
yahoo-eng-team team mailing list archive

[Bug 1818295] [NEW] Only Ironic public endpoint is supported

 

Public bug reported:

Currently, there are a number of places in Ironic that do endpoint lookup from the Keystone service catalog. By default, keystoneauth sets it to 'public' if not specified.
Description
===========
We are supposed to be able to select the endpoint type by specifying either the 'interface' or 'valid_interfaces' option in the [keystone_authtoken] section in nova.conf. But that parameter is not being conveyed in ironicclient.

Consequently, this makes it impossible to use Ironic without having to
expose the public endpoint in the service catalog. Furthermore, for
security reasons, our controller nodes (subnet) have no route to the
public network and therefore will not be able to access the public
endpoint. This is a rather significant limitation in deploying Ironic.
Also, we seem to have broken backward compatibility as well, as Ironic
used to work in Pike without having to configure a public endpoint.

Steps to reproduce
==================
1) enable Ironic in devstack
2) delete the Ironic public endpoint in Keystone
3) set 'valid_interfaces = internal' in the [ironic] section in nova.conf and restart nova-compute service
4) try to provision a server and it will fail with errors similar to these in nova-compute logs

2019-02-28 18:00:28.136 48891 ERROR nova.virt.ironic.driver [req-4bace607-0ab6-45b5-911b-1df5fbcc0e01 None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found: AmbiguousAuthSystem: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found

Expected result
===============
Server created without error.


Actual result
=============
Server failed to create, with errors similar to these in nova-compute logs

2019-02-28 18:00:28.136 48891 ERROR nova.virt.ironic.driver [req-4bace607-0ab6-45b5-911b-1df5fbcc0e01 None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found: AmbiguousAuthSystem: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found

Environment
===========
This bug is reproducible in devstack with Ironic plugin enabled.


Related bugs:

Ironic: https://storyboard.openstack.org/#!/story/2005118
Nova: https://bugs.launchpad.net/nova/+bug/1707860

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1818295
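
The lookup behaviour described in the report above, as an added example that is not part of the original report and is not keystoneauth or ironicclient code: a simplified model of choosing an endpoint from a Keystone v3 service catalog by interface preference, showing why a dropped 'valid_interfaces' option fails once the public endpoint is removed. The catalog contents, addresses and function names are constructed for illustration.

```python
# Added illustration: a simplified model of interface-based endpoint selection.
# This is not keystoneauth or ironicclient code.

class EndpointNotFound(Exception):
    pass

# Constructed Keystone v3 catalog; the public baremetal endpoint is deleted,
# as in step 2 of the report. All addresses are made up.
CATALOG = [
    {"type": "baremetal", "name": "ironic", "endpoints": [
        {"interface": "internal", "url": "http://10.0.0.5:6385"},
        {"interface": "admin", "url": "http://10.0.0.5:6385"},
    ]},
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "https://203.0.113.10:5000"},
        {"interface": "internal", "url": "http://10.0.0.5:5000"},
    ]},
]

def select_endpoint(catalog, service_type, valid_interfaces=None):
    """Return the URL of the first endpoint matching the ordered preference."""
    # When the caller drops the option, the lookup falls back to 'public'.
    interfaces = list(valid_interfaces) if valid_interfaces else ["public"]
    for interface in interfaces:          # earlier entries win
        for service in catalog:
            if service["type"] != service_type:
                continue
            for endpoint in service["endpoints"]:
                if endpoint["interface"] == interface:
                    return endpoint["url"]
    raise EndpointNotFound("%s endpoint for %s service not found"
                           % ("/".join(interfaces), service_type))

def unreachable_services(catalog, valid_interfaces=None):
    """Service types with no endpoint for the given interface preference."""
    missing = []
    for service_type in sorted({s["type"] for s in catalog}):
        try:
            select_endpoint(catalog, service_type, valid_interfaces)
        except EndpointNotFound:
            missing.append(service_type)
    return missing

if __name__ == "__main__":
    print(unreachable_services(CATALOG))                # option not conveyed
    print(unreachable_services(CATALOG, ["internal"]))  # option honoured
```

Running the same check against a real catalog (for example the one returned with a token) shows which services a client stuck on the default interface cannot reach before the public endpoint is withdrawn.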

