OpenStack deployment notes: Keystone fails to create a domain

First, the environment: CentOS 7.9, installing OpenStack Train.
At the step openstack domain create --description "An Example Domain" example, the command fails with an HTTP 500 error:

[root@controller ~]# openstack domain create --description "An Example Domain" example
Internal Server Error (HTTP 500)

I tried every method I could find online and none of them worked; most amounted to adding port 35357 (clearly not applicable here).
The official guide has a note on this; in short, only the v2 API needed two ports, and what we use now is v3:

Note
Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.

There are also various approaches that edit configuration files, and none of them were right either.
In the end I went back to the logs. Neither /var/log/keystone/keystone.log nor /var/log/httpd/error_log contained any Error entries; the error messages were in /var/log/httpd/keystone.log, as follows:

2022-10-24 10:34:06.729534 mod_wsgi (pid=3869): Target WSGI script '/usr/bin/keystone-wsgi-public' cannot be loaded as Python module.
2022-10-24 10:34:06.729574 mod_wsgi (pid=3869): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-public'.
2022-10-24 10:34:06.729602 Traceback (most recent call last):
2022-10-24 10:34:06.729626   File "/usr/bin/keystone-wsgi-public", line 52, in <module>
2022-10-24 10:34:06.729664     application = initialize_public_application()
2022-10-24 10:34:06.729677   File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 24, in initialize_public_application
2022-10-24 10:34:06.729704     name='public', config_files=flask_core._get_config_files())
2022-10-24 10:34:06.729715   File "/usr/lib/python2.7/site-packages/keystone/server/flask/core.py", line 157, in initialize_application
2022-10-24 10:34:06.729738     keystone.server.configure(config_files=config_files)
2022-10-24 10:34:06.729749   File "/usr/lib/python2.7/site-packages/keystone/server/__init__.py", line 28, in configure
2022-10-24 10:34:06.729770     keystone.conf.configure()
2022-10-24 10:34:06.729781   File "/usr/lib/python2.7/site-packages/keystone/conf/__init__.py", line 137, in configure
2022-10-24 10:34:06.729803     deprecated_since=versionutils.deprecated.STEIN))
2022-10-24 10:34:06.729814   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2055, in __inner
2022-10-24 10:34:06.729836     result = f(self, *args, **kwargs)
2022-10-24 10:34:06.729847   File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2333, in register_cli_opt
2022-10-24 10:34:06.729868     raise ArgsAlreadyParsedError("cannot register CLI option")
2022-10-24 10:34:06.729891 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
2022-10-24 10:36:32.153022 mod_wsgi (pid=6854): Target WSGI script '/usr/bin/keystone-wsgi-public' cannot be loaded as Python module.
2022-10-24 10:36:32.153113 mod_wsgi (pid=6854): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-public'.
2022-10-24 10:36:32.153189 Traceback (most recent call last):
2022-10-24 10:36:32.153233   File "/usr/bin/keystone-wsgi-public", line 52, in <module>
2022-10-24 10:36:32.153385     application = initialize_public_application()
2022-10-24 10:36:32.153426   File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 24, in initialize_public_application
2022-10-24 10:36:32.153505     name='public', config_files=flask_core._get_config_files())
2022-10-24 10:36:32.153519   File "/usr/lib/python2.7/site-packages/keystone/server/flask/core.py", line 157, in initialize_application
2022-10-24 10:36:32.153642     keystone.server.configure(config_files=config_files)
2022-10-24 10:36:32.153665   File "/usr/lib/python2.7/site-packages/keystone/server/__init__.py", line 36, in configure
2022-10-24 10:36:32.153744     keystone.conf.setup_logging()
2022-10-24 10:36:32.153764   File "/usr/lib/python2.7/site-packages/keystone/conf/__init__.py", line 124, in setup_logging
2022-10-24 10:36:32.153898     log.setup(CONF, 'keystone')
2022-10-24 10:36:32.153920   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 274, in setup
2022-10-24 10:36:32.154186     _setup_logging_from_conf(conf, product_name, version)
2022-10-24 10:36:32.154203   File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 382, in _setup_logging_from_conf
2022-10-24 10:36:32.154233     filelog = file_handler(logpath)
2022-10-24 10:36:32.154252   File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
2022-10-24 10:36:32.154788     logging.FileHandler.__init__(self, filename, mode, encoding, delay)
2022-10-24 10:36:32.154820   File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
2022-10-24 10:36:32.155443     StreamHandler.__init__(self, self._open())
2022-10-24 10:36:32.155459   File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
2022-10-24 10:36:32.155489     stream = open(self.baseFilename, self.mode)
2022-10-24 10:36:32.155531 IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log'

The last line, IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log', says there is no permission on this file. I checked and the file was owned by root; you can chown it to keystone or simply delete the file. After trying that it still did not work.
After a day of struggling, I came across this article https://stackoverflow.com/questions/51336502/openstack-keystone-command-fails-with-internal-server-error-500-python-target and got the idea that it might again be an SELinux problem. Checking the SELinux log with `tail /var/log/audit/audit.log` showed the following error messages:

type=AVC msg=audit(1666579099.930:198): avc:  denied  { open } for  pid=6857 comm="httpd" path="/var/log/keystone/keystone.log" dev="dm-0" ino=653341 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1666579099.930:198): arch=c000003e syscall=2 success=no exit=-13 a0=7f920580ef30 a1=441 a2=1b6 a3=24 items=0 ppid=6853 pid=6857 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Sure enough, it was still a permission problem on keystone.log. Let's look at the SELinux context labels of the /var/log/keystone directory and the log file under it:

[root@controller ~]# ls -Zd /var/log/keystone
drwxrw-r--. keystone keystone system_u:object_r:keystone_log_t:s0 /var/log/keystone
[root@controller ~]# ls -Z /var/log/keystone/keystone.log 
-rwxrw-r--. keystone keystone unconfined_u:object_r:keystone_log_t:s0 /var/log/keystone/keystone.log
# The following is the context of the httpd log file
[root@controller ~]# ls -Z /var/log/httpd/access_log 
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log

Change keystone's log context to match the httpd log context:

semanage fcontext -a -t httpd_log_t /var/log/keystone
restorecon -RF /var/log/keystone

Finally, check again:

[root@controller ~]# ls -Zd /var/log/keystone
drwxrw-r--. keystone keystone system_u:object_r:httpd_log_t:s0 /var/log/keystone
[root@controller ~]# ls -Zd /var/log/keystone/keystone.log 
-rwxrw-r--. keystone keystone system_u:object_r:httpd_log_t:s0 /var/log/keystone/keystone.log

Creating the domain again still fails with HTTP 500. Checking /var/log/keystone/keystone.log again, this time it reports a database connection error:

2022-10-24 10:49:03.045 6855 WARNING oslo_db.sqlalchemy.engines [req-1fafda76-ed96-45aa-a524-cde1f771981e - - - - -] SQL connection failed. 2 attempts left.: DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno 13] Permission denied)") (Background on this error at: http://sqlalche.me/e/e3q8)

First make sure that the MySQL configuration and the database section of /etc/keystone/keystone.conf are correct and that the keystone account's password and privileges are right; finally, turn on the SELinux boolean that allows httpd to connect to the database.
Checking httpd's SELinux booleans, httpd_can_network_connect_db is off; enable httpd database connections with setsebool -P httpd_can_network_connect_db on:

[root@controller keystone]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
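
The following shell script is an added example and is not code from the original post or from OpenStack. It packages the two checks the post performs by hand into offline helpers: parsing AVC denial records from audit.log down to "who was denied what on which type", reading the type out of an `ls -Z` line, and looking up one boolean in `getsebool -a` output. The functions take text that has already been captured from the host, so the sample input below is constructed from the values shown in the post and the script runs without SELinux present; on a real controller you would feed them `grep avc /var/log/audit/audit.log`, `ls -Z /var/log/keystone/keystone.log` and `getsebool -a` instead. The expected end state it compares against (log directory labelled httpd_log_t, httpd_can_network_connect_db on) is simply the state the post ends up with.

```shell
#!/bin/sh
# Added example (not from the original post): offline triage helpers for the
# two SELinux symptoms in the write-up. Constructed sample data below mirrors
# the values in the post's audit.log, ls -Z and getsebool output.

SAMPLE_AUDIT='type=AVC msg=audit(1666579099.930:198): avc:  denied  { open } for  pid=6857 comm="httpd" path="/var/log/keystone/keystone.log" dev="dm-0" ino=653341 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1666579099.930:198): arch=c000003e syscall=2 success=no exit=-13 a0=7f920580ef30 a1=441 a2=1b6 a3=24 items=0 ppid=6853 pid=6857 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'
SAMPLE_LSZ='-rwxrw-r--. keystone keystone unconfined_u:object_r:keystone_log_t:s0 /var/log/keystone/keystone.log'
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_builtin_scripting --> on'

# Summarise AVC denial records read from stdin, one line per denial:
#   <comm> denied <perms> on <tclass> <path> (<source type> -> <target type>)
# Only the type field (third colon-separated part) of each context is kept,
# because that is what the policy decision is made on. In the paired SYSCALL
# record, syscall=2 is open(2) on x86_64 and exit=-13 is EACCES; permissive=0
# in the AVC record means the denial was enforced, not just logged.
parse_avc() {
    awk '
    /avc: +denied/ {
        b = index($0, "{"); e = index($0, "}")
        perm = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perm)
        comm = "?"; path = "-"; src = "?"; tgt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "path") path = val
            else if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (key == "tclass") cls = val
        }
        printf "%s denied %s on %s %s (%s -> %s)\n", comm, perm, cls, path, src, tgt
    }'
}

# SELinux type of the file in one line of CentOS 7 `ls -Z` output
# (fields: mode user group context path).
lsz_type() {
    awk '{ split($4, c, ":"); print c[3] }'
}

# State (on/off) of one boolean in `getsebool -a` output; "unknown" if absent.
# Usage: sebool_state <name> < getsebool-output
sebool_state() {
    awk -v name="$1" '$1 == name && $2 == "-->" { print $3; found = 1 }
                      END { if (!found) print "unknown" }'
}

# Compare captured state with the end state the post arrives at and print the
# command the post used for each mismatch, then list every enforced denial.
# Usage: triage <audit-lines> <ls-Z-line> <getsebool-output>
triage() {
    audit_text=$1; lsz_text=$2; bools_text=$3
    ltype=$(printf '%s\n' "$lsz_text" | lsz_type)
    if [ "$ltype" != "httpd_log_t" ]; then
        echo "log file type is $ltype, relabel: semanage fcontext -a -t httpd_log_t /var/log/keystone && restorecon -RF /var/log/keystone"
    fi
    dbbool=$(printf '%s\n' "$bools_text" | sebool_state httpd_can_network_connect_db)
    if [ "$dbbool" != "on" ]; then
        echo "httpd_can_network_connect_db is $dbbool, enable: setsebool -P httpd_can_network_connect_db on"
    fi
    printf '%s\n' "$audit_text" | parse_avc | sed 's/^/AVC: /'
}

# Stand-alone demonstration on the constructed sample.
triage "$SAMPLE_AUDIT" "$SAMPLE_LSZ" "$SAMPLE_BOOLS"
```

On a live host the standard tools do this job: `ausearch -m AVC -ts recent` pulls the same records out of the audit log and `audit2why` explains them. Two points worth keeping in mind when applying the post's fix: `setsebool -P` and `semanage fcontext` plus `restorecon` are both persistent across reboots, and relabelling the directory as httpd_log_t means any process running as httpd_t, not only Keystone, may now write those log files, so the relabel should stay limited to /var/log/keystone. The file's SELinux user in the post is unconfined_u rather than system_u, which is consistent with it having been created from an interactive shell, but the denial is decided on the type, and the type was already the expected keystone_log_t.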

Then re-run the Keystone configuration steps and it works:

# su -s /bin/sh -c "keystone-manage db_sync" keystone
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
# systemctl restart httpd.service
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3

To sum up, it was mainly an SELinux problem; if nothing else works, just turn it off.

Also, if the domain is created without root privileges (it works as root), it still reports HTTP 500; you can add the following line to /etc/httpd/conf.d/wsgi-keystone.conf, as it is probably a permissions issue:
WSGIApplicationGroup %{GLOBAL}
