From e866623a4fe0cebc0d0f6a7b3384e5c412ed18d0 Mon Sep 17 00:00:00 2001
From: Charles Short
Date: Tue, 26 Oct 2021 20:08:44 -0400
Subject: [PATCH] Add Debian infrastructure to build keystone package

Add the Debian packaging infrastructure to package Keystone for Debian.

Story: 2009101
Task: 43770

Signed-off-by: Charles Short
Change-Id: If2944d1c6b6c2b7605b66fcc353706dcf5ee4703
---
 .../deb_patches/0001-Add-stx-support.patch | 781 ++++++++++++++++++
 openstack/keystone/debian/deb_patches/series | 1 +
 openstack/keystone/debian/meta_data.yaml | 10 +
 3 files changed, 792 insertions(+)
 create mode 100644 openstack/keystone/debian/deb_patches/0001-Add-stx-support.patch
 create mode 100644 openstack/keystone/debian/deb_patches/series
 create mode 100644 openstack/keystone/debian/meta_data.yaml

diff --git a/openstack/keystone/debian/deb_patches/0001-Add-stx-support.patch b/openstack/keystone/debian/deb_patches/0001-Add-stx-support.patch
new file mode 100644
index 00000000..3aa75ef6
--- /dev/null
+++ b/openstack/keystone/debian/deb_patches/0001-Add-stx-support.patch
@@ -0,0 +1,781 @@ +From ac62af6bc51c77afbc62d6166feca3187cde6d59 Mon Sep 17 00:00:00 2001 +From: Charles Short +Date: Tue, 23 Nov 2021 13:52:31 +0000 +Subject: [PATCH] Add stx support + +Apply Centos 7 patches to the debian packaging. + +Signed-off-by: Charles Short +--- + debian/control | 3 +- + debian/keystone.dirs | 1 + + debian/keystone.install | 4 + + debian/keystone.logrotate | 8 - + debian/keystone.postinst | 40 ++++ + debian/keystone.postinst.in | 220 ------------------ + debian/keystone.postrm | 19 +- + debian/keystone.prerm | 15 -- + debian/python3-keystone.install | 1 + + debian/rules | 10 +- + debian/stx/keystone-all | 156 +++++++++++++ + debian/stx/keystone-fernet-keys-rotate-active | 64 +++++ + debian/stx/keystone.service | 14 ++ + debian/stx/password-rules.conf | 34 +++ + debian/stx/public.py | 21 ++ + 15 files changed, 343 insertions(+), 267 deletions(-) + delete mode 100644 debian/keystone.logrotate + create mode 100755 debian/keystone.postinst + delete mode 100755 debian/keystone.postinst.in + delete mode 100755 debian/keystone.prerm + create mode 100644 debian/stx/keystone-all + create mode 100644 debian/stx/keystone-fernet-keys-rotate-active + create mode 100644 debian/stx/keystone.service + create mode 100644 debian/stx/password-rules.conf + create mode 100644 debian/stx/public.py + +diff --git a/debian/control b/debian/control +index 9d0a3a41f..ced0c4820 100644 +--- a/debian/control ++++ b/debian/control +@@ -31,6 +31,8 @@ Build-Depends-Indep: + python3-jwt, + python3-keystoneclient, + python3-keystonemiddleware (>= 7.0.0), ++ python3-keyring, ++ python3-keyrings.alt, + python3-ldap, + python3-ldappool, + python3-lxml (>= 4.5.0), +@@ -87,7 +89,6 @@ Package: keystone + Architecture: all + Depends: + adduser, +- dbconfig-common, + debconf, + python3-keystone (= ${source:Version}), + python3-keystoneclient, +diff --git a/debian/keystone.dirs b/debian/keystone.dirs +index a4b3a9e86..6c6e31faf 100644 +--- a/debian/keystone.dirs ++++ 
b/debian/keystone.dirs +@@ -2,3 +2,4 @@ + /var/lib/keystone + /var/lib/keystone/cache + /var/log/keystone ++usr/share/keystone +diff --git a/debian/keystone.install b/debian/keystone.install +index c0d62c45b..8d68859c0 100644 +--- a/debian/keystone.install ++++ b/debian/keystone.install +@@ -1,3 +1,7 @@ + debian/keystone-uwsgi.ini /etc/keystone + etc/default_catalog.templates /etc/keystone + etc/logging.conf.sample /usr/share/doc/keystone ++debian/stx/keystone-fernet-keys-rotate-active usr/bin ++debian/stx/password-rules.conf /etc/keystone ++debian/stx/keystone.service lib/systemd/system ++debian/stx/keystone-all usr/bin +diff --git a/debian/keystone.logrotate b/debian/keystone.logrotate +deleted file mode 100644 +index 2709c72aa..000000000 +--- a/debian/keystone.logrotate ++++ /dev/null +@@ -1,8 +0,0 @@ +-/var/log/keystone/*.log { +- daily +- missingok +- rotate 5 +- compress +- minsize 100k +- copytruncate +-} +\ No newline at end of file +diff --git a/debian/keystone.postinst b/debian/keystone.postinst +new file mode 100755 +index 000000000..59e6c6799 +--- /dev/null ++++ b/debian/keystone.postinst +@@ -0,0 +1,40 @@ ++#!