0

I recently reformatted all of my openstack servers (they were on a really old version) and I installed Victoria on a fresh install of Ubuntu 20. I am starting with one controller and one compute node for simplicity, then I will add the other compute nodes.

I am installing manually using the docs here: https://docs.openstack.org/install-guide/openstack-services.html

When I am at the horizon docs: https://docs.openstack.org/horizon/victoria/install/install-ubuntu.html

and I go to verify, I see two issues:

  1. I see no option for which domain I am logging into. This used to say "Default" and when I added more I could choose them
  2. I am getting "Invalid credentials." when I login.

I know I have the correct pass. In the apache error log, I see:

[wsgi:error] [pid 1387564:tid 139949121787648] [remote 10.131.39.250:53860] INFO openstack_auth.forms Login failed for user "admin" using domain "Default", remote address 10.131.39.250.
[Fri Feb 12 15:46:29.473914 2021] [authz_core:error] [pid 1387576:tid 139947818350336] [client 10.131.39.40:42436] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

I do not see other errors, except that neutron is not working presently (I am going with option 2, and the previous openstack install was option 1). I am figuring that I should still be able to login even if neutron is broken (it keeps restarting every few moments and giving errors about VLANs, which would make sense as I have not added any VLANS yet... I guess).

Advice? I really do not see any more errors in the logs. Not sure what else to check (other than my configs, but I had a running openstack for a few years before this...)

I have read this post and response, but it did not help.

Update: when I look in the normal apache/error.log, I also see:

[Fri Feb 12 16:37:42.324305 2021] [core:notice] [pid 1387561:tid 139949150809152] AH00094: Command line: '/usr/sbin/apache2'

[Fri Feb 12 16:38:03.236892 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:03.236961 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   file.write(text)

[Fri Feb 12 16:38:03.236974 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:03.236981 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   from collections import Iterable

[Fri Feb 12 16:38:03.258459 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated since Python 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:03.258494 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:03.263775 2021] [wsgi:error] [pid 1397748:tid 139949113394944] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:03.263789 2021] [wsgi:error] [pid 1397748:tid 139949113394944]   SELECTOR_TOKENIZER = re.compile(r'''

[Fri Feb 12 16:38:04.056002 2021] [authz_core:error] [pid 1397759:tid 139948682372864] [client 10.131.39.40:44268] AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

[Fri Feb 12 16:38:04.058335 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] /usr/lib/python3.8/logging/__init__.py:1084: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:04.058355 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556]   stream.write(msg + self.terminator)

[Fri Feb 12 16:38:04.058366 2021] [wsgi:error] [pid 1397748:tid 139949113394944] [remote 10.131.39.250:54556] INFO openstack_auth.forms Login failed for user "demo" using domain "Default", remote address 10.131.39.250.

[Fri Feb 12 16:38:06.142850 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:06.142921 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   file.write(text)

[Fri Feb 12 16:38:06.142934 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:06.142940 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   from collections import Iterable

[Fri Feb 12 16:38:06.164363 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated sincePython 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:06.164384 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:06.169658 2021] [wsgi:error] [pid 1397746:tid 139949046253312] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:06.169672 2021] [wsgi:error] [pid 1397746:tid 139949046253312]   SELECTOR_TOKENIZER = re.compile(r'''

[Fri Feb 12 16:38:09.381662 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3.8/warnings.py:30: DeprecationWarning: PY_SSIZE_T_CLEAN will be required for '#' formats

[Fri Feb 12 16:38:09.381736 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   file.write(text)

[Fri Feb 12 16:38:09.381748 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/types.py:6: DeprecationWarning: Using or importing the ABCs from 'collections'instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working

[Fri Feb 12 16:38:09.381755 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   from collections import Iterable

[Fri Feb 12 16:38:09.403181 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/namespace.py:172: DeprecationWarning: inspect.getargspec() is deprecated sincePython 3.0, use inspect.signature() or inspect.getfullargspec()

[Fri Feb 12 16:38:09.403201 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   argspec = inspect.getargspec(function)

[Fri Feb 12 16:38:09.408530 2021] [wsgi:error] [pid 1397747:tid 139949088216832] /usr/lib/python3/dist-packages/scss/selector.py:26: FutureWarning: Possible nested set at position 329

[Fri Feb 12 16:38:09.408545 2021] [wsgi:error] [pid 1397747:tid 139949088216832]   SELECTOR_TOKENIZER = re.compile(r'''

I have some new info here. The default domain does come up thanks to berndbauschs comment.

I do have a keystone error in the log file, it is:

2021-02-13 06:03:46.789 1585439 WARNING keystone.server.flask.application [req-4d8bb568-3024-4506-8100-cb9ec77b21c5 - - - - -] Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.: keystone.exception.ValidationError: Expecting to find application/json in Content-Type header. The server could not comply with the request since it is either malformed or otherwise incorrect. The client is assumed to be in error.

