python-keystone: uprev to 16.0.0 for stx 5.0
* update the branch and SRCREV * update the preferred version * use BPN instead of PN in some places * inherit stx-metadata to help apply patches and install files from stx 'upstream' repo * remove the local copy of stx patches Story: 2008952 Task: 42576 Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Change-Id: I8341a86f3ca45ced5bf56a89345dce82d6b714c3
parent
067b37abdc
commit
d77325e139
|
@ -13,7 +13,7 @@ PREFERRED_VERSION_python-expect = "4.6.0"
|
|||
PREFERRED_VERSION_python-pika = "0.10.0%"
|
||||
PREFERRED_VERSION_python-keyring = "5.3"
|
||||
PREFERRED_VERSION_python-barbican = "8.0.%"
|
||||
PREFERRED_VERSION_python-keystone = "15.0.%"
|
||||
PREFERRED_VERSION_python-keystone = "16.0.%"
|
||||
PREFERRED_VERSION_python-flask = "1.0.2"
|
||||
PREFERRED_VERSION_python-keystonemiddleware = "5.1.%"
|
||||
PREFERRED_VERSION_python-oslo.cache= "1.26.%"
|
||||
|
|
|
@ -1,156 +0,0 @@
|
|||
#!/bin/sh
|
||||
# Copyright (c) 2013-2018 Wind River Systems, Inc.
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: OpenStack Keystone-wsgi
|
||||
# Required-Start: networking
|
||||
# Required-Stop: networking
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: OpenStack Keystone
|
||||
# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server
|
||||
#
|
||||
### END INIT INFO
|
||||
|
||||
RETVAL=0
|
||||
#public 5000
|
||||
|
||||
DESC_PUBLIC="openstack-keystone"
|
||||
|
||||
PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid"
|
||||
|
||||
PYTHON=`which python`
|
||||
|
||||
source /etc/keystone/keystone-extra.conf
|
||||
source /etc/platform/platform.conf
|
||||
|
||||
if [ -n ${@:2:1} ] ; then
|
||||
if [ ${@:2:1}="--public-bind-addr" ] ; then
|
||||
PUBLIC_BIND_ADDR_CMD=${@:3:1}
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
###
|
||||
EXEC="/usr/bin/gunicorn"
|
||||
|
||||
WORKER="eventlet"
|
||||
# Increased timeout to facilitate large image uploads
|
||||
TIMEOUT="200"
|
||||
|
||||
# Calculate the no of workers based on the number of workers retrieved by
|
||||
# Platform Eng which is retreived from the keystone-extra.conf
|
||||
|
||||
if [ "$system_type" == "All-in-one" ]; then
|
||||
TIS_WORKERS_FACTOR=1
|
||||
else
|
||||
TIS_WORKERS_FACTOR=1.5
|
||||
fi
|
||||
TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc )
|
||||
TIS_WORKERS=${TIS_WORKERS%.*}
|
||||
|
||||
#--max-requests , --max-requests-jitter Configuration
|
||||
#--max-requests = The max number of requests a worker will process before restarting
|
||||
#--max-requests-jitter = The maximum jitter to add to the max_requests setting.
|
||||
MAX_REQUESTS=100000
|
||||
MAX_REQ_JITTER_CAP_FACTOR=0.5
|
||||
MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc)
|
||||
MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*}
|
||||
|
||||
|
||||
start()
|
||||
{
|
||||
# Got proper no of workers . Starting gunicorn now
|
||||
echo -e "Initialising keystone service using gunicorn .. \n"
|
||||
|
||||
if [ -z "$PUBLIC_BIND_ADDR" ]; then
|
||||
echo "Keystone floating ip not found . Cannot start services. Exiting .."
|
||||
exit 1
|
||||
fi
|
||||
BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000
|
||||
|
||||
if [ -e $PIDFILE_PUBLIC ]; then
|
||||
PIDDIR=/proc/$(cat $PIDFILE_PUBLIC)
|
||||
if [ -d ${PIDDIR} ]; then
|
||||
echo "$DESC_PUBLIC already running."
|
||||
exit 1
|
||||
else
|
||||
echo "Removing stale PID file $PIDFILE_PUBLIC"
|
||||
rm -f $PIDFILE_PUBLIC
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -e "Starting $DESC_PUBLIC...\n";
|
||||
echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ;
|
||||
|
||||
echo -e "Starting keystone process at port 5000 \n" ;
|
||||
|
||||
start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \
|
||||
--make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \
|
||||
--worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \
|
||||
--max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \
|
||||
--log-syslog \
|
||||
--pythonpath '/usr/share/keystone' public:application --name keystone-public
|
||||
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -eq 0 ]; then
|
||||
echo -e "Keystone started at port 5000... \n"
|
||||
else
|
||||
echo -e "Failed to start Keystone .. \n"
|
||||
fi
|
||||
}
|
||||
|
||||
stop()
|
||||
{
|
||||
if [ -e $PIDFILE_PUBLIC ]; then
|
||||
start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC
|
||||
RETVAL_PUBLIC=$?
|
||||
if [ $RETVAL_PUBLIC -eq 0 ]; then
|
||||
echo "Stopped $DESC_PUBLIC."
|
||||
else
|
||||
echo "Stopping failed - $PIDFILE_PUBLIC"
|
||||
fi
|
||||
rm -f $PIDFILE_PUBLIC
|
||||
else
|
||||
echo "Already stopped - $PIDFILE_PUBLIC"
|
||||
fi
|
||||
}
|
||||
|
||||
status()
|
||||
{
|
||||
pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null`
|
||||
|
||||
if [ -n "$pid_public" ]; then
|
||||
echo -e "\033[32m $DESC_PUBLIC is running..\033[0m"
|
||||
else
|
||||
echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
start
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
;;
|
||||
restart|force-reload|reload)
|
||||
stop
|
||||
start
|
||||
;;
|
||||
status)
|
||||
status
|
||||
;;
|
||||
*)
|
||||
#echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}"
|
||||
start
|
||||
#RETVAL=1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
|
@ -1,64 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# Wrapper script to rotate keystone fernet keys on active controller only
|
||||
#
|
||||
KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info"
|
||||
KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"
|
||||
|
||||
function is_active_pgserver()
|
||||
{
|
||||
# Determine whether we're running on the same controller as the service.
|
||||
local service=postgres
|
||||
local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active)
|
||||
if [ "x$enabledactive" == "x" ]
|
||||
then
|
||||
# enabled-active not found for that service on this controller
|
||||
return 1
|
||||
else
|
||||
# enabled-active found for that resource
|
||||
return 0
|
||||
fi
|
||||
}
|
||||
|
||||
if is_active_pgserver
|
||||
then
|
||||
if [ ! -f ${KEYSTONE_KEYS_ROTATE_INFO} ]
|
||||
then
|
||||
echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO}
|
||||
fi
|
||||
|
||||
source ${KEYSTONE_KEYS_ROTATE_INFO}
|
||||
sudo -u postgres psql -d sysinv -c "SELECT alarm_id, entity_instance_id from i_alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null
|
||||
if [ $? -eq 0 ]
|
||||
then
|
||||
source /etc/platform/platform.conf
|
||||
if [ "${system_type}" = "All-in-one" ]
|
||||
then
|
||||
source /etc/init.d/task_affinity_functions.sh
|
||||
idle_core=$(get_most_idle_core)
|
||||
if [ "$idle_core" -ne "0" ]
|
||||
then
|
||||
sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}"
|
||||
sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$delay_count" -lt "3" ]
|
||||
then
|
||||
newval=$(($delay_count+1))
|
||||
sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO}
|
||||
(sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) &
|
||||
exit 0
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
eval ${KEYSTONE_KEYS_ROTATE_CMD}
|
||||
sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
|
||||
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
[Unit]
|
||||
Description=OpenStack Identity Service (code-named Keystone)
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
#ReminAfterExit is set to yes as we have 2 pids to monitor
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/keystone-all start
|
||||
ExecStop=/usr/bin/keystone-all stop
|
||||
ExecReload=/usr/bin/keystone-all reload
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -1,35 +0,0 @@
|
|||
|
||||
# The password rules captures the [security_compliance]
|
||||
# section of the generic Keystone configuration (keystone.conf)
|
||||
# This configuration is used to statically define the password
|
||||
# rules for password validation in pre-Keystone environments
|
||||
#
|
||||
# N.B: Only set non-default keys here (default commented configuration
|
||||
# items not needed)
|
||||
|
||||
[security_compliance]
|
||||
|
||||
#
|
||||
# From keystone
|
||||
#
|
||||
|
||||
# This controls the number of previous user password iterations to keep in
|
||||
# history, in order to enforce that newly created passwords are unique. Setting
|
||||
# the value to one (the default) disables this feature. Thus, to enable this
|
||||
# feature, values must be greater than 1. This feature depends on the `sql`
|
||||
# backend for the `[identity] driver`. (integer value)
|
||||
# Minimum value: 1
|
||||
unique_last_password_count = 2
|
||||
|
||||
# The regular expression used to validate password strength requirements. By
|
||||
# default, the regular expression will match any password. The following is an
|
||||
# example of a pattern which requires at least 1 letter, 1 digit, and have a
|
||||
# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
|
||||
# depends on the `sql` backend for the `[identity] driver`. (string value)
|
||||
password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
|
||||
|
||||
# Describe your password regular expression here in language for humans. If a
|
||||
# password fails to match the regular expression, the contents of this
|
||||
# configuration variable will be returned to users to explain why their
|
||||
# requested password was insufficient. (string value)
|
||||
password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
|
|
@ -1,21 +0,0 @@
|
|||
# Copyright (c) 2013-2017 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from keystone.server import wsgi as wsgi_server
|
||||
|
||||
import sys
|
||||
sys.argv = sys.argv[:1]
|
||||
|
||||
application = wsgi_server.initialize_public_application()
|
|
@ -5,32 +5,33 @@ SECTION = "devel/python"
|
|||
LICENSE = "Apache-2.0"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
|
||||
|
||||
SRCREV = "c78581b4608f3dc10e945d358963000f284f188a"
|
||||
SRCREV = "dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e"
|
||||
SRCNAME = "keystone"
|
||||
PROTOCOL = "git"
|
||||
BRANCH = "stable/stein"
|
||||
PROTOCOL = "https"
|
||||
BRANCH = "stable/train"
|
||||
S = "${WORKDIR}/git"
|
||||
PV = "15.0.0+git${SRCPV}"
|
||||
|
||||
PV = "16.0.0+git${SRCPV}"
|
||||
|
||||
SRC_URI = " \
|
||||
git://opendev.org/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
|
||||
file://${PN}/keystone.conf \
|
||||
file://${PN}/identity.sh \
|
||||
file://${PN}/convert_keystone_backend.py \
|
||||
file://${PN}/wsgi-keystone.conf \
|
||||
file://${PN}/admin-openrc \
|
||||
file://${PN}/keystone-init.service \
|
||||
file://${PN}/stx-files/openstack-keystone.service \
|
||||
file://${PN}/stx-files/keystone-all \
|
||||
file://${PN}/stx-files/keystone-fernet-keys-rotate-active \
|
||||
file://${PN}/stx-files/public.py \
|
||||
file://${PN}/stx-files/password-rules.conf \
|
||||
git://github.com/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
|
||||
file://${BPN}/keystone.conf \
|
||||
file://${BPN}/identity.sh \
|
||||
file://${BPN}/convert_keystone_backend.py \
|
||||
file://${BPN}/wsgi-keystone.conf \
|
||||
file://${BPN}/admin-openrc \
|
||||
file://${BPN}/keystone-init.service \
|
||||
"
|
||||
|
||||
|
||||
inherit setuptools identity hosts default_configs monitor useradd systemd
|
||||
|
||||
inherit stx-metadata
|
||||
|
||||
STX_REPO = "upstream"
|
||||
STX_SUBPATH = "openstack/python-keystone/centos"
|
||||
|
||||
SRC_URI_STX = " \
|
||||
file://patches/0001-Rebasing-Keyring-integration.patch \
|
||||
"
|
||||
|
||||
SERVICE_TOKEN = "password"
|
||||
TOKEN_FORMAT ?= "PKI"
|
||||
|
||||
|
@ -83,14 +84,14 @@ do_install_append() {
|
|||
|
||||
# Setup the systemd service file
|
||||
install -d ${D}${systemd_system_unitdir}/
|
||||
install -m 644 ${WORKDIR}/${PN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
|
||||
install -m 644 ${WORKDIR}/${BPN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
|
||||
|
||||
mv ${D}/${datadir}/etc/keystone/sso_callback_template.html ${KEYSTONE_CONF_DIR}/
|
||||
rm -rf ${D}/${datadir}
|
||||
|
||||
# Setup the admin-openrc file
|
||||
KS_OPENRC_FILE=${KEYSTONE_CONF_DIR}/admin-openrc
|
||||
install -m 600 ${WORKDIR}/${PN}/admin-openrc ${KS_OPENRC_FILE}
|
||||
install -m 600 ${WORKDIR}/${BPN}/admin-openrc ${KS_OPENRC_FILE}
|
||||
sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KS_OPENRC_FILE}
|
||||
sed -e "s:%ADMIN_USER%:${ADMIN_USER}:g" -i ${KS_OPENRC_FILE}
|
||||
sed -e "s:%ADMIN_PASSWORD%:${ADMIN_PASSWORD}:g" -i ${KS_OPENRC_FILE}
|
||||
|
@ -99,9 +100,9 @@ do_install_append() {
|
|||
# permissions as packages such as Apache require read access.
|
||||
#
|
||||
# Apache needs to read the keystone.conf
|
||||
install -m 644 ${WORKDIR}/${PN}/keystone.conf ${KEYSTONE_CONF_DIR}/
|
||||
install -m 644 ${WORKDIR}/${BPN}/keystone.conf ${KEYSTONE_CONF_DIR}/
|
||||
# Apache needs to read the wsgi-keystone.conf
|
||||
install -m 644 ${WORKDIR}/${PN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
|
||||
install -m 644 ${WORKDIR}/${BPN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
|
||||
install -m 600 ${S}${sysconfdir}/logging.conf.sample ${KEYSTONE_CONF_DIR}/logging.conf
|
||||
|
||||
# Copy examples from upstream
|
||||
|
@ -170,17 +171,17 @@ role_name_attribute = ou \
|
|||
role_tree_dn = ou=Roles,${LDAP_DN} \
|
||||
' ${KEYSTONE_CONF_FILE}
|
||||
|
||||
install -m 0755 ${WORKDIR}/${PN}/convert_keystone_backend.py \
|
||||
install -m 0755 ${WORKDIR}/${BPN}/convert_keystone_backend.py \
|
||||
${D}${sysconfdir}/keystone/convert_keystone_backend.py
|
||||
fi
|
||||
|
||||
|
||||
install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
|
||||
install -m 440 ${WORKDIR}/${PN}/stx-files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
|
||||
install -m 755 ${STX_METADATA_PATH}/files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
|
||||
install -m 440 ${STX_METADATA_PATH}/files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
|
||||
install -m 755 -d ${KEYSTONE_DATA_DIR}
|
||||
install -m 755 ${WORKDIR}/${PN}/stx-files/public.py ${KEYSTONE_DATA_DIR}/public.py
|
||||
install -m 644 ${WORKDIR}/${PN}/stx-files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
|
||||
install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-all ${D}${bindir}/keystone-all
|
||||
install -m 755 ${STX_METADATA_PATH}/files/public.py ${KEYSTONE_DATA_DIR}/public.py
|
||||
install -m 644 ${STX_METADATA_PATH}/files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
|
||||
install -m 755 ${STX_METADATA_PATH}/files/keystone-all ${D}${bindir}/keystone-all
|
||||
|
||||
}
|
||||
|
||||
|
|
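Review bot: The `install` lines at the end of do_install_append now take keystone-all, keystone-fernet-keys-rotate-active, public.py, openstack-keystone.service and password-rules.conf from `${STX_METADATA_PATH}/files/`, so what lands in the image (three of them mode 755, one of them the fernet key rotation wrapper) depends on whichever revision of the stx 'upstream' repo `inherit stx-metadata` resolves, and nothing in this recipe shows that revision. Keystone itself stays pinned by `SRCREV`; if the class does not already pin the stx repo to a fixed commit it should, and a comment above `STX_REPO` such as `# files and patches below come from the stx 'upstream' repo at the revision fixed by stx-metadata` would tell a reader where to review them. The same applies to `0001-Rebasing-Keyring-integration.patch` in `SRC_URI_STX`, which changes the keystone source before it is built. Separately, the section keeps `TOKEN_FORMAT ?= "PKI"` unchanged while moving to stable/train; how the variable is consumed is outside these hunks, but it is worth confirming the default still means something for keystone 16. do_install_append begins and continues outside the hunks shown.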