/bin/sh ++ ++set -e ++ ++if [ "$1" = "configure" ]; then ++ # create the keystone group ++ if ! getent group keystone > /dev/null 2>&1 ++ then ++ addgroup --system keystone >/dev/null || true ++ fi ++ ++ # create the keystone user to avoid running keystone as root ++ if ! 
getent passwd keystone > /dev/null 2>&1 ++ then ++ adduser --quiet \ ++ --system \ ++ --home /var/lib/keystone \ ++ --no-create-home \ ++ --ingroup keystone \ ++ --shell /bin/false \ ++ keystone || true ++ fi ++ ++ if [ "$(id -gn keystone)" = "nogroup" ] ++ then ++ usermod -g keystone keystone ++ fi ++ ++ # change the permissions on key directories ++ chown keystone:adm /var/log/keystone ++ chmod 0750 /var/log/keystone ++ ++ find /etc/keystone -exec chown keystone:keystone "{}" + ++ find /etc/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" + ++ ++ find /var/lib/keystone -exec chown keystone:keystone "{}" + ++ find /var/lib/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" + ++fi ++ ++#DEBHELPER# +diff --git a/debian/keystone.postinst.in b/debian/keystone.postinst.in +deleted file mode 100755 +index 207cbc22e..000000000 +--- a/debian/keystone.postinst.in ++++ /dev/null +@@ -1,220 +0,0 @@ +-#!/bin/sh +- +-set -e +- +-#PKGOS-INCLUDE# +- +-KEY_CONF=/etc/keystone/keystone.conf +- +-keystone_get_debconf_admin_credentials () { +- db_get keystone/admin-user +- ADMIN_USER_NAME=${RET:-admin} +- db_get keystone/admin-password +- ADMIN_USER_PW=${RET:-$(gen_password)} +- db_get keystone/admin-email +- ADMIN_USER_EMAIL=${RET:-root@localhost} +- db_get keystone/admin-tenant-name +- ADMIN_TENANT_NAME=${RET:-admin} +- db_get keystone/admin-role-name +- ADMIN_ROLE_NAME=${RET:-admin} +- +- # We export the retrived credentials for later use +- export OS_PROJECT_DOMAIN_ID=default +- export OS_USER_DOMAIN_ID=default +- export OS_USERNAME=admin +- export OS_PASSWORD=${ADMIN_USER_PW} +- export OS_TENANT_NAME=${ADMIN_TENANT_NAME} +- export OS_PROJECT_NAME=${ADMIN_TENANT_NAME} +- export OS_AUTH_URL=http://127.0.0.1:5000/v3/ +- export OS_IDENTITY_API_VERSION=3 +- export OS_AUTH_VERSION=3 +- export OS_PROJECT_DOMAIN_ID=default +- export OS_USER_DOMAIN_ID=default +- export OS_NO_CACHE=1 +-} +- +-keystone_bootstrap_admin () { +- # This is the 
new way to bootstrap the admin user of Keystone +- # and we shouldn't use the admin auth token anymore. +- export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME} +- export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME} +- export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW} +- +- REG_ENDPOINT_IPV4_REGEX='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' +- REG_ENDPOINT_IPV6_REGEX="^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$" +- REG_ENDPOINT_FQDN_REGEX='^((([a-z0-9]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))\.)*(([a-z]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))$' +- REG_ENDPOINT_REGION_REGEX="^([_a-zA-Z0-9]+)([_.a-zA-Z0-9-]*)([_.a-zA-Z0-9]+)\$" +- +- +- db_get keystone/register-endpoint +- if [ "$RET" = "true" ] ; then +- do_REGISTER_THE_KS_ENDPOINT=yes +- db_get 
