Contents:
Section 1 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–1--OpenStack Charms Deployment Guide
Section 2 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–2-Install MAAS
Section 3 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–3-Install Juju
Section 4 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–4-Install openstack
Section 8 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–8--Configure OpenStack
Section 9 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–9--Network Topology
Section 11 Multi-node OpenStack Charms Deployment Guide 0.0.1.dev223–11–Access Juju Dashboard
After redeploying openstack-base70 for a long time, I did not configure it. Before the Spring Festival, I thought about the configuration, and then ran k8s on it. Unfortunately, after source openrcv3_project, something went wrong:
source openrcv3_project
echo $OS_USERNAME
admin
openstack endpoint list --interface admin
Failed to discover available identity versions when contacting https://10.0.2.81:5000/v3. Attempting to parse version from URL.
SSL exception connecting to https://10.0.2.81:5000/v3/auth/tokens: HTTPSConnectionPool(host=‘10.0.2.81’, port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,),))
Source openrc again:
source openrc
openstack endpoint list --interface admin
Could not find a suitable TLS CA certificate bundle, invalid path: /tmp/root-ca.crt
I was a little confused at first, thinking it was necessary to do TLS configuration, but there were problems with the configuration several times, and the configuration failed.
After being confused for a few days, I went to the forum to ask questions. The respondent said that I hope I will post bundle.yaml to him.
After posting, the panelist replied that your OS_CACERT=/home/ubuntu/snap/openstackclients/common/root-ca.crt, not in /tmp/root-ca.crt
At that time, I was even more confused. Didn't the documents I read say that the generated root certificate is in /tmp/root-ca.crt?
Then I looked at openrc again and found no special problems.
Suddenly I discovered how the version of openstack base has changed to openstack base#72, and the author has always deployed #70.
Later, again directly deployed bundle openstack-base # 72, in juju run-action --wait vault/leader 'generate-root-ca'
front, and will remove /root/snap/openstackclient/common/root-ca.crt /tmp/root-ca.crt, then juju run-action --wait vault /leader'generate-root-ca', I found that the root-ca.crt root certificate file was not generated in the /tmp directory, but in /root/snap/openstackclient/common/root-ca.crt, again source openrc
, smoothly Successful deployment of openstack
openstack endpoint list --interface admin
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 075e5dbf0bf94c99b1863441ce7cab42 | RegionOne | swift | object-store | True | admin | https://10.0.2.103:443/swift |
| 2a91f454e99c47bbae6959be815e4f76 | RegionOne | cinderv2 | volumev2 | True | admin | https://10.0.2.110:8776/v2/$(tenant_id)s |
| 522bdd0accc64aeba73d1ad9414765da | RegionOne | s3 | s3 | True | admin | https://10.0.2.103:443/ |
| 5763f522530145ed90513f97fd734fdd | RegionOne | glance | image | True | admin | https://10.0.2.96:9292 |
| 5dcf573397954218917df491e7f868b9 | RegionOne | keystone | identity | True | admin | https://10.0.2.101:35357/v3 |
| a17a3f32438640f68dfce72763390765 | RegionOne | neutron | network | True | admin | https://10.0.2.113:9696 |
| daaa222120dc4ed2bbc7341590a3acdb | RegionOne | placement | placement | True | admin | https://10.0.2.99:8778 |
| dfab9da33a974dc1b15228a18fac90c7 | RegionOne | cinderv3 | volumev3 | True | admin | https://10.0.2.110:8776/v3/$(tenant_id)s |
| f4b5e242719a48088df20621dea5d643 | RegionOne | nova | compute | True | admin | https://10.0.2.105:8774/v2.1 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
。
It seems that in the bundle, juju run-action --wait vault/leader 'generate-root-ca'
after execution , the generated root certificate file directory has changed.
Compare openrc:
openstack-base#70:
if [ ! -z $JUJU_MODEL ]; then
_juju_model_arg="-m $JUJU_MODEL"
fi
_keystone_major_version=$(juju status $_juju_model_arg keystone --format yaml| \
awk '/^ version:/ {print $2; exit}' | cut -f1 -d\.)
_keystone_preferred_api_version=$(juju config $_juju_model_arg keystone preferred-api-version)
_root_ca=/tmp/root-ca.crt
juju run $_juju_model_arg --unit vault/leader 'leader-get root-ca' > /tmp/root-ca.crt 2>/dev/null
if [ $_keystone_major_version -ge 13 -o \
"$_keystone_preferred_api_version" = '3' ]; then
echo Using Keystone v3 API
. $(dirname ${BASH_SOURCE[0]})/openrcv3_project
else
echo Using Keystone v2.0 API
. $(dirname ${BASH_SOURCE[0]})/openrcv2
fi
openstack-base#72:
if [ ! -z $JUJU_MODEL ]; then
_juju_model_arg="-m $JUJU_MODEL"
fi
_keystone_major_version=$(juju status $_juju_model_arg keystone --format yaml| \
awk '/^ version:/ {print $2; exit}' | cut -f1 -d\.)
_keystone_preferred_api_version=$(juju config $_juju_model_arg keystone preferred-api-version)
# The per user snap data directory is not created until first execution of snap
openstack --version 2>&1 > /dev/null || true
if [ -d ~/snap/openstackclients/common/ ]; then
# When using the openstackclients confined snap the certificate has to be
# placed in a location reachable by the clients in the snap.
_root_ca=~/snap/openstackclients/common/root-ca.crt
else
_root_ca=/tmp/root-ca.crt
fi
juju run $_juju_model_arg --unit vault/leader 'leader-get root-ca' > $_root_ca 2>/dev/null
if [ $_keystone_major_version -ge 13 -o \
"$_keystone_preferred_api_version" = '3' ]; then
echo Using Keystone v3 API
. $(dirname ${BASH_SOURCE[0]})/openrcv3_project
else
echo Using Keystone v2.0 API
. $(dirname ${BASH_SOURCE[0]})/openrcv2
fi
It seems source openrc
to use /tmp/root-ca.crt when setting environment variables, but when executing bundle openstack-base, the generated root certificate is in the /root/snap/openstackclient/common/root-ca.crt directory , So the source fails.