Troubleshooting your Barbican Setup

If you cannot find the answers you’re looking for within this document, you can ask questions on the OFTC IRC channel #openstack-barbican

Getting a Barbican HTTP 401 error after a successful authentication to Keystone

What you might see

You get a HTTP 401 Unauthorized response even with a valid token

curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
-d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://localhost:9311/v1/secrets

Caused by

Expired signing cert on the Barbican server.

How to avoid

Check for an expired Keystone signing certificate on your Barbican server. Look at the expiration date in /tmp/barbican/cache/signing_cert.pem. If it is expired then follow these steps.

  1. On your Keystone server, verify that signing_cert.pem has the same expiration date as the one on your Barbican machine. You can normally find signing_cert.pem on your Keystone server in /etc/keystone/ssl/certs.

  2. If the cert matches then follow these steps to create a new one

    1. Delete it from both your Barbican and Keystone servers.

    2. Edit /etc/keystone/ssl/certs/index.txt.attr and set unique_subject to no.

    3. Run keystone-manage pki_setup to create a new signing_cert.pem

    4. The updated cert will be downloaded to your Barbican server the next time you hit the Barbican API.

  3. If the cert doesn’t match then delete the signing_cert.pem from your Barbican server. Do not delete from Keystone. The cert from Keystone will be downloaded to your machine the next time you hit the Barbican API.

Returned refs use localhost instead of the correct hostname

What you might see

curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
-d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://myhostname.com/v1/secrets

# Response:
{
  "secret_ref": "http://localhost:9311/v1/secrets/UUID_HERE"
}

Caused by

The default configuration on the response host name is not modified to the endpoint’s host name (typically the load balancer’s DNS name and port).

How to avoid

Change your barbican.conf file’s host_href setting from localhost:9311 to the correct host name (myhostname.com in the example above).

Barbican’s tox tests fail to run on my Mac

What you might see

clang: error: unknown argument: '-mno-fused-madd'

How to avoid

There is a great blog article that provides more details on the error and how to work around it. This link provides more details on the error and how to work around it.

Barbican’s tox tests fail to find ffi.h on my Mac

What you might see

c/_cffi_backend.c:13:10: fatal error: 'ffi.h' file not found
...
ERROR: could not install deps [...]; v = InvocationError('...', 1)

How to avoid

Be sure that xcode and cmd line tools are up to date. Easiest way is to run xcode-select --install from an OS X command line. Be sure to say yes when asked if you want to install the command line tools. Now ls /usr/include/ffi/ffi.h should show that missing file exists, and the tox tests should run.

Barbican’s tox tests fail with “ImportError: No module named _bsddb”

What you might see

ImportError: No module named _bsddb

How to avoid

Running tests via tox (which uses testr) will create a .testrepository directory containing, among other things, data files. Those datafiles may be created with bsddb, if it is available in the environment. This can cause problems if you run in an environment that does not have bsddb. To resolve this, delete your .testrepository directory and run tox again.

uWSGI logs ‘OOPS ! failed loading app’

What you might see

...
spawned uWSGI master process (pid: 59190)
spawned uWSGI worker 1 (pid: 59191, cores: 1)
spawned uWSGI worker 1 (pid: 59192, cores: 1)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter \
    0x7fd098c08520 pid: 59191 (default app)
OOPS ! failed loading app in worker 1 (pid 59192) :( trying again...
Respawned uWSGI worker 1 (new pid: 59193)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
OOPS ! failed loading app in worker 1 (pid 59193) :( trying again...
worker respawning too fast !!! i have to sleep a bit (2 seconds)...
...

Note

You will not see any useful logs or stack traces with this error!

Caused by

The vassal (worker) processes are not able to access the datastore.

How to avoid

Check the sql_connection in your barbican.conf file, to make sure that it references a valid reachable database.

“Cannot register CLI option” error when importing logging

What you might see

...
  File ".../oslo_config/cfg.py", line 1275, in register_cli_opt
    raise ArgsAlreadyParsedError("cannot register CLI option")
ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option

Caused by

An attempt to call the olso.config’s register_cli_opt() function after the configuration arguments were ‘parsed’ (see the comments and method in the oslo.config project’s cfg.py file for details.

How to avoid

Instead of calling import barbican.openstack.common.log as logging to get a logger, call from barbican.common import config with this to get a logger to use in your source file: LOG = config.getLogger(__name__).

Responder raised TypeError: 'NoneType' object has no attribute '__getitem__'

What you might see

...
2013-04-14 14:17:56 [FALCON] [ERROR] POST \
/da71dfbc-a959-4ad3-bdab-5ee190ce7515/csrs? => Responder raised \
TypeError: 'NoneType' object has no attribute '__getitem__'

Caused by

Forgetting to set your non-nullable FKs in entities you create via XxxxResource classes.