keystone/region-name +- my_REGION_NAME=${RET} +- REGION_NAME=${RET} +- +- db_get keystone/endpoint-ip +- # Validate that the choosen endpoint is an IPv4, IPv6 or FQDN +- KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV4_REGEX}` || true +- if [ -z "${KEYSTONE_ENDPOINT_IP}" ] ; then +- KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV6_REGEX}` || true +- if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then +- KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_FQDN_REGEX}` || true +- if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then +- echo "Keystone's address could not be validated: will not register endpoint." +- do_REGISTER_THE_KS_ENDPOINT=no +- fi +- fi +- fi +- +- # Validate that the region name has only chars, dashes and dots +- my_REGION_NAME=`echo "${REGION_NAME}" | egrep ${REG_ENDPOINT_REGION_REGEX}` || true +- if [ -z "${my_REGION_NAME}" ] ; then +- echo "This region could not be validated: will not register endpoint." +- do_REGISTER_THE_KS_ENDPOINT=no +- fi +- +- if [ "${do_REGISTER_THE_KS_ENDPOINT}" = "yes" ] ; then +- db_get keystone/endpoint-proto +- PROTO=${RET} +- BOOTSTRAP_ADDED_PARAMS="--bootstrap-region-id ${REGION_NAME} --bootstrap-admin-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000 --bootstrap-public-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000 --bootstrap-internal-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000" +- else +- BOOTSTRAP_ADDED_PARAMS="" +- fi +- else +- BOOTSTRAP_ADDED_PARAMS="" +- fi +- echo "Now doing: su keystone -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}'" +- su keystone -s /bin/sh -c "keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}" +-} +- +-keystone_create_admin_tenant () { +- echo -n "Fixing-up: admin-project-desc " +- openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME +- echo -n "service-project " +- openstack project create --or-show 
service --description "Default Debian service project" >/dev/null +- echo -n "default-admin-email " +- openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME +- echo "...done!" +- +- # Note: heat_stack_owner, heat_stack_user is needed for heat to work, and Member ResellerAdmin +- # are needed for swift auto account creation. +- echo -n "Adding roles: " +- for i in KeystoneAdmin KeystoneServiceAdmin heat_stack_owner \ +- heat_stack_user Member ResellerAdmin rating service \ +- owner k8s_admin k8s_developer k8s_viewer \ +- load-balancer_admin load-balancer_member; do +- echo -n "${i} " +- openstack role create --or-show ${i} >/dev/null +- # Note: If heat_stack_user role is adding, don't assing it to admin user. +- # This role is automatically assigned by Heat to the users it creates. +- # This role is restricted from all API access, and it never should be assigned to any user explicitly. +- if [ "${i}" != "heat_stack_user" ]; then +- openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null +- fi +- done +- echo "...done!" +-} +- +-if [ "$1" = "configure" ] ; then +- . /usr/share/debconf/confmodule +- . /usr/share/dbconfig-common/dpkg/postinst +- +- # Create user and group keystone, plus /var/log and /var/lib owned by it +- # We need a bash shell so that keystone-manage pkg_setup works, and the +- # Wheezy package doesn't have it, failing upgrades +- pkgos_var_user_group keystone /bin/sh +- # Make sure we have a folder to create certs, that isn't world readable +- mkdir -p /etc/keystone/ssl/certs +- chown keystone:keystone /etc/keystone/ssl/certs +- chmod 750 /etc/keystone/ssl/certs +- chown keystone:keystone /etc/keystone/ssl +- chmod 750 /etc/keystone/ssl +- +- # Create keystone.conf if it's not there +- pkgos_write_new_conf keystone keystone.conf +- +- # The on-disk policy file is currently broken for Keystone. 
