keystone can't be connected outside localhost

Asked by li,chen on 2013-05-10

I have a new installed keystone with version G.

I can successfully run command :
keystone --token ADMIN --endpoint http://localhost:35357/v2.0 user-list

But, when I change "localhost" to the physical machine's IP address, the command stalled.
I add debug to run the command, it stops at:
keystone --debug --token ADMIN --endpoint http://192.168.11.11:35357/v2.0 user-list
REQ: curl -i http://192.168.11.11:35357/v2.0/users -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ADMIN"

Anyone know why ?

Thanks.
-chen

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Identity (keystone) Edit question
Assignee:
No assignee Edit question
Solved by:
li,chen
Solved:
2013-05-10
Last query:
2013-05-10
Last reply:
xingzhou (xingzhou) said : #1

is that possible to paste your keystone.conf and log here? not sure if you can ping this physical ip

li,chen (chen-li) said : #2

I'm sure the IP is correct.

I only edit the sql connection part in keystone.conf.
All other things are default.

And, no log in keystone.
I guess the request stalled at :
REQ: curl -i http://192.168.11.11:35357/v2.0/users -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ADMIN"
Looks like keystone never received the request.

Keystone should working fine:
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
......
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN
......
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN

IPtables is configured correct, I think:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:35357
ACCEPT tcp -- anywhere anywhere tcp dpt:5000
......

xingzhou (xingzhou) said : #3

is there any bind_host attribute set in the config file, or you may try to set bind_host=192.168.11.11?

li,chen (chen-li) said : #4

Keystone log start :

