puppet-keystone

creating a keystone_domain can make it the default even though is_default is false

Bug #1614141 reported by Franciraldo Cavalcante on 2016-08-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	puppet-keystone	Triaged	Undecided	Unassigned

Bug Description

We're trying to create a new domain, for Heat, for our OpenStack deployment. In this catalog we are not defining the default_domain variable in keystone's init.pp. That seems to be relevant but is perhaps not.

Here is our manifest:

...
  $heat_api_cfn_enabled = hiera('heat_api_cfn_enabled', false),
  $heat_domain_enabled = hiera('heat_domain_enabled', false),
  $heat_domain_name = 'heat',
  $heat_domain_admin = 'heat_admin',
  $heat_domain_admin_email = 'heat_admin@localhost',
  $heat_domain_password = hiera('heat_domain_password', undef),
...

    ensure_resource('keystone_domain', $heat_domain_name, {
      'ensure' => 'present',
      'enabled' => true,
    })
    ensure_resource('keystone_user', "${heat_domain_admin}::${heat_domain_name}", {
      'ensure' => 'present',
      'enabled' => true,
      'email' => $heat_domain_admin_email,
      'password' => $heat_domain_password,
    })
    ensure_resource('keystone_user_role', "${heat_domain_admin}::${heat_domain_name}@::${heat_domain_name}", {
      'roles' => ['admin'],
    })

Here is the output, note the last line warning and note how what puppet thinks the default_domain_id is:

DEBUG[default_domain_id/in]:
DEBUG[default_domain_from_ini_file]: default
DEBUG[default_domain_id/out]: default
Debug: Executing '/usr/bin/openstack project list --quiet --format csv --long'
Debug: Executing '/usr/bin/openstack domain list --quiet --format csv'
Debug: Prefetching openstack resources for keystone_role
Debug: Executing '/usr/bin/openstack role list --quiet --format csv'
Debug: Prefetching openstack resources for keystone_domain
Debug: Executing '/usr/bin/openstack domain list --quiet --format csv'
DEBUG[default_domain_id/in]: default
DEBUG[default_domain_id/out]: default
Debug: Executing '/usr/bin/openstack domain create --format shell heat --enable'
DEBUG[default_domain_id/in]: default
DEBUG[default_domain_id/out]: default
Notice: /Stage[main]/Cirrus::Profile::Keystone/Keystone_domain[heat]/ensure: created
Debug: /Stage[main]/Cirrus::Profile::Keystone/Keystone_domain[heat]: The container Class[Cirrus::Profile::Keystone] will propagate my refresh event
Debug: Prefetching openstack resources for keystone_user
DEBUG[default_domain_id/in]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[default_domain_id/out]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[./lib/puppet/provider/keystone_user/openstack.rb]
DEBUG[default_domain_id/in]: 637c781d30714a2aa5eefbf437ce738e
DEBUG[default_domain_id/out]: 637c781d30714a2aa5eefbf437ce738e
Warning: Puppet::Type::Keystone_user::ProviderOpenstack: Support for a resource without the domain set is deprecated in Liberty cycle. It will be dropped in the M-cycle. Currently using 'Default' as default domain name while the default domain id is '637c781d30714a2aa5eefbf437ce738e'.

See original description

Franciraldo Cavalcante (c-franciraldo-cavalcante) on 2016-08-17

description:	updated
description:	updated

Franciraldo Cavalcante (c-franciraldo-cavalcante) on 2016-08-17

description:

updated

Revision history for this message

Emilien Macchi (emilienm) wrote on 2016-08-17:

It sounds like you don't but should use this class:
https://github.com/openstack/puppet-heat/blob/master/manifests/keystone/domain.pp

Revision history for this message

Emilien Macchi (emilienm) wrote on 2016-08-17:

The bug report is clearly now enough to understand what is your problem.
Can you paste heat.conf and keystone.conf generated by your puppet runs ? (without manual actions)

mfish mentioned on IRC some idempotency problem, I don't see it in bug report.

Also, your manifest is not way to go.
You should patch https://github.com/openstack/puppet-heat/blob/master/manifests/keystone/domain.pp upstream to add a boolean to whether or not configure heat_config (could me $manage_heat_config) and set it to True on heat nodes and False on keystone nodes. Also set the manage_domain, etc to True on keystone nodes only.

Changed in puppet-keystone:
status:	New → Incomplete

Matt Fischer (mfisch) on 2016-08-17

summary:

- Need to create heat domain without changing the default_domain_id
+ creating a keystone_domain can make it the default even though
+ is_default is false

Revision history for this message

Matt Fischer (mfisch) wrote on 2016-08-17:

We have a work-around here. By changing the manifest to include is_default => false, we can convince puppet that the heat domain is not default.

I suspect that since this catalog only has 1 domain resource, which is the heat domain, that it's assuming it's the default domain since there's nothing else in the catalog but that's a guess.

description:

updated

Revision history for this message

Emilien Macchi (emilienm) wrote on 2016-08-17:

Before setting the severity I would like to see an example in our CI where you could reproduce it. Thanks

Changed in puppet-keystone:
status:	Incomplete → New
status:	New → Triaged

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.