Troubleshooting your Barbican Setup¶

What you might see¶

You get a HTTP 401 Unauthorized response even with a valid token

curl -X POST -H "X-Auth-Token: $TOKEN" -H "Content-type: application/json" \
-d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://localhost:9311/v1/secrets

Caused by¶

Expired signing cert on the Barbican server.

How to avoid¶

Check for an expired Keystone signing certificate on your Barbican server. Look at the expiration date in /tmp/barbican/cache/signing_cert.pem. If it is expired then follow these steps.

1. On your Keystone server, verify that signing_cert.pem has the same expiration date as the one on your Barbican machine. You can normally find signing_cert.pem on your Keystone server in /etc/keystone/ssl/certs.
2. If the cert matches then follow these steps to create a new one
   1. Delete it from both your Barbican and Keystone servers.
   2. Edit /etc/keystone/ssl/certs/index.txt.attr and set unique_subject to no.
   3. Run keystone-manage pki_setup to create a new signing_cert.pem
   4. The updated cert will be downloaded to your Barbican server the next time you hit the Barbican API.
3. If the cert doesn’t match then delete the signing_cert.pem from your Barbican server. Do not delete from Keystone. The cert from Keystone will be downloaded to your machine the next time you hit the Barbican API.

What you might see¶

curl -X POST \
-H "Content-type: application/json" -H "X-Auth-Token: $TOKEN" -d \
'{"payload": "my-secret-here", "payload_content_type": "text/plain"}' \
http://myhostname.com/v1/secrets

# Response:
{
  "secret_ref": "http://localhost:9311/v1/secrets/UUID_HERE"
}

Caused by¶

The default configuration on the response host name is not modified to the endpoint’s host name (typically the load balancer’s DNS name and port).

How to avoid¶

Change your barbican.conf file’s host_href setting from localhost:9311 to the correct host name (myhostname.com in the example above).

What you might see¶

clang: error: unknown argument: '-mno-fused-madd'

How to avoid¶

There is a great blog article that provides more details on the error and how to work around it. This link provides more details on the error and how to work around it.

What you might see¶

c/_cffi_backend.c:13:10: fatal error: 'ffi.h' file not found
...
ERROR: could not install deps [...]; v = InvocationError('...', 1)

How to avoid¶

Be sure that xcode and cmd line tools are up to date. Easiest way is to run xcode-select --install from an OS X command line. Be sure to say yes when asked if you want to install the command line tools. Now ls /usr/include/ffi/ffi.h should show that missing file exists, and the tox tests should run.

What you might see¶

ImportError: No module named _bsddb

How to avoid¶

Running tests via tox (which uses testr) will create a .testrepository directory containing, among other things, data files. Those datafiles may be created with bsddb, if it is available in the environment. This can cause problems if you run in an environment that does not have bsddb. To resolve this, delete your .testrepository directory and run tox again.

What you might see¶

...
spawned uWSGI master process (pid: 59190)
spawned uWSGI worker 1 (pid: 59191, cores: 1)
spawned uWSGI worker 1 (pid: 59192, cores: 1)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
WSGI app 0 (mountpoint='') ready in 0 seconds on interpreter \
    0x7fd098c08520 pid: 59191 (default app)
OOPS ! failed loading app in worker 1 (pid 59192) :( trying again...
Respawned uWSGI worker 1 (new pid: 59193)
Loading paste environment: config:/etc/barbican/barbican-api-paste.ini
OOPS ! failed loading app in worker 1 (pid 59193) :( trying again...
worker respawning too fast !!! i have to sleep a bit (2 seconds)...
...

Caused by¶

The vassal (worker) processes are not able to access the datastore.

How to avoid¶

Check the sql_connection in your barbican.conf file, to make sure that it references a valid reachable database.

What you might see¶

...
File ".../oslo_config/cfg.py", line 1275, in register_cli_opt
raise ArgsAlreadyParsedError("cannot register CLI option")
ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option

Caused by¶

An attempt to call the olso.config’s register_cli_opt() function after the configuration arguments were ‘parsed’ (see the comments and method in the oslo.config project’s cfg.py file for details.

How to avoid¶

Instead of calling import barbican.openstack.common.log as logging to get a logger, call from barbican.common import config with this to get a logger to use in your source file: LOG = config.getLogger(__name__).

What you might see¶

...
2013-04-14 14:17:56 [FALCON] [ERROR] POST \
/da71dfbc-a959-4ad3-bdab-5ee190ce7515/csrs? => Responder raised \
TypeError: 'NoneType' object has no attribute '__getitem__'

Caused by¶

Forgetting to set your non-nullable FKs in entities you create via XxxxResource classes.