2013-05-10 09:49:31 DEBUG [keystone-all] ********************************************************************************
2013-05-10 09:49:31 DEBUG [keystone-all] Configuration options gathered from:
2013-05-10 09:49:31 DEBUG [keystone-all] command line args: []
2013-05-10 09:49:31 DEBUG [keystone-all] config files: ['/etc/keystone/keystone.conf']
2013-05-10 09:49:31 DEBUG [keystone-all] ================================================================================
2013-05-10 09:49:31 DEBUG [keystone-all] admin_endpoint = http://localhost:%(admin_port)d/
2013-05-10 09:49:31 DEBUG [keystone-all] admin_port = 35357
2013-05-10 09:49:31 DEBUG [keystone-all] admin_token = ADMIN
2013-05-10 09:49:31 DEBUG [keystone-all] auth_admin_prefix =
2013-05-10 09:49:31 DEBUG [keystone-all] bind_host = 0.0.0.0
2013-05-10 09:49:31 DEBUG [keystone-all] compute_port = 8774
2013-05-10 09:49:31 DEBUG [keystone-all] config_dir = None
2013-05-10 09:49:31 DEBUG [keystone-all] config_file = ['/etc/keystone/keystone.conf']
2013-05-10 09:49:31 DEBUG [keystone-all] crypt_strength = 40000
2013-05-10 09:49:31 DEBUG [keystone-all] debug = True
2013-05-10 09:49:31 DEBUG [keystone-all] log_config = None
2013-05-10 09:49:31 DEBUG [keystone-all] log_date_format = %Y-%m-%d %H:%M:%S
2013-05-10 09:49:31 DEBUG [keystone-all] log_dir = /var/log/keystone
2013-05-10 09:49:31 DEBUG [keystone-all] log_file = keystone.log
2013-05-10 09:49:31 DEBUG [keystone-all] log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
2013-05-10 09:49:31 DEBUG [keystone-all] max_param_size = 64
2013-05-10 09:49:31 DEBUG [keystone-all] max_request_body_size = 114688
2013-05-10 09:49:31 DEBUG [keystone-all] max_token_size = 8192
2013-05-10 09:49:31 DEBUG [keystone-all] member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
2013-05-10 09:49:31 DEBUG [keystone-all] member_role_name = _member_
2013-05-10 09:49:31 DEBUG [keystone-all] onready = None
2013-05-10 09:49:31 DEBUG [keystone-all] policy_default_rule = None
2013-05-10 09:49:31 DEBUG [keystone-all] policy_file = policy.json
2013-05-10 09:49:31 DEBUG [keystone-all] public_endpoint = http://localhost:%(public_port)d/
2013-05-10 09:49:31 DEBUG [keystone-all] public_port = 5000
2013-05-10 09:49:31 DEBUG [keystone-all] pydev_debug_host = None
2013-05-10 09:49:31 DEBUG [keystone-all] pydev_debug_port = None
2013-05-10 09:49:31 DEBUG [keystone-all] standard_threads = False
2013-05-10 09:49:31 DEBUG [keystone-all] syslog_log_facility = LOG_USER
2013-05-10 09:49:31 DEBUG [keystone-all] use_syslog = False
2013-05-10 09:49:31 DEBUG [keystone-all] verbose = True
2013-05-10 09:49:31 DEBUG [keystone-all] signing.ca_certs = /etc/keystone/ssl/certs/ca.pem
2013-05-10 09:49:31 DEBUG [keystone-all] signing.ca_password = None
2013-05-10 09:49:31 DEBUG [keystone-all] signing.certfile = /etc/keystone/ssl/certs/signing_cert.pem
2013-05-10 09:49:31 DEBUG [keystone-all] signing.key_size = 1024
2013-05-10 09:49:31 DEBUG [keystone-all] signing.keyfile = /etc/keystone/ssl/private/signing_key.pem
2013-05-10 09:49:31 DEBUG [keystone-all] signing.token_format = PKI
2013-05-10 09:49:31 DEBUG [keystone-all] signing.valid_days = 3650
2013-05-10 09:49:31 DEBUG [keystone-all] stats.driver = keystone.contrib.stats.backends.kvs.Stats
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.alias_dereferencing = default
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.allow_subtree_delete = False
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_allow_create = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_allow_delete = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_allow_update = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_attribute_ignore =
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_desc_attribute = description
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_enabled_attribute = enabled
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_enabled_emulation = False
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_enabled_emulation_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_filter = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_id_attribute = cn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_member_attribute = member
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_name_attribute = ou
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_objectclass = groupOfNames
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.domain_tree_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.dumb_member = cn=dumb,dc=nonexistent
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_allow_create = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_allow_delete = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_allow_update = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_attribute_ignore =
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_desc_attribute = description
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_domain_id_attribute = businessCategory
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_filter = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_id_attribute = cn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_member_attribute = member
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_name_attribute = ou
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_objectclass = groupOfNames
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.group_tree_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.page_size = 0
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.password = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.query_scope = one
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_allow_create = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_allow_delete = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_allow_update = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_attribute_ignore =
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_filter = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_id_attribute = cn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_member_attribute = roleOccupant
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_name_attribute = ou
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_objectclass = organizationalRole
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.role_tree_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.suffix = cn=example,cn=com
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_allow_create = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_allow_delete = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_allow_update = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_attribute_ignore =
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_desc_attribute = description
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_domain_id_attribute = businessCategory
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_enabled_attribute = enabled
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_enabled_emulation = False
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_enabled_emulation_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_filter = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_id_attribute = cn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_member_attribute = member
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_name_attribute = ou
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_objectclass = groupOfNames
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.tenant_tree_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.url = ldap://localhost
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.use_dumb_member = False
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_allow_create = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_allow_delete = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_allow_update = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_attribute_ignore = tenant_id,tenants
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_domain_id_attribute = businessCategory
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_enabled_attribute = enabled
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_enabled_default = True
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_enabled_emulation = False
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_enabled_emulation_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_enabled_mask = 0
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_filter = None
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_id_attribute = cn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_mail_attribute = email
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_name_attribute = sn
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_objectclass = inetOrgPerson
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_pass_attribute = userPassword
2013-05-10 09:49:31 DEBUG [keystone-all] ldap.user_tree_dn = None
2013-05-10 09:49:31 DEBUG [keystone-all] token.driver = keystone.token.backends.sql.Token
2013-05-10 09:49:31 DEBUG [keystone-all] auth.methods = ['password', 'token']
2013-05-10 09:49:31 DEBUG [keystone-all] auth.password = keystone.auth.plugins.password.Password
2013-05-10 09:49:31 DEBUG [keystone-all] auth.token = keystone.auth.plugins.token.Token
2013-05-10 09:49:31 DEBUG [keystone-all] ssl.ca_certs = None
2013-05-10 09:49:31 DEBUG [keystone-all] ssl.cert_required = False
2013-05-10 09:49:31 DEBUG [keystone-all] ssl.certfile = None
2013-05-10 09:49:31 DEBUG [keystone-all] ssl.enable = False
2013-05-10 09:49:31 DEBUG [keystone-all] ssl.keyfile = None
2013-05-10 09:49:31 DEBUG [keystone-all] catalog.driver = keystone.catalog.backends.sql.Catalog
2013-05-10 09:49:31 DEBUG [keystone-all] ec2.driver = keystone.contrib.ec2.backends.sql.Ec2
2013-05-10 09:49:31 DEBUG [keystone-all] sql.connection = mysql://keystone:keystone@mysql/keystone
2013-05-10 09:49:31 DEBUG [keystone-all] sql.idle_timeout = 200
2013-05-10 09:49:31 DEBUG [keystone-all] policy.driver = keystone.policy.backends.sql.Policy
2013-05-10 09:49:31 DEBUG [keystone-all] trust.driver = keystone.trust.backends.sql.Trust
2013-05-10 09:49:31 DEBUG [keystone-all] trust.enabled = True
2013-05-10 09:49:31 DEBUG [keystone-all] pam.password = None
2013-05-10 09:49:31 DEBUG [keystone-all] pam.url = None
2013-05-10 09:49:31 DEBUG [keystone-all] pam.userid = None
2013-05-10 09:49:31 DEBUG [keystone-all] identity.default_domain_id = default
2013-05-10 09:49:31 DEBUG [keystone-all] identity.driver = keystone.identity.backends.sql.Identity
2013-05-10 09:49:31 DEBUG [keystone-all] ********************************************************************************
2013-05-10 09:49:31 DEBUG [keystone.common.wsgi] Starting /usr/bin/keystone-all on 0.0.0.0:35357
2013-05-10 09:49:31 DEBUG [keystone.common.wsgi] Starting /usr/bin/keystone-all on 0.0.0.0:5000
2013-05-10 09:49:31 DEBUG [eventlet.wsgi.server] (32403) wsgi starting up on http://0.0.0.0:35357/

