python-keystone: uprev to 16.0.0 for stx 5.0

* update the branch and SRCREV
* update the preferred version
* use BPN instead of PN in some places
* inherit stx-metadata to help apply patches and
  install files from stx 'upstream' repo
* remove the local copy of stx patches

Story: 2008952
Task: 42576

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Change-Id: I8341a86f3ca45ced5bf56a89345dce82d6b714c3
Jackie Huang 2021-06-03 14:15:10 +08:00
parent 067b37abdc
commit d77325e139
7 changed files with 31 additions and 320 deletions


@ -13,7 +13,7 @@ PREFERRED_VERSION_python-expect = "4.6.0"
PREFERRED_VERSION_python-pika = "0.10.0%"
PREFERRED_VERSION_python-keyring = "5.3"
PREFERRED_VERSION_python-barbican = "8.0.%"
PREFERRED_VERSION_python-keystone = "15.0.%"
PREFERRED_VERSION_python-keystone = "16.0.%"
PREFERRED_VERSION_python-flask = "1.0.2"
PREFERRED_VERSION_python-keystonemiddleware = "5.1.%"
PREFERRED_VERSION_python-oslo.cache= "1.26.%"


@ -1,156 +0,0 @@
#!/bin/sh
# Copyright (c) 2013-2018 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
### BEGIN INIT INFO
# Provides: OpenStack Keystone-wsgi
# Required-Start: networking
# Required-Stop: networking
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: OpenStack Keystone
# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server
#
### END INIT INFO
RETVAL=0
#public 5000
DESC_PUBLIC="openstack-keystone"
PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid"
PYTHON=`which python`
source /etc/keystone/keystone-extra.conf
source /etc/platform/platform.conf
if [ -n ${@:2:1} ] ; then
if [ ${@:2:1}="--public-bind-addr" ] ; then
PUBLIC_BIND_ADDR_CMD=${@:3:1}
fi
fi
###
EXEC="/usr/bin/gunicorn"
WORKER="eventlet"
# Increased timeout to facilitate large image uploads
TIMEOUT="200"
# Calculate the no of workers based on the number of workers retrieved by
# Platform Eng which is retreived from the keystone-extra.conf
if [ "$system_type" == "All-in-one" ]; then
TIS_WORKERS_FACTOR=1
else
TIS_WORKERS_FACTOR=1.5
fi
TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc )
TIS_WORKERS=${TIS_WORKERS%.*}
#--max-requests , --max-requests-jitter Configuration
#--max-requests = The max number of requests a worker will process before restarting
#--max-requests-jitter = The maximum jitter to add to the max_requests setting.
MAX_REQUESTS=100000
MAX_REQ_JITTER_CAP_FACTOR=0.5
MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc)
MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*}
start()
{
# Got proper no of workers . Starting gunicorn now
echo -e "Initialising keystone service using gunicorn .. \n"
if [ -z "$PUBLIC_BIND_ADDR" ]; then
echo "Keystone floating ip not found . Cannot start services. Exiting .."
exit 1
fi
BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000
if [ -e $PIDFILE_PUBLIC ]; then
PIDDIR=/proc/$(cat $PIDFILE_PUBLIC)
if [ -d ${PIDDIR} ]; then
echo "$DESC_PUBLIC already running."
exit 1
else
echo "Removing stale PID file $PIDFILE_PUBLIC"
rm -f $PIDFILE_PUBLIC
fi
fi
echo -e "Starting $DESC_PUBLIC...\n";
echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ;
echo -e "Starting keystone process at port 5000 \n" ;
start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \
--make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \
--worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \
--max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \
--log-syslog \
--pythonpath '/usr/share/keystone' public:application --name keystone-public
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
echo -e "Keystone started at port 5000... \n"
else
echo -e "Failed to start Keystone .. \n"
fi
}
stop()
{
if [ -e $PIDFILE_PUBLIC ]; then
start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC
RETVAL_PUBLIC=$?
if [ $RETVAL_PUBLIC -eq 0 ]; then
echo "Stopped $DESC_PUBLIC."
else
echo "Stopping failed - $PIDFILE_PUBLIC"
fi
rm -f $PIDFILE_PUBLIC
else
echo "Already stopped - $PIDFILE_PUBLIC"
fi
}
status()
{
pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null`
if [ -n "$pid_public" ]; then
echo -e "\033[32m $DESC_PUBLIC is running..\033[0m"
else
echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m"
fi
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart|force-reload|reload)
stop
start
;;
status)
status
;;
*)
#echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}"
start
#RETVAL=1
;;
esac
exit $RETVAL


@ -1,64 +0,0 @@
#!/bin/bash
#
# Wrapper script to rotate keystone fernet keys on active controller only
#
KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info"
KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"
function is_active_pgserver()
{
# Determine whether we're running on the same controller as the service.
local service=postgres
local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active)
if [ "x$enabledactive" == "x" ]
then
# enabled-active not found for that service on this controller
return 1
else
# enabled-active found for that resource
return 0
fi
}
if is_active_pgserver
then
if [ ! -f ${KEYSTONE_KEYS_ROTATE_INFO} ]
then
echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO}
fi
source ${KEYSTONE_KEYS_ROTATE_INFO}
sudo -u postgres psql -d sysinv -c "SELECT alarm_id, entity_instance_id from i_alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null
if [ $? -eq 0 ]
then
source /etc/platform/platform.conf
if [ "${system_type}" = "All-in-one" ]
then
source /etc/init.d/task_affinity_functions.sh
idle_core=$(get_most_idle_core)
if [ "$idle_core" -ne "0" ]
then
sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}"
sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
exit 0
fi
fi
if [ "$delay_count" -lt "3" ]
then
newval=$(($delay_count+1))
sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO}
(sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) &
exit 0
fi
fi
eval ${KEYSTONE_KEYS_ROTATE_CMD}
sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
fi
exit 0


@ -1,14 +0,0 @@
[Unit]
Description=OpenStack Identity Service (code-named Keystone)
After=syslog.target network.target
[Service]
Type=forking
#ReminAfterExit is set to yes as we have 2 pids to monitor
RemainAfterExit=yes
ExecStart=/usr/bin/keystone-all start
ExecStop=/usr/bin/keystone-all stop
ExecReload=/usr/bin/keystone-all reload
[Install]
WantedBy=multi-user.target


@ -1,35 +0,0 @@
# The password rules captures the [security_compliance]
# section of the generic Keystone configuration (keystone.conf)
# This configuration is used to statically define the password
# rules for password validation in pre-Keystone environments
#
# N.B: Only set non-default keys here (default commented configuration
# items not needed)
[security_compliance]
#
# From keystone
#
# This controls the number of previous user password iterations to keep in
# history, in order to enforce that newly created passwords are unique. Setting
# the value to one (the default) disables this feature. Thus, to enable this
# feature, values must be greater than 1. This feature depends on the `sql`
# backend for the `[identity] driver`. (integer value)
# Minimum value: 1
unique_last_password_count = 2
# The regular expression used to validate password strength requirements. By
# default, the regular expression will match any password. The following is an
# example of a pattern which requires at least 1 letter, 1 digit, and have a
# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
# depends on the `sql` backend for the `[identity] driver`. (string value)
password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
# Describe your password regular expression here in language for humans. If a
# password fails to match the regular expression, the contents of this
# configuration variable will be returned to users to explain why their
# requested password was insufficient. (string value)
password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character


@ -1,21 +0,0 @@
# Copyright (c) 2013-2017 Wind River Systems, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from keystone.server import wsgi as wsgi_server
import sys
sys.argv = sys.argv[:1]
application = wsgi_server.initialize_public_application()


@ -5,32 +5,33 @@ SECTION = "devel/python"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
SRCREV = "c78581b4608f3dc10e945d358963000f284f188a"
SRCREV = "dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e"
SRCNAME = "keystone"
PROTOCOL = "git"
BRANCH = "stable/stein"
PROTOCOL = "https"
BRANCH = "stable/train"
S = "${WORKDIR}/git"
PV = "15.0.0+git${SRCPV}"
PV = "16.0.0+git${SRCPV}"
SRC_URI = " \
git://opendev.org/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
file://${PN}/keystone.conf \
file://${PN}/identity.sh \
file://${PN}/convert_keystone_backend.py \
file://${PN}/wsgi-keystone.conf \
file://${PN}/admin-openrc \
file://${PN}/keystone-init.service \
file://${PN}/stx-files/openstack-keystone.service \
file://${PN}/stx-files/keystone-all \
file://${PN}/stx-files/keystone-fernet-keys-rotate-active \
file://${PN}/stx-files/public.py \
file://${PN}/stx-files/password-rules.conf \
git://github.com/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
file://${BPN}/keystone.conf \
file://${BPN}/identity.sh \
file://${BPN}/convert_keystone_backend.py \
file://${BPN}/wsgi-keystone.conf \
file://${BPN}/admin-openrc \
file://${BPN}/keystone-init.service \
"
inherit setuptools identity hosts default_configs monitor useradd systemd
inherit stx-metadata
STX_REPO = "upstream"
STX_SUBPATH = "openstack/python-keystone/centos"
SRC_URI_STX = " \
file://patches/0001-Rebasing-Keyring-integration.patch \
"
SERVICE_TOKEN = "password"
TOKEN_FORMAT ?= "PKI"
@ -83,14 +84,14 @@ do_install_append() {
# Setup the systemd service file
install -d ${D}${systemd_system_unitdir}/
install -m 644 ${WORKDIR}/${PN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
install -m 644 ${WORKDIR}/${BPN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
mv ${D}/${datadir}/etc/keystone/sso_callback_template.html ${KEYSTONE_CONF_DIR}/
rm -rf ${D}/${datadir}
# Setup the admin-openrc file
KS_OPENRC_FILE=${KEYSTONE_CONF_DIR}/admin-openrc
install -m 600 ${WORKDIR}/${PN}/admin-openrc ${KS_OPENRC_FILE}
install -m 600 ${WORKDIR}/${BPN}/admin-openrc ${KS_OPENRC_FILE}
sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KS_OPENRC_FILE}
sed -e "s:%ADMIN_USER%:${ADMIN_USER}:g" -i ${KS_OPENRC_FILE}
sed -e "s:%ADMIN_PASSWORD%:${ADMIN_PASSWORD}:g" -i ${KS_OPENRC_FILE}
@ -99,9 +100,9 @@ do_install_append() {
# permissions as packages such as Apache require read access.
#
# Apache needs to read the keystone.conf
install -m 644 ${WORKDIR}/${PN}/keystone.conf ${KEYSTONE_CONF_DIR}/
install -m 644 ${WORKDIR}/${BPN}/keystone.conf ${KEYSTONE_CONF_DIR}/
# Apache needs to read the wsgi-keystone.conf
install -m 644 ${WORKDIR}/${PN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
install -m 644 ${WORKDIR}/${BPN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
install -m 600 ${S}${sysconfdir}/logging.conf.sample ${KEYSTONE_CONF_DIR}/logging.conf
# Copy examples from upstream
@ -170,17 +171,17 @@ role_name_attribute = ou \
role_tree_dn = ou=Roles,${LDAP_DN} \
' ${KEYSTONE_CONF_FILE}
install -m 0755 ${WORKDIR}/${PN}/convert_keystone_backend.py \
install -m 0755 ${WORKDIR}/${BPN}/convert_keystone_backend.py \
${D}${sysconfdir}/keystone/convert_keystone_backend.py
fi
install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
install -m 440 ${WORKDIR}/${PN}/stx-files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
install -m 755 ${STX_METADATA_PATH}/files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
install -m 440 ${STX_METADATA_PATH}/files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
install -m 755 -d ${KEYSTONE_DATA_DIR}
install -m 755 ${WORKDIR}/${PN}/stx-files/public.py ${KEYSTONE_DATA_DIR}/public.py
install -m 644 ${WORKDIR}/${PN}/stx-files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-all ${D}${bindir}/keystone-all
install -m 755 ${STX_METADATA_PATH}/files/public.py ${KEYSTONE_DATA_DIR}/public.py
install -m 644 ${STX_METADATA_PATH}/files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
install -m 755 ${STX_METADATA_PATH}/files/keystone-all ${D}${bindir}/keystone-all
}
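Review bot: The five `install` lines at the end of `do_install_append()` now take `keystone-all`, `keystone-fernet-keys-rotate-active`, `public.py`, `openstack-keystone.service` and `password-rules.conf` from `${STX_METADATA_PATH}/files/`, but nothing visible in this recipe shows which revision of the stx `upstream` repo that path resolves to. These are the service start script, the fernet key rotation wrapper and the password policy, so the fetched revision should be as fixed as `SRCREV` is for keystone itself. Presumably the `stx-metadata` class pins it; that is worth confirming and recording next to `inherit stx-metadata`, for example `# files/ and patches/ come from STX_REPO at the revision pinned in <location of the stx repo pin>`. The `SRC_URI` host also changes from opendev.org to github.com/openstack, which the commit description does not list. `do_install_append()` starts outside the visible hunks.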