2021-02-13 14:26:28.665 2104630 WARNING keystone.common.rbac_enforcer.enforcer [req-d557ae42-2432-46cf-a0d4-bb60a83334df 59cd620ab38b42ab82dcc93f2bc75f60 21486012e6174f69a62a2957731d6caf - default default] Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.

I can not replicate the first error from the above. Using oslopolicy-policy-generator gives python errors. I am not sure if that is supposed to work or not. I am guessing I am supposed to do it on the keystone dir... for example

oslopolicy-policy-generator --config-dir /etc/keystone
Traceback (most recent call last):
  File "/usr/bin/oslopolicy-policy-generator", line 10, in <module>
    sys.exit(generate_policy())
  File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 520, in generate_policy
    _check_for_namespace_opt(conf)
  File "/usr/lib/python3/dist-packages/oslo_policy/generator.py", line 499, in _check_for_namespace_opt
    raise cfg.RequiredOptError('namespace', 'DEFAULT')
oslo_config.cfg.RequiredOptError: <exception str() failed>

Not sure where to go from here. I see no other apache errors.

UPDATE with SOLUTION from neal_utas:

The docs for horizon at docs.openstack.org (at least for ubuntu) are incorrect. When editing /etc/openstack-dashboard/local_settings.py, the online docs are missing port 5000. The correct entry for OPENSTACK_KEYSTONE_URL is:

OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST

After making that change and then restarting (systemctl reload apache2.service) it works.

number9
  • 233
  • 2
  • 11
  • To see the domain option, you need to enable multi-domain support as a minimum: https://docs.openstack.org/horizon/victoria/configuration/settings.html#openstack-keystone-multidomain-support. For the athentication error, also check the keystone logs. – berndbausch Feb 12 '21 at 20:48
  • Are you able to use the cloud from the command line? If yes, your problem is related to the web server configuration. – berndbausch Feb 12 '21 at 20:54
  • There are no errors in keystone. When you say use the cloud from the command line, you mean perform openstack commands as the admin user? I can do that. The only webserver cfg changes I made were in the manual. Apache error appears to be when it asks /usr/bin/keystone-wsgi-public... but that confguration looks correct (e.g. like the manual). I will admit, there is no specific victoria manual for several sections, so you end up using the ussarri manual (they always seem to be behind in the docs). – number9 Feb 13 '21 at 12:49
  • FWIW - I'm fighting this exact error on victoria+ubuntu20.04: client denied by server configuration. Tokens issue from command line, web server fails all attempts. Encountered same limitations with install docs. Once note of concern is Horizon stated dependency of python 3.6 or 3.7; I'm on 3.8.5 – JPua Feb 17 '21 at 16:39
  • Interesting, I suppose backing off to Python 3.7 on Ubuntu 20 is not an option. I actually tried to install Usarri on 18 and that was a total no-go. The docs are not up to date (I have never seen Openstack docs up to date, actually), but then they closed down the openstack forums, so now we are left here... I will try to work on it more today. – number9 Feb 17 '21 at 18:38
  • Hallifrikkinluya, thank you neal_utas for the timely fix, and number9 for bringing me here via google. – JPua Feb 18 '21 at 15:11

1 Answers1

2

I am also in the same state. Fresh Install of Ubuntu 20.04 and OpenStack Victoria. Everything is working from openstack client - can start Instances, etc. Dashboard login fails with the errors described by number9.

I was able to generate the oslo policies using:

`oslopolicy-policy-generator --namespace keystone > keystone.policy.yaml`

But this hasn't fixed the dashboard authentication error.

AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public
DEBUG keystoneauth.session Request returned failure status: 403
DEBUG openstack_auth.plugin.base Forbidden (HTTP 403)

UPDATE: Including the port for KEYSTONE_URL in the file /etc/openstack_dashboard/local_settings.py fixed this for me and I can now login.

OPENSTACK_KEYSTONE_URL = "http://%s:5000/identity/v3" % OPENSTACK_HOST
neal_utas
  • 36
  • 3
  • I could not find the oslopolicy-policy-generator, it does not come up even after sourcing the admin script... Do you know what package installed the binary? – number9 Feb 18 '21 at 00:42
  • Which file did you add this to?? I see it in /etc/openstack-dashboard/local_settings.py But no where else (other than some alternatives/openstack_dashboard examples): UPDATE: I added the :5000 which was missing from my config in /etc/openstack_dashboard/local_settings.py... it is still not working, but I am now getting a different error, which is literally a "Something went wrong" screen, which is some progress. Thanks. – number9 Feb 18 '21 at 03:09
  • This answer is correct. I found out that I was missing a table in my DB... so the actual issue was the above OPENSTACK_KEYSTONE_URL in the online docs is missing the 5000 port number after %s, which was causing failure. Thank you for pointing this out. – number9 Feb 18 '21 at 13:19
  • Now I get "An error occurred authenticating. Please try again later." – user1305332 Jun 24 '22 at 00:25