No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

FusionCloud 6.3.1.1 Troubleshooting Guide 03

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Nodes Management Failure Due to IAM-Proxy Exceptions

Nodes Management Failure Due to IAM-Proxy Exceptions

Symptom

The following error information is displayed on the page during node management:

Failed to decode private key: error getting aeskey when trying to decode private key:error statusCode from PaaS-PSM:401, error message is:Get token from IAMProxy error:http post failed, statuscode: 500

Perform the following steps to view the IAM-Proxy service logs:

  1. Use PuTTY to log in to the om_paas_vip node.

    The default username is paas, and the default password is QAZ2wsx@123!.

  2. Run the following command to view the pod name of IAM-Proxy:

    kubectl get po -nmanage|grep iam-proxy

    The first column in the preceding figure indicates the pod name.

  3. Run the following command to query the IP address of any IAM-Proxy node:

    kubectl describe pod {Pod name} -nmanage | grep Node

  4. Run the following commands to log in to the node with the queried IP address in SSH mode and go to the /var/paas/sys/log/iam-proxy/ directory:

    ssh IP address of the node

    cd /var/paas/sys/log/iam-proxy/

  5. Run the following command to view the iam-proxy.log file:

    vi iam-proxy.log

    The following error information is displayed:

    You are not authorized to perform the requested action: identity:get_sk", "code":403, "title":"Forbidden"

Possible Causes

When IAM-Proxy invokes IAM to obtain the SK using the AK, the token of paasadmin transferred in the request header expires.

Troubleshooting Method

  1. Log in to the OM-Core01 node using the VIP as the paas user.
  2. Run the following command to obtain the pods where IAM-Proxy resides in the tenant management zone:

    kubectl get pod -n manage | grep iam-proxy

    The following output is displayed:

    iam-proxy-1172747584-wd06h                 1/1       Running             19         1h
    iam-proxy-1172747584-xgs41                 1/1       Running             19         1h

    In the preceding command output, iam-proxy-1172747584-wd06h is the first pod name, and iam-proxy-1172747584-xgs41 is the second pod name.

  3. Run the following commands to delete the IAM-Proxy pods:

    kubectl delete {First pod name} -n manage

    kubectl delete {Second pod name} -n manage

    Wait for about 5 minutes until the two pods are restarted.

  4. Run the following command to check whether the IAM-Proxy pods are started and in Running state:

    kubectl get pod -n manage | grep iam-proxy

    iam-proxy-1172747584-wd06h                 1/1       Running             19         1h
    iam-proxy-1172747584-xgs41                 1/1       Running             19         1h

    In the preceding command output, the third column indicates the pods status. If the status changes to Running, the pods are started.

  5. Perform the node management operation again.

    If the node is successfully managed, the fault is rectified.

Translation
Download
Updated: 2019-08-16

Document ID: EDOC1100063248

Views: 25109

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next