+- # The admin bootstraping will not work anymore, due to enforcing of system-scope:all. +- rm -f /etc/keystone/policy.json +-# pkgos_write_new_conf keystone policy.json +-# if ! [ -e /etc/keystone/policy.json ] ; then +-# touch /etc/keystone/policy.json +-# chown 0640 /etc/keystone/policy.json +-# chown root:keystone /etc/keystone/policy.json +-# fi +- +- OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:5000/v3/ --os-domain-name default --os-identity-api-version=3" +- +- # Make sure /var/log/keystone/keystone.log is owned by keystone +- # BEFORE any keystone-manage calls. +- chown -R keystone:keystone /var/log/keystone +- +- # Upgrade or create the db if directed to do so +- db_get keystone/configure_db +- if [ "$RET" = "true" ] ; then +- # Configure the SQL connection of keystone.conf according to dbconfig-common +- pkgos_dbc_postinst ${KEY_CONF} database connection keystone $@ +- echo "Running: su keystone -s /bin/sh -c 'keystone-manage db_sync'..." +- su keystone -s /bin/sh -c "keystone-manage db_sync" +- fi +- +- db_get keystone/create-admin-tenant +- if [ "$RET" = "true" ] ; then +- mkdir -p /etc/keystone/fernet-keys +- chown keystone:keystone /etc/keystone/fernet-keys +- chmod 700 /etc/keystone/fernet-keys +- echo "Running: su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'..." +- su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone' +- echo "Running: su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone'..." 
+- su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone' +- fi +- +- chown keystone:adm /var/log/keystone +- +- if [ -n $(which systemctl)"" ] ; then +- systemctl enable keystone +- fi +- if [ -n $(which update-rc.d)"" ] ; then +- update-rc.d keystone defaults +- fi +- invoke-rc.d keystone start +- +- db_get keystone/create-admin-tenant +- if [ "$RET" = "true" ] ; then +- echo -n "Sleeping 10 seconds to make sure the keystone daemon is up and running: 10..." +- sleep 1 +- echo -n "9..." +- sleep 1 +- echo -n "8..." +- sleep 1 +- echo -n "7..." +- sleep 1 +- echo -n "6..." +- sleep 1 +- echo -n "5..." +- sleep 1 +- echo -n "4..." +- sleep 1 +- echo -n "3..." +- sleep 1 +- echo -n "2..." +- sleep 1 +- echo -n "1..." +- sleep 1 +- echo "0" +- +- keystone_get_debconf_admin_credentials +- echo "===> Bootstraping tenants with 'keystone-manage bootstrap':" +- keystone_get_debconf_admin_credentials +- keystone_bootstrap_admin +- db_unregister keystone/register-endpoint +- echo "===> Editing bootstraped tenants and adding default roles" +- keystone_create_admin_tenant +- echo "done!" +- fi +- db_unregister keystone/create-admin-tenant +- db_stop +-fi +- +-exit 0 +diff --git a/debian/keystone.postrm b/debian/keystone.postrm +index 230a08730..847076d3f 100755 +--- a/debian/keystone.postrm ++++ b/debian/keystone.postrm +@@ -2,20 +2,9 @@ + + set -e + +-if [ "${1}" = "purge" ] ; then +- if [ -f /usr/share/debconf/confmodule ] && [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then +- . /usr/share/debconf/confmodule +- +- db_get keystone/configure_db +- if [ "$RET" = "true" ] ; then +- . 
