Description of problem: # grep auth_url /etc/neutron/metadata_agent.ini auth_url = http://192.0.2.10:35357/ If there is RPC issue and the fallback to neutron client happens then this creates error messages with 404's as the resource /tokens resides in http://192.0.2.10:35357/v2.0/tokens and not in http://192.0.2.10:35357/tokens: {"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}} When the URL is constructed it uses token_url = self.auth_url + "/tokens" however when deployed with OpenStack director we see that this URL is not existent. And generates the error above. ~~~ File "/usr/lib/python2.7/site-packages/neutronclient/client.py", line 218 209 if self.auth_url is None: 210 raise exceptions.NoAuthURLProvided() 211 212 token_url = self.auth_url + "/tokens" 213 resp, resp_body = self._cs_request(token_url, "POST", 214 body=json.dumps(body), 215 content_type="application/json", 216 allow_redirects=True) 217 if resp.status_code != 200: 218 raise exceptions.Unauthorized(message=resp_body) 219 if resp_body: 220 try: 221 resp_body = json.loads(resp_body) 222 except ValueError: 223 pass 224 else: 225 resp_body = None 226 self._extract_service_catalog(resp_body) ~~~ Thank you, Kind Regards, Robin Černín
Note that means that once agent configuration is fixed, all metadata agents should be restarted, otherwise we leave those agents prone to breakage on any messaging error.
This is how I fixed Director templates to get auth_url for Neutron metadata agent: diff --git a/templates/my-overcloud/puppet/controller-puppet.yaml b/templates/my-overcloud/puppet/controller-puppet.yaml index b58f83e..f95187a 100644 --- a/templates/my-overcloud/puppet/controller-puppet.yaml +++ b/templates/my-overcloud/puppet/controller-puppet.yaml @@ -1233,7 +1233,7 @@ resources: neutron::agents::metadata::auth_password: {get_input: neutron_password} neutron_dnsmasq_options: {get_input: neutron_dnsmasq_options} neutron_dsn: {get_input: neutron_dsn} - neutron::agents::metadata::auth_url: {get_input: keystone_identity_uri} + neutron::agents::metadata::auth_url: {get_input: keystone_auth_uri} neutron::server::notifications::nova_url: {get_input: nova_internal_url} neutron::server::notifications::auth_url: {get_input: nova_admin_auth_url} neutron::server::notifications::tenant_name: 'service'
So the workaround in comment #3 seems reasonable, but it moves the neutron::agents::metadata::auth_url from the keystone admin endpoint to the public one, which I suspect isn't what we want (you just need to add the suffix to the existing admin endpoint, right?) See here: https://github.com/openstack/tripleo-heat-templates/blob/stable/liberty/puppet/controller.yaml#L1039 You're moving: keystone_identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } to keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } I suspect you actually need this: https://github.com/openstack/tripleo-heat-templates/blob/stable/liberty/puppet/controller.yaml#L1150 neutron_admin_auth_url: { get_param: [ EndpointMap, KeystoneAdmin, uri ] } Please try this workaround - if you can confirm it works OK I'll go ahead and propose it as the fix: diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 06585a7..e1d28f1 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -1499,7 +1499,7 @@ resources: neutron::agents::metadata::auth_password: {get_input: neutron_password} neutron_dnsmasq_options: {get_input: neutron_dnsmasq_options} neutron_dsn: {get_input: neutron_dsn} - neutron::agents::metadata::auth_url: {get_input: keystone_identity_uri} + neutron::agents::metadata::auth_url: {get_input: neutron_admin_auth_url} neutron::db::mysql::password: {get_input: neutron_password} neutron::keystone::auth::public_url: {get_input: neutron_public_url } neutron::keystone::auth::internal_url: {get_input: neutron_internal_url } Adding needinfo as I'd like confirmation the above fixes the problem from Robin.
this is still an issue upstream (OSP10, OSP11, etc). See: https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/neutron-metadata.yaml#L73 reassigning to DFG:Networking for a fix, then we can consider backporting.
If I understand correctly, this is a keystone version specific detail and is not necessarily an issue in versions other than the one reported. If we can obtain the feedback requested by Steven in #c4, we can create a version specific fix.
Robin please see comment 4 and re-open if relevant.