[Rdo-list] Fwd: [OpenStack-docs] [install-guide] (not that much) progress with Kilo install on RHEL/Centos 7
Steve Gordon
sgordon at redhat.com
Mon Apr 13 16:01:31 UTC 2015
FYI, interested in any further info on the below to help the docs team out.
----- Forwarded Message -----
> From: "Bernd Bausch" <berndbausch at gmail.com>
> To: openstack-docs at lists.openstack.org
> Sent: Sunday, April 12, 2015 9:49:17 PM
> Subject: [OpenStack-docs] [install-guide] (not that much) progress with Kilo install on RHEL/Centos 7
>
> In preparation for the install guide meeting on Tuesday, I would like to
> share what I have been able to do so far and what problems I hit. Advice
> would be welcome (I'd be happy to discuss that in the meeting):
>
> - There are places where the install guide content should be modified
> (flagged with "CONTENT" below). What's the procedure - I file a bug and
> immediately provide the fix?
> - Other places look like packaging bugs; I am using a Kilo repository for
> the Red Hat RDO project that is still work in progress. I think I should
> leave such bugs alone for now, since they are likely to go away. Correct?
>
> This is my report. It's based on Matt's version of the install guide
> http://docs-draft.openstack.org/92/167692/13/gate/gate-openstack-manuals-tox
> -doc-publish-checkbuild/31c1ab2//publish-docs/trunk/install-guide/install/yu
> m/content/index.html.
>
> ---------------------------
> Section 2 Basic environment
> ---------------------------
>
> openstack-selinux not found in the repositories I am using. On first look,
> it seems that there is no need to install it, as rules in
> /etc/selinux/targeted/contexts/files/* seem to be the same as on my Juno
> installation. So I am brave, plan to watch the audit log and go ahead
> without modifying SELinux configs.
>
> CONTENT: The guide lacks info about the firewall rules, except a vague
> allusion in Chapter 2 Basic Environment.
> Since this is Red Hat with a locked-down firewall, nothing will work without
> opening ports for fundamental services (DB, RabbitMQ) and the OpenStack
> services.
>
> My NTP server doesn't work (this has nothing to do with OpenStack).
> This forum says that NTP needs to be started after DNS (???)
> https://forum.zentyal.org/index.php/topic,13045.0.html
> In any case, issuing a ``systemctl restart ntpd.service`` fixes the problem,
> but how can it be done automatically?
>
> ---------------------------------
> section 2, Maria DB installation:
> ---------------------------------
>
> ``/usr/bin/mysql_secure_installation: line 379: find_mysql_client: command
> not found``
> CONTENT: The install guide doesn't say how to answer the questions of this
> script.
> After setting the root password on the DB, I just hit enter at each
> question.
>
> ------------------------------------
> Section 2, Rabbit MQ installation:
> ------------------------------------
>
> CONTENT: The guide asks for adding a line to /etc/rabbitmq/rabbitmq.config.
> Scratching my head because I don't have that file, but then I see that it
> may not always exist. Perhaps this should be made clearer to accommodate
> slow thinkers.
>
> -------------------------------
> Section 3, Identity concepts
> -------------------------------
>
> CONTENT: The diagram showing the process flow confuses me more than it
> helps.
>
> --------------------------------
> Section 3, install and configure
> --------------------------------
>
> ``yum install openstack-keystone python-keystoneclient``: dependency
> python-cryptography can't be found
>
> After adding this repo (found via internet search):
>
> [npmccallum-python-cryptography]
> name=Copr repo for python-cryptography owned by npmccallum
>
> baseurl=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cr
> yptography/epel-7-$basearch/
> skip_if_unavailable=True
> gpgcheck=1
>
> gpgkey=https://copr-be.cloud.fedoraproject.org/results/npmccallum/python-cry
> ptography/pubkey.gpg
> enabled=1
>
> it works.
> This looks very much like a packaging error, and I hope it will eventually
> go away.
>
> CONTENT (or perhaps not CONTENT): keystone.conf contains "connection =
> <None>" rather than the connection string cited in the install guide. This
> may be legitimately so, in which case the guide needs to be modified, or a
> packaging error.
>
> ------------------------------------------------------
> Section 3, create the service entity and API endpoints
> ------------------------------------------------------
>
> CONTENT: ``openstack`` command missing. Found in the package
> python-openstackclient.
>
> CONTENT: ``openstack service create --type identity`` gives me:
> WARNING: openstackclient.identity.v2_0.service.CreateService The
> argument --type is deprecated, use service create --name <service-name> type
> instead.