2013-05-10 09:49:31 DEBUG [eventlet.wsgi.server] (32403) wsgi starting up on http://0.0.0.0:5000/

The part ask user-list from localhost:

2013-05-10 09:51:35 DEBUG [eventlet.wsgi.server] (32403) accepted ('127.0.0.1', 40618)

2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] ******************** REQUEST ENVIRON ********************
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] SCRIPT_NAME = /v2.0
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] webob.adhoc_attrs = {'response': <Response at 0x3754850 200 OK>}
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] REQUEST_METHOD = GET
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] PATH_INFO = /users
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] SERVER_PROTOCOL = HTTP/1.0
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] REMOTE_ADDR = 127.0.0.1
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] HTTP_X_AUTH_TOKEN = ADMIN
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] HTTP_USER_AGENT = python-keystoneclient
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] eventlet.posthooks = []
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] RAW_PATH_INFO = /v2.0/users
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] REMOTE_PORT = 40618
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] eventlet.input = <eventlet.wsgi.Input object at 0x374ee10>
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.url_scheme = http
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] webob._body_file = (<_io.BufferedReader>, <eventlet.wsgi.Input object at 0x374ee10>)
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] SERVER_PORT = 35357
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.input = <_io.BytesIO object at 0x310fdd0>
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] openstack.context = {'token_id': 'ADMIN', 'is_admin': True}
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] HTTP_HOST = localhost:35357
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.multithread = True
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] HTTP_ACCEPT = */*
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.version = (1, 0)
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] SERVER_NAME = 127.0.0.1
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] GATEWAY_INTERFACE = CGI/1.1
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.run_once = False
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.errors = <open file '<stderr>', mode 'w' at 0x7f00c95d1270>
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] wsgi.multiprocess = False
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] CONTENT_TYPE = text/plain
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] HTTP_ACCEPT_ENCODING = gzip, deflate, compress
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi]
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] ******************** REQUEST BODY ********************
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi]
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] arg_dict: {}
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SELECT DATABASE()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SHOW VARIABLES LIKE 'character_set%%'
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SHOW VARIABLES LIKE 'lower_case_table_names'
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SHOW COLLATION
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SHOW VARIABLES LIKE 'sql_mode'
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] SELECT user.id AS user_id, user.name AS user_name, user.domain_id AS user_domain_id, user.password AS user_password, user.enabled AS user_enabled, user.extra AS user_extra
FROM user
2013-05-10 09:51:35 INFO [sqlalchemy.engine.base.Engine] ()
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] ******************** RESPONSE HEADERS ********************
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] Vary = X-Auth-Token
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] Content-Type = application/json
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] Content-Length = 13
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi]
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] ******************** RESPONSE BODY ********************
2013-05-10 09:51:35 DEBUG [keystone.common.wsgi] {"users": []}
2013-05-10 09:51:35 INFO [access] 127.0.0.1 - - [10/May/2013:01:51:35 +0000] "GET http://localhost:35357/v2.0/users HTTP/1.0" 200 13
2013-05-10 09:51:35 DEBUG [eventlet.wsgi.server] 127.0.0.1 - - [10/May/2013 09:51:35] "GET /v2.0/users HTTP/1.1" 200 141 0.035297

li,chen (chen-li) said : #5

Default in keystone.conf:
bind_host = 0.0.0.0

In log, after keystone start, it print out :
2013-05-10 09:49:31 DEBUG [eventlet.wsgi.server] (32403) wsgi starting up on http://0.0.0.0:35357/
2013-05-10 09:49:31 DEBUG [eventlet.wsgi.server] (32403) wsgi starting up on http://0.0.0.0:5000/

And netstat shows:
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN

I edit keystone.conf:
public_endpoint = http://192.168.11.11:5000/
admin_endpoint = http://192.168.11.11:35357/
(Default they're using localhost)

Not working.

Thanks.
-chen

li,chen (chen-li) said : #6

I forgot to unset the proxy on the node.
Really sorry.

Thanks.
-chen

xingzhou (xingzhou) said : #7

re #6, I thought the default conf should be comment out, not sure whether this is different in product env and dev env.