yahoo-eng-team team mailing list archive
Message #77476
[Bug 1818295] Re: Only Ironic public endpoint is supported
Reviewed: https://review.openstack.org/640879
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=e082bdc166cb8215576801e0c89ef1fe771681ed
Submitter: Zuul
Branch: master
commit e082bdc166cb8215576801e0c89ef1fe771681ed
Author: Guang Yee <guang.yee@xxxxxxxx>
Date: Mon Mar 4 13:30:09 2019 -0800
pass endpoint interface to Ironic client
Via change [1], ironicclient began to use endpoint_filter in the
version negotiation code path, whereas it was previously unused if a
fully-qualified endpoint had already been determined. Suddenly it was
important that the `interface` part of this endpoint_filter be correct.
Prior to ironicclient change [2], there was no way to pass an
appropriate `interface` value through ironicclient's initialization, so
the ironicclient used from nova would always end up with the default
value, `public`, in the endpoint_filter. This would break in clouds
lacking a public ironic API endpoint (see the referenced bug).
With this change, we pass the value of the (standard, per ksa)
`valid_interfaces` ironic config option into the ironicclient
initialization, where (if and only if the ironicclient fix [2] is also
present) it eventually gets passed through to the ksa Adapter
initialization (which is set up to accept values from exactly that conf
option) to wind up in the endpoint_filter.
The effect is that nova's ironicclient will actually be using the
interface from nova.conf throughout. (Because `valid_interfaces` is also
used in recommended configuration setups - i.e. those that use the
service catalog to determine API endpoints - to construct the
endpoint_override used to initialize the ironicclient, the value used
during version negotiation should be in sync with that used for regular
API calls.)
[1] I42b66daea1f4397273a3f4eb1638abafb3bb28ce
[2] I610836e5038774621690aca88b2aee25670f0262
Change-Id: I5f78d21c39ed2fd58d2a0f3649116e39883d5a2c
closes-bug: 1818295
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1818295
Title:
Only Ironic public endpoint is supported
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) queens series:
Confirmed
Status in OpenStack Compute (nova) rocky series:
Confirmed
Bug description:
Currently, there are a number of places in Ironic that do endpoint lookup from the Keystone service catalog. By default, keystoneauth sets it to 'public' if not specified.
Description
===========
We are supposed to be able to select the endpoint type by specifying either the 'interface' or 'valid_interfaces' option in the [keystone_authtoken] section in nova.conf. But that parameter is not being conveyed in ironicclient.
Consequently, this makes it impossible to use Ironic without having
to expose the public endpoint in the service catalog. Furthermore, for
security reasons, our controller nodes (subnet) have no route to the
public network and therefore will not be able to access the public
endpoint. This is a rather significant limitation in deploying Ironic.
Also, we seem to have broken backward compatibility as well, as Ironic
used to work in Pike without having to configure a public endpoint.
Steps to reproduce
==================
1) enable Ironic in devstack
2) delete the Ironic public endpoint in Keystone
3) set 'valid_interfaces = internal' in the [ironic] section in nova.conf and restart nova-compute service
4) try to provision a server and it will fail with errors similar to these in nova-compute logs
2019-02-28 18:00:28.136 48891 ERROR nova.virt.ironic.driver [req-4bace607-0ab6-45b5-911b-1df5fbcc0e01 None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found: AmbiguousAuthSystem: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found
Expected result
===============
Server created without error.
Actual result
=============
Server failed to create, with errors similar to these in nova-compute logs
2019-02-28 18:00:28.136 48891 ERROR nova.virt.ironic.driver [req-4bace607-0ab6-45b5-911b-1df5fbcc0e01 None None] An unknown error has occurred when trying to get the list of nodes from the Ironic inventory. Error: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found: AmbiguousAuthSystem: Must provide Keystone credentials or user-defined endpoint, error was: publicURL endpoint for baremetal service not found
Environment
===========
This bug is reproducible in devstack with Ironic plugin enabled.
Related bugs:
Ironic: https://storyboard.openstack.org/#!/story/2005118
Nova: https://bugs.launchpad.net/nova/+bug/1707860
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1818295/+subscriptions
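Added example (not part of the original message, and not nova, ironicclient or keystoneauth code): a simplified Python model of the catalog lookup discussed in the commit message and bug description, comparing the result when the `valid_interfaces` value from the [ironic] section is honoured against the result when the filter is dropped and the lookup falls back to `public`. The function names, the catalog contents and the addresses are constructed for illustration; the selection rule (first listed interface with an endpoint wins) is an assumption of the model.

```python
import configparser

# Constructed nova.conf fragment, as in step 3 of the reproduction.
NOVA_CONF = "[ironic]\nvalid_interfaces = internal\n"
# Constructed catalog, as after step 2: no public baremetal endpoint.
CATALOG = [{"type": "baremetal", "endpoints": [
    {"interface": "internal", "url": "http://10.0.0.5:6385"},
    {"interface": "admin", "url": "http://10.0.0.5:6385"}]}]

class EndpointNotFound(Exception):
    """No listed interface has an endpoint for the service."""

def configured_interfaces(conf_text, section="ironic"):
    """Return valid_interfaces as an ordered list ([] if unset)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    raw = parser.get(section, "valid_interfaces", fallback="")
    return [i.strip() for i in raw.split(",") if i.strip()]

def select_endpoint(catalog, service_type, interfaces=None):
    """Model lookup: first listed interface with an endpoint wins.

    An empty or missing list falls back to 'public' (model assumption).
    """
    interfaces = interfaces or ["public"]
    for service in catalog:
        if service["type"] != service_type:
            continue
        by_iface = {e["interface"]: e["url"] for e in service["endpoints"]}
        for iface in interfaces:
            if iface in by_iface:
                return iface, by_iface[iface]
    raise EndpointNotFound("%s endpoint for %s service not found"
                           % ("/".join(interfaces), service_type))

def preflight(conf_text, catalog, service_type="baremetal"):
    """Compare the lookup with the configured filter and with it dropped."""
    result = {}
    for label, ifaces in (("configured", configured_interfaces(conf_text)),
                          ("filter_dropped", None)):
        try:
            result[label] = select_endpoint(catalog, service_type, ifaces)
        except EndpointNotFound as exc:
            result[label] = str(exc)
    return result

if __name__ == "__main__":
    print(preflight(NOVA_CONF, CATALOG))
```

A "filter_dropped" entry that is an error string while "configured" resolves to an endpoint is the condition this bug describes: the deployment only works if the configured interface reaches every code path that performs the lookup.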