From 6c57fbab26e40af5c5b19b46fb3da39341f34dab Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 20 Nov 2013 17:00:21 -0800 Subject: [PATCH] Set keystone admin_bind_host to KEYSTONE_SERVICE_HOST On Linux ports 32768-61000 can be used by just about anything needing a socket. Keystone's IANA assigned port is 35357. Occasionally something else will be using port 35357 first because Linux allows this. Workaround is to bind to port 127.0.0.1 instead of 0.0.0.0. $KEYSTONE_SERVICE_HOST gets its value from $SERVICE_HOST which is set to 127.0.0.1 in the gate. "Ephemeral (client) ports will *never* be sourced from 0.0.0.0, and are uniquely identified by the full connection five-tuple (proto, src IP, src port, dst IP, dst port) anyway, allowing them to overlap src IP/src port as long as proto/dst IP/dst port are different. Thus it is up to keystone/devstack to bind more appropriately and not use wildcard bind addresses unless explicitly necessary for some reason. For example, in the log output, the URLs are configured with dst IPs of 127.0.0.1 anyway, so binding explicitly to localhost would change nothing, while skirting this particular edge case nicely." ~Evan Callicoat This doesn't fix bug 1253482 it works around it while a better solution is prepared (running keystone behind apache in devstack). Co-Authored-By: Joe Gordon Change-Id: I112309661dadf8b753c3311182f82464d9d3595e Related-bug: #1253482 --- lib/keystone | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/keystone b/lib/keystone index 0850fb219e..4f7f68b57f 100644 --- a/lib/keystone +++ b/lib/keystone @@ -178,6 +178,7 @@ function configure_keystone() { # Set the URL advertised in the ``versions`` structure returned by the '/' route iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/" iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/" + iniset $KEYSTONE_CONF DEFAULT admin_bind_host "$KEYSTONE_SERVICE_HOST" # Register SSL certificates if provided if is_ssl_enabled_service key; then