| *** andrey-mp has joined #openstack-ec2api | 05:48 | |
| ansiwen | andrey-mp: who knows about the pupppet-ec2api module, do you know that? I think I'm using it wrongly. The switch to v2 didn't help, btw. | 06:12 |
|---|---|---|
| ansiwen | andrey-mp: you are not into puppet, IIRC, right? | 06:12 |
| ansiwen | andrey-mp: "Unable to establish connection to https://[::1]:5000/v2.0/tokens" | 06:13 |
| ansiwen | andrey-mp: http://logs.openstack.org/42/356442/7/check/gate-puppet-openstack-integration-4-scenario003-tempest-centos-7-nv/55baf37/console.html#_2016-09-19_09_27_54_796859 | 06:13 |
| andrey-mp | hi | 06:46 |
| andrey-mp | i don't know much about puppet-ec2api and about puppets... | 06:47 |
| andrey-mp | another reson that I see - ec2 credentials are created too early | 06:56 |
| andrey-mp | for example - glance_id_setter that uses same credentials for openstack tool. | 06:58 |
| andrey-mp | right after error I see creation of rabbit user, creation of authtokens for all services, ... | 06:59 |
| andrey-mp | please look to glance and neutron sections here https://github.com/openstack/puppet-tempest/blob/master/manifests/init.pp#L668 | 07:04 |
| andrey-mp | these resources depend on keystone, tempest_config, something own. I think that you should depend ec2 on keystone_user_role and tempest_config there. | 07:06 |
| andrey-mp | ansiwen: ^^ | 07:07 |
| andrey-mp | and maybe in this case - keystone v3 credentials will work | 07:07 |
| ansiwen | andrey-mp: thanks, will have a look at that | 07:08 |
| ansiwen | andrey-mp: so this <||> stuff describes dependencies? good to know... will look it up | 07:14 |
| andrey-mp | yeah | 07:15 |
| ansiwen | andrey-mp: some modules use /v3 or /v2 at the end of the keystone auth urls... so I have no idea what would be the correct thing for ec2api... let me get you the code lines, so you know what I mean | 07:18 |
| ansiwen | https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/barbican.pp#L47-L53 | 07:19 |
| ansiwen | https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/aodh.pp#L57-L64 | 07:19 |
| ansiwen | https://github.com/openstack/puppet-openstack-integration/blob/master/manifests/mistral.pp#L42-L47 (this is the ::auth section, not authtolen, I know) | 07:21 |
| ansiwen | andrey-mp: ^ | 07:21 |
| andrey-mp | This section (keystone_authtoken) is parsed by keystoneauth1 library and it calls keystoneclient. so in general I don't care about version in these url - keystoneauth1 will care about it for me. | 07:23 |
| andrey-mp | as I know - difference in domains. v2 uses just user/password and v3 uses user/password/domains for auth | 07:23 |
| andrey-mp | also - we don't know what version of keystone will be in the Cloud... | 07:24 |
| andrey-mp | now I can't say what version should be use always - I use working version in each individual case | 07:25 |
| andrey-mp | your version of ec2api can use versionless URL for keystone in keystone_url configuration's parameter | 07:29 |
| andrey-mp | next version will use keystone_authtoken section (We recently merge this fix https://review.openstack.org/#/c/368475/ and will release it before the summit) | 07:30 |
| ansiwen | andrey-mp: so I don't need a /v2 or /v3 suffix neither in the auth nor in the authtoken section? | 07:30 |
| andrey-mp | you don't need authtoken section at all for Mitaka version ) | 07:30 |
| andrey-mp | (but please do not delete this section - it will be needed for Newton) | 07:31 |
| ansiwen | I'm working on master, which is Newton | 07:31 |
| andrey-mp | ah, ok | 07:31 |
| ansiwen | even ocata soon, right? | 07:33 |
| andrey-mp | mmm, we will release ec2api before the summit - it will be newton version. and ocata will use the same section I think | 07:34 |
| andrey-mp | I tjink that for master version you can use any version. For example - barbican section | 07:36 |
| ansiwen | andrey-mp: so, with the /v3 ? | 07:41 |
| ansiwen | andrey-mp: and do you know what it means, if the user and project is set to "Default", like in the barbican case? | 07:42 |
| ansiwen | andrey-mp: do I have to run the tempest tests then with the same user? | 07:43 |
| ansiwen | andrey-mp: so far I chose an arbitrary username and the project "openstack" for the tempest run | 07:43 |
| ansiwen | I hoped that it will we created "automagically" :-) | 07:44 |
| andrey-mp | Default - is the name of domain (for user and for project) | 07:51 |
| andrey-mp | tempest tests you should provide aws_access/aws_secret for some existing project | 07:52 |
| andrey-mp | we create user/project first in our gating and then get aws creds for them | 07:52 |
| ansiwen | another detail I found for keystone setup: token_provider => 'fernet' for scenario003, which is the scenario I'm using. does it matter? | 08:14 |
| ansiwen | andrey-mp: ^ | 08:14 |
| andrey-mp | I don't know what is it... | 08:15 |
| *** andrey-mp has quit IRC | 08:44 | |
| *** andrey-mp has joined #openstack-ec2api | 11:06 | |
| *** andrey-mp has quit IRC | 11:12 | |
| *** andrey-mp has joined #openstack-ec2api | 11:27 | |
| *** andrey-mp has quit IRC | 11:38 | |
| *** andrey-mp has joined #openstack-ec2api | 18:28 | |
| cybojanek | andrey-mp: Hi | 21:02 |
| cybojanek | I'm trying to use ec2-api with neutron RBAC for the private network | 21:02 |
| cybojanek | I had to modify instance.py line 1426: | 21:03 |
| cybojanek | 'tenant_id': context.project_id})['networks'] | 21:03 |
| cybojanek | and instead | 21:03 |
| cybojanek | just })['networks'] | 21:03 |
| cybojanek | Is the tenant_id needed there? Won't openstack filter things already by access control? | 21:04 |
| cybojanek | andrey-mp: I've also implemented a portion of import-image and would like to hand it back off to upstream if you're interested (http://docs.aws.amazon.com/cli/latest/reference/ec2/import-image.html) | 21:05 |
| cybojanek | It deals with importing images | 21:05 |
| cybojanek | AFK - be back tomorrow | 21:34 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!