How to avoid

Don’t forget to set any FKs defined on an entity prior to using the repository to create it.

uWSGI config issue: ImportError: No module named site

What you might see

...
uwsgi socket 0 bound to TCP address :9311 fd 3
Python version: 2.7.3 (...)  [...]
Set PythonHome to ./.venv
ImportError: No module named site

Caused by

  • Can’t locate the Python virtualenv for the Barbican project.

  • Either the ‘broker’ setting above is incorrect, or else you haven’t started a queue process yet (such as RabbitMQ)

How to avoid

Make sure the uWSGI config file at etc/barbican/barbican-api-paste.ini is configured correctly (see installation steps above), esp. if the virtualenv folder is named differently than the .ini file has.

REST Request Fails with JSON error

What you might see

{
    "title": "Malformed JSON"
}

Caused by

Barbican REST server cannot parse the incoming JSON message from your REST client.

How to avoid

Make sure you are submitting properly formed JSON. For example, are there commas after all but the last name/value pair in a list? Are there quotes around all name/values that are text-based? Are the types of values matching what is expected (i.e. integer and boolean types instead of quoted text)?

If you are using the Advanced REST Client with Chrome, and you tried to upload a file to the secrets PUT call, not only will this fail due to the multi-part format it uses, but it will also try to submit this file for every REST request you make thereafter, causing this error. Close the tab/window with the client, and restart it again.

Crypto Mime Type Not Supported when I try to run tests or hit the API

What you might see

A stack trace that has this in it (for example):

CryptoMimeTypeNotSupportedException: Crypto Mime Type of 'text/plain' not supported

Caused by

The Barbican plugins are not installed into a place where the Python plugin manager can find them.

How to avoid

Make sure you run the pip install -e ..

Python “can’t find module errors” with the uWSGI scripts

What you might see

*** has_emperor mode detected (fd: 6) ***
...
!!! UNABLE to load uWSGI plugin: dlopen(./python_plugin.so, 10): image not found !!!
...
  File "./site-packages/paste/deploy/loadwsgi.py", line 22, in import_string
      return pkg_resources.EntryPoint.parse("x=" + s).load(False)
  File "./site-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line 2015, in load
      entry = __import__(self.module_name, globals(),globals(), ['__name__'])
ImportError: No module named barbican.api.app
...
*** Starting uWSGI 1.9.13 (64bit) on [Fri Jul  5 09:59:29 2013] ***

Caused by

The Barbican source modules are not found in the Python path of applications such as uwsgi.

How to avoid

Make sure you are running from your virtual env, and that pip was executed after you activated your virtual environment. This especially includes the pip install -e command. Also, it is possible that your virtual env gets corrupted, so you might need to rebuild it.

‘unable to open database file None None’ errors running scripts

What you might see

...
  File "./site-packages/sqlalchemy/engine/strategies.py", line 80, in connect
    return dialect.connect(*cargs, **cparams)
  File "./site-packages/sqlalchemy/engine/default.py", line 283, in connect
    return self.dbapi.connect(*cargs, **cparams)
OperationalError: (OperationalError) unable to open database file None None
[emperor] removed uwsgi instance barbican-api.ini
...

Caused by

Destination folder for the sqlite database is not found, or is not writable.

How to avoid

Make sure the /var/lib/barbican/ folder exists and is writable by the user that is running the Barbican API process.

‘ValueError: No JSON object could be decoded’ with Keystoneclient middleware

What you might see

...
2013-08-15 16:55:15.759 2445 DEBUG keystoneclient.middleware.auth_token \
[-] Token validation failure. _validate_user_token \
./site-packages/keystoneclient/middleware/auth_token.py:711
...
2013-08-15 16:55:15.759 2445 TRACE keystoneclient.middleware.auth_token \
raise ValueError("No JSON object could be decoded")
2013-08-15 16:55:15.759 24458 TRACE keystoneclient.middleware.auth_token \
ValueError: No JSON object could be decoded
...
2013-08-15 16:55:15.766 2445 WARNING keystoneclient.middleware.auth_token \
[-] Authorization failed for token ...
2013-08-15 16:55:15.766 2445 INFO keystoneclient.middleware.auth_token \
[-] Invalid user token - rejecting request...

Caused by

The keystoneclient middleware component is looking for a cms command in openssl that wasn’t available before version 1.0.1.

How to avoid

Update openssl.

“accept-encoding of ‘gzip,deflate,sdch’ not supported”

What you might see

Secret retrieval issue seen - accept-encoding of 'gzip,deflate,sdch' not supported

Caused by

This might be an issue with the browser you are using, as performing the request via curl doesn’t seem to be affected.

How to avoid

Other than using an command such as curl to make the REST request you may not have many other options.