Merge "Revert "Drop keystone dedicated ports""
commit
3e0960d78f
@ -137,7 +137,7 @@ OS\_AUTH\_URL
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
OS_AUTH_URL=http://$SERVICE_HOST/identity/v3.0
|
OS_AUTH_URL=http://$SERVICE_HOST:5000/v3.0
|
||||||
|
|
||||||
KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG
|
KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG
|
||||||
Set command-line client log level to ``DEBUG``. These are commented
|
Set command-line client log level to ``DEBUG``. These are commented
|
||||||
@ -685,6 +685,16 @@ KEYSTONE_REGION_NAME to specify the region of Keystone service.
|
|||||||
KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
|
KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
|
||||||
it in the configuration of RegionOne.
|
it in the configuration of RegionOne.
|
||||||
|
|
||||||
|
Disabling Identity API v2
|
||||||
|
+++++++++++++++++++++++++
|
||||||
|
|
||||||
|
The Identity API v2 is deprecated as of Mitaka and it is recommended to only
|
||||||
|
use the v3 API. It is possible to setup keystone without v2 API, by doing:
|
||||||
|
|
||||||
|
::
|
||||||
|
|
||||||
|
ENABLE_IDENTITY_V2=False
|
||||||
|
|
||||||
.. _arch-configuration:
|
.. _arch-configuration:
|
||||||
|
|
||||||
Architectures
|
Architectures
|
||||||
|
@ -1,9 +1,39 @@
|
|||||||
|
Listen %PUBLICPORT%
|
||||||
|
Listen %ADMINPORT%
|
||||||
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
|
||||||
|
|
||||||
<Directory %KEYSTONE_BIN%>
|
<Directory %KEYSTONE_BIN%>
|
||||||
Require all granted
|
Require all granted
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<VirtualHost *:%PUBLICPORT%>
|
||||||
|
WSGIDaemonProcess keystone-public processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
|
||||||
|
WSGIProcessGroup keystone-public
|
||||||
|
WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
ErrorLogFormat "%M"
|
||||||
|
ErrorLog /var/log/%APACHE_NAME%/keystone.log
|
||||||
|
CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
|
||||||
|
%SSLENGINE%
|
||||||
|
%SSLCERTFILE%
|
||||||
|
%SSLKEYFILE%
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<VirtualHost *:%ADMINPORT%>
|
||||||
|
WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
|
||||||
|
WSGIProcessGroup keystone-admin
|
||||||
|
WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
|
||||||
|
WSGIApplicationGroup %{GLOBAL}
|
||||||
|
WSGIPassAuthorization On
|
||||||
|
ErrorLogFormat "%M"
|
||||||
|
ErrorLog /var/log/%APACHE_NAME%/keystone.log
|
||||||
|
CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
|
||||||
|
%SSLENGINE%
|
||||||
|
%SSLCERTFILE%
|
||||||
|
%SSLKEYFILE%
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
%SSLLISTEN%<VirtualHost *:443>
|
%SSLLISTEN%<VirtualHost *:443>
|
||||||
%SSLLISTEN% %SSLENGINE%
|
%SSLLISTEN% %SSLENGINE%
|
||||||
%SSLLISTEN% %SSLCERTFILE%
|
%SSLLISTEN% %SSLCERTFILE%
|
||||||
|
59
lib/keystone
59
lib/keystone
@ -83,10 +83,14 @@ KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:
|
|||||||
|
|
||||||
# Set Keystone interface configuration
|
# Set Keystone interface configuration
|
||||||
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
||||||
|
KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
|
||||||
|
KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
|
||||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||||
|
|
||||||
# Public facing bits
|
# Public facing bits
|
||||||
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
|
KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
|
||||||
|
KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
|
||||||
|
KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
|
||||||
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||||
|
|
||||||
# Bind hosts
|
# Bind hosts
|
||||||
@ -166,14 +170,22 @@ function _config_keystone_apache_wsgi {
|
|||||||
local keystone_ssl=""
|
local keystone_ssl=""
|
||||||
local keystone_certfile=""
|
local keystone_certfile=""
|
||||||
local keystone_keyfile=""
|
local keystone_keyfile=""
|
||||||
|
local keystone_service_port=$KEYSTONE_SERVICE_PORT
|
||||||
|
local keystone_auth_port=$KEYSTONE_AUTH_PORT
|
||||||
local venv_path=""
|
local venv_path=""
|
||||||
|
|
||||||
|
if is_service_enabled tls-proxy; then
|
||||||
|
keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
|
||||||
|
keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
|
||||||
|
fi
|
||||||
if [[ ${USE_VENV} = True ]]; then
|
if [[ ${USE_VENV} = True ]]; then
|
||||||
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
|
venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
|
sudo cp $FILES/apache-keystone.template $keystone_apache_conf
|
||||||
sudo sed -e "
|
sudo sed -e "
|
||||||
|
s|%PUBLICPORT%|$keystone_service_port|g;
|
||||||
|
s|%ADMINPORT%|$keystone_auth_port|g;
|
||||||
s|%APACHE_NAME%|$APACHE_NAME|g;
|
s|%APACHE_NAME%|$APACHE_NAME|g;
|
||||||
s|%SSLLISTEN%|$keystone_ssl_listen|g;
|
s|%SSLLISTEN%|$keystone_ssl_listen|g;
|
||||||
s|%SSLENGINE%|$keystone_ssl|g;
|
s|%SSLENGINE%|$keystone_ssl|g;
|
||||||
@ -210,8 +222,21 @@ function configure_keystone {
|
|||||||
|
|
||||||
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
|
iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
|
||||||
|
|
||||||
|
local service_port=$KEYSTONE_SERVICE_PORT
|
||||||
|
local auth_port=$KEYSTONE_AUTH_PORT
|
||||||
|
|
||||||
|
if is_service_enabled tls-proxy; then
|
||||||
|
# Set the service ports for a proxy to take the originals
|
||||||
|
service_port=$KEYSTONE_SERVICE_PORT_INT
|
||||||
|
auth_port=$KEYSTONE_AUTH_PORT_INT
|
||||||
|
fi
|
||||||
|
|
||||||
# Override the endpoints advertised by keystone (the public_endpoint and
|
# Override the endpoints advertised by keystone (the public_endpoint and
|
||||||
# admin_endpoint) so that clients use the correct endpoint.
|
# admin_endpoint) so that clients use the correct endpoint. By default, the
|
||||||
|
# keystone server uses the public_port and admin_port which isn't going to
|
||||||
|
# work when you want to use a different port (in the case of proxy), or you
|
||||||
|
# don't want the port (in the case of putting keystone on a path in
|
||||||
|
# apache).
|
||||||
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
|
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
|
||||||
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
||||||
|
|
||||||
@ -245,6 +270,12 @@ function configure_keystone {
|
|||||||
|
|
||||||
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
|
iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
|
||||||
|
|
||||||
|
# Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
|
||||||
|
# The users from this project are globally admin as before, but it also
|
||||||
|
# allows policy changes in order to clarify the adminess scope.
|
||||||
|
#iniset $KEYSTONE_CONF resource admin_project_domain_name Default
|
||||||
|
#iniset $KEYSTONE_CONF resource admin_project_name admin
|
||||||
|
|
||||||
if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
|
if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
|
||||||
iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
|
iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
|
||||||
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
|
||||||
@ -479,6 +510,14 @@ function install_keystone {
|
|||||||
|
|
||||||
# start_keystone() - Start running processes
|
# start_keystone() - Start running processes
|
||||||
function start_keystone {
|
function start_keystone {
|
||||||
|
# Get right service port for testing
|
||||||
|
local service_port=$KEYSTONE_SERVICE_PORT
|
||||||
|
local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
|
||||||
|
if is_service_enabled tls-proxy; then
|
||||||
|
service_port=$KEYSTONE_SERVICE_PORT_INT
|
||||||
|
auth_protocol="http"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
||||||
enable_apache_site keystone
|
enable_apache_site keystone
|
||||||
restart_apache_server
|
restart_apache_server
|
||||||
@ -487,13 +526,23 @@ function start_keystone {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Waiting for keystone to start..."
|
echo "Waiting for keystone to start..."
|
||||||
# Check that the keystone service is running.
|
# Check that the keystone service is running. Even if the tls tunnel
|
||||||
|
# should be enabled, make sure the internal port is checked using
|
||||||
|
# unencryted traffic at this point.
|
||||||
|
# If running in Apache, use the path rather than port.
|
||||||
|
|
||||||
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
|
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
|
||||||
|
|
||||||
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
|
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
|
||||||
die $LINENO "keystone did not start"
|
die $LINENO "keystone did not start"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Start proxies if enabled
|
||||||
|
if is_service_enabled tls-proxy; then
|
||||||
|
start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
|
||||||
|
start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
|
||||||
|
fi
|
||||||
|
|
||||||
# (re)start memcached to make sure we have a clean memcache.
|
# (re)start memcached to make sure we have a clean memcache.
|
||||||
restart_service memcached
|
restart_service memcached
|
||||||
}
|
}
|
||||||
@ -512,9 +561,11 @@ function stop_keystone {
|
|||||||
# This function uses the following GLOBAL variables:
|
# This function uses the following GLOBAL variables:
|
||||||
# - ``KEYSTONE_BIN_DIR``
|
# - ``KEYSTONE_BIN_DIR``
|
||||||
# - ``ADMIN_PASSWORD``
|
# - ``ADMIN_PASSWORD``
|
||||||
# - ``KEYSTONE_AUTH_URI``
|
# - ``IDENTITY_API_VERSION``
|
||||||
# - ``REGION_NAME``
|
# - ``REGION_NAME``
|
||||||
# - ``KEYSTONE_SERVICE_URI``
|
# - ``KEYSTONE_SERVICE_PROTOCOL``
|
||||||
|
# - ``KEYSTONE_SERVICE_HOST``
|
||||||
|
# - ``KEYSTONE_SERVICE_PORT``
|
||||||
function bootstrap_keystone {
|
function bootstrap_keystone {
|
||||||
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
|
$KEYSTONE_BIN_DIR/keystone-manage bootstrap \
|
||||||
--bootstrap-username admin \
|
--bootstrap-username admin \
|
||||||
|
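Review bot: In start_keystone the restored `local service_port` (re-assigned to `$KEYSTONE_SERVICE_PORT_INT` under tls-proxy) is never consumed by the readiness check, because `service_uri` is built as `$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/` with no port, so only `auth_protocol` changes what is probed. Unless `service_port` is referenced in the two lines between the two start_keystone hunks that this page does not show, it is a dead local and should be dropped, or the comment above `service_uri` should state that the path-based URI is probed regardless of the proxy port. That comment also has a typo; it should read `# unencrypted traffic at this point.`. The configure_keystone hunk restores `local service_port`/`local auth_port` the same way while the two `iniset` calls right after them use `$KEYSTONE_SERVICE_URI`/`$KEYSTONE_AUTH_URI`; configure_keystone continues outside the hunk, so confirm those locals are actually used further down before keeping them.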
2
openrc
2
openrc
@ -86,7 +86,7 @@ export OS_AUTH_TYPE=password
|
|||||||
#
|
#
|
||||||
|
|
||||||
# If you don't have a working .stackenv, this is the backup position
|
# If you don't have a working .stackenv, this is the backup position
|
||||||
KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST/identity
|
KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000
|
||||||
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP}
|
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP}
|
||||||
|
|
||||||
export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI}
|
export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI}
|
||||||
|
@ -152,7 +152,7 @@ if [ -z "$OS_USERNAME" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$OS_AUTH_URL" ]; then
|
if [ -z "$OS_AUTH_URL" ]; then
|
||||||
export OS_AUTH_URL=http://localhost/identity/v3/
|
export OS_AUTH_URL=http://localhost:5000/v3/
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then
|
if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then
|
||||||
|
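Review bot: The restored fallback `export OS_AUTH_URL=http://localhost:5000/v3/` hardcodes the scheme, while `KEYSTONE_BACKUP` in the first hunk is built from `$SERVICE_PROTOCOL`, so with a TLS proxy in front of port 5000 the two defaults disagree and the fallback points a client at plain HTTP on a TLS port. If the fallback is meant to be reachable, `export OS_AUTH_URL=${SERVICE_PROTOCOL:-http}://localhost:5000/v3/` keeps it consistent with the earlier default. Since `OS_AUTH_URL` is already defaulted from `KEYSTONE_SERVICE_URI` in the first hunk, the `if [ -z "$OS_AUTH_URL" ]` branch appears reachable only when that value is empty; if that is intentional, a one-line comment saying so would help the next reader.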
@ -26,6 +26,39 @@ if [[ -z "$TOP_DIR" ]]; then
|
|||||||
FILES=$TOP_DIR/files
|
FILES=$TOP_DIR/files
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Keystone Port Reservation
|
||||||
|
# -------------------------
|
||||||
|
# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from
|
||||||
|
# being used as ephemeral ports by the system. The default(s) are 35357 and
|
||||||
|
# 35358 which are in the Linux defined ephemeral port range (in disagreement
|
||||||
|
# with the IANA ephemeral port range). This is a workaround for bug #1253482
|
||||||
|
# where Keystone will try and bind to the port and the port will already be
|
||||||
|
# in use as an ephemeral port by another process. This places an explicit
|
||||||
|
# exception into the Kernel for the Keystone AUTH ports.
|
||||||
|
function fixup_keystone {
|
||||||
|
keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
|
||||||
|
|
||||||
|
# Only do the reserved ports when available, on some system (like containers)
|
||||||
|
# where it's not exposed we are almost pretty sure these ports would be
|
||||||
|
# exclusive for our DevStack.
|
||||||
|
if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then
|
||||||
|
# Get any currently reserved ports, strip off leading whitespace
|
||||||
|
reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
|
||||||
|
|
||||||
|
if [[ -z "${reserved_ports}" ]]; then
|
||||||
|
# If there are no currently reserved ports, reserve the keystone ports
|
||||||
|
sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
|
||||||
|
else
|
||||||
|
# If there are currently reserved ports, keep those and also reserve the
|
||||||
|
# Keystone specific ports. Duplicate reservations are merged into a single
|
||||||
|
# reservation (or range) automatically by the kernel.
|
||||||
|
sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo_summary "WARNING: unable to reserve keystone ports"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Ubuntu Repositories
|
# Ubuntu Repositories
|
||||||
#--------------------
|
#--------------------
|
||||||
# Enable universe for bionic since it is missing when installing from ISO.
|
# Enable universe for bionic since it is missing when installing from ISO.
|
||||||
@ -175,6 +208,7 @@ function fixup_suse {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function fixup_all {
|
function fixup_all {
|
||||||
|
fixup_keystone
|
||||||
fixup_ubuntu
|
fixup_ubuntu
|
||||||
fixup_fedora
|
fixup_fedora
|
||||||
fixup_suse
|
fixup_suse
|
||||||
|
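Review bot: `fixup_keystone` assigns `keystone_ports` and `reserved_ports` without `local`, so both leak into the caller's scope once `fixup_all` runs; declare them as `local keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}` and `local reserved_ports` with the `reserved_ports=$(sysctl ...)` assignment on its own line so the pipeline's exit status is not masked by `local`. The two `sudo sysctl -w net.ipv4.ip_local_reserved_ports=...` arguments are unquoted; the values are comma-separated port lists without whitespace, so this works today, but quoting the whole `key=value` argument costs nothing. The read-only `sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1` probe only proves the key is readable, not that the later `sudo sysctl -w` will succeed, so a denied write is silently ignored unless the caller runs under `set -e`, which I cannot see from here; an explicit `|| echo_summary "WARNING: ..."` on the write would make that failure visible. fixup_all continues outside the last hunk.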