Not able to create network in openstack


Sathia Nadarajah

Sep 6, 2018, 1:48:21 AM
to cloudify-users
Hi All,

I have this blueprint.yaml which basically creates a network with a subnet.

tosca_definitions_version: cloudify_dsl_1_3
imports:
  - 'http://www.getcloudify.org/spec/cloudify/4.4/types.yaml'
  - 'plugin:cloudify-openstack-plugin?version=2.9.6&distribution=redhat'
description: |
  Create sathia openstack network and subnet.
inputs:
  username:
    description: OS_USERNAME as specified in Openstack RC file.
    default:
      get_secret: keystone_username
  password:
    description: Openstack user password.
    default:
      get_secret: keystone_password
  tenant_name:
    description: OS_TENANT_NAME as specified in Openstack RC file.
    default:
      get_secret: keystone_tenant_name
  auth_url:
    description: OS_AUTH_URL as specified in Openstack RC file.
    default:
      get_secret: keystone_url
  region:
    description: OS_REGION_NAME as specified in Openstack RC file.
    default:
      get_secret: keystone_region
node_templates:
  myNetwork1:
    type: cloudify.openstack.nodes.Network
    capabilities:
      scalable:
        properties:
          default_instances: 1
    properties:
      resource_id: my_network_sathias1
      openstack_config:
        username:
          get_input: username
        password:
          get_input: password
        tenant_name:
          get_input: tenant_name
        auth_url:
          get_input: auth_url
        region:
          get_input: region
      create_if_missing: true
  mySubnet1:
    type: cloudify.openstack.nodes.Subnet
    relationships:
      - type: cloudify.relationships.contained_in
        target: myNetwork1
    capabilities:
      scalable:
        properties:
          default_instances: 1
    properties:
      resource_id: my_subnet_sathias1
      openstack_config:
        username:
          get_input: username
        password:
          get_input: password
        tenant_name:
          get_input: tenant_name
        auth_url:
          get_input: auth_url
        region:
          get_input: region
      create_if_missing: true
dsl_definitions:
  client_config:
    username:
      get_input: username
    password:
      get_input: password
    tenant_name:
      get_input: tenant_name
    auth_url:
      get_input: auth_url
    region:
      get_input: region
    custom_configuration:
      nova_client:
        insecure: true
      keystone_client:
        insecure: true
      neutron_client:
        insecure: true
      cinder_client:
        insecure: true


The error I am getting,

2018-09-06 04:27:54,756:INFO: [a16089c5-6815-40c9-a38a-5794c3f30855] Starting 'install' workflow execution
2018-09-06 04:27:55,021:INFO: [a16089c5-6815-40c9-a38a-5794c3f30855] Creating node
2018-09-06 04:27:55,119:INFO: [a16089c5-6815-40c9-a38a-5794c3f30855] Sending task 'neutron_plugin.network.create'
2018-09-06 04:27:55,320:INFO: [a16089c5-6815-40c9-a38a-5794c3f30855] Task started 'neutron_plugin.network.create'
2018-09-06 04:27:56,263:WARNING: Failed to discover available identity versions when contacting https://10.173.120.110:13000/v3. Attempting to parse version from URL.
2018-09-06 04:27:56,546:ERROR: Task neutron_plugin.network.create[198f5e8d-95ac-4ec7-b04d-dd69b4d2842b] raised:
Traceback (most recent call last):
  File "/opt/mgmtworker/env/lib/python2.7/site-packages/cloudify/dispatch.py", line 669, in main
    payload = handler.handle()
  File "/opt/mgmtworker/env/lib/python2.7/site-packages/cloudify/dispatch.py", line 411, in handle
    result = self.func(*self.args, **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/openstack_plugin_common/__init__.py", line 882, in wrapper
    return f(*args, **kw)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutron_plugin/network.py", line 52, in create
    {NETWORK_OPENSTACK_TYPE: network})[NETWORK_OPENSTACK_TYPE]
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 772, in create_network
    return self.post(self.networks_path, body=body)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 365, in post
    headers=headers, params=params)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 288, in do_request
    resp, replybody = self.httpclient.do_request(action, method, body=body)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/client.py", line 310, in do_request
    self._check_uri_length(url)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/client.py", line 303, in _check_uri_length
    uri_len = len(self.endpoint_url) + len(url)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/neutronclient/client.py", line 317, in endpoint_url
    return self.get_endpoint()
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 193, in get_endpoint
    return self.session.get_endpoint(auth or self.auth, **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/session.py", line 856, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 215, in get_endpoint
    service_catalog = self.get_access(session).service_catalog
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/identity/base.py", line 136, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py", line 198, in get_auth_ref
    return self._plugin.get_auth_ref(session, **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/session.py", line 766, in post
    return self.request(url, 'POST', **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/positional/__init__.py", line 108, in inner
    return wrapped(*args, **kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/session.py", line 616, in request
    resp = send(**kwargs)
  File "/opt/mgmtworker/env/plugins/Sathia/cloudify-openstack-plugin-2.9.6/lib/python2.7/site-packages/keystoneauth1/session.py", line 678, in _send_request
    raise exceptions.SSLError(msg)
SSLError: SSL exception connecting to https://10.173.120.110:13000/v3/auth/tokens: HTTPSConnectionPool(host='10.173.120.110', port=13000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Screenshots from the Cloudify console are attached, along with the inputs used.


lukasz.m...@cloudify.co

Sep 7, 2018, 10:54:12 AM
to cloudify-users
Hi,

It seems that you are getting an error related to TLS certificate validation when trying to contact your Openstack Keystone URL.
If your Openstack Keystone uses a custom certificate, you must also include the "ca_cert" deployment input, with a path (on-manager) to the CA certificate.
As a last resort, you can also set the deployment input "insecure: true" to skip certificate validation entirely.

Thanks,
Lukasz

Sathia Nadarajah

Sep 8, 2018, 7:02:20 AM
to lukasz.m...@cloudify.co, cloudif...@googlegroups.com, Nadarajah, Sathia
Thanks for that Lukasz. We are still seeing the same issue even after including ca_cert. Do you see anything wrong with the way I have used ca_cert in my blueprint?
The blueprint and the keystone certificate (part of it) are included here.

Appreciate your help.

Error,
2018-09-08 10:51:09,624:INFO: [ded7de67-d627-4160-82bd-454438232070] Starting 'install' workflow execution
2018-09-08 10:51:09,934:INFO: [ded7de67-d627-4160-82bd-454438232070] Creating node
2018-09-08 10:51:10,019:INFO: [ded7de67-d627-4160-82bd-454438232070] Sending task 'neutron_plugin.network.create'
2018-09-08 10:51:10,240:INFO: [ded7de67-d627-4160-82bd-454438232070] Task started 'neutron_plugin.network.create'
2018-09-08 10:51:11,281:WARNING: Failed to discover available identity versions when contacting https://10.173.120.110:13000/v3. Attempting to parse version from URL.
2018-09-08 10:51:11,566:ERROR: Task neutron_plugin.network.create[e657e156-bfb8-4641-be5a-ea2ae89afa9a] raised:

The blueprint.yaml used for the deployment,

  ca_cert:
    description: Path to CA certificate to validate OpenStack's endpoint with
    default:
      get_secret: ca_cert
node_templates:
  myNetwork1:
    type: cloudify.openstack.nodes.Network
    capabilities:
      scalable:
        properties:
          default_instances: 1
    properties:
      resource_id: my_network_sathias1
      openstack_config:
        username:
          get_input: username
        password:
          get_input: password
        tenant_name:
          get_input: tenant_name
        auth_url:
          get_input: auth_url
        region:
          get_input: region
        ca_cert:
          get_input: ca_cert
      create_if_missing: true
  mySubnet1:
    type: cloudify.openstack.nodes.Subnet
    relationships:
      - type: cloudify.relationships.contained_in
        target: myNetwork1
    capabilities:
      scalable:
        properties:
          default_instances: 1
    properties:
      resource_id: my_subnet_sathias1
      openstack_config:
        username:
          get_input: username
        password:
          get_input: password
        tenant_name:
          get_input: tenant_name
        auth_url:
          get_input: auth_url
        region:
          get_input: region
        ca_cert:
          get_input: ca_cert
      create_if_missing: true
      subnet:
        ip_version: 4
        cidr: 10.0.1.0/24
        dns_nameservers:
          - 203.58.209.137
        allocation_pools:
          - start: 10.0.1.2
            end: 10.0.1.254
dsl_definitions:
  client_config:
    username:
      get_input: username
    password:
      get_input: password
    tenant_name:
      get_input: tenant_name
    auth_url:
      get_input: auth_url
    region:
      get_input: region
    ca_cert:
      get_input: ca_cert


Output from keytool -list -v -keystore /etc/pki/ca-trust/extracted/java/cacerts shows that the cert is in the TLS trust store,

..
..
..

*******************************************


Creation date: Sep 7, 2018
Entry type: trustedCertEntry

Owner: EMAILADDRESS=Venkat...@team.telstra.com, CN=director01.ospoc.cmimodel.corp.telstra.com, OU=CMS, O=Telstra, L=Melbourne, ST=Victoria, C=AU
Issuer: EMAILADDRESS=Venkat...@team.telstra.com, CN=director01.ospoc.cmimodel.corp.telstra.com, OU=CMS, O=Telstra, L=Melbourne, ST=Victoria, C=AU
Serial number: aabdd54132be89fb
Valid from: Fri Jun 22 03:50:49 UTC 2018 until: Thu Jun 17 03:50:49 UTC 2038
..
..
..

*******************************************
..
..



lukasz.m...@cloudify.co

Sep 8, 2018, 11:34:55 AM
to cloudify-users
Interesting! But it seems that you're using /etc/pki/ca-trust/extracted/java/cacerts in the keytool call, while you're using /etc/pki/ca-trust/extracted/java as the secret value? Additionally, please note that the cert used by keystoneauth (which uses requests, which uses openssl) has to be in a PEM format, not PKCS12, which is used by Java.

If this is indeed a PKCS12 file, please use the following command to extract a PEM-formatted cert from it:
    openssl pkcs12 -in path-to-pkcs12-file.p12 -out target-path-to-cert.pem -clcerts -nokeys
and provide the full path to the cert in your secrets/inputs. It can be a bundle, but it still must be PEM formatted.

For easier debugging, here are the ways to try that exact request without having to run a full Cloudify execution:
Run the request using python's requests (beware of shell quoting):
    sudo -u cfyuser /opt/mgmtworker/env/bin/python -c 'import requests;  print requests.get("https://10.173.120.110:13000/v3/auth/tokens", verify="/path/to/cert.pem")'
This should of course print some HTTP auth error, like 401, but not an SSL error.

Or start a connection using openssl's client, which will possibly show more helpful information:
    sudo -u cfyuser openssl s_client -connect 10.173.120.110:13000 -servername 10.173.120.110 -CAfile /path/to/cert.pem
This will output lots of debugging data, along with a summary line, e.g. "Verify return code: 0 (ok)" or "Verify return code: 21 (unable to verify the first certificate)".

Thanks

Sathia Nadarajah

Sep 9, 2018, 6:37:38 AM
to cloudify-users
Thanks Lukasz. The tips helped; I was pointing to the path where the CA was located instead of including the cert as part of the path. It works now.

Attached the cacert output from the secret store from my cloudify tenant.
Capture from cloudify secret store.PNG
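A pre-flight check for the ca_cert value, added here as an example for this thread (it is not code from Cloudify or the OpenStack plugin): it reports the two problems diagnosed above, a directory given instead of a file and a DER/PKCS12 file where requests needs PEM, and performs the same handshake check as the openssl s_client -CAfile command. Python 3 is assumed, and the file contents fed to the classifier in a check are constructed samples, not real certificates.

```python
"""Pre-flight check for the ca_cert path an OpenStack blueprint hands to keystoneauth.

Added example, not part of the thread or of any Cloudify code. It flags the two
misconfigurations discussed above (a trust-store directory instead of a file, and a
binary DER/PKCS12 file instead of PEM) and then does the same verification that
`openssl s_client -CAfile` does, so that a plain 401 from Keystone is the only
thing left for the plugin to handle.
"""
import os
import socket
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def classify_ca_bytes(data):
    """Classify raw file contents: 'pem:<n>' (n certificates), 'der-or-pkcs12' or 'unknown'."""
    count = data.count(PEM_BEGIN)
    if count:
        return "pem:%d" % count          # a bundle is fine as long as every entry is PEM
    if data[:1] == b"\x30":              # DER certs and PKCS12 files are ASN.1 SEQUENCEs (0x30)
        return "der-or-pkcs12"
    return "unknown"


def classify_ca_cert(path):
    """Classify the ca_cert path itself: 'missing', 'directory', or a classify_ca_bytes() result."""
    if not os.path.exists(path):
        return "missing"
    if os.path.isdir(path):
        return "directory"               # the bug in this thread: the secret named the directory
    with open(path, "rb") as fh:
        return classify_ca_bytes(fh.read())


def probe_tls(host, port, cafile, timeout=5.0):
    """Handshake with host:port trusting only cafile; returns 'ok' or the failure reason."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)   # fails here if cafile is not PEM
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "verify failed: %s" % exc.verify_message    # e.g. self signed certificate
    except (ssl.SSLError, OSError) as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    import sys  # usage: check_ca_cert.py /path/to/ca.pem [host port]
    print(classify_ca_cert(sys.argv[1]))
    if len(sys.argv) > 3:
        print(probe_tls(sys.argv[2], int(sys.argv[3]), sys.argv[1]))
```

Run it as the cfyuser with the exact path stored in the secret, so that file permissions are checked under the same account the management worker uses.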