Yes Mark, but there is no keystone.conf in this modified Openstack code. There is only horizon.conf under /etc/apache2/sites-available folder. And that has virtual host 80 only. Should I simply add :35357?
root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
000-default.conf default-ssl.conf horizon.conf
000-default.conf default-ssl.conf horizon.conf
On Thursday, October 9, 2014 4:45 PM, Mark Kirkwood <mark.kirkwood@xxxxxxxxxxxxxxx>
wrote:
Hmm - It looks to me like you added the chunked request into Horizon
instead of Keystone. You want virtual host *:35357
On 10/10/14 12:32, lakshmi k s wrote:
> Have done this too, but in vain. I made changes to Horizon.conf as shown
> below. I had only I do not see the user being validated in radosgw log
> at all.
>
> root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
> 000-default.conf default-ssl.conf horizon.conf
>
> ----------------------------------------------------
> <VirtualHost *:80>
> WSGIScriptAlias /
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
> WSGIDaemonProcess horizon user=horizon group=horizon processes=3
> threads=10 home=/opt/stack/venvs/horizon
> python-path=/opt/stack/venvs/horizon:/opt/stack/venvs/horizon/lib/python2.7/site-packages/
> WSGIApplicationGroup %{GLOBAL}
>
> SetEnv APACHE_RUN_USER horizon
> SetEnv APACHE_RUN_GROUP horizon
> WSGIProcessGroup horizon
> WSGIChunkedRequest On
>
> DocumentRoot
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> Alias /static
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> Alias /media
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> <Directory
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static>
> Options Indexes FollowSymLinks MultiViews
> Require all granted
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
>
> <Directory
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard>
> Options Indexes FollowSymLinks MultiViews
> Require all granted
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
>
> ErrorLog /var/log/httpd/horizon_error.log
> LogLevel debug
> CustomLog /var/log/httpd/horizon_access.log combined
> </VirtualHost>
>
> WSGISocketPrefix /var/run/httpd
>
> ----------------------------------
>
>
>
>
> On Thursday, October 9, 2014 3:51 PM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> No, I don't have any explicit ssl enabled in the rgw site.
>
> Now you might be running into http://tracker.ceph.com/issues/7796
> <http://tracker.ceph.com/issues/7796>. So
> check if you have enabled
>
> WSGIChunkedRequest On
>
> In your keystone virtualhost setup (explained in the issue).
>
> Cheers
>
> Mark
>
>
> On 10/10/14 11:03, lakshmi k s wrote:
> > Right, I have these certs on both nodes - keystone node and rgw gateway
> > node. Not sure where I am going wrong. And what about SSL? Should the
> > following be in rgw.conf in gateway node? I am not using this as it was
> > optional.
> >
> > SSLEngine on
> > SSLCertificateFile /etc/apache2/ssl/apache.crt
> > SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> > SetEnv SERVER_PORT_SECURE 443
> >
> >
> >
> >
> >
> > On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood
> > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>> wrote:
> >
> >
> > Almost - the converted certs need to be saved on your *rgw* host in
> > nss_db_path (default is /var/ceph/nss but wherever you have it
> > configured should be ok). Then restart the gateway.
> >
> > What is happening is the the rgw needs these certs to speak with
> > encryption to the keystone server (the latter does not need anything
> > changed, as it is already using encryption).
> >
> > Regards
> >
> > Mark
> >
> > On 10/10/14 08:31, lakshmi k s wrote:
> > > Thanks Mark. I got past this error being root. So essentially, I
> copied
> > > the certs from openstack controller node to gateway node. Did the
> > > conversion using certutil and copied the files back to controller node
> > > under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
> > > doc says /var/ceph/nss though.
> > >
> > > But after this, I tried to use curl GET command, but in vain.Same old
> > > 401 - Authorization failure.
> > >
> > > curl -i -X GET
> > > http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc
> > <http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc>-H
> > > "X-Auth-
> > > Token: a510edb22f074946940cd4c07aafcd9d"
> > >
> > > HTTP/1.1 401 Unauthorized
> > > Date: Thu, 09 Oct 2014 19:17:31 GMT
> > > Server: Apache/2.4.7 (Ubuntu)
> > > Accept-Ranges: bytes
> > > Content-Length: 12
> > > Content-Type: text/plain; charset=utf-8
> > > AccessDeniedroot
> > >
> > > Not much difference in radosgw logs too. Note that the token used
> above
> > > is same one in ceph.conf file too. Please help.
> > >
> > > [client.radosgw.gateway]
> > > rgw keystone url = "" shape="rect" href="http://192.0.8.2:5000/" target="_blank" class="" style="">http://192.0.8.2:5000
> <http://192.0.8.2:5000/><http://192.0.8.2:5000/>
> > > rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
> > > rgw keystone accepted roles = admim Member _member_ swiftoperator
> > > rgw keystone token cache size = 500
> > > rgw keystone revocation interval = 500
> > > rgw s3 auth use keystone = false
> > > nss db path = /var/lib/ceph/nss
> > > debug rgw = 20
> > > host = gateway
> > > keyring = /etc/ceph/ceph.client.radosgw.keyring
> > > rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> > > log file = /var/log/ceph/client.radosgw.gateway.log
> > > rgw dns name = gateway
> > >
> > >
> > >
> > >
> > >
> > > On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
> > > <mark.kirkwood@xxxxxxxxxxxxxxx <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>> wrote:
> > >
> > >
> > > I ran into this - needed to actually be root via sudo -i or similar,
> > > *then* it worked. Unhelpful error message is I think referring to no
> > > intialized db.
