[DevStack][Ceilometer][Gnocchi] Error 403


I am currently on an OpenStack project and I'm trying to use Ceilometer and Gnocchi. I've installed DevStack with the following lines in the local.conf file to install and configure Ceilometer and Gnocchi:

enable_plugin gnocchi https://github.com/gnocchixyz/gnocchi master
enable_plugin ceilometer https://git.openstack.org/openstack/ceilometer
enable_service gnocchi-grafana

The installation was successful; the Metric service has been created along with the ceilometer and gnocchi users. The [keystone_authtoken] sections of the Ceilometer and Gnocchi configuration files are apparently correctly set, and I set Gnocchi as the meter dispatcher in the Ceilometer config file.

But with commands related to the metric argument, like openstack metric status, I get a 403 error, though I sourced the admin-openrc.sh file before. I tried with both API versions, 2.0 and 3.

I thought that adding the admin user as a member and admin of the service project in OpenStack would solve the problem, but I'm still getting the error.

I looked through the Apache logs involving Gnocchi:

- in /var/log/apache2/gnocchi.log there is the "client denied by server configuration: /usr/local/bin/gnocchi-api" error,
- in var/log/apache2/gnocchi-acces.log there are 403 errors like this:

10.0.3.29 - - [28/Jul/2017:16:24:34 +0300] "POST /v1/batch/resources/metrics/measures?create_metrics=True HTTP/1.1" 403 501 "-" "ceilometer-agent-notification keystoneauth1/3.1.0 python-requests/2.18.2 CPython/2.7.12"
10.0.3.29 - - [28/Jul/2017:16:24:34 +0300] "PATCH /v1/resource/image/bc130fad-36f6-48a5-852b-b78e41863d09 HTTP/1.1" 403 520 "-" "ceilometer-agent-notification keystoneauth1/3.1.0 python-requests/2.18.2 CPython/2.7.12"

Are there any misconfigurations I didn't notice?

If you want any more information, just ask me.

Thanks for your help.

There are 1 answers

Pawel On

Based on an answer from the OpenStack Q&A here:

The following config for /etc/apache2/sites-available/gnocchi.conf works fine at the moment:

Listen 8041

<VirtualHost *:8041>
    WSGIDaemonProcess gnocchi lang='en_US.UTF-8' locale='en_US.UTF-8' user=stack display-name=%{GROUP} processes=2 threads=32
    WSGIProcessGroup gnocchi
    WSGIScriptAlias / /usr/local/bin/gnocchi-api
    WSGIApplicationGroup %{GLOBAL}

    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>


    <Directory />
        Options FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>

    ErrorLog /var/log/apache2/gnocchi.log
    CustomLog /var/log/apache2/gnocchi-access.log combined
</VirtualHost>

WSGISocketPrefix /var/run/apache2

After service apache2 restart, the output of the gnocchi status command is the following:

$ gnocchi status
+-----------------------------------------------------+-------+
| Field                                               | Value |
+-----------------------------------------------------+-------+
| storage/number of metric having measures to process | 0     |
| storage/total number of measures to process         | 0     |
+-----------------------------------------------------+-------+

Not like before:

$ gnocchi status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /v1/status
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.92.76.44 Port 8041</address>
</body></html>
 (HTTP 403)
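Added example (not part of the answer above, nor DevStack or Gnocchi code): a small checker that reads a vhost, finds each WSGIScriptAlias target and reports whether a `<Directory>` grant covers it, and whether that grant is wider than the script's own directory, as the `<Directory />` block above is. It assumes the global Apache config denies `/` by default (as the stock Ubuntu apache2.conf does); `audit_vhost` and the sample configs are constructed for illustration.

```python
import posixpath
import re

# Simplified matching: <IfVersion> wrappers, <Files> sections and
# "Require all denied" overrides are not evaluated.
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ALIAS_RE = re.compile(r'^[ \t]*WSGIScriptAlias[ \t]+\S+[ \t]+(\S+)', re.M | re.I)
GRANT_RE = re.compile(
    r'^[ \t]*(Require[ \t]+all[ \t]+granted|Allow[ \t]+from[ \t]+all)[ \t]*$', re.M | re.I)


def audit_vhost(conf):
    """Return (script, status, granting_dirs) for each WSGIScriptAlias target."""
    granted = [posixpath.normpath(path) for path, body in DIRECTORY_RE.findall(conf)
               if GRANT_RE.search(body)]
    findings = []
    for script in ALIAS_RE.findall(conf):
        script_dir = posixpath.dirname(posixpath.normpath(script))
        covering = [d for d in granted
                    if d in ("/", script_dir) or script_dir.startswith(d + "/")]
        if not covering:
            # Assumes a default-deny on "/": Apache then answers 403 and logs
            # "client denied by server configuration".
            status = "denied"
        elif any(d != script_dir for d in covering):
            status = "broad"     # grant also opens ancestors of the script directory
        else:
            status = "scoped"    # grant is limited to the script's own directory
        findings.append((script, status, covering))
    return findings


# Constructed samples. BROAD mirrors the access block from the answer above.
ALIAS = "WSGIScriptAlias / /usr/local/bin/gnocchi-api\n"
NO_GRANT = ALIAS
BROAD = (ALIAS + "<Directory />\n  <IfVersion >= 2.4>\n    Require all granted\n"
         "  </IfVersion>\n</Directory>\n")
SCOPED = ALIAS + "<Directory /usr/local/bin>\n  Require all granted\n</Directory>\n"

if __name__ == "__main__":
    for name, conf in (("no grant", NO_GRANT), ("broad", BROAD), ("scoped", SCOPED)):
        for script, status, dirs in audit_vhost(conf):
            print(f"{name:9} {script}: {status} {dirs}")
```

A "broad" result means the vhost works but the grant reaches beyond the directory holding the WSGI script; a `<Directory>` block naming only that directory is enough for mod_wsgi to serve it.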