[Rdo-list] Autoscaling stack croaks warning messages about trustee
shardy at redhat.com
Fri Dec 4 19:08:43 UTC 2015
On Fri, Dec 04, 2015 at 11:21:24AM +0900, Takenaka Kazuhiro wrote:
> Hi, All
> I have tried to run an autoscaling stack by Heat
> on the Openstack Liberty environment.
> The environment consists of the RHEL7.1 nodes and
> Openstack Liberty was installed by PackStack.
> At the first time I ran an autoscaling stack, it didn't work
> because of an installation problem; python-redis had not been
> After installation of python-redis, I tried again and the
> autoscaling stack is working now.
> But I found another problem. The following message
> periodically appears in /var/log/heat/heat-engine.log
> 2015-12-01 17:23:25.034 6231 WARNING heat.common.context [req-22848a8b-892b-4996-bf12-56d17181d878 - f023b311e4364188be9dc2ca33726467] Using the keystone_authtoken user as the heat trustee user directly is deprecated. Please add the trustee credentials you need to the trustee section of your heat.conf file.
> I looked /etc/heat/heat.conf made by PackStack and
> confirmed no trustee section is in it.
> I also compared the content of my heat.conf with the following
> web page.
> I noticed the following things besides the trustee section issue.
> (A) My heat.conf has some definitions in below
> which aren't used in the DEFAULT section of
> the draft web page.
> deferred_auth_method = trusts
> trusts_delegated_roles = heat_stack_owner
Yes these entries are no longer required:
- deferred_auth_method = trusts is the default (since kilo)
- heat_stack_owner is no longer required because by default we delegate
all roles, since Launchpad bug #1376562 was fixed.
> (B) The keystone_authtoken sections have many differences.
> My heat.conf:
> Draft Page:
> auth_uri = http://controller:5000
> auth_url = http://controller:35357
> auth_plugin = password
> project_domain_id = default
> user_domain_id = default
> project_name = service
> username = heat
> password = HEAT_PASS
Not sure about this - IIRC authtoken supports several argument formats for
backwards compatibility, so we need to ensure we're documenting the
currently preferred one.
> My questions is
> Can I configure the heat-engine service not to croak
> the warning message about trustee?
Yes, you need to configure the "trustee" section in heat.conf, which means
heat will no longer use the keystone_authtoken to initialize the auth
plugin associated with deferred authentication via trusts.
Unfortunately, this isn't currently documented or exposed in our sample
config. I'm working on a patch to fix that which I hope to post soon, you
can follow progress here:
More information about the dev