Packer + OpenStack-based system - not able to authenticate


peet.p...@gmail.com

Mar 23, 2017, 5:15:14 AM
to Packer
Hello, I am trying to automate some deployment to an OpenStack-based cloud. It's based on OpenStack, but there might be some minor differences between those. Therefore I would like to ask you to check whether my script and template are OK. With this setting I am able to connect to the OpenStack CLI, but I am not able to use Packer with the same config. Is there something missing? http://pastebin.com/0Tzf0X5E Thanks.

2017/03/23 10:27:04 ui: openstack output will be in this color.
2017/03/23 10:27:04 ui:
2017/03/23 10:27:04 Build debug mode: false
2017/03/23 10:27:04 Force build: false
2017/03/23 10:27:04 On error:
2017/03/23 10:27:04 Preparing build: openstack
openstack output will be in this color.

2017/03/23 10:27:04 Build 'openstack' prepare failure: 1 error(s) occurred:

* Authentication failed
2017/03/23 10:27:04 ui error: 1 error(s) occurred:

* Authentication failed
2017/03/23 10:27:04 waiting for all plugin processes to complete...
1 error(s) occurred:

* Authentication failed
2017/03/23 10:27:04 /usr/local/Cellar/packer/0.12.2/bin/packer: plugin process exited
2017/03/23 10:27:04 /usr/local/Cellar/packer/0.12.2/bin/packer: plugin process exited

Rickard von Essen

Mar 23, 2017, 5:38:37 AM
to packe...@googlegroups.com
Looks good to me. Can you run with PACKER_LOG=1 packer build template.json and pastebin the output?

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/mitchellh/packer/issues
IRC: #packer-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Packer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to packer-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/packer-tool/9e852472-9c4c-468c-a615-2a130003bd53%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

peet.p...@gmail.com

Mar 23, 2017, 6:07:47 AM
to Packer
http://pastebin.com/A2Wx9whX Here is the full log.

On Thursday, March 23, 2017 at 11:15:14 UTC+2, peet.p...@gmail.com wrote:

Rickard von Essen

Mar 24, 2017, 5:27:41 AM
to packe...@googlegroups.com
It's hard to give any further debugging advice unless you can capture the traffic or access the logs on keystone and see why your auth is denied.


peet.p...@gmail.com

Mar 27, 2017, 7:33:44 AM
to Packer
Hi again,

So I have done some heavy debugging, and I have found that the login process is slightly different between Packer and the Python-based OpenStack client.

{"auth":{"identity":{"methods":["password"],"password":{"user":{"domain":{"name":"soc"},"name":"myname","password":"……"}}},"scope":{"project":{"domain":{"name":"soc"},"name":"soc"}}}}
HTTP/1.1 401 UNAUTHORIZED   <<<<<< PACKER

{"auth": {"scope": {"project": {"domain": {"name": "soc"}, "name": "mcafee-siem"}}, "identity": {"password": {"user": {"domain": {"name": "soc"}, "password": "….", "name": "myname"}}, "methods": ["password"]}}}
HTTP/1.1 201 CREATED   <<<<<<< python based openstack client

If you look carefully at scope > project > name, you can see that Packer uses 'soc' twice, while the Python client uses 'mcafee-siem' instead. I am almost sure that this is the problem. A way to confirm it is to intercept the request and try to change the value. I will do that now, but anyway, I am almost sure this is the hitch.

Do you have any idea how to change it? This is my current openrc.sh setting.

export OS_PROJECT_NAME=mcafee-siem
export OS_USER_DOMAIN_NAME=soc
export OS_PROJECT_DOMAIN_NAME=soc
export OS_TENANT_NAME=soc

But in Packer I cannot change the project name; in the documentation it is written that PROJECT_NAME is the same as TENANT_NAME or similar.

From documentation: This will authenticate the user on the domain and scope you to the project. A tenant is the same as a project. .... OS_TENANT_NAME or OS_TENANT_ID must be used even with Identity v3, OS_PROJECT_NAME and OS_PROJECT_ID has no effect in Packer.

Well, it actually has an effect this time.... Do you have any clue how to fix it? Besides intercepting every request?


On Friday, March 24, 2017 at 11:27:41 UTC+2, Rickard von Essen wrote:

Rickard von Essen

Mar 28, 2017, 3:28:59 PM
to packe...@googlegroups.com
That is interesting.

I assume that this is a private OpenStack installation. 

Did you try changing OS_PROJECT_DOMAIN_NAME=mcafee-siem ?


Rickard von Essen

Mar 28, 2017, 3:59:32 PM
to packe...@googlegroups.com
The bottom note on https://www.packer.io/docs/builders/openstack.html suggests that OS_TENANT_NAME should be mcafee-siem and not soc.
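
The comparison made by eye earlier in this thread, as an added example that is not from the thread or from Packer's code: it builds the Keystone v3 password request twice from the quoted openrc.sh values, once taking the project scope from OS_TENANT_NAME (what the quoted Packer documentation says Packer reads) and once from OS_PROJECT_NAME, masks the password, and reports the fields that differ. The function names and the password value are assumptions made for the example.

```python
import json

# Constructed from the openrc.sh values quoted in the thread.
OPENRC = {
    "OS_PROJECT_NAME": "mcafee-siem",
    "OS_USER_DOMAIN_NAME": "soc",
    "OS_PROJECT_DOMAIN_NAME": "soc",
    "OS_TENANT_NAME": "soc",
}

def v3_password_auth(env, username, password, project_var):
    """Keystone v3 password-auth body; project scope name comes from env[project_var]."""
    user = {"domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "name": username, "password": password}
    project = {"domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
               "name": env[project_var]}
    return {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": project}}}

def redact(body):
    """Deep copy with the password masked, safe to paste into a list post."""
    clone = json.loads(json.dumps(body))
    clone["auth"]["identity"]["password"]["user"]["password"] = "<redacted>"
    return clone

def flatten(node, prefix=""):
    """Map every leaf value to a dotted path such as auth.scope.project.name."""
    if isinstance(node, dict):
        children = [(f"{prefix}.{k}" if prefix else k, v) for k, v in node.items()]
    elif isinstance(node, list):
        children = [(f"{prefix}[{i}]", v) for i, v in enumerate(node)]
    else:
        return {prefix: node}
    flat = {}
    for path, value in children:
        flat.update(flatten(value, path))
    return flat

def diff_bodies(a, b):
    """Return {path: (a_value, b_value)} for each leaf that differs after redaction."""
    fa, fb = flatten(redact(a)), flatten(redact(b))
    return {p: (fa.get(p), fb.get(p))
            for p in sorted(set(fa) | set(fb)) if fa.get(p) != fb.get(p)}

if __name__ == "__main__":
    # The password is a placeholder; "myname" is the username shown in the thread.
    tenant_scoped = v3_password_auth(OPENRC, "myname", "example-password", "OS_TENANT_NAME")
    project_scoped = v3_password_auth(OPENRC, "myname", "example-password", "OS_PROJECT_NAME")
    for path, (left, right) in diff_bodies(tenant_scoped, project_scoped).items():
        print(f"{path}: from OS_TENANT_NAME={left!r}, from OS_PROJECT_NAME={right!r}")
```

Because both bodies are redacted before comparison, a password mismatch is deliberately not reported; only scope and identity metadata are diffed.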

peet.p...@gmail.com

Mar 29, 2017, 3:28:44 AM
to Packer
Hi,

I changed the configuration on OpenStack and then everything is working just fine. I am not sure what exactly the correct configuration is, but if I am correct, my OpenStack does not use the same credentials in Project_Name x Tenant_name .... In Packer those values are identical; maybe I would change it in the next release and let the user choose those values. The problem is solved now, but I am not sure whether Packer should not change this hardcoded configuration.

On Tuesday, March 28, 2017 at 22:59:32 UTC+3, Rickard von Essen wrote:

Rickard von Essen

Mar 29, 2017, 4:05:09 AM
to packe...@googlegroups.com
This is actually not handled by packer at all but in the official OpenStack Go library. Specifically this is handled here:

It's unfortunate that they didn't do a clear cut between v2 and v3 or didn't change names at all.

// Rickard

PS. If you find a way to make this more clear in the Packer docs, we appreciate PRs.