> > >
> > > On 09/10/14 16:36, lakshmi k s wrote:
> > > > Good workaround. But it did not work. Not sure what this error
> is all
> > > > about now.
> > > >
> > > > gateway@gateway <mailto:gateway@gateway>
> <mailto:gateway@gateway <mailto:gateway@gateway>>
> <mailto:gateway@gateway <mailto:gateway@gateway>
> > <mailto:gateway@gateway <mailto:gateway@gateway>>>:~$ openssl x509 -in
> > > /home/gateway/ca.pem -pubkey |
> > > > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
> > > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > > > certificate/key database is in an old, unsupported format.
> > > >
> > > >
> > > >
> > > > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
> > > > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>> wrote:
> > > >
> > > >
> > > > As a workaround check if your rgw host has openssl and certutil
> > > > installed, if so you can copy the relevant unconverted certs over
> > to it
> > > > and convert 'em there.
> > > >
> > > > On 09/10/14 15:07, lakshmi k s wrote:
> > > > > Tried aptitude as well, but no luck.
> > > > >
> > > > > Ceph users, have you tried to install libnss3-tools or certutil
> > > tool on
> > > > > debian/ubuntu? If so, how did you go about this problem.
> > > > >
> > > > >
> > > > > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
> > > > > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>
> > > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> >
> > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>>> wrote:
> > >
> > > > >
> > > > >
> > > > > Ok, so that is the thing to get sorted. I'd suggest posting the
> > > error(s)
> > > > > you are getting perhaps here (someone else might know), but
> > definitely
> > > > > to one of the Debian specific lists.
> > > > >
> > > > > In the meantime perhaps try installing the packages with
> aptitude
> > > rather
> > > > > than apt-get - if there is some fancy footwork required it is
> > fairly
> > > > > smart about what needs to be done.
> > > > >
> > > > > Cheers
> > > > >
> > > > > Mark
> > > > >
> > > > > On 09/10/14 14:38, lakshmi k s wrote:
> > > > > > Thanks Mark. I have been trying to install this on controller
> > > > node. But
> > > > > > for some reason, I am unable to install certutil or
> > > libnss3-tools on
> > > > > > debian. I am not sure how to proceed.
> > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
instead of Keystone. You want virtual host *:35357
On 10/10/14 12:32, lakshmi k s wrote:
> Have done this too, but in vain. I made changes to Horizon.conf as shown
> below. I had only I do not see the user being validated in radosgw log
> at all.
>
> root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
> 000-default.conf default-ssl.conf horizon.conf
>
> ----------------------------------------------------
> <VirtualHost *:80>
> WSGIScriptAlias /
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
> WSGIDaemonProcess horizon user=horizon group=horizon processes=3
> threads=10 home=/opt/stack/venvs/horizon
> python-path=/opt/stack/venvs/horizon:/opt/stack/venvs/horizon/lib/python2.7/site-packages/
> WSGIApplicationGroup %{GLOBAL}
>
> SetEnv APACHE_RUN_USER horizon
> SetEnv APACHE_RUN_GROUP horizon
> WSGIProcessGroup horizon
> WSGIChunkedRequest On
>
> DocumentRoot
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> Alias /static
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> Alias /media
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
>
> <Directory
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static>
> Options Indexes FollowSymLinks MultiViews
> Require all granted
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
>
> <Directory
> /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard>
> Options Indexes FollowSymLinks MultiViews
> Require all granted
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
>
> ErrorLog /var/log/httpd/horizon_error.log
> LogLevel debug
> CustomLog /var/log/httpd/horizon_access.log combined
> </VirtualHost>
>
> WSGISocketPrefix /var/run/httpd
>
> ----------------------------------
>
>
>
>
> On Thursday, October 9, 2014 3:51 PM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> No, I don't have any explicit ssl enabled in the rgw site.
>
> Now you might be running into http://tracker.ceph.com/issues/7796
> <http://tracker.ceph.com/issues/7796>. So
> check if you have enabled
>
> WSGIChunkedRequest On
>
> In your keystone virtualhost setup (explained in the issue).
>
> Cheers
>
> Mark
>
>
> On 10/10/14 11:03, lakshmi k s wrote:
> > Right, I have these certs on both nodes - keystone node and rgw gateway
> > node. Not sure where I am going wrong. And what about SSL? Should the
> > following be in rgw.conf in gateway node? I am not using this as it was
> > optional.
