check Complete  CHECK not supported for OS::Nova::FloatingIPAssociation

server_floating_ip  abc6e3fd-ca66-4ce3-966d-ac7089807d0f    OS::Nova::FloatingIP    1 hour, 15 minutes  Check 
Complete    CHECK not supported for OS::Nova::FloatingIP

deployment  90cade53-9538-46d7-b0c6-2c5cc3fafbf9    OS::Heat::SoftwareDeployment    1 hour, 15 minutes  Check Complete  CHECK not supported for OS::Heat::SoftwareDeployment

configuration   8db6ad4f-c7f6-4daa-9fb7-1056e98fa26d    OS::Heat::SoftwareConfig    1 hour, 15 minutes  Check Complete  CHECK not supported for OS::Heat::SoftwareConfig

docker_server   72de44e4-3b54-4297-a2c6-ae55acb193d0    OS::Nova::Server    1 hour, 15 minutes  Check Complete  state changed

Configuration wise, I ... (more)

2019-09-25 14:40:45 -0500 answered a question Can I instantiate bare metal using ironic via Heat ?

Yes, but the Ironic API isn't something that you (or Heat) interact with directly. Provisioning bare-metal servers is done through the Nova API, where they show up as flavors. You can use them from Heat using the OS::Nova::Server resource, the same way you would when creating VMs through the Nova API.

2019-09-16 21:51:32 -0500 commented answer HEAT template with OS::Cinder::Quota failing

Please raise a bug. It should allow None as a value, because that occurs during validation.

2019-09-05 10:20:16 -0500 commented answer Create Multiple instance with fixed IP and port in openstack using heat template

Sorry, forgot that yaml requires you to quote the string when it begins with %. Fixed now.

2019-09-03 10:10:40 -0500 answered a question Heat stack falling with volume in use

The size of a volume in an OS::Nova::Server cannot be updated in place, and hence changing it will result in the server resource being replaced with a new one.

2019-08-26 16:18:00 -0500 answered a question Create Multiple instance with fixed IP and port in openstack using heat template

Because intrinsic functions are evaluated before index substitution, you can only select the IP by index inside the sm_port.yaml template. So you need to add another parameter index to sm_port.yaml and pass it along with the full list of IPs like this:

          index: "%index%"
          sm_oam_ip: {get_param: sm_oam_ip}

then inside sm_port.yaml you can select the right IP by doing:

                - {ip_address: {get_param: sm_oam_ip, {get_param: index}}}
2019-08-14 08:25:21 -0500 received badge  Famous Question (source)
2019-07-29 10:54:04 -0500 commented answer How to avoid accidental removal of the stack with the heat stack-delete

One thing you can do is set deletion_policy: retain on servers so that if the stack does get deleted the servers are not removed. (If you really want to delete you can always update the stack again to remove the deletion policy first.)

2019-07-26 14:56:48 -0500 answered a question HEAT template with OS::Cinder::Quota failing

Try using:

project: {get_resource: Dev}
2019-07-22 18:46:45 -0500 answered a question How to avoid accidental removal of the stack with the heat stack-delete

There's no way to lock a stack. The stack delete command does prompt for confirmation if run from an interactive shell, to try to reduce accidents.

2019-07-17 10:25:32 -0500 edited answer create a bootable volume from an image and launch an instance from this volume

You don't need both a block_device_mapping property and an OS::Cinder::VolumeAttachment resource. Pick one.