Kalle Happonen

Reins of Power

A simple generic v3 keystone admintoken openrc

Some things in OpenStack Keystone (mainly bootstrapping) really needs the admin token. As the admin token should not leave the keystone machines, here is a simple openrc for when you need the admin token.

export OS_URL=$(grep ^admin_endpoint /etc/keystone/keystone.conf |cut -f 2 -d  . . .

Read More

July 08, 2015

Pixie Queen

Or how I learned to to UEFI iPXE


  • make UEFI specifc iPXE chainloadable firmware
make bin-x86_64-efi/ipxe.efi
  • Configure DHCP server to manage both BIOS and UEFI machines
  • Add "initrd=initrd.img" to the kernel kickstart parameters
  • (Disable STP for the port of the the iPXE booting host)


. . .

Read More

June 24, 2015

Tromp the Domains

Trying Identity API v3 and Domains

General disclaimer, I'm talking about OpenStack Juno, but a lot of this applies to Kilo too.

Before getting to this post, you will need your assignment separated from identities as per my previous post.

Keystone and keystone domains

Keystone - the identity management component of OpenStack - has for a while . . .

Read More

May 25, 2015

Floating Shield

Normal disclaimer: RDO Icehouse

I ran into an issue where a VM previously had a floating IP, but it was released back to the pool. It was important to get that IP back for that VM.

Icehouse-era Neutron does not allow you to specify which specific floating ip you want, but kilo might. So how could this be fixed? I guess I . . .

Read More

Posted in: openstack

April 01, 2015

Identity Crisis

Moving Keystone from LDAP roles to SQL roles


In early versions of OpenStack keystone did all its own user management. When it matured a bit, there was a cool new feature, you can point it at LDAP for authentication and authorization. This was a big step forward when running OpenStack as a part of a larger system.

Everything wasn't perfect though. . . .

Read More

January 27, 2015

Shared Trauma

This time, I'll write about a problem I did manage to DuckDuckGo, but it did little to make me happy after I debugged the problem. Our OpenStack version is Icehouse, this issue has been actively debated and different versions might have different defaults. I'm not completely sure about the Juno status, if this is handled correctly for . . .

Read More

January 09, 2015

Grizzly Fate - Part 2


In the previous post I went through some issues we had with our OpenStack upgrade from Grizzly to Icehouse.

We had successfully run the OpenStack update scripts, and we were in the Icehouse version. We started testing, and everything worked fine... until security groups. Well, they did work, they just weren't there. There was . . .

Read More

December 29, 2014