While establishing a new OpenStack Newton installation on CentOS7 using packstack, I encountered the following error after running
packstack --allinone (doing a multi-node install made no difference, though)
Applying Puppet manifests [ ERROR ] ERROR : Error appeared during Puppet run: 172.16.83.2_controller.pp Error: Could not prefetch keystone_role provider 'openstack': Could not authenticate You will find full trace in log /var/tmp/packstack/20170210-132054-KQp_cn/manifests/172.16.83.2_controller.pp.log Please check log file /var/tmp/packstack/20170210-132054-KQp_cn/openstack-setup.log for more information Additional information:
This stumped me for days, until I thought to check the Keystone http logs at /var/log/httpd/keystone_wsgi_admin_error.log
[Fri Feb 10 14:03:51.563880 2017] [core:error] [pid 8667] (13)Permission denied: [client 172.16.83.2:59776] AH00035: access to / denied (filesystem path '/var/www/cgi-bin/keystone/keystone-admin') because search permissions are missing on a component of the path [Fri Feb 10 14:04:41.853147 2017] [core:error] [pid 8671] (13)Permission denied: [client 172.16.83.2:59780] AH00035: access to / denied (filesystem path '/var/www/cgi-bin/keystone/keystone-admin') because search permissions are missing on a component of the path
Finally, a clue! This led me to a bug affecting the permissions when $keystone_wsgi_script_path is created, if this system is using a more-restrictive-than-usual umask (mine is). The bug has been fixed in puppet-keystone 10.1.0, but RDO’s CentOS7 repo only includes puppet-keystone-9.4.0-1.el7.noarch.
I fixed this in the short term after the failure, by running:
chmod 755 /var/www/cgi-bin/keystone.
I then re-ran
packstack --allinone, and my installation completed successfully.