>
> I don't like the openstack client, because its help facility is much
> inferior to the one of the separate command line clients. Tough luck, I
> guess.
>
> CONTENT: The relevance of the sentence "Also, OpenStack supports multiple
> regions for scalability" is not clear to a first time (even n-th time) user.
>
> CONTENT: Why are we using API v2, not v3? Why a separate adminurl port, and
> same port for internal and publicurl? Some clarification would help.
>
> CONTENT: I would phrase the note at the end differently, e.g. "You will
> create similar endpoints for each of the other services as you install them"
>
> --------------------------------------------
> Section 3, Create projects, users, and roles
> --------------------------------------------
>
> CONTENT: Rather than saying "project (tenant)", be a bit more explicit e.g.
> "project (also named "tenant" in earlier OpenStack releases)"
>
> CONTENT:
> # openstack role add --project demo --user demo _member_
> ERROR: openstack No role with a name or ID of '_member_' exists.
> I fix this by adding the _member_ role first:
> # openstack role create _member_
>
> --------------------------------------------
> Section 3, verify operation
> --------------------------------------------
>
> CONTENT: There is no /etc/keystone/keystone-paste.ini; it's now under
> /usr/share/keystone. Not sure yet if this file is supposed to be modified.
> It seems that all the Paste/Deploy files are now under /usr/share.
>
> For now, instead of changing paste.ini I just remove the admin token from
> keystone.conf.
>
> --------------------------------------------
> Section 4, Glance install and configure
> --------------------------------------------
>
> ugly message when synching DB:
> /usr/lib/python2.7/site-packages/glance/db/sqlalchemy/artifacts.py:20:
> DeprecationWarning: The oslo namespace package is deprecated. Please use
> oslo_config instead.
> Not sure what to do about this.
>
> --------------------------------------------
> Section 4, Verify operation
> --------------------------------------------
>
> Major problems with glance. I am stuck with problem 3 below.
>
> Problem 1:
> ~~~~~~~~~~
>
> glance image-create fails. See also Monty Taylor's comments on the docs and
> dev mailing lists.
>
> It turns out that I am using glance API v2, set in the rc files:
>
> export OS_IMAGE_API_VERSION=2
>
> Glance v2 requires a quite different workflow to upload images. Setting API
> version to 1 for the moment.
>
> Problem 2:
> ~~~~~~~~~~
>
> It turns out glance is not running. api.log says:
>
> ERROR glance.common.config [-] Unable to load glance-api-keystone
> from configuration file /usr/share/glance/glance-api-dist-paste.ini.
> Got: ImportError('No module named elasticsearch',)
>
> After pip install elasticsearch, I can start glance.
>
> Still getting a strange warning in api.log:
> 2015-04-12 17:42:30.267 6789 WARNING oslo_config.cfg [-] Option
> "username" from group "keystone_authtoken" is deprecated. Use option
> "username" from group "keystone_authtoken".
>
> Problem 3:
> ~~~~~~~~~~
>
> Trying to upload an image now fails because of wrong credentials???? Haven't
> resolved this yet. Any glance request is rejected with
> # glance image-list
> Invalid OpenStack Identity credentials.
>
> Glance's API log:
> 2015-04-12 22:31:03.932 9048 DEBUG keystoneclient.session [-] REQ: curl -g
> -i -X GET http://kilocontrol:35357 -H "Accept: application/json" -H
> "User-Agent: python-keystoneclient" _http_log_request
> /usr/lib/python2.7/site-packages/keystoneclient/session.py:195
> 2015-04-12 22:31:03.935 9048 WARNING
> keystoneclient.auth.identity.generic.base [-] Discovering versions from the
> identity service failed when creating the password plugin. Attempting to
> determine version from URL.
> 2015-04-12 22:31:03.936 9048 WARNING keystonemiddleware.auth_token [-]
> Authorization failed for token
>
> This seems to be related with this DEBUG entry in keystone.log:
> keystone.middleware.core [-] Auth token not in the request header. Will not
> build auth context. process_request
> /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
>
> I assume a misconfiguration on my side but haven't figured out what it might
> be. Need to study the nature of WSGI middleware.
>
>
> _______________________________________________
> OpenStack-docs mailing list
> OpenStack-docs at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-docs
>
--
Steve Gordon, RHCE
Sr. Technical Product Manager,
Red Hat Enterprise Linux OpenStack Platform
More information about the dev
mailing list