FYI, interested in any further info on the below to help the docs team out.
----- Forwarded Message -----
From: "Bernd Bausch" <berndbausch(a)gmail.com>
To: openstack-docs(a)lists.openstack.org
Sent: Sunday, April 12, 2015 9:49:17 PM
Subject: [OpenStack-docs] [install-guide] (not that much) progress with Kilo install on
RHEL/Centos 7
In preparation for the install guide meeting on Tuesday, I would like to
share what I have been able to do so far and what problems I hit. Advice
would be welcome (I'd be happy to discuss that in the meeting):
- There are places where the install guide content should be modified
(flagged with "CONTENT" below). What's the procedure - I file a bug and
immediately provide the fix?
- Other places look like packaging bugs; I am using a Kilo repository for
the Red Hat RDO project that is still work in progress. I think I should
leave such bugs alone for now, since they are likely to go away. Correct?
This is my report. It's based on Matt's version of the install guide
http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox
-doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yu
m/content/index.html.
---------------------------
Section 2 Basic environment
---------------------------
openstack-selinux not found in the repositories I am using. On first look,
it seems that there is no need to install it, as rules in
/etc/selinux/targeted/contexts/files/* seem to be the same as on my Juno
installation. So I am brave, plan to watch the audit log and go ahead
without modifying SELinux configs.
CONTENT: The guide lacks info about the firewall rules, except a vague
allusion in Chapter 2 Basic Environment.
Since this is Red Hat with a locked-down firewall, nothing will work without
opening ports for fundamental services (DB, RabbitMQ) and the OpenStack
services.
My NTP server doesn't work (this has nothing to do with OpenStack).
This forum says that NTP needs to be started after DNS (???)
https://forum.zentyal.org/index.php/topic,13045.0.html
In any case, issuing a ``systemctl restart ntpd.service`` fixes the problem,
but how can it be done automatically?
---------------------------------
section 2, Maria DB installation:
---------------------------------
``/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command
not found``
CONTENT: The install guide doesn't say how to answer the questions of this
script.
After setting the root password on the DB, I just hit enter at each
question.
------------------------------------
Section 2, Rabbit MQ installation:
------------------------------------
CONTENT: The guide asks for adding a line to /etc/rabbitmq/rabbitmq.config.
Scratching my head because I don't have that file, but then I see that it
may not always exist. Perhaps this should be made clearer to accommodate
slow thinkers.
-------------------------------
Section 3, Identity concepts
-------------------------------
CONTENT: The diagram showing the process flow confuses me more than it
helps.
--------------------------------
Section 3, install and configure
--------------------------------
``yum install openstack-keystone python-keystoneclient``: dependency
python-cryptography can't be found
After adding this repo (found via internet search):
[npmccallum-python-cryptography]
name=Copr repo for python-cryptography owned by npmccallum
baseurl=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cr
yptography/epel-7-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cry
ptography/pubkey.gpg
enabled=1
it works.
This looks very much like a packaging error, and I hope it will eventually
go away.
CONTENT (or perhaps not CONTENT): keystone.conf contains "connection =
<None>" rather than the connection string cited in the install guide. This
may be legitimately so, in which case the guide needs to be modified, or a
packaging error.
------------------------------------------------------
Section 3, create the service entity and API endpoints
------------------------------------------------------
CONTENT: ``openstack`` command missing. Found in the package
python-openstackclient.
CONTENT: ``openstack service create --type identity`` gives me:
WARNING: openstackclient.identity.v2_0.service.CreateService The
argument --type is deprecated, use service create --name <service-name> type
instead.
I don't like the openstack client, because its help facility is much
inferior to the one of the separate command line clients. Tough luck, I
guess.
CONTENT: The relevance of the sentence "Also, OpenStack supports multiple
regions for scalability" is not clear to a first time (even n-th time) user.
CONTENT: Why are we using API v2, not v3? Why a separate adminurl port, and
same port for internal and publicurl? Some clarification would help.
CONTENT: I would phrase the note at the end differently, e.g. "You will
create similar endpoints for each of the other services as you install them"
--------------------------------------------
Section 3, Create projects, users, and roles
--------------------------------------------
CONTENT: Rather than saying "project (tenant)", be a bit more explicit e.g.
"project (also named "tenant" in earlier OpenStack releases)"
CONTENT:
# openstack role add --project demo --user demo _member_
ERROR: openstack No role with a name or ID of '_member_' exists.
I fix this by adding the _member_ role first:
# openstack role create _member_
--------------------------------------------
Section 3, verify operation
--------------------------------------------
CONTENT: There is no /etc/keystone/keystone-paste.ini; it's now under
/usr/share/keystone. Not sure yet if this file is supposed to be modified.
It seems that all the Paste/Deploy files are now under /usr/share.
For now, instead of changing paste.ini I just remove the admin token from
keystone.conf.
--------------------------------------------
Section 4, Glance install and configure
--------------------------------------------
ugly message when synching DB:
/usr/lib/python2.7/site-packages/glance/db/sqlalchemy/artifacts.py:20:
DeprecationWarning: The oslo namespace package is deprecated. Please use
oslo_config instead.
Not sure what to do about this.
--------------------------------------------
Section 4, Verify operation
--------------------------------------------
Major problems with glance. I am stuck with problem 3 below.
Problem 1:
~~~~~~~~~~
glance image-create fails. See also Monty Taylor's comments on the docs and
dev mailing lists.
It turns out that I am using glance API v2, set in the rc files:
export OS_IMAGE_API_VERSION=2
Glance v2 requires a quite different workflow to upload images. Setting API
version to 1 for the moment.
Problem 2:
~~~~~~~~~~
It turns out glance is not running. api.log says:
ERROR glance.common.config [-] Unable to load glance-api-keystone
from configuration file /usr/share/glance/glance-api-dist-paste.ini.
Got: ImportError('No module named elasticsearch',)
After pip install elasticsearch, I can start glance.
Still getting a strange warning in api.log:
2015-04-12 17:42:30.267 6789 WARNING oslo_config.cfg [-] Option
"username" from group "keystone_authtoken" is deprecated. Use option
"username" from group "keystone_authtoken".
Problem 3:
~~~~~~~~~~
Trying to upload an image now fails because of wrong credentials???? Haven't
resolved this yet. Any glance request is rejected with
# glance image-list
Invalid OpenStack Identity credentials.
Glance's API log:
2015-04-12 22:31:03.932 9048 DEBUG keystoneclient.session [-] REQ: curl -g
-i -X GET
http://kilocontrol:35357 -H "Accept: application/json" -H
"User-Agent: python-keystoneclient" _http_log_request
/usr/lib/python2.7/site-packages/keystoneclient/session.py:195
2015-04-12 22:31:03.935 9048 WARNING
keystoneclient.auth.identity.generic.base [-] Discovering versions from the
identity service failed when creating the password plugin. Attempting to
determine version from URL.
2015-04-12 22:31:03.936 9048 WARNING keystonemiddleware.auth_token [-]
Authorization failed for token
This seems to be related with this DEBUG entry in keystone.log:
keystone.middleware.core [-] Auth token not in the request header. Will not
build auth context. process_request
/usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
I assume a misconfiguration on my side but haven't figured out what it might
be. Need to study the nature of WSGI middleware.
_______________________________________________
OpenStack-docs mailing list
OpenStack-docs(a)lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs
--
Steve Gordon, RHCE
Sr. Technical Product Manager,
Red Hat Enterprise Linux OpenStack Platform