nova image-list ERROR (ClientException): Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible. <class 'glanceclient.exc.HTTPInternalServerError'> (HTTP 500) (Request-ID: req-5c463162-0e93-4114-93e0-19134f77439e)
How to change keystone API V2 to V3

Posted on November 26, 2014 by Gopalakrishnan S

The Keystone Identity Service allows clients to obtain tokens that can be used to access OpenStack cloud services. This document is intended for software developers interested in developing applications that use the Keystone Identity Service API for authentication. The OpenStack Identity API is implemented using a RESTful web service interface. All requests to authenticate and operate against the OpenStack Identity API should be performed using HTTP over SSL (HTTPS) on TCP port 443.

Keystone V3 Advantages

1) Authentication is totally pluggable. You can write your own custom auth method. Because of this extensible auth method, Keystone now supports OAuth1 and federation (federation is not fully done).
2) Authorization: V2 is either "admin" or none. In V3 you can control who can call each method (provided you define your own policy file).
3) Separate drivers for assignments and identity.
4) Rich set of APIs. There are a lot more APIs available than in v2.0. Also, there are no vendor-specific extensions. If you check v2.0, most of the role APIs are Rackspace extensions.

Before proceeding to migrate Keystone v2 to v3, check that the existing services are working. Use the following commands to verify them.

How to change keystone API V2 to V3?

    [root@localhost ~(keystone_admin)]# keystone user-list
    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
    +----------------------------------+------------+---------+----------------------+
    | id                               | name       | enabled | email                |
    +----------------------------------+------------+---------+----------------------+
    | ed03407c56054729bee58be7f7710786 | admin      | True    | root@localhost       |
    | 3b52f88a70f149a791e295b1859ae8f4 | ceilometer | True    | ceilometer@localhost |

    [root@localhost ~(keystone_admin)]# nova service-list
    +------------------+-----------+----------+---------+-------+----------------------------+-----------------+
    | Binary           | Host      | Zone     | Status  | State | Updated_at                 | Disabled Reason |
    +------------------+-----------+----------+---------+-------+----------------------------+-----------------+
    | nova-consoleauth | packstack | internal | enabled | up    | 2014-12-13T10:45:52.000000 | -               |
    | nova-scheduler   | packstack | internal | enabled | up    | 2014-12-13T10:45:50.000000 | -               |
    | nova-conductor   | packstack | internal | enabled | up    | 2014-12-13T10:45:54.000000 | -               |
    | nova-compute     | packstack | nova     | enabled | up    | 2014-12-13T10:45:51.000000 | -               |
    | nova-cert        | packstack | internal | enabled | up    | 2014-12-13T10:45:52.000000 | -               |
    | nova-console     | packstack | internal | enabled | up    | 2014-12-13T10:45:51.000000 | -               |
    +------------------+-----------+----------+---------+-------+----------------------------+-----------------+

    [root@localhost ~(keystone_admin)]# glance image-list
    +--------------------------------------+--------+-------------+------------------+----------+--------+
    | ID                                   | Name   | Disk Format | Container Format | Size     | Status |
    +--------------------------------------+--------+-------------+------------------+----------+--------+
    | f4c137ca-8dd8-47f3-be70-106eac2f241f | cirros | qcow2       | bare             | 13147648 | active |
    +--------------------------------------+--------+-------------+------------------+----------+--------+

If all the services are working, proceed to migrate the endpoint URLs to V3 in your Keystone database. Log in to your MySQL server and change the endpoint URLs.
    mysql> use keystone;
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
    +-----------+---------------------------------+
    | interface | url                             |
    +-----------+---------------------------------+
    | admin     | http://192.168.1.133:35357/v2.0 |
    | internal  | http://192.168.1.133:5000/v2.0  |
    | public    | http://192.168.1.133:5000/v2.0  |
    +-----------+---------------------------------+
    3 rows in set (0.01 sec)

Get the identity service ID:

    mysql> select id from service where type="identity";
    +----------------------------------+
    | id                               |
    +----------------------------------+
    | e32101fdfe4145d1a6a22351b41d88e5 |
    +----------------------------------+
    1 row in set (0.00 sec)

Use this query to replace the port 5000 URLs for that service ID. The host address and service ID in the where clause must match the values returned by the queries above on your own deployment.

    mysql> update endpoint set url="http://192.168.1.196:5000/v3" where url="http://192.168.1.196:5000/v2.0" and service_id="76e23f322c2a48d18293db89dbca9e70";
    Query OK, 2 rows affected (0.00 sec)
    Rows matched: 2 Changed: 2 Warnings: 0

Use this query to replace the port 35357 URL:

    mysql> update endpoint set url="http://192.168.1.196:35357/v3" where url="http://192.168.1.196:35357/v2.0" and service_id="76e23f322c2a48d18293db89dbca9e70";
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 0

That's all; you can verify the changed URLs.

    mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
    +-----------+-------------------------------+
    | interface | url                           |
    +-----------+-------------------------------+
    | admin     | http://192.168.1.133:35357/v3 |
    | internal  | http://192.168.1.133:5000/v3  |
    | public    | http://192.168.1.133:5000/v3  |
    +-----------+-------------------------------+
    3 rows in set (0.00 sec)

Upgrade Keystone Policy File

Policy is just a set of rules combined by or/and logic. It should become more readable in future releases. The OpenStack Identity v3 API, provided by Keystone, offers features that were lacking in the previous version.
Among these features, it introduces the concept of domains, allowing isolation of projects and users. For instance, an administrator allowed to create projects and users in a given domain may not have any rights in another one. While these features look very exciting, some configuration needs to be done to have a working Identity v3 service with domains properly set.

Download the policy.v3cloudsample.json file and install it as the Keystone policy file, keeping the v2 policy as a backup. A GitHub blob URL serves an HTML page rather than the raw file, so confirm that the download is valid JSON before moving it into place.

    wget https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
    mv /etc/keystone/policy.json /etc/keystone/policy.json.V2
    mv policy.v3cloudsample.json /etc/keystone/policy.json
    chown keystone:keystone /etc/keystone/policy.json

Update Keystone Endpoint Environment

    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_PASSWORD=<password>
    export OS_AUTH_URL=http://192.168.1.133:5000/v3
    export SERVICE_ENDPOINT=http://192.168.1.133:35357/v3
    export SERVICE_TOKEN=c50f58a02dde43f286517af102786be0

Restart OpenStack Services

    /etc/init.d/openstack-keystone restart

Troubleshooting

If you receive "horizon unauthorized (http 401)" errors, you can revert to the v2 policy.json file and restart the services.

How to Enable Multi Domains on OpenStack Horizon

Horizon supports multiple domains as well. You only need to make a few changes to local_settings. Apply the correct policy.json file for Keystone.

    vi /etc/openstack-dashboard/local_settings

Uncomment the following settings:

    OPENSTACK_API_VERSIONS = {
        "identity": 3
    }
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_URL = "http://192.168.1.133:5000/v3"

Save local_settings and restart openstack-dashboard:

    /etc/init.d/httpd restart
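An added example, not part of the original post: a Python check that parses the endpoint listing printed by the mysql client in the migration step above and reports identity endpoints that are still on a pre-v3 path or that use plain HTTP, which the introduction says should be HTTPS. The function names and the sample table are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of `select interface, url ...` output from the mysql
# client; one row is deliberately left on v2.0 and one uses HTTPS.
SAMPLE = """\
+-----------+--------------------------------+
| interface | url                            |
+-----------+--------------------------------+
| admin     | http://192.168.1.133:35357/v3  |
| internal  | http://192.168.1.133:5000/v2.0 |
| public    | https://192.168.1.133:5000/v3  |
+-----------+--------------------------------+
3 rows in set (0.00 sec)
"""


def parse_mysql_table(text):
    """Turn mysql client table output into a list of dicts keyed by column."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders, prompts and the "N rows in set" footer
        rows.append([cell.strip() for cell in line.strip("|").split("|")])
    if not rows:
        return []
    header, *data = rows
    return [dict(zip(header, row)) for row in data]


def audit_identity_endpoints(rows, expected_version="v3"):
    """Return (interface, issue, observed) for each endpoint needing attention."""
    findings = []
    for row in rows:
        url = urlsplit(row["url"])
        # The API version is the last path segment, e.g. /v2.0 or /v3.
        version = url.path.rstrip("/").rsplit("/", 1)[-1]
        if version != expected_version:
            findings.append((row["interface"], "api-version", version))
        if url.scheme != "https":
            findings.append((row["interface"], "cleartext-transport", url.scheme))
    return findings


if __name__ == "__main__":
    for interface, issue, observed in audit_identity_endpoints(parse_mysql_table(SAMPLE)):
        print(f"{interface}: {issue} ({observed})")
```

Paste the output of the verification query in place of `SAMPLE`; an empty result means every identity endpoint is on v3 and served over HTTPS.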