[install-guide] [yum] use apache front-end for keystone

Replace default eventlet front-end with Apache front-end to provide
a more production-style deployment.

Partially implements bp installguide-kilo.

Change-Id: Ie5e128b6f94e29e9ef216ea668284756a69ec2b7

doc/install-guide/section_keystone-install.xml

@@ -71,7 +71,7 @@
     <step>
       <para>Run the following command to install the packages:</para>
       <screen os="ubuntu"><prompt>#</prompt> <userinput>apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache</userinput></screen>
-      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-openstackclient memcached python-memcached</userinput></screen>
+      <screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached</userinput></screen>
       <screen os="sles;opensuse"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-openstackclient memcached python-python-memcached</userinput></screen>
     </step>
     <step os="rhel;fedora;centos;sles;opensuse">
@@ -269,19 +269,21 @@ admin_token = <replaceable>ADMIN_TOKEN</replaceable></programlisting>
       </informalfigure>
     </step>
   </procedure>
-  <procedure os="ubuntu">
+  <procedure os="ubuntu;rhel;centos;fedora">
     <title>To configure the Apache HTTP server</title>
     <step>
-      <para>Edit the <filename>/etc/apache2/apache2.conf</filename> file and
-        configure the <literal>ServerName</literal> option to reference the
-        controller node:</para>
+      <para>Edit the <filename os="ubuntu">/etc/apache2/apache2.conf</filename>
+        <filename os="rhel;centos;fedora">/etc/httpd/conf/httpd.conf</filename>
+        file and configure the <literal>ServerName</literal> option to
+        reference the controller node:</para>
       <programlisting>ServerName <replaceable>controller</replaceable></programlisting>
     </step>
     <step>
       <para>Create the
-        <filename>/etc/apache2/sites-available/wsgi-keystone.conf</filename>
+        <filename os="ubuntu">/etc/apache2/sites-available/wsgi-keystone.conf</filename>
+        <filename os="rhel;centos;fedora">/etc/httpd/conf.d/wsgi-keystone.conf</filename>
         file with the following content:</para>
-      <programlisting>Listen 5000
+      <programlisting os="ubuntu">Listen 5000
 Listen 35357
 
 &lt;VirtualHost *:5000&gt;
@@ -310,13 +312,35 @@ Listen 35357
     LogLevel info
     ErrorLog /var/log/apache2/keystone-error.log
     CustomLog /var/log/apache2/keystone-access.log combined
+&lt;/VirtualHost&gt;</programlisting>
+      <programlisting os="rhel;fedora;centos">Listen 5000
+Listen 35357
+
+&lt;VirtualHost *:5000&gt;
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LogLevel info
+    ErrorLogFormat "%{cu}t %M"
+    ErrorLog /var/log/httpd/keystone-error.log
+    CustomLog /var/log/httpd/keystone-access.log combined
+&lt;/VirtualHost&gt;
+
+&lt;VirtualHost *:35357&gt;
+    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-admin
+    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    LogLevel info
+    ErrorLogFormat "%{cu}t %M"
+    ErrorLog /var/log/httpd/keystone-error.log
+    CustomLog /var/log/httpd/keystone-access.log combined
 &lt;/VirtualHost&gt;</programlisting>
     </step>
-    <step>
-      <para>Disable the default virtual host:</para>
-      <screen><prompt>#</prompt> <userinput>rm /etc/apache2/sites-enabled/000-default.conf</userinput></screen>
-    </step>
-    <step>
+    <step os="ubuntu">
       <para>Enable the Identity service virtual hosts:</para>
       <screen><prompt>#</prompt> <userinput>ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled</userinput></screen>
     </step>
@@ -335,15 +359,24 @@ Listen 35357
         in it:</para>
       <screen><prompt>#</prompt> <userinput>chown -R keystone:keystone /var/www/cgi-bin/keystone</userinput>
 <prompt>#</prompt> <userinput>chmod 755 /var/www/cgi-bin/keystone/*</userinput></screen>
+      <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>restorecon /var/www/cgi-bin</userinput></screen>
+    </step>
+    <step os="rhel;fedora;centos">
+      <para>Add the <literal>apache</literal> system user to the
+        <literal>keystone</literal> system group to permit access to the
+        Identity service configuration files by the Apache HTTP server:</para>
+      <screen><prompt>#</prompt> <userinput>usermod -a -G keystone apache</userinput></screen>
     </step>
   </procedure>
   <procedure>
     <title>To finalize installation</title>
-    <step os="ubuntu">
+    <step os="ubuntu;rhel;fedora;centos">
       <para>Restart the Apache HTTP server:</para>
-      <screen><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
+      <screen os="ubuntu"><prompt>#</prompt> <userinput>service apache2 restart</userinput></screen>
+      <screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>systemctl enable httpd.service</userinput>
+<prompt>#</prompt> <userinput>systemctl start httpd.service</userinput></screen>
     </step>
-    <step os="rhel;fedora;centos;opensuse;sles">
+    <step os="opensuse;sles">
       <para>Start the Identity service and configure it to start when the
         system boots:</para>
       <screen><prompt>#</prompt> <userinput>systemctl enable openstack-keystone.service</userinput>