/usr/share/dbconfig-common/dpkg/postrm +- dbc_go keystone $@ +- fi +- fi +- rm -rf /var/log/keystone /var/lib/keystone /etc/keystone +- if [ -x `which a2dissite`"" ] ; then +- a2dissite wsgi-keystone.conf || true +- fi +-fi ++case "$1" in ++ purge) ++ rm -rf /var/log/keystone ++esac + + #DEBHELPER# +diff --git a/debian/keystone.prerm b/debian/keystone.prerm +deleted file mode 100755 +index 9f89a1ae0..000000000 +--- a/debian/keystone.prerm ++++ /dev/null +@@ -1,15 +0,0 @@ +-#!/bin/sh +- +-set -e +- +-. /usr/share/debconf/confmodule +- +-db_get keystone/configure_db +-if [ "$RET" = "true" ]; then +- . /usr/share/dbconfig-common/dpkg/prerm +- dbc_go keystone $@ +-fi +- +-#DEBHELPER# +- +-exit 0 +diff --git a/debian/python3-keystone.install b/debian/python3-keystone.install +index 44d7fcb64..3c76ffb99 100644 +--- a/debian/python3-keystone.install ++++ b/debian/python3-keystone.install +@@ -1,2 +1,3 @@ + usr/bin/* + usr/lib/python3/* ++debian/stx/public.py usr/share/keystone +diff --git a/debian/rules b/debian/rules +index 3744142f9..bb6f72302 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -11,7 +11,7 @@ export KSCTEST_PATH=/usr/lib/python3/dist-packages/keystoneclient + include /usr/share/openstack-pkg-tools/pkgos.make + + %: +- dh $@ --buildsystem=python_distutils --with python3,sphinxdoc,systemd ++ dh $@ --buildsystem=pybuild --with python3,sphinxdoc,systemd + + override_dh_clean: + rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache +@@ -35,10 +35,6 @@ override_dh_clean: + rm -f AUTHORS ChangeLog + dh_clean + +-override_dh_auto_build: +- /usr/share/openstack-pkg-tools/pkgos_insert_include pkgos_func keystone.config +- /usr/share/openstack-pkg-tools/pkgos_insert_include pkgos_func keystone.postinst +- + override_dh_auto_clean: + python3 setup.py clean + +@@ -78,11 +74,9 @@ endif + --namespace oslo.db \ + --namespace oslo.middleware \ + --namespace osprofiler +- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf 
catalog template_file /etc/keystone/default_catalog.templates +- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf DEFAULT log_dir /var/log/keystone +- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf DEFAULT log_file keystone.log + + mkdir -p $(CURDIR)/debian/keystone/etc/keystone/policy.d ++ mkdir -p $(CURDIR)/debian/keystone/etc/keystone/credential-keys + PYTHONPATH=$(CURDIR)/debian/tmp/usr/lib/python3/dist-packages oslopolicy-sample-generator \ + --output-file $(CURDIR)/debian/keystone/etc/keystone/policy.d/00_default_policy.yaml \ + --format yaml \ +diff --git a/debian/stx/keystone-all b/debian/stx/keystone-all +new file mode 100644 +index 000000000..de339caa6 +--- /dev/null ++++ b/debian/stx/keystone-all +@@ -0,0 +1,156 @@ ++#!/bin/sh ++# Copyright (c) 2013-2018 Wind River Systems, Inc. ++# ++# SPDX-License-Identifier: Apache-2.0 ++# ++ ++### BEGIN INIT INFO ++# Provides: OpenStack Keystone-wsgi ++# Required-Start: networking ++# Required-Stop: networking ++# Default-Start: 2 3 4 5 ++# Default-Stop: 0 1 6 ++# Short-Description: OpenStack Keystone ++# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server ++# ++### END INIT INFO ++ ++RETVAL=0 ++#public 5000 ++ ++DESC_PUBLIC="openstack-keystone" ++ ++PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid" ++ ++PYTHON=`which python` ++ ++source /etc/keystone/keystone-extra.conf ++source /etc/platform/platform.conf ++ ++if [ -n ${@:2:1} ] ; then ++ if [ ${@:2:1}="--public-bind-addr" ] ; then ++ PUBLIC_BIND_ADDR_CMD=${@:3:1} ++ fi ++fi ++ ++ ++### ++EXEC="/usr/bin/gunicorn" ++ ++WORKER="eventlet" ++# Increased timeout to facilitate large image uploads ++TIMEOUT="200" ++ ++# Calculate the no of workers based on the number of workers retrieved by ++# Platform Eng which is retreived from the keystone-extra.conf ++ ++if [ "$system_type" == "All-in-one" ]; then ++ TIS_WORKERS_FACTOR=1 ++else ++ TIS_WORKERS_FACTOR=1.5 ++fi 
++TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc ) ++TIS_WORKERS=${TIS_WORKERS%.*} ++ ++#--max-requests , --max-requests-jitter Configuration ++#--max-requests = The max number of requests a worker will process before restarting ++#--max-requests-jitter = The maximum jitter to add to the max_requests setting. ++MAX_REQUESTS=100000 ++MAX_REQ_JITTER_CAP_FACTOR=0.5 ++MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc) ++MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*} ++ ++ ++start() ++{ ++ # Got proper no of workers . Starting gunicorn now ++ echo -e "Initialising keystone service using gunicorn .. \n" ++ ++ if [ -z "$PUBLIC_BIND_ADDR" ]; then ++ echo "Keystone floating ip not found . Cannot start services. Exiting .." ++ exit 1 ++ fi ++ BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000 ++ ++ if [ -e $PIDFILE_PUBLIC ]; then ++ PIDDIR=/proc/$(cat $PIDFILE_PUBLIC) ++ if [ -d ${PIDDIR} ]; then ++ echo "$DESC_PUBLIC already running." ++ exit 1 ++ else ++ echo "Removing stale PID file $PIDFILE_PUBLIC" ++ rm -f $PIDFILE_PUBLIC ++ fi ++ fi ++ ++ echo -e "Starting $DESC_PUBLIC...\n"; ++ echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ; ++ ++ echo -e "Starting keystone process at port 5000 \n" ; ++ ++ start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \ ++ --make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \ ++ --worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \ ++ --max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \ ++ --log-syslog \ ++ --pythonpath '/usr/share/keystone' public:application --name keystone-public ++ ++ RETVAL=$? ++ if [ $RETVAL -eq 0 ]; then ++ echo -e "Keystone started at port 5000... \n" ++ else ++ echo -e "Failed to start Keystone .. 
\n" ++ fi ++} ++ ++stop() ++{ ++ if [ -e $PIDFILE_PUBLIC ]; then ++ start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC ++ RETVAL_PUBLIC=$? ++ if [ $RETVAL_PUBLIC -eq 0 ]; then ++ echo "Stopped $DESC_PUBLIC." ++ else ++ echo "Stopping failed - $PIDFILE_PUBLIC" ++ fi ++ rm -f $PIDFILE_PUBLIC ++ else ++ echo "Already stopped - $PIDFILE_PUBLIC" ++ fi ++} ++ ++status() ++{ ++ pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null` ++ ++ if [ -n "$pid_public" ]; then ++ echo -e "\033[32m $DESC_PUBLIC is running..\033[0m" ++ else ++ echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m" ++ fi ++} ++ ++ ++ ++case "$1" in ++ start) ++ start ++ ;; ++ stop) ++ stop ++ ;; ++ restart|force-reload|reload) ++ stop ++ start ++ ;; ++ status) ++ status ++ ;; ++ *) ++ #echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}" ++ start ++ #RETVAL=1 ++ ;; ++esac ++ ++exit $RETVAL +diff --git a/debian/stx/keystone-fernet-keys-rotate-active b/debian/stx/keystone-fernet-keys-rotate-active +new file mode 100644 +index 000000000..e2124eee3 +--- /dev/null ++++ b/debian/stx/keystone-fernet-keys-rotate-active +@@ -0,0 +1,64 @@ ++#!/bin/bash ++ ++# ++# Wrapper script to rotate keystone fernet keys on active controller only ++# ++KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info" ++KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone" ++ ++function is_active_pgserver() ++{ ++ # Determine whether we're running on the same controller as the service. ++ local service=postgres ++ local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active) ++ if [ "x$enabledactive" == "x" ] ++ then ++ # enabled-active not found for that service on this controller ++ return 1 ++ else ++ # enabled-active found for that resource ++ return 0 ++ fi ++} ++ ++if is_active_pgserver ++then ++ if [ ! 
