keystone or dashboard problem?
by Vogel Nicolas
Hi,
I've just made a new install with the latest version of the < RedHat getting started guide with Openstack Folsom > Revision 1.0-2.
I'm using CentOS 6.3 for this install.
After installing Openstack-keystone, I'm unable to perform "keystone user-list" and "keystone token-get". I have sourced the keystonerc_username file but the system says "Expecting an endpoint provided via either --endpoint or env[SERVICE_ENDPOINT]". When I explicitly give the endpoint on the command line, the output is "Configuration error: Client configured to run without a service catalog. Run the client using --os-auth-url or OS_AUTH_URL, instead of --os-endpoint or OS_SERVICE_ENDPOINT, for example."
But the OS_AUTH_URL is configured in my keystonerc_username file so I don't understand why the system asks for it.
I can then do all the installation steps without problems, but after I give my credentials in the dashboard login page (admin/secret or username/secret), I get "Internal Server Error".
Is that linked with the first problem from Keystone?
I'm searching for more information in the logs, but so far I have found no answer to my questions.
Thanks for help,
Nicolas.
10 years, 6 months
Grow the root partition on boot
by Juerg Haefliger
Hi,
I have a need for the growroot feature that comes with cloud-utils and
cloud-initramfs-tools. I've noticed that these packages don't exist in
Fedora/EPEL and was wondering if there are any specific reasons for
that?
Thanks
...Juerg
10 years, 8 months
AWS VM created with ami-e3a433d9 - ssh times out . .
by Philip Rhoades
People,
I successfully created a VM with the default AMI image in the Virginia
region and after allocating an EIP, could ssh to it with no problems but
after creating a Sydney VM with ami-e3a433d9 and allocating an EIP,
trying to ssh, e.g.:
ssh -i sydney.pem root(a)xxx.xxx.xxx.xxx
fails with timeouts . .
I have tried rebooting the VM with no improvement - any other
suggestions?
I am also having trouble with getting Java running on F17 x64 (IcedTea
is installed) so I can't use the Java SSH client either . .
Even though the VM seems to be OK and nmap reports that the host is up
but that all ports are filtered . .
Any ideas/suggestions?
Thanks,
Phil.
--
Philip Rhoades
GPO Box 3411
Sydney NSW 2001
Australia
E-mail: phil(a)pricom.com.au
10 years, 8 months
2 commits - ec2/fedora-18-x86_64-ec2.ks generic/fedora-18-x86_64-cloud.ks generic/fedora-18-x86_64.ks generic/fedora-18-x86_64-minimal.ks
by Matthew Miller
ec2/fedora-18-x86_64-ec2.ks | 34 ++++++++++++++++++++++++++++------
generic/fedora-18-x86_64-cloud.ks | 6 +++---
generic/fedora-18-x86_64-minimal.ks | 6 +++---
generic/fedora-18-x86_64.ks | 6 +++---
4 files changed, 37 insertions(+), 15 deletions(-)
New commits:
commit a523dd89af2f889d9e7ad727ff721f3a410aea2e
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Sun Dec 30 14:47:48 2012 -0500
enable simple firewall even in ec2
diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks
index 5cd8544..8e33752 100644
--- a/ec2/fedora-18-x86_64-ec2.ks
+++ b/ec2/fedora-18-x86_64-ec2.ks
@@ -6,11 +6,6 @@
#
# Note that unlike the standard F18 install, this image has /tmp on disk
# rather than in tmpfs, since memory is usually at a premium.
-#
-# It additionally configures _no_ local firewall, in line with EC2
-# recommendations that security groups be used instead.
-
-
lang en_US.UTF-8
keyboard us
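Review bot: the file header loses its only statement of firewall posture in this hunk; rather than deleting the "configures _no_ local firewall" lines outright, replace them with a line saying the image now ships a static iptables ruleset that allows only ssh, so a reader of the header does not have to find the heredoc further down to learn the default.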
@@ -19,7 +14,9 @@ timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --enforcing
-firewall --disabled
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
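Review bot: the new comment on `firewall --service=ssh` says the directive "is actually not used", which leaves two hand-maintained descriptions of the same policy (this line and the static /etc/sysconfig/iptables written later in the file) with nothing tying them together. Either state in the comment why the directive is kept if it has no effect, or drop it, so a later edit to one is not silently contradicted by the other.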
@@ -46,6 +43,10 @@ cloud-init
# Needed initially, but removed below.
firewalld
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
# cherry-pick a few things from @standard
tmpwatch
tar
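Review bot: the comment above `iptables-services` tells users they "can remove this" to rely on security groups, but the package is only one of three places to touch: the `firewall --service=ssh` directive and the block that writes /etc/sysconfig/iptables would both remain. Suggest the comment name all three, or point at the heredoc as the thing to delete along with the package.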
@@ -104,6 +105,27 @@ yum -C -y remove linux-firmware
echo "Removing firewalld."
yum -C -y remove firewalld
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
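Review bot: the generated file says the rules are "loaded by iptables.service", but no line in this hunk enables that unit; if it is not enabled elsewhere in the kickstart, the image boots with the rules file present and nothing loaded, so add an explicit enable next to the heredoc or confirm it in the commit message. Also, only /etc/sysconfig/iptables is written, with no matching /etc/sysconfig/ip6tables, so the ssh-only policy covers IPv4 only.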
commit cccfb527887d6c945e97ce5c19b2897a02ce19b0
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Sun Dec 30 14:38:36 2012 -0500
default to only ssh allowed by firewall (as per discussion on mailing list)
diff --git a/generic/fedora-18-x86_64-cloud.ks b/generic/fedora-18-x86_64-cloud.ks
index 7bc2884..468c690 100644
--- a/generic/fedora-18-x86_64-cloud.ks
+++ b/generic/fedora-18-x86_64-cloud.ks
@@ -17,7 +17,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -124,8 +124,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
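Review bot: the `--dport 80` and `--dport 443` rules are kept in the heredoc as bare commented-out lines, so they end up in the shipped /etc/sysconfig/iptables with nothing saying they are optional examples. Add a comment line above them explaining that uncommenting opens http/https, or remove them entirely.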
diff --git a/generic/fedora-18-x86_64-minimal.ks b/generic/fedora-18-x86_64-minimal.ks
index 71339a5..146477a 100644
--- a/generic/fedora-18-x86_64-minimal.ks
+++ b/generic/fedora-18-x86_64-minimal.ks
@@ -18,7 +18,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -132,8 +132,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index 877f4ae..4f2d64d 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -12,7 +12,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -118,8 +118,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
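Review bot: this is the third file in the commit receiving the identical two-line edit to the same iptables heredoc (after generic/fedora-18-x86_64-cloud.ks and generic/fedora-18-x86_64-minimal.ks), which shows the ruleset is copied into each kickstart and has to be changed in every copy to keep the images consistent. Consider moving the static firewall block into one shared snippet that each kickstart includes, so a future policy change cannot miss a file.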
10 years, 8 months
Quantum instructions no longer up-to-date?
by Dennis Jacobfeuerborn
Hi,
I've followed the instructions on
http://fedoraproject.org/wiki/Test_Day:2012-09-18_OpenStack and on F18 TC3
they work out of the box.
Now I try to deploy Quantum using
http://fedoraproject.org/wiki/QA:Testcase_Quantum_V2 but these instructions
don't seem to work.
The first issue is that the initial "OS_USERNAME=quantum" results in
commands such as "keystone tenant-list" ending with an authorization error.
When I ignore this bit and use the admin credentials from the keystonerc
instead the following instructions work fine.
I can then follow the full setup and 99% of the "How to test" section but
when I try to associate a floating ip with "quantum floatingip-associate
<floating ip id> <portid>" I run into trouble.
Since the value of <portid> isn't mentioned at all I assume it is the port
of the virtual machine which was launched with the ip 10.0.0.3 however when
I try to execute the command I get:
Could not find an external network gateway reachable from subnet
4a2e2166-b543-4b74-af74-0f3a4b31dd1a. Therefore, cannot associate Port
3c4b6375-7dca-4f58-9fef-e941ea8ff948 with a Floating IP.
This is the subnet:
+------------------+--------------------------------------------+
| Field | Value |
+------------------+--------------------------------------------+
| allocation_pools | {"start": "10.0.0.2", "end": "10.0.0.254"} |
| cidr | 10.0.0.0/24 |
| dns_nameservers | |
| enable_dhcp | True |
| gateway_ip | 10.0.0.1 |
| host_routes | |
| id | 4a2e2166-b543-4b74-af74-0f3a4b31dd1a |
| ip_version | 4 |
| name | |
| network_id | 26e64cea-5f27-46d9-9ea7-96837057e5fa |
| tenant_id | 68722f889ae04b569b765ed9fd2f13da |
+------------------+--------------------------------------------+
What's interesting here is that 10.0.0.1 is listed as the gateway_ip yet in
the "Expected results" section of the page this IP is listed as the DHCP IP?
Any ideas what is wrong here or how to debug it?
Regards,
Dennis
10 years, 9 months
RHEL6 - EPEL - quantum and openvswitch problem
by Benoit ML
Hello Everybody,
I'm trying to install OpenStack Folsom on RHEL 6, with the EPEL repos.
But something goes wrong when I try to get quantum and openvswitch working.
In quantum/server.log :
-----------------------------------------------------------------
2012-12-20 17:20:59 WARNING [quantum.api.extensions] extension flavor
not supported by plugin
<quantum.plugins.openvswitch.ovs_quantum_plugin.OVSQuantumPluginV2
object at 0x3789590>
In quantum/openvswitch-agent.log
-----------------------------------------------------------------
2012-12-20 17:21:00 INFO [quantum.openstack.common.rpc.impl_qpid]
Connected to AMQP server on pvidgsh001:5672
2012-12-20 17:21:00 INFO
[quantum.plugins.openvswitch.agent.ovs_quantum_agent] Agent out of
sync with plugin!
My Google search didn't give me any solution ... Can you help me, please?
Thank you in advance !
I've configured the different services as follows:
/etc/nova/nova.conf
-----------------------------------------------------------------
network_api_class = nova.network.quantumv2.api.API
quantum_admin_username = quantum
quantum_admin_password = servicepass
quantum_admin_auth_url = http://127.0.0.1:35357/v2.0/
quantum_auth_strategy = keystone
quantum_admin_tenant_name = service
quantum_url = http://localhost:9696/
libvirt_vif_driver = nova.virt.libvirt.vif.LibvirtHybridOVSBridgeDriver
/etc/quantum/quantum.conf
-----------------------------------------------------------------
[DEFAULT]
verbose = True
debug = False
bind_host = 0.0.0.0
bind_port = 9696
core_plugin = quantum.plugins.openvswitch.ovs_quantum_plugin.OVSQuantumPluginV2
api_paste_config = api-paste.ini
auth_strategy = keystone
control_exchange = quantum
list_notifier_drivers = quantum.openstack.common.notifier.rabbit_notifier
rpc_backend = quantum.openstack.common.rpc.impl_qpid
qpid_hostname = pvidgsh001
/etc/quantum/l3_agent.ini
-----------------------------------------------------------------
[DEFAULT]
interface_driver = quantum.agent.linux.interface.OVSInterfaceDriver
auth_url = http://localhost:35357/v2.0/
auth_region = RegionOne
admin_tenant_name = service
admin_user = quantum
admin_password = servicepass
root_helper = sudo quantum-rootwrap /etc/quantum/rootwrap.conf
use_namespaces = False
/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
-----------------------------------------------------------------
[DATABASE]
sql_connection = mysql://quantum:quantum@pvidgsh001/ovs_quantum
# sql_max_retries = 10
reconnect_interval = 2
[OVS]
tenant_network_type = local
#network_vlan_ranges = default:2000:3999
#tunnel_id_ranges =
integration_bridge = br-int
#bridge_mappings = default:br-eth1
[AGENT]
root_helper = sudo
symlink :
-----------------------------------------------------------------
/etc/quantum/plugin.ini ->
/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini
Regards,
--
Benoit
10 years, 9 months
cloud and firewalld
by Matthew Miller
This may be of interest to people using Fedora as a cloud solution, for
several reasons.
First, on _host_ systems providing virtualization services, the firewall
daemon provides an interface for tracking dynamic rules. (Libvirt already
has code to use it, for example.)
On cloud _guest_ systems, it's probably less desirable: the firewall is
unlikely to have dynamic changes, and resources will be more constrained.
Having an extra python-based daemon running all the time with literally
nothing to do probably isn't what we're looking for, and it also happens
that the code pulls in a large list of dependencies.
The FirewallD feature page proposes that both options should be available
for at least the next few Fedora releases (just as we have the legacy
network scripts). But right now, the appliance building tools and anaconda
both rely on the new firewalld commands. I suggested putting that back to
the old way for now, but that's going to take some work and testing.
* https://bugzilla.redhat.com/show_bug.cgi?id=885807
* https://bugzilla.redhat.com/show_bug.cgi?id=884878
Anyway, see https://fedorahosted.org/fesco/ticket/973, which is a topic of a
FESCO meeting at 1 EDT today. Not asking people to storm the meeting (not
productive!) but I thought you might want to be aware if you haven't been
following this.
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
10 years, 9 months
OpenStack status
by Pádraig Brady
Hi,
Here is the latest Fedora OpenStack status report:
https://fedoraproject.org/wiki/OpenStack_status_report_2012-12-21
Historical archives are here:
http://fedoraproject.org/wiki/OpenStack_status_reports
Cheers,
Pádraig.
(appended below for convenience)
= Distro News =
== Folsom update for Fedora 18 and EPEL ==
Stable Folsom [http://lists.openstack.org/pipermail/openstack-announce/2012-November/000... 2012.2.1 releases]
for Nova, Glance, Keystone, Cinder, Quantum and Horizon were released to F18 and EPEL6
in first week of December, and a follow up 2012.2.2 release for Nova a week later.
== Grizzly Milestone 1 for Rawhide and RHEL (derivatives) ==
Grizzly milestone 1 packages were released to rawhide in first week of December,
and also made available for RHEL derivatives at this
[http://repos.fedorapeople.org/repos/openstack/openstack-grizzly/epel-6/ side repository]
Thierry Carrez blogged about
[http://fnords.wordpress.com/2012/11/23/what-to-expect-from-grizzly-1-mile... what to expect from Grizzly-1 milestone]
== The future of OpenStack in EPEL ==
There has been [http://lists.fedoraproject.org/pipermail/cloud/2012-November/001976.html discussion]
on how to handle OpenStack in EPEL going forward with the plan to detach OpenStack from EPEL
and make it available through additional repositories.
= Project News =
== The future of Incubation and Core ==
Mark McLoughlin summarizes the ongoing discussion to define
[http://blogs.gnome.org/markmc/2012/11/17/the-future-of-incubation-and-core/ the future of Incubation and Core].
== Red Hat Upstream contributions ==
[https://review.openstack.org/#/q/owner:berrange@redhat.com,n,z Dan Berrangé] has been improving
libvirt and libguestfs integration in nova.
[https://review.openstack.org/#/q/owner:markmc@redhat.com,n,z Mark McLoughlin] continued work on
the [https://launchpad.net/oslo oslo] and OpenStack stable releases.
Nikola Đipanov has been [https://blueprints.launchpad.net/nova/+spec/improve-boot-from-volume improving boot from volume]
There is too much to track in detail the OpenStack upstream activity of Red Hat developers,
but here is a link showing the [http://goo.gl/2eQJk latest Red Hat OpenStack upstream development]
= Community Engagement =
The SICSR in Pune India, has run an
[http://www.shakthimaan.com/posts/2012/12/03/openstack-symbiosis-pune-dece... OpenStack workshop]
using Essex on Fedora 17.
Etsuji Nakai prepared slides with detailed diagrams on
[http://www.slideshare.net/enakai/how-quantum-configures-virtual-networks-... How Quantum configures Virtual Networks under the Hood]
Daniel Berrangé documented details of running
[https://www.berrange.com/posts/2012/11/19/walk-through-of-running-opensta... OpenStack on Fedora 17 using DevStack]
Martyn Taylor and Steven Hardy have prepared a screencast demoing an
[http://blogs.gnome.org/markmc/2012/12/12/image-building-service-demo/ Image Building Service for OpenStack]
Derek Higgins [http://goodsquishy.com/2012/12/introducing-openstack-packstack/ introduces packstack], the OpenStack installer
= Related Projects =
Vincent Untz has started working on
[http://lists.openstack.org/pipermail/openstack-dev/2012-December/004135.html openSUSE support in smokestack/firestack]
10 years, 9 months
idle=halt on grub command line in cloud image?
by Matthew Miller
I just want to double-check that this is still the right thing to do in
EC2 (and in our other virt platforms).
I notice that Amazon does not have this in their grub.conf for Amazon Linux
(even for 32-bit) and I don't want to be cargo-cult carrying it forward.
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
10 years, 9 months
QEMU Virtual CPU version
by nux@li.nux.ro
Hi chaps,
On virtual machines deployed through Openstack folsom on EL6 I can see
the CPU type in /proc/cpuinfo is something like "Intel Core 2 Duo
P9xxx",
whereas in VMs deployed on vanilla EL6+libvirt the CPU type is "QEMU
Virtual CPU version (cpu64-rhel6)".
Now, so as to avoid confusion and weird questions from my users, I'd like
to have "QEMU Virtual CPU version" on the Openstack VMs, too. How do I
convince Openstack to do this for me?
Regards,
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro
10 years, 9 months