possible bug in docker-machine openstack: calls v2 of API for tenants when given v3 auth?

[cboettig]

When calling docker-machine using the openstack interface with V3 of the API, I get an unexpected error which seems to suggest that docker-machine is calling v2 of the API for the tenants. Perhaps I'm doing something wrong in my call here, but given that the v2 appears to come out of nowhere I wonder if this is a bug?

I'm calling against the openstack setup of the NSF Jetstream system; trying to debug with the devs there but think it might be a docker-machine issue?

After sourcing in my openrc.sh env vars appropriately, here's the docker-machine command I am using (with secure/personal variables replaced):

docker-machine --debug create --driver openstack --openstack-flavor-id m1.tiny --openstack-image-id IMAGEIDHASH --openstack-keypair-name KEYPAIR --openstack-sec-groups default --openstack-tenant-name TENANTNAME --openstack-domain-name DOMAIN  --openstack-private-key-file ~/.ssh/id_rsa --openstack-auth-url  https://jblb.jetstream-cloud.org:XXXX/v3  testbed

Which gives the following:

Docker Machine Version:  0.8.1, build 41b3b25
Found binary path at /usr/local/bin/docker-machine
Launching plugin server for driver openstack
Plugin server listening at address 127.0.0.1:39073
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(flag-lookup) Calling .GetMachineName
(flag-lookup) Calling .DriverName
(flag-lookup) Calling .GetCreateFlags
Found binary path at /usr/local/bin/docker-machine
Launching plugin server for driver openstack
Plugin server listening at address 127.0.0.1:44650
() Calling .GetVersion
Using API Version  1
() Calling .SetConfigRaw
() Calling .GetMachineName
(testbed) Calling .GetMachineName
(testbed) Calling .DriverName
(testbed) Calling .GetCreateFlags
(testbed) Calling .SetConfigFromFlags
Running pre-create checks...
(testbed) Calling .PreCreateCheck
(testbed) Calling .GetConfigRaw
Creating machine...
(testbed) Calling .Create
(testbed) DBG | Authenticating... map[DomainName:tacc Username:cboettig TenantName:TG-DEB160003 TenantID: AuthUrl:https://jblb.jetstream-cloud.org:XXXXX/v3 Insecure:false DomainID:]

Error creating machine: Error in driver during machine creation: Expected HTTP response code [200 204] when accessing [GET https://jblb.jetstream-cloud.org:XXXXX/v2.0/tenants], but got 403 instead
{"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Forbidden"}}

I find it strange that the error message occurs on a call to GET https://jblb.jetstream-cloud.org:XXXXX/v2.0/tenants, surely this should be v3.0 instead? (Also confusing that it says earlier in the debug trace Using API Version 1, though perhaps that refers to something else?)

[nathanleclaire]

@fsoppelsa

[fsoppelsa]

What is OS_AUTH_URL and/or OS_IDENTITY_API_VERSION here?

[cboettig]

Thanks. OS_AUTH_URL is set to the same value as it has in the command line option shown above (I assume the latter takes precedence anyhow) --openstack-auth-url https://jblb.jetstream-cloud.org:XXXX/v3 (made anonymous obviously).

The OS_IDENTITY_API_VERSION is set to 3, and is specified in the openrc.sh file I linked in the above, OS_IDENTITY_API_VERSION=3.

[Hodgegoblin]

Were you able to resolve this issue? I am having the same issue trying to create to a devstack installation.

[jscottsf]

Having the same issue here. Any resolution?

Error creating machine: Error in driver during machine creation: Expected HTTP response code [200 204] when accessing [GET https://iu.jetstream-cloud.org:5000/v2.0/tenants], but got 404 instead
{"error": {"message": "(http://iu.jetstream-cloud.org:5000/v2.0/tenants): The resource could not be found.", "code": 404, "title": "Not Found"}}

Seems this issue has been Open for two years? Would love to use docker-machine with OS.

[kevinkjt2000]

It seems that several of the imports are for v2 support only

machine/drivers/openstack/client.go

Lines 16 to 25 in 61ef47d

	compute_ips "github.com/rackspace/gophercloud/openstack/compute/v2/extensions/floatingip"
	"github.com/rackspace/gophercloud/openstack/compute/v2/extensions/keypairs"
	"github.com/rackspace/gophercloud/openstack/compute/v2/extensions/startstop"
	"github.com/rackspace/gophercloud/openstack/compute/v2/flavors"
	"github.com/rackspace/gophercloud/openstack/compute/v2/images"
	"github.com/rackspace/gophercloud/openstack/compute/v2/servers"
	"github.com/rackspace/gophercloud/openstack/identity/v2/tenants"
	"github.com/rackspace/gophercloud/openstack/networking/v2/extensions/layer3/floatingips"
	"github.com/rackspace/gophercloud/openstack/networking/v2/networks"
	"github.com/rackspace/gophercloud/openstack/networking/v2/ports"

v3 would be an awesome feature!

[lcaflc]

I also have this issue. Moreover identity / keystone API v2 is now deprecated and no longuer available in rocky release and more. So since we upgraded docker-machine is no longuer usable.

[kayrus]

It would be great if someone can take a look on the #4755, which has to resolve this issue.

[doug-ba]

Is there anybody who can look at kayrus's PR? This issue is preventing my team from giving rancher a real evaluation.