We currently clean up keystone apache config during stop_keystone
when mod wsgi is enabled, but only create it during initial keystone
configuration. Grenade expects to be able to stop and start the
service without reconfiguring it, using only the respective functions.
This moves cleanup of config from stop_keystone to cleanup_keystone,
and enables/disables the apache vhost during start/stop.
Closes-bug: #1365105
Change-Id: I9e57c9a763fbdb8c5737decfe797ba0e9894150b
run_process will use screen if USE_SCREEN=True (the default),
otherwise it will simply start the requested service. Therefore
wherever screen_it was used, run_process can be used instead.
Where stop_screen was found it has been replaced with stop_process.
A tail_log function has been added which will tail a logfile in a
screen if USE_SCREEN is True.
lib/template has been updated to reflect the use of the new
functions.
When using sg the quoting in run_process gets very complicated.
To get around this, run_process and the functions it calls accept
an optional third argument. If set it is a group to be used with sg.
Change-Id: Ia3843818014f7c6c7526ef3aa9676bbddb8a85ca
An error occurs because ANOTHER_ROLE variable in lib/swift is not set.
This patch gets and sets the value of the another_role variable.
Change-Id: I9d67ce243eb6bb42ed7e3522ef816295847d48fa
Closes-Bug: #1363884
This change uses mod_version (shipped by default on everything we care
about) to set up version-specific config within apache rather than
within devstack scripts.
Clean up the horizon and keystone config file generation to use the
internal apache matching.
Since I6478db385fda2fa1c75ced12d3e886b2e1152852 the apache matching in
'functions' is actually duplicated. Just leave get_apache_version in
lib/apache as it is used for config-file name matching in there.
Change-Id: I6478db385fda2fa1c75ced12d3e886b2e1152852
When Keystone was run in Apache Httpd the access log wasn't in a
screen. A new screen called key-access is now started with
Keystone's access log.
Change-Id: Ie1f4d4b679e1b9c87f0cea37deb25f7b6636fe01
Closes-Bug: #1359995
Keystone has moved over to using a new location for the token
persistence backends (drivers). The old values will continue to
work, but this will limit the deprecation warnings for an out
of the box devstack install.
Change-Id: I7c437788c8aee0106fa7f3c37617fbd1220291ef
bp: non-persistent-tokens
Use the new ErrorLogFormat directive to make the Keystone logs
under Apache look like the standard oslo log format.
Change-Id: Ie823abf2fa06b8ce22027c21bef455808a4a768e
The normal extension for log files is .log. Log rotation should
work because the extension is as expected.
Change-Id: Ia5e42ea9d953e8395b86ab58cdef6c2d852efc94
Related-Bug: #1359995
Rabbitmq credentials in keystone.conf should be updated according
to localrc.
This is done mostly to enable keystone notifications.
There are 2 cases where we can use notifications from keystone:
A) Collect audit notifications in ceilometer
B) Collect profiling data
Change-Id: I381d4d670755aa691743caa02df7dc55e05784c2
Make the default run mode of Keystone HTTPD + mod_wsgi. This will
enable gating on Keystone under mod_wsgi.
Depends On: https://review.openstack.org/#/c/100764/
Change-Id: I4b664a1d6c9bbb1ff999158f3a8c8ab3bd8d891b
Added a global toggle for enabling HTTPD + mod_wsgi for services
that default deploy to running under Apache. When the variable
``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``True`` any service
that recommends deploying under HTTPD + mod_wsgi, will be run
under Apache.
If ``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``False`` then
any service that is defaulted to running under HTTPD + mod_wsgi
will (if capable) be run in an alternate deployment strategy (e.g.
eventlet).
Updated Swift and Keystone to have individual toggles for deploying
under HTTPD + mod_wsgi. This is done to allow the gate to run on
the services under mod_wsgi where appropriate. Toggles are
``KEYSTONE_USE_MOD_WSGI`` and ``SWIFT_USE_MOD_WSGI`` and are both
defaulted to "False" (do not deploy under HTTPD + mod_wsgi).
Change-Id: Id3b121b8f1cde369d184b586e0d875bdbda34813
Add the keystonemiddleware repository to devstack to support testing
with tempest and stable branches.
Change-Id: Ib635465e6568d9cd51d6e432ec8b8633a27d19ce
The check to $service_port must be done using http. It's
$KEYSTONE_SERVICE_PORT that may use either the http or https protocol.
partial blueprint devstack-https
Change-Id: I8ae081e9710c54396b765210336a7de331947086
Devstack was setting its own default for Keystone's token format, so
when Keystone's default token format changed then devstack needed to
be updated. With this change, devstack will only override Keystone's
token format if KEYSTONE_TOKEN_FORMAT is set explicitly. PKI setup
is assumed to be needed unless the KEYSTONE_TOKEN_FORMAT is set to
UUID.
Change-Id: Idfa78e93abd80273dadcf37007a024bb6a783a48
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc. individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
The identity_uri option was released in keystoneclient 0.8.0.
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
Ensure that apache2ctl is only called if apache2 is being used when
setting up Keystone. This patch corrects a case where apache2ctl
is being called at the time lib/keystone is being sourced. This
error breaks attempts to deploy Keystone under apache unless
apache is already installed at the time stack.sh is run.
Change-Id: I02d426438fa1246effd68c6bb3c3358910ed4c05
Keystone added support for a compressed token provider, PKIZ. This
change adds support to devstack. Set the KEYSTONE_TOKEN_FORMAT
option to "PKIZ" to configure Keystone to use it.
Change-Id: I123eef661c85cc805e950f1179b48e885078d40f
On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
files are 000-default.conf and default-ssl.conf.
On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
/etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
sites' files are default and default-ssl.
On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
On RHEL and CentOS, things should hopefully work as in Fedora.
This change puts all distribution-related site configuration file name differences in lib/apache and
the other services get the file name for their sites using the new exported function
apache_site_config_for <sitename>.
It also makes Fedora disabled sites use the .conf.disabled suffix instead of removing the .conf from
the file name.
The table below summarizes what should happen on each distribution:
+----------------------+--------------------+--------------------------+--------------------------+
| Distribution         | File name          | Site enabling command    | Site disabling command   |
+----------------------+--------------------+--------------------------+--------------------------+
| Ubuntu 12.04         | site               | a2ensite site            | a2dissite site           |
| Ubuntu 14.04         | site.conf          | a2ensite site            | a2dissite site           |
| Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
+----------------------+--------------------+--------------------------+--------------------------+
Change-Id: Ia2ba3cb7caccb6e9b65380f9d51d9d21180b894e
Closes-bug: #1313765
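As an added example (not devstack's own lib/apache code) of the naming rules in the table above, and of enabling/disabling a vhost on start/stop as the first change on this page describes, the following shell functions compute the site file path and the enable/disable action per distribution. Assumptions: the distribution identifier is passed explicitly as a second argument (devstack detects it itself), APACHE_ROOT is an optional path prefix so the Fedora rename can be exercised in a scratch directory, and the *_cmd helpers print the command they would run rather than running it.

```shell
# Added example, not devstack's own code: per-distribution Apache site file
# naming and enable/disable rules, so a service only ever asks for its site
# by bare name and never has to know about the distribution.
#
# Assumed: distro passed explicitly; APACHE_ROOT is an optional prefix that
# lets the rename logic run against a scratch tree instead of the real /etc.
: "${APACHE_ROOT:=}"

# Distributions that ship Apache as "httpd" with conf.d drop-in files.
is_fedora_family() {
    case "$1" in
        fedora|rhel|centos) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the full path of the site config file for <sitename> on <distro>.
# Mirrors the exported apache_site_config_for <sitename> helper from the
# commit message; the distro argument is an addition for testability.
apache_site_config_for() {
    local site=${1%.conf} distro=$2
    case "$distro" in
        ubuntu-12.04) echo "${APACHE_ROOT}/etc/apache2/sites-available/${site}" ;;
        ubuntu-14.04) echo "${APACHE_ROOT}/etc/apache2/sites-available/${site}.conf" ;;
        fedora|rhel|centos) echo "${APACHE_ROOT}/etc/httpd/conf.d/${site}.conf.disabled" ;;
        *) echo "apache_site_config_for: unsupported distro '${distro}'" >&2; return 1 ;;
    esac
}

# Print (rather than run) the command that enables a site, so the decision is
# visible without apache installed. On both Ubuntu releases a2ensite takes the
# bare site name, never the .conf suffix.
enable_apache_site_cmd() {
    local site=$1 distro=$2 conf
    if is_fedora_family "$distro"; then
        conf=$(apache_site_config_for "$site" "$distro") || return 1
        echo "mv ${conf} ${conf%.disabled}"
    else
        apache_site_config_for "$site" "$distro" >/dev/null || return 1
        echo "a2ensite ${site%.conf}"
    fi
}

disable_apache_site_cmd() {
    local site=$1 distro=$2 conf
    if is_fedora_family "$distro"; then
        conf=$(apache_site_config_for "$site" "$distro") || return 1
        echo "mv ${conf%.disabled} ${conf}"
    else
        apache_site_config_for "$site" "$distro" >/dev/null || return 1
        echo "a2dissite ${site%.conf}"
    fi
}

# Actually apply the enable/disable on the Fedora family by renaming the file
# in place; fails if the file is not in the expected state.
fedora_enable_site() {
    local conf
    conf=$(apache_site_config_for "$1" fedora) || return 1
    [ -f "$conf" ] || return 1
    mv "$conf" "${conf%.disabled}"
}

fedora_disable_site() {
    local conf
    conf=$(apache_site_config_for "$1" fedora) || return 1
    [ -f "${conf%.disabled}" ] || return 1
    mv "${conf%.disabled}" "$conf"
}

# Demonstration on a scratch tree (never touches /etc).
demo() {
    local tmp
    tmp=$(mktemp -d)
    APACHE_ROOT=$tmp
    mkdir -p "$tmp/etc/httpd/conf.d"
    : > "$(apache_site_config_for keystone fedora)"   # start in the disabled state
    fedora_enable_site keystone && ls "$tmp/etc/httpd/conf.d"
    fedora_disable_site keystone && ls "$tmp/etc/httpd/conf.d"
    APACHE_ROOT=
    rm -rf "$tmp"
}

demo
```

The demo function only ever renames files under a temporary directory; on a real host APACHE_ROOT stays empty and the same functions resolve to /etc/apache2 or /etc/httpd.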
Ensure that the VHOST and the scripts used to enable keystone under
mod_wsgi are properly cleaned up.
Change-Id: I76a748b0fd5f1a5182d10e425202857c5621e25a
When Keystone is configured under mod_wsgi, Keystone configuration
requires debugging to be enabled as the debug flag cannot be passed
via cli arguments.
Because Apache 2.2 (default for a number of distributions) does not
support passing an explicit format to the ErrorLog, Keystone under
mod_wsgi ends up with duplicated timestamps in the Keystone log.
This patchset eliminates the %(asctime) and %(msecs) substitution
targets from the log format options when Keystone is configured
under mod_wsgi.
Change-Id: I0bf32db6e53cb653921162cb1957eb988b819815
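As an added illustration of three related changes on this page (letting mod_version branch on the Apache version inside the config, shaping the error log with ErrorLogFormat on 2.4, and the duplicated-timestamp problem on 2.2), here is a keystone vhost fragment. It is not devstack's actual vhost template: the port, paths, WSGI script location, process settings and the ErrorLogFormat string are all assumptions.

```apache
# Added example, not devstack's own vhost template. Requires mod_version
# (for <IfVersion>) and mod_wsgi to be loaded.
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=stack display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/keystone/main
    WSGIApplicationGroup %{GLOBAL}

    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    # Apache prefixes every error-log line with its own timestamp. On 2.4 that
    # prefix can be shaped: %{cu}t is the current time with microseconds and
    # %M is the message, so keystone's own log_format can drop %(asctime)s and
    # %(msecs)03d without losing the time. Access control uses the 2.4 syntax.
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
        <Directory /var/www/keystone>
            Require all granted
        </Directory>
    </IfVersion>

    # Apache 2.2 has no ErrorLogFormat, so its fixed prefix cannot be changed;
    # the only way to avoid two timestamps per line is to strip the timestamp
    # from keystone's own log_format. Access control uses the old syntax.
    <IfVersion < 2.4>
        <Directory /var/www/keystone>
            Order allow,deny
            Allow from all
        </Directory>
    </IfVersion>
</VirtualHost>
```

Keeping both branches in one file is what removes the version checks from the shell side: the same vhost file is installed on every distribution and Apache selects the matching block at load time.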
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check. Add a note to HACKING.rst
Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
If we start keystone with an SSL endpoint then the curl check to see if
it is running will fail because it cannot create a secure connection.
This check can be done insecurely as all we care about is that the
service has started.
Change-Id: I826753d4d46e9956f443110029346bc70282951a
The use case is running devstack inside an OpenStack vm and running tempest
from some other machine. To make the catalog export urls that can be accessed
from off the devstack machine, you need to set KEYSTONE_SERVICE_HOST to an
external IP. But devstack uses that address in its setup of keystone in
addition to exporting in the catalog. Because OpenStack has an issue where
a vm cannot access itself through its own floating ip, devstack fails. There
is no way to have this use case by providing an ip address. The workaround
is to use the hostname of the devstack machine. That worked until recently
when a change was made to set admin_bind_host to the value of
KEYSTONE_SERVICE_HOST. The result is that port 35357 is only opened locally.
This change allows the devstack user to restore the original behavior
allowing this use case.
Change-Id: I97b938b305b7dd878397e7e64462650064e59cd2
Closes-Bug: #1283803
Migrated most keystoneclient commands from the following libs:
ceilometer
cinder
ironic
keystone
marconi
neutron
nova
savanna
swift
trove
Also need to set and unset openstackclient specific environment
variables from stack.sh
Change-Id: I725f30bc08e1df5a4c5770576c19ad1ddaeb843a
The keystone configuration used the 'connection' option in the
'sql' section of the keystone.conf file. This option is deprecated
in favor of 'connection' in the 'database' section.
The keystone setup code is changed to use the option in the new
section rather than the deprecated one.
Change-Id: I62fd2f50ded3b8848e9e5225e88c80ed8fed3bff
On Linux ports 32768-61000 can be used by just about
anything needing a socket. Keystone's IANA assigned port is 35357.
Occasionally something else will be using port 35357 first because Linux
allows this. Workaround is to bind to port 127.0.0.1 instead of 0.0.0.0.
$KEYSTONE_SERVICE_HOST gets its value from $SERVICE_HOST which is set to
127.0.0.1 in the gate.
"Ephemeral (client) ports will *never* be sourced from 0.0.0.0, and are
uniquely identified by the full connection five-tuple (proto, src IP,
src port, dst IP, dst port) anyway, allowing them to overlap src IP/src
port as long as proto/dst IP/dst port are different. Thus it is up to
keystone/devstack to bind more appropriately and not use wildcard bind
addresses unless explicitly necessary for some reason. For example, in
the log output, the URLs are configured with dst IPs of 127.0.0.1
anyway, so binding explicitly to localhost would change nothing, while
skirting this particular edge case nicely." ~Evan Callicoat
This doesn't fix bug 1253482; it works around it while a better solution
is prepared (running keystone behind apache in devstack).
Co-Authored-By: Joe Gordon <joe.gordon0@gmail.com>
Change-Id: I112309661dadf8b753c3311182f82464d9d3595e
Related-bug: #1253482