> >
> > SSLEngine on
> > SSLCertificateFile /etc/apache2/ssl/apache.crt
> > SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> > SetEnv SERVER_PORT_SECURE 443
> >
> >
> >
> >
> >
> > On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood
> > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>> wrote:
> >
> >
> > Almost - the converted certs need to be saved on your *rgw* host in
> > nss_db_path (default is /var/ceph/nss but wherever you have it
> > configured should be ok). Then restart the gateway.
> >
> > What is happening is the the rgw needs these certs to speak with
> > encryption to the keystone server (the latter does not need anything
> > changed, as it is already using encryption).
> >
> > Regards
> >
> > Mark
> >
> > On 10/10/14 08:31, lakshmi k s wrote:
> > > Thanks Mark. I got past this error being root. So essentially, I
> copied
> > > the certs from openstack controller node to gateway node. Did the
> > > conversion using certutil and copied the files back to controller node
> > > under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
> > > doc says /var/ceph/nss though.
> > >
> > > But after this, I tried to use curl GET command, but in vain.Same old
> > > 401 - Authorization failure.
> > >
> > > curl -i -X GET
> > > http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc
> > <http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc>-H
> > > "X-Auth-
> > > Token: a510edb22f074946940cd4c07aafcd9d"
> > >
> > > HTTP/1.1 401 Unauthorized
> > > Date: Thu, 09 Oct 2014 19:17:31 GMT
> > > Server: Apache/2.4.7 (Ubuntu)
> > > Accept-Ranges: bytes
> > > Content-Length: 12
> > > Content-Type: text/plain; charset=utf-8
> > > AccessDeniedroot
> > >
> > > Not much difference in radosgw logs too. Note that the token used
> above
> > > is same one in ceph.conf file too. Please help.
> > >
> > > [client.radosgw.gateway]
> > > rgw keystone url = "" shape="rect" href="http://192.0.8.2:5000/" target="_blank" class="" style="">http://192.0.8.2:5000
> <http://192.0.8.2:5000/><http://192.0.8.2:5000/>
> > > rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
> > > rgw keystone accepted roles = admim Member _member_ swiftoperator
> > > rgw keystone token cache size = 500
> > > rgw keystone revocation interval = 500
> > > rgw s3 auth use keystone = false
> > > nss db path = /var/lib/ceph/nss
> > > debug rgw = 20
> > > host = gateway
> > > keyring = /etc/ceph/ceph.client.radosgw.keyring
> > > rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> > > log file = /var/log/ceph/client.radosgw.gateway.log
> > > rgw dns name = gateway
> > >
> > >
> > >
> > >
> > >
> > > On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
> > > <mark.kirkwood@xxxxxxxxxxxxxxx <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>> wrote:
> > >
> > >
> > > I ran into this - needed to actually be root via sudo -i or similar,
> > > *then* it worked. Unhelpful error message is I think referring to no
> > > intialized db.
> > >
> > > On 09/10/14 16:36, lakshmi k s wrote:
> > > > Good workaround. But it did not work. Not sure what this error
> is all
> > > > about now.
> > > >
> > > > gateway@gateway <mailto:gateway@gateway>
> <mailto:gateway@gateway <mailto:gateway@gateway>>
> <mailto:gateway@gateway <mailto:gateway@gateway>
> > <mailto:gateway@gateway <mailto:gateway@gateway>>>:~$ openssl x509 -in
> > > /home/gateway/ca.pem -pubkey |
> > > > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
> > > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > > > certificate/key database is in an old, unsupported format.
> > > >
> > > >
> > > >
> > > > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
> > > > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>> wrote:
> > > >
> > > >
> > > > As a workaround check if your rgw host has openssl and certutil
> > > > installed, if so you can copy the relevant unconverted certs over
> > to it
> > > > and convert 'em there.
> > > >
> > > > On 09/10/14 15:07, lakshmi k s wrote:
> > > > > Tried aptitude as well, but no luck.
> > > > >
> > > > > Ceph users, have you tried to install libnss3-tools or certutil
> > > tool on
> > > > > debian/ubuntu? If so, how did you go about this problem.
> > > > >
> > > > >
> > > > > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
> > > > > <mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>
> > > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>
> >
> > > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>
> > <mailto:mark.kirkwood@xxxxxxxxxxxxxxx
> <mailto:mark.kirkwood@xxxxxxxxxxxxxxx>>>>> wrote:
> > >
> > > > >
> > > > >
> > > > > Ok, so that is the thing to get sorted. I'd suggest posting the
> > > error(s)
> > > > > you are getting perhaps here (someone else might know), but
> > definitely
> > > > > to one of the Debian specific lists.
> > > > >
> > > > > In the meantime perhaps try installing the packages with
> aptitude
> > > rather
> > > > > than apt-get - if there is some fancy footwork required it is
> > fairly
> > > > > smart about what needs to be done.
> > > > >
> > > > > Cheers
> > > > >
> > > > > Mark
> > > > >
> > > > > On 09/10/14 14:38, lakshmi k s wrote:
> > > > > > Thanks Mark. I have been trying to install this on controller
> > > > node. But
> > > > > > for some reason, I am unable to install certutil or
> > > libnss3-tools on
> > > > > > debian. I am not sure how to proceed.
> > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>
>
>
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com