On Fri, Jun 28, 2013 at 1:11 AM, Vadim Izvekov <vizvekov@xxxxxxxxxxxx> wrote:
> Hello!
>
>
> We got an issue with integration of RadosGW and Keystone. Can you support us?
>
> We have such ceph configuration:
>
> [global]
> ....
> rgw socket path = /tmp/radosgw.sock
> ....
> [client.radosgw.gateway]
> host = fuel-controller-01
> user = www-data
> keyring = /etc/ceph/client.radosgw.gateway.keyring
> log file = /var/log/ceph/radosgw.log
> rgw enable usage log = true
> rgw usage log tick interval = 30
> rgw usage log flush threshold = 1024
> rgw usage max shards = 32
> rgw usage max user shards = 1
> rgw data = /var/lib/ceph/rados
> rgw dns name = fuel-controller-01
> rgw keystone url = http://10.10.10.127:5000
> rgw keystone admin token = nova
> rgw keystone accepted roles = admin, SwiftOperator
> rgw keystone token cache size = 10
> rgw keystone revocation interval = 60
> nss db path = /var/ceph/nss
>
>
>
> When we start the RadosGW, we obtain such error in log:
>
> 2013-06-26 05:03:52.838089 7f2cc944c700 2 keystone revoke thread: start
> 2013-06-26 05:03:52.838123 7f2cc944c700 20 sending request to
> http://10.10.10.127:5000/v2.0/tokens/revoked
> 2013-06-26 05:03:53.073184 7f2cc944c700 10 request returned {"signed":
> "-----BEGIN
> CMS-----\nMIIBkAYJKoZIhvcNAQcCoIIBgTCCAX0CAQExCTAHBgUrDgMCGjBrBgkqhkiG9w0B\nBwGgXgRceyJyZXZva2VkIjogW3siZXhwaXJlcyI6ICIyMDEzLTA2LTI3VDA3OjQ0\nOjA0WiIsICJpZCI6ICJlNmU4MTJiY2Y1YWM0ZTY4YjM2ODhiM2VlODYwZmY1MCJ9\nXX0xgf8wgfwCAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVW5zZXQxDjAM\nBgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1w\nbGUuY29tAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAqbZEjICFOVUz22f3\nqkZ4CcjExMXo2bbgpODFE9J8XFQ+kOwT0X/gp1ALIq8y9gRYjX4LGBXQ0Nd2RqMQ\nkm+vIIHkVzOt5q5nbKhXNSTkTWBGRrPLWdJo3IedAB64F7qfiAdhtqw9FUtwLSxr\nfSkdijXjyzNgoJbVV2MYAIkV6cE=\n-----END
> CMS-----\n"}
> 2013-06-26 05:03:53.073239 7f2cc944c700 10 signed=-----BEGIN CMS-----
> MIIBkAYJKoZIhvcNAQcCoIIBgTCCAX0CAQExCTAHBgUrDgMCGjBrBgkqhkiG9w0B
> BwGgXgRceyJyZXZva2VkIjogW3siZXhwaXJlcyI6ICIyMDEzLTA2LTI3VDA3OjQ0
> OjA0WiIsICJpZCI6ICJlNmU4MTJiY2Y1YWM0ZTY4YjM2ODhiM2VlODYwZmY1MCJ9
> XX0xgf8wgfwCAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVW5zZXQxDjAM
> BgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1w
> bGUuY29tAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAqbZEjICFOVUz22f3
> qkZ4CcjExMXo2bbgpODFE9J8XFQ+kOwT0X/gp1ALIq8y9gRYjX4LGBXQ0Nd2RqMQ
> km+vIIHkVzOt5q5nbKhXNSTkTWBGRrPLWdJo3IedAB64F7qfiAdhtqw9FUtwLSxr
> fSkdijXjyzNgoJbVV2MYAIkV6cE=
> -----END CMS-----
>
> 2013-06-26 05:03:53.073246 7f2cc944c700 10
> content=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
> 2013-06-26 05:03:53.073442 7f2cc944c700 0 ERROR: signer 0 status =
> BadSignature
> 2013-06-26 05:03:53.073451 7f2cc944c700 0 ERROR: problem decoding
> 2013-06-26 05:03:53.073452 7f2cc944c700 0 ceph_decode_cms returned -22
> 2013-06-26 05:03:53.073457 7f2cc944c700 0 ERROR: keystone revocation
> processing returned error r=-22
> 2013-06-26 05:04:51.395179 7f82be63a780 0 ceph version 0.61.4
> (1669132fcfc27d0c0b5e5bb93ade59d147e23404), process radosgw, pid 23148
> 2013-06-26 05:04:51.410852 7f82b1408700 2 garbage collection: start
>
>
> At the same time we obtain such rows in Keystone's log:
>
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] ********************
> REQUEST ENVIRON ********************
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] webob.adhoc_attrs =
> {'response': <Response at 0x3d68150 200 OK>}
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] REQUEST_METHOD = GET
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] PATH_INFO =
> /tokens/revoked
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] SERVER_PROTOCOL =
> HTTP/1.0
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] HTTP_X_AUTH_TOKEN = nova
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] REMOTE_PORT = 39617
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] SERVER_NAME =
> 10.10.10.201
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] REMOTE_ADDR =
> 10.10.10.201
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] eventlet.input =
> <eventlet.wsgi.Input object at 0x3b55dd0>
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.url_scheme = http
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] SERVER_PORT = 5000
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.input =
> <eventlet.wsgi.Input object at 0x3b55dd0>
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] openstack.context =
> {'token_id': 'nova', 'is_admin': True}
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] HTTP_HOST =
> 10.10.10.127:5000
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.multithread = True
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] eventlet.posthooks = []
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] HTTP_ACCEPT = */*
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.version = (1, 0)
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] RAW_PATH_INFO =
> /v2.0/tokens/revoked
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] GATEWAY_INTERFACE =
> CGI/1.1
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.run_once = False
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.errors = <open file
> '<stderr>', mode 'w' at 0x7f083191d270>
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] wsgi.multiprocess =
> False
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] CONTENT_TYPE =
> text/plain
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi]
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] ********************
> REQUEST BODY ********************
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi]
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] arg_dict: {}
> 2013-06-26 05:04:53 INFO [sqlalchemy.engine.base.Engine] SELECT token.id
> AS token_id, token.expires AS token_expires, token.extra AS token_extra,
> token.valid AS token_valid, token.user_id AS token_user_id, token.trust_id
> AS token_trust_id
> FROM token
> WHERE token.expires > %s AND token.valid = %s
> 2013-06-26 05:04:53 INFO [sqlalchemy.engine.base.Engine]
> (datetime.datetime(2013, 6, 26, 12, 4, 53, 686305), 0)
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] ********************
> RESPONSE HEADERS ********************
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] Content-Type =
> application/json
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] Content-Length = 612
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi]
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] ********************
> RESPONSE BODY ********************
> 2013-06-26 05:04:53 DEBUG [keystone.common.wsgi] {"signed": "-----BEGIN
> CMS-----\nMIIBkAYJKoZIhvcNAQcCoIIBgTCCAX0CAQExCTAHBgUrDgMCGjBrBgkqhkiG9w0B\nBwGgXgRceyJyZXZva2VkIjogW3siZXhwaXJlcyI6ICIyMDEzLTA2LTI3VDA3OjQ0\nOjA0WiIsICJpZCI6ICJlNmU4MTJiY2Y1YWM0ZTY4YjM2ODhiM2VlODYwZmY1MCJ9\nXX0xgf8wgfwCAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVW5zZXQxDjAM\nBgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1w\nbGUuY29tAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGALtqB6OzwGNhcypf6\n33JjLnm0l865R7jh4jz4aYWVOpF20QV3q/j9KZ+4BbG4ctyQ3nAn9hEZPXFOCVKU\nllpfmA/nahlcMLP1RU1ZPHPblBifyth8JOwiPRoSX9In8lr7+NNkCe1sIBxWBmzk\npTOK419MwIXNtsohQ+D5j2RnQA0=\n-----END
> CMS-----\n"}
> 2013-06-26 05:04:53 DEBUG [eventlet.wsgi.server] 10.10.10.201 - -
> [26/Jun/2013 05:04:53] "GET /v2.0/tokens/revoked HTTP/1.1" 200 760 0.033900
>
>
>
> Can you help us, what are we doing wrong?
>
> Software versions:
> ceph:
> Installed: 0.61.4-1precise
> radosgw:
> Installed: 0.61.4-1precise
> keystone:
> Installed: 1:2013.1.1-0ubuntu2~cloud0 (grizzly)
> OS:
> Ubuntu 12.04
>

It's a bit tricky to find out what's going on. The keystone and rgw logs are pointing at different requests, from what I can tell. But even so, when dealing with auth / encryption / signatures, it's very hard to tell what went wrong. Usually the problem is with bad / wrong certificates. Make sure that you have the correct files taken from the keystone server, and that they're converted correctly. Did you try that?

Yehuda
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
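
One way to test the "wrong certificate" explanation from the reply above with the openssl CLI, as an added example that is not part of the original thread: it signs a constructed revocation list with a throwaway certificate, then shows the CMS blob verifying against that certificate and failing against a second certificate that has the same subject and serial but a different key. The file names, the subject `signing.example.test` and the payload are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name, subject and payload below is constructed.

# Create a throwaway self-signed signing cert NAME.pem / NAME.key in DIR.
make_signer() {  # make_signer DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 1 \
        -subj "/CN=signing.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Sign FILE into a PEM "-----BEGIN CMS-----" blob without embedded certs.
cms_sign() {  # cms_sign FILE CERT KEY OUT
    openssl cms -sign -in "$1" -signer "$2" -inkey "$3" -outform PEM \
        -nosmimecap -nodetach -nocerts -noattr -out "$4" 2>/dev/null
}

# Exit 0 only if BLOB verifies against CERT (used as signer and trust root).
cms_verify() {  # cms_verify BLOB CERT
    openssl cms -verify -inform PEM -in "$1" -certfile "$2" -CAfile "$2" \
        -out /dev/null 2>/dev/null
}

# SHA-256 fingerprint, for comparing two copies of a certificate.
cert_fp() {  # cert_fp CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    d=$(mktemp -d) || return 2
    make_signer "$d" keystone || return 2  # cert the token service signs with
    make_signer "$d" stale || return 2     # same subject and serial, other key
    printf '{"revoked": []}\n' > "$d/revoked.json"
    cms_sign "$d/revoked.json" "$d/keystone.pem" "$d/keystone.key" \
        "$d/revoked.cms" || return 2
    if cms_verify "$d/revoked.cms" "$d/keystone.pem"; then r1=ok; else r1=fail; fi
    if cms_verify "$d/revoked.cms" "$d/stale.pem"; then r2=ok; else r2=fail; fi
    if [ "$(cert_fp "$d/keystone.pem")" = "$(cert_fp "$d/stale.pem")" ]; then
        fp=same; else fp=differ; fi
    rm -rf "$d"
    echo "right_cert=$r1 wrong_cert=$r2 fingerprints=$fp"
}

demo
```

On a real deployment, `cert_fp` can be run on the signing certificate taken from the Keystone server and on the copy exported from the NSS database under `nss db path`; differing fingerprints mean the gateway is checking signatures against a different certificate than the one Keystone signs with.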