Revert "Drop keystone dedicated ports"

This reverts commit f6286cb586. This patch is blocking glance as it needs mod_wsgi to perform new import workflow. Change-Id: I4475247dfe986114d37678b3d3d552c0c7d02ddc
2020-07-06 18:42:30 +00:00 · 2020-07-06 18:42:30 +00:00 · f8dbfd394a
parent 105b2f4ee5
commit f8dbfd394a
6 changed files with 132 additions and 7 deletions
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@ -137,7 +137,7 @@ OS\_AUTH\_URL

    ::

-        OS_AUTH_URL=http://$SERVICE_HOST/identity/v3.0
+        OS_AUTH_URL=http://$SERVICE_HOST:5000/v3.0

 KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG
    Set command-line client log level to ``DEBUG``. These are commented
@ -685,6 +685,16 @@ KEYSTONE_REGION_NAME to specify the region of Keystone service.
 KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
 it in the configuration of RegionOne.

+Disabling Identity API v2
+++++++++++++++++++++++++
+
+The Identity API v2 is deprecated as of Mitaka and it is recommended to only
+use the v3 API. It is possible to setup keystone without v2 API, by doing:
+
+::
+
+    ENABLE_IDENTITY_V2=False
+
 .. _arch-configuration:

 Architectures
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@ -1,9 +1,39 @@
+Listen %PUBLICPORT%
+Listen %ADMINPORT%
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined

 <Directory %KEYSTONE_BIN%>
    Require all granted
 </Directory>

+<VirtualHost *:%PUBLICPORT%>
+    WSGIDaemonProcess keystone-public processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
+    WSGIProcessGroup keystone-public
+    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    ErrorLogFormat "%M"
+    ErrorLog /var/log/%APACHE_NAME%/keystone.log
+    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
+    %SSLENGINE%
+    %SSLCERTFILE%
+    %SSLKEYFILE%
+</VirtualHost>
+
+<VirtualHost *:%ADMINPORT%>
+    WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
+    WSGIProcessGroup keystone-admin
+    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    ErrorLogFormat "%M"
+    ErrorLog /var/log/%APACHE_NAME%/keystone.log
+    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
+    %SSLENGINE%
+    %SSLCERTFILE%
+    %SSLKEYFILE%
+</VirtualHost>
+
 %SSLLISTEN%<VirtualHost *:443>
 %SSLLISTEN%    %SSLENGINE%
 %SSLLISTEN%    %SSLCERTFILE%
--- a/lib/keystone
+++ b/lib/keystone
@ -83,10 +83,14 @@ KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:

 # Set Keystone interface configuration
 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
+KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
+KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
 KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}

 # Public facing bits
 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
+KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
+KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
 KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}

 # Bind hosts
@ -166,14 +170,22 @@ function _config_keystone_apache_wsgi {
    local keystone_ssl=""
    local keystone_certfile=""
    local keystone_keyfile=""
+    local keystone_service_port=$KEYSTONE_SERVICE_PORT
+    local keystone_auth_port=$KEYSTONE_AUTH_PORT
    local venv_path=""

+    if is_service_enabled tls-proxy; then
+        keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
+        keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
+    fi
    if [[ ${USE_VENV} = True ]]; then
        venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
    fi

    sudo cp $FILES/apache-keystone.template $keystone_apache_conf
    sudo sed -e "
+        s|%PUBLICPORT%|$keystone_service_port|g;
+        s|%ADMINPORT%|$keystone_auth_port|g;
        s|%APACHE_NAME%|$APACHE_NAME|g;
        s|%SSLLISTEN%|$keystone_ssl_listen|g;
        s|%SSLENGINE%|$keystone_ssl|g;
@ -210,8 +222,21 @@ function configure_keystone {

    iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications

+    local service_port=$KEYSTONE_SERVICE_PORT
+    local auth_port=$KEYSTONE_AUTH_PORT
+
+    if is_service_enabled tls-proxy; then
+        # Set the service ports for a proxy to take the originals
+        service_port=$KEYSTONE_SERVICE_PORT_INT
+        auth_port=$KEYSTONE_AUTH_PORT_INT
+    fi
+
    # Override the endpoints advertised by keystone (the public_endpoint and
-    # admin_endpoint) so that clients use the correct endpoint.
+    # admin_endpoint) so that clients use the correct endpoint. By default, the
+    # keystone server uses the public_port and admin_port which isn't going to
+    # work when you want to use a different port (in the case of proxy), or you
+    # don't want the port (in the case of putting keystone on a path in
+    # apache).
    iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
    iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI

