First, the environment: CentOS 7.9, installing OpenStack Train.
When I reached this step:
openstack domain create --description "An Example Domain" example
it failed with an HTTP 500 error:
[root@controller ~]# openstack domain create --description "An Example Domain" example
Internal Server Error (HTTP 500)
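I tried all the fixes I could find online and none of them worked. Most of them boil down to adding port 35357 (clearly not applicable here).
The official guide has a note on this; in short, only the v2 API needed two ports, and what is used now is v3: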
Note
Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.
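There were also various suggestions to edit configuration files, and none of those were right either.
In the end I went to the logs. /var/log/keystone/keystone.log
and /var/log/httpd/error_log
contained no Error entries, but /var/log/httpd/keystone.log
did have error messages, as follows: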
2022-10-24 10:34:06.729534 mod_wsgi (pid=3869): Target WSGI script '/usr/bin/keystone-wsgi-public' cannot be loaded as Python module.
2022-10-24 10:34:06.729574 mod_wsgi (pid=3869): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-public'.
2022-10-24 10:34:06.729602 Traceback (most recent call last):
2022-10-24 10:34:06.729626 File "/usr/bin/keystone-wsgi-public", line 52, in <module>
2022-10-24 10:34:06.729664 application = initialize_public_application()
2022-10-24 10:34:06.729677 File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 24, in initialize_public_application
2022-10-24 10:34:06.729704 name='public', config_files=flask_core._get_config_files())
2022-10-24 10:34:06.729715 File "/usr/lib/python2.7/site-packages/keystone/server/flask/core.py", line 157, in initialize_application
2022-10-24 10:34:06.729738 keystone.server.configure(config_files=config_files)
2022-10-24 10:34:06.729749 File "/usr/lib/python2.7/site-packages/keystone/server/__init__.py", line 28, in configure
2022-10-24 10:34:06.729770 keystone.conf.configure()
2022-10-24 10:34:06.729781 File "/usr/lib/python2.7/site-packages/keystone/conf/__init__.py", line 137, in configure
2022-10-24 10:34:06.729803 deprecated_since=versionutils.deprecated.STEIN))
2022-10-24 10:34:06.729814 File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2055, in __inner
2022-10-24 10:34:06.729836 result = f(self, *args, **kwargs)
2022-10-24 10:34:06.729847 File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2333, in register_cli_opt
2022-10-24 10:34:06.729868 raise ArgsAlreadyParsedError("cannot register CLI option")
2022-10-24 10:34:06.729891 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
2022-10-24 10:36:32.153022 mod_wsgi (pid=6854): Target WSGI script '/usr/bin/keystone-wsgi-public' cannot be loaded as Python module.
2022-10-24 10:36:32.153113 mod_wsgi (pid=6854): Exception occurred processing WSGI script '/usr/bin/keystone-wsgi-public'.
2022-10-24 10:36:32.153189 Traceback (most recent call last):
2022-10-24 10:36:32.153233 File "/usr/bin/keystone-wsgi-public", line 52, in <module>
2022-10-24 10:36:32.153385 application = initialize_public_application()
2022-10-24 10:36:32.153426 File "/usr/lib/python2.7/site-packages/keystone/server/wsgi.py", line 24, in initialize_public_application
2022-10-24 10:36:32.153505 name='public', config_files=flask_core._get_config_files())
2022-10-24 10:36:32.153519 File "/usr/lib/python2.7/site-packages/keystone/server/flask/core.py", line 157, in initialize_application
2022-10-24 10:36:32.153642 keystone.server.configure(config_files=config_files)
2022-10-24 10:36:32.153665 File "/usr/lib/python2.7/site-packages/keystone/server/__init__.py", line 36, in configure
2022-10-24 10:36:32.153744 keystone.conf.setup_logging()
2022-10-24 10:36:32.153764 File "/usr/lib/python2.7/site-packages/keystone/conf/__init__.py", line 124, in setup_logging
2022-10-24 10:36:32.153898 log.setup(CONF, 'keystone')
2022-10-24 10:36:32.153920 File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 274, in setup
2022-10-24 10:36:32.154186 _setup_logging_from_conf(conf, product_name, version)
2022-10-24 10:36:32.154203 File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 382, in _setup_logging_from_conf
2022-10-24 10:36:32.154233 filelog = file_handler(logpath)
2022-10-24 10:36:32.154252 File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
2022-10-24 10:36:32.154788 logging.FileHandler.__init__(self, filename, mode, encoding, delay)
2022-10-24 10:36:32.154820 File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
2022-10-24 10:36:32.155443 StreamHandler.__init__(self, self._open())
2022-10-24 10:36:32.155459 File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
2022-10-24 10:36:32.155489 stream = open(self.baseFilename, self.mode)
2022-10-24 10:36:32.155531 IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log'
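The last line, IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log',
says there is no permission on this file. I checked and the file was owned by root; it can be changed to keystone with chown, or the file can simply be deleted. After trying that it still did not work.
After a day of struggling I came across this post, https://stackoverflow.com/questions/51336502/openstack-keystone-command-fails-with-internal-server-error-500-python-target, which gave me the idea that it might be an SELinux problem again. I looked at the SELinux log with `tail /var/log/audit/audit.log` and found the following error messages: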
type=AVC msg=audit(1666579099.930:198): avc: denied { open } for pid=6857 comm="httpd" path="/var/log/keystone/keystone.log" dev="dm-0" ino=653341 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1666579099.930:198): arch=c000003e syscall=2 success=no exit=-13 a0=7f920580ef30 a1=441 a2=1b6 a3=24 items=0 ppid=6853 pid=6857 auid=4294967295 uid=163 gid=163 euid=163 suid=163 fsuid=163 egid=163 sgid=163 fsgid=163 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Sure enough, it is still a permission problem on keystone.log. Look at the SELinux context labels of the /var/log/keystone
directory and the log file under it:
[root@controller ~]# ls -Zd /var/log/keystone
drwxrw-r--. keystone keystone system_u:object_r:keystone_log_t:s0 /var/log/keystone
[root@controller ~]# ls -Z /var/log/keystone/keystone.log
-rwxrw-r--. keystone keystone unconfined_u:object_r:keystone_log_t:s0 /var/log/keystone/keystone.log
# Below is the file context of an httpd log file
[root@controller ~]# ls -Z /var/log/httpd/access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log
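Change keystone's log context to match the httpd log context:
# The (/.*)? suffix makes the rule cover the directory and every file below it;
# without it only the directory itself is relabeled.
semanage fcontext -a -t httpd_log_t "/var/log/keystone(/.*)?"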
restorecon -RF /var/log/keystone
Finally, check the result:
[root@controller ~]# ls -Zd /var/log/keystone
drwxrw-r--. keystone keystone system_u:object_r:httpd_log_t:s0 /var/log/keystone
[root@controller ~]# ls -Zd /var/log/keystone/keystone.log
-rwxrw-r--. keystone keystone system_u:object_r:httpd_log_t:s0 /var/log/keystone/keystone.log
Creating the domain again still returned HTTP 500. Looking at /var/log/keystone/keystone.log
again, this time it reported a database connection error:
2022-10-24 10:49:03.045 6855 WARNING oslo_db.sqlalchemy.engines [req-1fafda76-ed96-45aa-a524-cde1f771981e - - - - -] SQL connection failed. 2 attempts left.: DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno 13] Permission denied)") (Background on this error at: http://sqlalche.me/e/e3q8)
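First make sure that the MySQL configuration and the database section of /etc/keystone/keystone.conf
are correct and that the keystone account's password and privileges are correct. Finally, turn on the SELinux boolean that lets httpd connect to the database.
Checking httpd's SELinux booleans shows that httpd_can_network_connect_db
is off. Allow httpd to connect to the database with:
setsebool -P httpd_can_network_connect_db on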
[root@controller keystone]# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
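Both denials in this write-up can be read directly out of audit.log. The script below is an added example, not part of the original post: it condenses AVC records into one line per distinct denial. The first sample record is the one quoted above, the SYSCALL record is abridged, the name_connect record for port 3306 is constructed to show what the database denial typically looks like, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): condense SELinux AVC denials.

# Sample input. Record 1 is the AVC line quoted in the post, record 2 is its
# SYSCALL companion (abridged), record 3 is CONSTRUCTED (httpd -> MySQL port).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1666579099.930:198): avc: denied { open } for pid=6857 comm="httpd" path="/var/log/keystone/keystone.log" dev="dm-0" ino=653341 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:keystone_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1666579099.930:198): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1666579743.045:215): avc:  denied  { name_connect } for  pid=6855 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Reads audit.log lines on stdin. Prints, per distinct denial:
#   count comm source_type -> target_type:class { perms } object
# Limitation: a path containing spaces is cut at the first space.
summarize_avc() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = ""; comm = "?"; obj = "-"; src = "?"; tgt = "?"; cls = "?"
        a = index($0, "{"); b = index($0, "}")
        if (a && b > a) {                      # permissions sit between { }
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {            # walk the key=value fields
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "path") obj = v
            else if (k == "dest") obj = "port:" v
            else if (k == "scontext") { split(v, c, ":"); src = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
            else if (k == "tclass") cls = v
        }
        key = comm " " src " -> " tgt ":" cls " { " perms " } " obj
        if (!(key in seen)) order[++n_keys] = key
        seen[key]++
    }
    END { for (j = 1; j <= n_keys; j++) print seen[order[j]], order[j] }
    '
}

sample_audit_log | summarize_avc
```

On a live host the same function can be fed the real log, for example summarize_avc < /var/log/audit/audit.log.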
Then re-run the keystone configuration steps:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
# systemctl restart httpd.service
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3
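To sum up, the problem was mainly SELinux; if nothing else works, just turn it off.
Also, if the domain is not created with root privileges (as root it works), HTTP 500 is still reported. You can add the following line to /etc/httpd/conf.d/wsgi-keystone.conf; it may be a matter of insufficient permissions: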
WSGIApplicationGroup %{GLOBAL}