How to avoid¶

Don’t forget to set any FKs defined on an entity prior to using the repository to create it.

What you might see¶

...
uwsgi socket 0 bound to TCP address :9311 fd 3
Python version: 2.7.3 (...)  [...]
Set PythonHome to ./.venv
ImportError: No module named site

Caused by¶

• Can’t locate the Python virtualenv for the Barbican project.
• Either the ‘broker’ setting above is incorrect, or else you haven’t started a queue process yet (such as RabbitMQ)

How to avoid¶

Make sure the uWSGI config file at etc/barbican/barbican-api-paste.ini is configured correctly (see installation steps above), esp. if the virtualenv folder is named differently than the .ini file has.

What you might see¶

{
    "title": "Malformed JSON"
}

Caused by¶

Barbican REST server cannot parse the incoming JSON message from your REST client.

How to avoid¶

Make sure you are submitting properly formed JSON. For example, are there commas after all but the last name/value pair in a list? Are there quotes around all name/values that are text-based? Are the types of values matching what is expected (i.e. integer and boolean types instead of quoted text)?

If you are using the Advanced REST Client with Chrome, and you tried to upload a file to the secrets PUT call, not only will this fail due to the multi-part format it uses, but it will also try to submit this file for every REST request you make thereafter, causing this error. Close the tab/window with the client, and restart it again.

What you might see¶

A stack trace that has this in it (for example):

CryptoMimeTypeNotSupportedException: Crypto Mime Type of 'text/plain' not \
supported

Caused by¶

The Barbican plugins are not installed into a place where the Python plugin manager can find them.

How to avoid¶

Make sure you run the pip install -e ..

What you might see¶

*** has_emperor mode detected (fd: 6) ***
...
!!! UNABLE to load uWSGI plugin: dlopen(./python_plugin.so, 10): image not \
found !!!
...
File "./site-packages/paste/deploy/loadwsgi.py", line 22, in import_string
  return pkg_resources.EntryPoint.parse("x=" + s).load(False)
File "./site-packages/distribute-0.6.35-py2.7.egg/pkg_resources.py", line \
2015, in load
  entry = __import__(self.module_name, globals(),globals(), ['__name__'])
ImportError: No module named barbican.api.app
...
*** Starting uWSGI 1.9.13 (64bit) on [Fri Jul  5 09:59:29 2013] ***

Caused by¶

The Barbican source modules are not found in the Python path of applications such as uwsgi.

How to avoid¶

Make sure you are running from your virtual env, and that pip was executed after you activated your virtual environment. This especially includes the pip install -e command. Also, it is possible that your virtual env gets corrupted, so you might need to rebuild it.

What you might see¶

...
File "./site-packages/sqlalchemy/engine/strategies.py", line 80, in connect
  return dialect.connect(*cargs, **cparams)
File "./site-packages/sqlalchemy/engine/default.py", line 283, in connect
  return self.dbapi.connect(*cargs, **cparams)
OperationalError: (OperationalError) unable to open database file None None
[emperor] removed uwsgi instance barbican-api.ini
...

Caused by¶

Destination folder for the sqlite database is not found, or is not writable.

How to avoid¶

Make sure the /var/lib/barbican/ folder exists and is writable by the user that is running the Barbican API process.

What you might see¶

...
2013-08-15 16:55:15.759 2445 DEBUG keystoneclient.middleware.auth_token \
[-] Token validation failure. _validate_user_token \
./site-packages/keystoneclient/middleware/auth_token.py:711
...
2013-08-15 16:55:15.759 2445 TRACE keystoneclient.middleware.auth_token \
raise ValueError("No JSON object could be decoded")
2013-08-15 16:55:15.759 24458 TRACE keystoneclient.middleware.auth_token \
ValueError: No JSON object could be decoded
...
2013-08-15 16:55:15.766 2445 WARNING keystoneclient.middleware.auth_token \
[-] Authorization failed for token ...
2013-08-15 16:55:15.766 2445 INFO keystoneclient.middleware.auth_token \
[-] Invalid user token - rejecting request...

Caused by¶

The keystoneclient middleware component is looking for a cms command in openssl that wasn’t available before version 1.0.1.

How to avoid¶

Update openssl.

What you might see¶

Secret retrieval issue seen - accept-encoding of 'gzip,deflate,sdch' not \
supported

Caused by¶

This might be an issue with the browser you are using, as performing the request via curl doesn’t seem to be affected.

How to avoid¶

Other than using an command such as curl to make the REST request you may not have many other options.