@ -245,6 +270,12 @@ function configure_keystone {

    iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"

+    # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
+    # The users from this project are globally admin as before, but it also
+    # allows policy changes in order to clarify the adminess scope.
+    #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
+    #iniset $KEYSTONE_CONF resource admin_project_name admin
+
    if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
        iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
        iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
@ -479,6 +510,14 @@ function install_keystone {

 # start_keystone() - Start running processes
 function start_keystone {
+    # Get right service port for testing
+    local service_port=$KEYSTONE_SERVICE_PORT
+    local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
+    if is_service_enabled tls-proxy; then
+        service_port=$KEYSTONE_SERVICE_PORT_INT
+        auth_protocol="http"
+    fi
+
    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
        enable_apache_site keystone
        restart_apache_server
@ -487,13 +526,23 @@ function start_keystone {
    fi

    echo "Waiting for keystone to start..."
-    # Check that the keystone service is running.
+    # Check that the keystone service is running. Even if the tls tunnel
+    # should be enabled, make sure the internal port is checked using
+    # unencryted traffic at this point.
+    # If running in Apache, use the path rather than port.
+
    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/

    if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
        die $LINENO "keystone did not start"
    fi

+    # Start proxies if enabled
+    if is_service_enabled tls-proxy; then
+        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
+    fi
+
    # (re)start memcached to make sure we have a clean memcache.
    restart_service memcached
 }
@ -512,9 +561,11 @@ function stop_keystone {
 # This function uses the following GLOBAL variables:
 # - ``KEYSTONE_BIN_DIR``
 # - ``ADMIN_PASSWORD``
-# - ``KEYSTONE_AUTH_URI``
+# - ``IDENTITY_API_VERSION``
 # - ``REGION_NAME``
-# - ``KEYSTONE_SERVICE_URI``
+# - ``KEYSTONE_SERVICE_PROTOCOL``
+# - ``KEYSTONE_SERVICE_HOST``
+# - ``KEYSTONE_SERVICE_PORT``
 function bootstrap_keystone {
    $KEYSTONE_BIN_DIR/keystone-manage bootstrap \
        --bootstrap-username admin \
--- a/2
+++ b/2
@ -86,7 +86,7 @@ export OS_AUTH_TYPE=password
 #

 # If you don't have a working .stackenv, this is the backup position
-KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST/identity
+KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000
 KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP}

 export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI}
--- a/tools/create_userrc.sh
+++ b/tools/create_userrc.sh
@ -152,7 +152,7 @@ if [ -z "$OS_USERNAME" ]; then
 fi

 if [ -z "$OS_AUTH_URL" ]; then
-    export OS_AUTH_URL=http://localhost/identity/v3/
+    export OS_AUTH_URL=http://localhost:5000/v3/
 fi

 if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@ -26,6 +26,39 @@ if [[ -z "$TOP_DIR" ]]; then
    FILES=$TOP_DIR/files
 fi

+# Keystone Port Reservation
+# -------------------------
+# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from
+# being used as ephemeral ports by the system. The default(s) are 35357 and
+# 35358 which are in the Linux defined ephemeral port range (in disagreement
+# with the IANA ephemeral port range). This is a workaround for bug #1253482
+# where Keystone will try and bind to the port and the port will already be
+# in use as an ephemeral port by another process. This places an explicit
+# exception into the Kernel for the Keystone AUTH ports.
+function fixup_keystone {
+    keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
+
+    # Only do the reserved ports when available, on some system (like containers)
+    # where it's not exposed we are almost pretty sure these ports would be
+    # exclusive for our DevStack.
+    if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then
+        # Get any currently reserved ports, strip off leading whitespace
+        reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
+
+        if [[ -z "${reserved_ports}" ]]; then
+            # If there are no currently reserved ports, reserve the keystone ports
+            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
+        else
+            # If there are currently reserved ports, keep those and also reserve the
+            # Keystone specific ports. Duplicate reservations are merged into a single
+            # reservation (or range) automatically by the kernel.
+            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
+        fi
+    else
+        echo_summary "WARNING: unable to reserve keystone ports"
+    fi
+}
+
 # Ubuntu Repositories
 #--------------------
 # Enable universe for bionic since it is missing when installing from ISO.
@ -175,6 +208,7 @@ function fixup_suse {
 }

 function fixup_all {
+    fixup_keystone
    fixup_ubuntu
    fixup_fedora
    fixup_suse