With latest HA build, I found keystone_modwsgi.conf in /etc/apache2/sites-available and added the chunking like below. We have many controller nodes, but single virtual IP - 192.0.2.21 for which keystone is configured. I have verified keystone setup by executing other services like nova list, cinder list, etc. They work fine. It is swift pointing to ceph object gateway that is not working.
Listen 192.0.2.24:35357
Listen 192.0.2.24:5000
<VirtualHost *:35357>
WSGIScriptAlias / /etc/keystone/admin
WSGIDaemonProcess keystoneadmin user=keystone group=keystone processes=2 threads=1 home=/opt/stack/venvs/openstack python-path=/opt/stack/venvs/openstack:/opt/stack/venvs/openstack/lib/python2.7/site-packages/
WSGIApplicationGroup keystoneadmin
WSGIProcessGroup keystoneadmin
<Directory /etc/keystone>
Options FollowSymLinks
Require all granted
WSGIChunkedRequest On
</Directory>
ErrorLog /var/log/keystone/keystone_modwsgi.log
LogLevel info
CustomLog /var/log/keystone/keystone_apache_access.log combined
</VirtualHost>
<VirtualHost *:5000>
WSGIScriptAlias / /etc/keystone/main
WSGIDaemonProcess keystonemain user=keystone group=keystone processes=2 threads=1 home=/opt/stack/venvs/openstack python-path=/opt/stack/venvs/openstack:/opt/stack/venvs/openstack/lib/python2.7/site-packages/
WSGIApplicationGroup keystonemain
WSGIProcessGroup keystonemain
<Directory /etc/keystone>
Options FollowSymLinks
WSGIChunkedRequest On
Require all granted
</Directory>
ErrorLog /var/log/keystone/keystone_modwsgi.log
LogLevel info
CustomLog /var/log/keystone/keystone_apache_access.log combined
</VirtualHost>
root@overcloud-ce-controller-controllermgmt0-pc23jdstfxy5:~# keystone service-list
+----------------------------------+----------+---------------+---------------------------+
| id | name | type | description |
+----------------------------------+----------+---------------+---------------------------+
| 642251f08a93444da1aa457c2a0ae9f3 | cinder | volume | Cinder Volume Service |
| c909ea43c9244f7c8296e870986c5fc1 | glance | image | Glance Image Service |
| bf80fcba3aec45a6988262b31b7ae12a | heat | orchestration | Heat Service |
| 3a1cf21dd3974313ba833e807b3ff997 | keystone | identity | Keystone Identity Service |
| 8abff3ea4bba41f4b9cc9a77a29191fe | neutron | network | Neutron Service |
| d87e2f24576a459495f1e08439bae238 | nova | compute | Nova Compute Service |
| 77434bc194a3495793b5b4c943248e16 | swift | object-store | |
+----------------------------------+----------+---------------+---------------------------+
root@overcloud-ce-controller-controllermgmt0-pc23jdstfxy5:~# keystone endpoint-list
+----------------------------------+-----------+---------------------------------------------------+---------------------------------------------------+-----------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+---------------------------------------------------+---------------------------------------------------+-----------------------------------------+----------------------------------+
| 09159f243eb6457581e01af56e32bf18 | regionOne | http://192.0.2.21:8774/v3 | http://192.0.2.21:8774/v3 | http://192.0.2.21:8774/v3 | 9b431dae0ff642629ae8f5bfd006e578 |
| 0dda582955934dc0af898ec3db2c5fbc | regionOne | http://192.0.2.21:8776/v1/%(tenant_id)s | http://192.0.2.21:8776/v1/%(tenant_id)s | http://192.0.2.21:8776/v1/%(tenant_id)s | 642251f08a93444da1aa457c2a0ae9f3 |
| 2ccd8523954c4491b08b648cfd42ae6c | regionOne | http://gateway.ex.com/swift/v1/AUTH_%(tenant_id)s | http://gateway.ex.com/swift/v1/AUTH_%(tenant_id)s | http://gateway.ex.com/swift/v1 | 77434bc194a3495793b5b4c943248e16 |
| 30ca33f2f84242c2a6ad8a91446d265b | regionOne | http://192.0.2.21:8773/services/Cloud | http://192.0.2.21:8773/services/Cloud | http://192.0.2.21:8773/services/Admin | 389b4dec8c9c479dbf46622c22da12d1 |
| 9caad71ea7144f4283509cb60faff864 | regionOne | http://192.0.2.21:8774/v2/$(tenant_id)s | http://192.0.2.21:8774/v2/$(tenant_id)s | http://192.0.2.21:8774/v2/$(tenant_id)s | d87e2f24576a459495f1e08439bae238 |
| d3a87ad4fd1c4626a499f0491cfb054a | regionOne | http://192.0.2.21:9292/ | http://192.0.2.21:9292/ | http://192.0.2.21:9292/ | c909ea43c9244f7c8296e870986c5fc1 |
| e10b562bb4b646c8a90b6a4255d7efd7 | regionOne | http://192.0.2.21:21131/v1 | http://192.0.2.21:21131/v1 | http://192.0.2.21:21131/v1 | 296f0ce272834f70af9fc6f36924c89a |
| f898c1e25d76471c8a28147e2ddfa52e | regionOne | http://192.0.2.21:8004/v1/%(tenant_id)s | http://192.0.2.21:8004/v1/%(tenant_id)s | http://192.0.2.21:8004/v1/%(tenant_id)s | bf80fcba3aec45a6988262b31b7ae12a |
| fbbc102593394c1fb7da4160dbc28f5b | regionOne | http://192.0.2.21:9696/ | http://192.0.2.21:9696/ | http://192.0.2.21:9696/ | 8abff3ea4bba41f4b9cc9a77a29191fe |
| fc8e024afc9b43308a5cf8323be76ba5 | regionOne | http://192.0.2.21:5000/v2.0 | http://192.0.2.21:5000/v2.0 | http://192.0.2.21:35357/v2.0 | 3a1cf21dd3974313ba833e807b3ff997 |
+----------------------------------+-----------+-----------------------------
ceph.conf
[global]
fsid = b35e8496-e809-416a-bd66-aba761d78fac
mon_initial_members = node1
mon_host = 192.0.2.211
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
filestore_xattr_use_omap = true
[client.admin]
keyring = /etc/ceph/ceph.client.admin.keyring
[client.radosgw.gateway]
rgw keystone url =
rgw keystone admin token = 337b8816f019a04396a2e00e65e6c30ea96ba59b
rgw keystone accepted roles = admim _member_ swiftoperator
rgw keystone token cache size = 500
rgw keystone revocation interval = 500
rgw s3 auth use keystone = false
nss db path = /var/lib/ceph/nss
debug rgw = 20
host = gateway
keyring = /etc/ceph/ceph.client.radosgw.keyring
rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
log file = /var/log/ceph/client.radosgw.gateway.log
rgw dns name = gateway
>
> On Friday, October 10, 2014 9:20 AM, lakshmi k s <lux_ks@xxxxxxxxx> wrote:
>
>
> Mark, I am going nowhere with this. I am going to try with latest
> OpenStack build (build internal to my company) that has HA support. I
> will keep you posted.
>
>
> On Thursday, October 9, 2014 10:46 PM, Mark Kirkwood
> <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
>
>
> Oh, I see. That complicates it a wee bit (looks back at your messages).
> I see you have:
>
> rgw_keystone_url = http://192.0.8.2:5000
>
> So you'll need to amend/create etc a
>
> <Virtualhost *:5000>
>
> and put it in there. I suspect you might be better off changing your rgw
> keystone url to use port 35357 (the public one). However I think that is
> a side issue.
>
> Also just to double check - 192.0.8.2 *is* the server you are showing us
> the sites-available from?
>
> Cheers
>
> Mark
>
> On 10/10/14 12:50, lakshmi k s wrote:
> > Yes Mark, but there is no keystone.conf in this modified Openstack code.
> > There is only horizon.conf under /etc/apache2/sites-available folder.
> > And that has virtual host 80 only. Should I simply add :35357?
> >
> > root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
> > 000-default.conf default-ssl.conf horizon.conf
> >
> >
> >
> >
> > On Thursday, October 9, 2014 4:45 PM, Mark Kirkwood
> > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> >
> >
> > Hmm - It looks to me like you added the chunked request into Horizon
> > instead of Keystone. You want virtual host *:35357
> >
> >
> > On 10/10/14 12:32, lakshmi k s wrote:
> > > Have done this too, but in vain. I made changes to Horizon.conf as shown
> > > below. I had only I do not see the user being validated in radosgw log
> > > at all.
> > >
> > > root@overcloud-controller0-fjvtpqjip2hl:/etc/apache2/sites-available# ls
> > > 000-default.conf default-ssl.conf horizon.conf
> > >
> > > ----------------------------------------------------
> > > <VirtualHost *:80>
> > > WSGIScriptAlias / /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/wsgi/django.wsgi
> > > WSGIDaemonProcess horizon user=horizon group=horizon processes=3 threads=10 home=/opt/stack/venvs/horizon python-path=/opt/stack/venvs/horizon:/opt/stack/venvs/horizon/lib/python2.7/site-packages/
> > > WSGIApplicationGroup %{GLOBAL}
> > >
> > > SetEnv APACHE_RUN_USER horizon
> > > SetEnv APACHE_RUN_GROUP horizon
> > > WSGIProcessGroup horizon
> > > WSGIChunkedRequest On
> > >
> > > DocumentRoot /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> > > Alias /static /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> > > Alias /media /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static
> > >
> > > <Directory />
> > > Options FollowSymLinks
> > > AllowOverride None
> > > </Directory>
> > >
> > > <Directory /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard/static>
> > > Options Indexes FollowSymLinks MultiViews
> > > Require all granted
> > > AllowOverride None
> > > Order allow,deny
> > > allow from all
> > > </Directory>
> > >
> > > <Directory /opt/stack/venvs/horizon/lib/python2.7/site-packages/openstack_dashboard>
> > > Options Indexes FollowSymLinks MultiViews
> > > Require all granted
> > > AllowOverride None
> > > Order allow,deny
> > > allow from all
> > > </Directory>
> > >
> > > ErrorLog /var/log/httpd/horizon_error.log
> > > LogLevel debug
> > > CustomLog /var/log/httpd/horizon_access.log combined
> > > </VirtualHost>
> > >
> > > WSGISocketPrefix /var/run/httpd
> > >
> > > ----------------------------------
> > >
> > >
> > >
> > >
> > > On Thursday, October 9, 2014 3:51 PM, Mark Kirkwood
> > > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> > >
> > >
> > > No, I don't have any explicit ssl enabled in the rgw site.
> > >
> > > Now you might be running into http://tracker.ceph.com/issues/7796. So
> > > check if you have enabled
> > >
> > > WSGIChunkedRequest On
> > >
> > > In your keystone virtualhost setup (explained in the issue).
> > >
> > > Cheers
> > >
> > > Mark
> > >
> > >
> > > On 10/10/14 11:03, lakshmi k s wrote:
> > > > Right, I have these certs on both nodes - keystone node and rgw gateway
> > > > node. Not sure where I am going wrong. And what about SSL? Should the
> > > > following be in rgw.conf in gateway node? I am not using this as it was
> > > > optional.
> > > >
> > > > SSLEngine on
> > > > SSLCertificateFile /etc/apache2/ssl/apache.crt
> > > > SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> > > > SetEnv SERVER_PORT_SECURE 443
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On Thursday, October 9, 2014 2:48 PM, Mark Kirkwood
> > > > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> > > >
> > > >
> > > > Almost - the converted certs need to be saved on your *rgw* host in
> > > > nss_db_path (default is /var/ceph/nss but wherever you have it
> > > > configured should be ok). Then restart the gateway.
> > > >
> > > > What is happening is the rgw needs these certs to speak with
> > > > encryption to the keystone server (the latter does not need anything
> > > > changed, as it is already using encryption).
> > > >
> > > > Regards
> > > >
> > > > Mark
> > > >
> > > > On 10/10/14 08:31, lakshmi k s wrote:
> > > > > Thanks Mark. I got past this error being root. So essentially, I copied
> > > > > the certs from openstack controller node to gateway node. Did the
> > > > > conversion using certutil and copied the files back to controller node
> > > > > under /var/lib/ceph/nss directory. Is this the correct directory? Ceph
> > > > > doc says /var/ceph/nss though.
> > > > >
> > > > > But after this, I tried to use curl GET command, but in vain. Same old
> > > > > 401 - Authorization failure.
> > > > >
> > > > > curl -i -X GET http://gateway.ex.com/swift/v1/AUTH_bad9e2232b304f89acb03436635b80cc -H "X-Auth-Token: a510edb22f074946940cd4c07aafcd9d"
> > > > >
> > > > > HTTP/1.1 401 Unauthorized
> > > > > Date: Thu, 09 Oct 2014 19:17:31 GMT
> > > > > Server: Apache/2.4.7 (Ubuntu)
> > > > > Accept-Ranges: bytes
> > > > > Content-Length: 12
> > > > > Content-Type: text/plain; charset=utf-8
> > > > > AccessDeniedroot
> > > > >
> > > > > Not much difference in radosgw logs too. Note that the token used above
> > > > > is same one in ceph.conf file too. Please help.
> > > > >
> > > > > [client.radosgw.gateway]
> > > > > rgw keystone url = http://192.0.8.2:5000
> > > > > rgw keystone admin token = a510edb22f074946940cd4c07aafcd9d
> > > > > rgw keystone accepted roles = admim Member _member_ swiftoperator
> > > > > rgw keystone token cache size = 500
> > > > > rgw keystone revocation interval = 500
> > > > > rgw s3 auth use keystone = false
> > > > > nss db path = /var/lib/ceph/nss
> > > > > debug rgw = 20
> > > > > host = gateway
> > > > > keyring = /etc/ceph/ceph.client.radosgw.keyring
> > > > > rgw socket path = /var/run/ceph/ceph.radosgw.gateway.fastcgi.sock
> > > > > log file = /var/log/ceph/client.radosgw.gateway.log
> > > > > rgw dns name = gateway
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Thursday, October 9, 2014 1:15 AM, Mark Kirkwood
> > > > > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> > > > >
> > > > >
> > > > > I ran into this - needed to actually be root via sudo -i or similar,
> > > > > *then* it worked. Unhelpful error message is I think referring to no
> > > > > initialized db.
> > > > >
> > > > > On 09/10/14 16:36, lakshmi k s wrote:
> > > > > > Good workaround. But it did not work. Not sure what this error is all
> > > > > > about now.
> > > > > >
> > > > > > gateway@gateway:~$ openssl x509 -in /home/gateway/ca.pem -pubkey |
> > > > > > certutil -d /var/lib/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
> > > > > > certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
> > > > > > certificate/key database is in an old, unsupported format.
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Wednesday, October 8, 2014 7:55 PM, Mark Kirkwood
> > > > > > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> > > > > >
> > > > > >
> > > > > > As a workaround check if your rgw host has openssl and certutil
> > > > > > installed, if so you can copy the relevant unconverted certs over to it
> > > > > > and convert 'em there.
> > > > > >
> > > > > > On 09/10/14 15:07, lakshmi k s wrote:
> > > > > > > Tried aptitude as well, but no luck.
> > > > > > >
> > > > > > > Ceph users, have you tried to install libnss3-tools or certutil tool on
> > > > > > > debian/ubuntu? If so, how did you go about this problem.
> > > > > > >
> > > > > > >
> > > > > > > On Wednesday, October 8, 2014 7:01 PM, Mark Kirkwood
> > > > > > > <mark.kirkwood@xxxxxxxxxxxxxxx> wrote:
> > > > > > >
> > > > > > >
> > > > > > > Ok, so that is the thing to get sorted. I'd suggest posting the error(s)
> > > > > > > you are getting perhaps here (someone else might know), but definitely
> > > > > > > to one of the Debian specific lists.
> > > > > > >
> > > > > > > In the meantime perhaps try installing the packages with aptitude rather
> > > > > > > than apt-get - if there is some fancy footwork required it is fairly
> > > > > > > smart about what needs to be done.
> > > > > > >
> > > > > > > Cheers
> > > > > > >
> > > > > > > Mark
> > > > > > >
> > > > > > > On 09/10/14 14:38, lakshmi k s wrote:
> > > > > > > > Thanks Mark. I have been trying to install this on controller node. But
> > > > > > > > for some reason, I am unable to install certutil or libnss3-tools on
> > > > > > > > debian. I am not sure how to proceed.
_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
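
The check discussed in the thread (is `WSGIChunkedRequest On` set in the VirtualHost that `rgw keystone url` actually points at, rather than in Horizon's), written out as an added example that is not part of the original messages. The function names are hypothetical, the sample configurations are constructed by trimming the ones quoted above, and the Apache files are assumed to come from the host the URL names.

```python
import re
from urllib.parse import urlsplit

# Anchored at line start so commented-out directives are ignored.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
CHUNKED = re.compile(r"^\s*WSGIChunkedRequest\s+(\S+)", re.I)


def vhost_chunking(apache_conf):
    """Return {port: bool}: does the VirtualHost on that port set WSGIChunkedRequest On?"""
    result, ports = {}, []
    for line in apache_conf.splitlines():
        opened = VHOST_OPEN.match(line)
        if opened:
            # A VirtualHost may list several addr:port pairs; record each port.
            ports = [int(a.rsplit(":", 1)[-1]) for a in opened.group(1).split()
                     if a.rsplit(":", 1)[-1].isdigit()]
            for port in ports:
                result.setdefault(port, False)
        elif VHOST_CLOSE.match(line):
            ports = []
        else:
            directive = CHUNKED.match(line)
            if directive:
                # Applies whether the directive sits in the vhost or a nested <Directory>.
                for port in ports:
                    result[port] = directive.group(1).lower() == "on"
    return result


def rgw_keystone_port(ceph_conf, section="client.radosgw.gateway"):
    """Port of 'rgw keystone url' in the gateway section, or None if unset."""
    current = None
    for line in ceph_conf.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # ceph.conf accepts both "rgw keystone url" and "rgw_keystone_url".
            if key.replace("_", " ") == "rgw keystone url":
                url = urlsplit(value)
                return url.port or (443 if url.scheme == "https" else 80)
    return None


def check_rgw_keystone_chunking(site_files, ceph_conf):
    """site_files maps file name to Apache config text. Returns (status, detail)."""
    port = rgw_keystone_port(ceph_conf)
    if port is None:
        return ("no-keystone-url", "rgw keystone url is not set")
    for name, text in site_files.items():
        state = vhost_chunking(text)
        if port in state:
            status = "ok" if state[port] else "chunking-off"
            return (status, f"{name}: VirtualHost on port {port}")
    elsewhere = sorted(p for text in site_files.values()
                       for p, on in vhost_chunking(text).items() if on)
    return ("missing-vhost", f"no VirtualHost on port {port}; directive is On for {elsewhere}")


# Constructed samples, trimmed from the configurations quoted in the thread.
HORIZON_CONF = """\
<VirtualHost *:80>
    WSGIProcessGroup horizon
    WSGIChunkedRequest On
</VirtualHost>
"""
KEYSTONE_CONF = """\
<VirtualHost *:35357>
    <Directory /etc/keystone>
        WSGIChunkedRequest On
    </Directory>
</VirtualHost>
<VirtualHost *:5000>
    <Directory /etc/keystone>
        WSGIChunkedRequest On
    </Directory>
</VirtualHost>
"""
CEPH_CONF = """\
[client.radosgw.gateway]
rgw keystone url = http://192.0.8.2:5000
"""

if __name__ == "__main__":
    for files in ({"horizon.conf": HORIZON_CONF}, {"keystone_modwsgi.conf": KEYSTONE_CONF}):
        print(check_rgw_keystone_chunking(files, CEPH_CONF))
```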