Matt G's profile - activity

2017-09-11 07:50:02 -0500 received badge  Famous Question (source)
2017-09-11 07:50:02 -0500 received badge  Notable Question (source)
2017-09-11 07:50:02 -0500 received badge  Popular Question (source)
2016-05-19 14:32:19 -0500 received badge  Teacher (source)
2016-05-19 13:29:25 -0500 answered a question Can anyone explain how heat-engine communicates with other services to launch a VM with yaml template

The configuration objects you use in a Heat template are registered with the Heat engine and map to a Python object that carries out the necessary processing, including, in this case, calling the Nova API to create the instance.

Check out https://github.com/openstack/heat/blo... for the implementation code of this particular object, and note the code at the bottom of the file that registers the mapping:

def resource_mapping():
    return {
        'OS::Nova::Server': Server,
    }

2016-05-19 13:06:42 -0500 answered a question How to get OS::Heat::CloudConfig to copy files into my virtual machine?

You can use runcmd to ftp or wget a resource, e.g.:

runcmd:
 - [ wget, "http://my.resource-server.local/resources/myresource.tgz", -O, /root/myresource.tgz ]

2016-05-16 12:32:55 -0500 received badge  Famous Question (source)
2016-05-16 12:28:56 -0500 asked a question Project A-owned port can be on Project B network - bug or feature?

If a user (e.g. "admin") is a member of multiple projects, that user can create a port in one project that attaches to the network of another project in which they are a member. This results in the ability to directly connect to a VM in another project as shown in this diagram, where VM-A and VM-B can ping each other via the same subnet:


Used carefully, this may be a desirable feature, but it could also be considered a vulnerability (e.g. a careless admin copy/pastes the wrong network ID and bridges two completely different customers' networks).

I'm working on a project that could make use of this "feature", but I want to check if this is intended behaviour that will stick around, or if it's a bug that might be fixed in the future. Any insights greatly appreciated.
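An audit for the condition described in the question above, added here as an example (not part of the original post and not Neutron code): it flags ports whose owning project differs from the project that owns a non-shared network. The port and network records are constructed samples that use the Neutron API field names `id`, `network_id`, `project_id`/`tenant_id`, `device_owner` and `shared`; the function names and the rule of skipping `network:*` service ports are assumptions of this example.

```python
"""Added example: flag Neutron ports owned by a different project than their network."""

# Constructed sample records shaped like Neutron API network and port objects.
NETWORKS = [
    {"id": "net-a", "project_id": "proj-a", "shared": False},
    {"id": "net-b", "project_id": "proj-b", "shared": False},
    {"id": "net-shared", "project_id": "proj-admin", "shared": True},
]
PORTS = [
    {"id": "port-1", "network_id": "net-a", "project_id": "proj-a", "device_owner": "compute:nova"},
    {"id": "port-2", "network_id": "net-b", "project_id": "proj-a", "device_owner": "compute:nova"},
    {"id": "port-3", "network_id": "net-shared", "project_id": "proj-a", "device_owner": "compute:nova"},
    {"id": "port-4", "network_id": "net-b", "tenant_id": "proj-admin", "device_owner": "network:dhcp"},
    {"id": "port-5", "network_id": "net-gone", "project_id": "proj-b", "device_owner": ""},
]


def owner(record):
    """Return the owning project; older releases expose it only as tenant_id."""
    return record.get("project_id") or record.get("tenant_id")


def audit_cross_project_ports(ports, networks, ignore_service_ports=True):
    """Return (port_id, port_project, network_id, network_project, reason) tuples."""
    nets = {n["id"]: n for n in networks}
    findings = []
    for port in ports:
        net = nets.get(port["network_id"])
        if net is None:
            # Network missing from the listing: ownership cannot be verified.
            findings.append((port["id"], owner(port), port["network_id"], None, "unknown-network"))
            continue
        if net.get("shared"):
            continue  # shared networks are meant to accept other projects' ports
        if ignore_service_ports and port.get("device_owner", "").startswith("network:"):
            continue  # DHCP and router ports are created by Neutron itself
        if owner(port) != owner(net):
            findings.append((port["id"], owner(port), net["id"], owner(net), "cross-project"))
    return findings


if __name__ == "__main__":
    for finding in audit_cross_project_ports(PORTS, NETWORKS):
        print(finding)
```

In practice the two lists would come from an admin-scoped listing of all ports and networks, and each finding would be reviewed against the projects that are expected to share connectivity.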

2016-05-16 11:37:44 -0500 answered a question problem in get openstack token by cURL

You need to specify a value for tenantName (I'd guess "admin" in this case) in the 'data' dictionary in token(). Also, change 'url' in image() to http://x.x.x.x:8774/v2/images

2016-05-16 11:12:45 -0500 answered a question devstack install error: glance api upload image error

I hit the same issue. Got round it by adding "return" as the first line in the "upload_image" function in the devstack/functions file. If you need cirros then you can just download the image and register it manually; if not, that's it.

2015-10-23 15:22:59 -0500 received badge  Notable Question (source)
2015-10-23 10:02:36 -0500 received badge  Scholar (source)
2015-10-23 10:02:30 -0500 answered a question Getting an authentication token for tenant using admin credentials (DevStack works, RDO fails)

For anyone who comes across the same issue, the cause of the symptoms was that DevStack automatically adds the "admin" user to the tenants it creates whereas RDO does not. The fix, therefore, is to add the "admin" user to the tenant in Horizon (couldn't see a way to do it with the CLI) manually.

2015-10-15 03:43:57 -0500 received badge  Popular Question (source)
2015-10-09 03:30:56 -0500 received badge  Enthusiast
2015-10-05 13:46:46 -0500 answered a question What is %(tenant_id)s in keystone endpoints

I believe % is in the endpoints returned by Keystone v2 and $ is in the endpoints returned by Keystone v3.

2015-10-05 13:46:42 -0500 asked a question Getting an authentication token for tenant using admin credentials (DevStack works, RDO fails)

I'm writing some automation scripts that instantiate Nova servers on behalf of tenants using the python-keystoneclient to perform authentication and authorization. These scripts work fine on a DevStack installation but fail on RDO because of an inability to get an authentication token for a tenant using the admin credentials.

The issue can be demonstrated with the following code...

#!/usr/bin/env python

from keystoneclient.v2_0 import client as keystone_client

def get_keystone_client(user, password, tenant):
    params = {
        "username": user,
        "password": password,
        "tenant_name": tenant,
        "auth_url": "http://localhost:35357/v2.0"
    }
    return keystone_client.Client(**params)

tests = [
    {"user": "admin", "password": "password", "tenant": "admin"},
    {"user": "admin", "password": "password", "tenant": "tenant1"},
    {"user": "tenant1-user", "password": "password", "tenant": "tenant1"}
]

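for test in tests:
    # end=" " keeps the result on the same line as the prompt
    print("Attempting authentication for tenant %s by user %s" % (
        test['tenant'], test['user']
    ), end=" ")
    try:
        ks = get_keystone_client(**test)
        print("Authorized")
    except Exception:
        # Any client or HTTP error is reported as a denial
        print("Denied")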

On DevStack, the following output is produced...

Attempting authentication for tenant admin by user admin Authorized
Attempting authentication for tenant tenant1 by user admin Authorized
Attempting authentication for tenant tenant1 by user tenant1-user Authorized

However, when I run the same script on an RDO installation with the same tenants/users/roles configured, authentication for tenant1 fails when using the admin user credentials...

Attempting authentication for tenant admin by user admin Authorized
Attempting authentication for tenant tenant1 by user admin Denied
Attempting authentication for tenant tenant1 by user tenant1-user Authorized

I have compared the Keystone configurations on the two installations and I can't see anything that suggests it might cause this difference. I've also tried using the Keystone port 5000 endpoint, the Keystone v3 client, and plain Keystone REST requests, all with the same result.

Does anyone have any idea which setting (assuming it's a setting!?) is causing this disparity? It's something of a blocker for our workflow.

2014-07-20 22:10:49 -0500 received badge  Taxonomist
2014-03-19 08:17:37 -0500 received badge  Famous Question (source)
2014-03-05 20:33:29 -0500 received badge  Notable Question (source)
2014-03-05 20:33:29 -0500 received badge  Popular Question (source)
2014-02-07 09:49:15 -0500 received badge  Student (source)
2014-02-07 07:24:00 -0500 asked a question How can I associate a port created by LBaaS to a nova instance?

I am writing a Neutron LBaaS driver that, when a new VIP is created, launches a Nova instance that is essentially a software-based load-balancer virtual appliance. The core LBaaS driver creates a Neutron port and associates it with an IP address; I want to assign this same port/IP to the Nova LB-VA instance, but when I do so (using the nics={"port-id": <port_id>} parameter in the novaclient.servers.create() call), although it seems to work (all the database entries look right, a floating IP associated with the port shows up as associated with the VA when running "nova list" etc.), when I log on to the VA console the network is not configured (no address on eth0) and my cloud-init script has not run. I've tried using nics={"port-id": <port_id>, "v4-fixed-ip": <ip> } as well, with the same result. If I omit the "nics" parameter then the VA boots correctly (with an IP address, cloud-init script has run, can SSH to the instance's associated floating IP) but obviously with a different IP address to that specified by the VIP object.

Is it possible to use this port/IP for the VA Nova instance? If not, I have an LBaaS VIP object that is associated with a port/IP address which isn't actually the one the load-balancer service is listening on.