-f ${KEYSTONE_KEYS_ROTATE_INFO} ] ++ then ++ echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO} ++ fi ++ ++ source ${KEYSTONE_KEYS_ROTATE_INFO} ++ sudo -u postgres psql -d fm -c "SELECT alarm_id, entity_instance_id from alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null ++ if [ $? -eq 0 ] ++ then ++ source /etc/platform/platform.conf ++ if [ "${system_type}" = "All-in-one" ] ++ then ++ source /etc/init.d/task_affinity_functions.sh ++ idle_core=$(get_most_idle_core) ++ if [ "$idle_core" -ne "0" ] ++ then ++ sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}" ++ sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO} ++ exit 0 ++ fi ++ fi ++ ++ if [ "$delay_count" -lt "3" ] ++ then ++ newval=$(($delay_count+1)) ++ sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO} ++ (sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) & ++ exit 0 ++ fi ++ ++ fi ++ ++ eval ${KEYSTONE_KEYS_ROTATE_CMD} ++ sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO} ++ ++fi ++ ++exit 0 ++ +diff --git a/debian/stx/keystone.service b/debian/stx/keystone.service +new file mode 100644 +index 000000000..a72aa84be +--- /dev/null ++++ b/debian/stx/keystone.service +@@ -0,0 +1,14 @@ ++[Unit] ++Description=OpenStack Identity Service (code-named Keystone) ++After=syslog.target network.target ++ ++[Service] ++Type=forking ++#ReminAfterExit is set to yes as we have 2 pids to monitor ++RemainAfterExit=yes ++ExecStart=/usr/bin/keystone-all start ++ExecStop=/usr/bin/keystone-all stop ++ExecReload=/usr/bin/keystone-all reload ++ ++[Install] ++WantedBy=multi-user.target +diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf +new file mode 100644 +index 000000000..e7ce65602 +--- /dev/null ++++ b/debian/stx/password-rules.conf +@@ -0,0 +1,34 @@ ++# The password rules captures the [security_compliance] ++# section of the generic Keystone configuration (keystone.conf) ++# This configuration is used to statically define the password ++# 
rules for password validation in pre-Keystone environments ++# ++# N.B: Only set non-default keys here (default commented configuration ++# items not needed) ++ ++[security_compliance] ++ ++# ++# From keystone ++# ++ ++# This controls the number of previous user password iterations to keep in ++# history, in order to enforce that newly created passwords are unique. Setting ++# the value to one (the default) disables this feature. Thus, to enable this ++# feature, values must be greater than 1. This feature depends on the `sql` ++# backend for the `[identity] driver`. (integer value) ++# Minimum value: 1 ++unique_last_password_count = 3 ++ ++# The regular expression used to validate password strength requirements. By ++# default, the regular expression will match any password. The following is an ++# example of a pattern which requires at least 1 letter, 1 digit, and have a ++# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature ++# depends on the `sql` backend for the `[identity] driver`. (string value) ++password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$ ++ ++# Describe your password regular expression here in language for humans. If a ++# password fails to match the regular expression, the contents of this ++# configuration variable will be returned to users to explain why their ++# requested password was insufficient. (string value) ++password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character +diff --git a/debian/stx/public.py b/debian/stx/public.py +new file mode 100644 +index 000000000..d3a29f3b3 +--- /dev/null ++++ b/debian/stx/public.py +@@ -0,0 +1,21 @@ ++# Copyright (c) 2013-2017 Wind River Systems, Inc. ++# ++# Licensed under the Apache License, Version 2.0 (the "License"); you may ++# not use this file except in compliance with the License. 
You may obtain
++# a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++# License for the specific language governing permissions and limitations
++# under the License.
++
++
++from keystone.server import wsgi as wsgi_server
++
++import sys
++sys.argv = sys.argv[:1]
++
++application = wsgi_server.initialize_public_application()
+--
+2.30.2
+
diff --git a/openstack/keystone/debian/deb_patches/series b/openstack/keystone/debian/deb_patches/series
new file mode 100644
index 00000000..0f1e4261
--- /dev/null
+++ b/openstack/keystone/debian/deb_patches/series
@@ -0,0 +1 @@
+0001-Add-stx-support.patch
diff --git a/openstack/keystone/debian/meta_data.yaml b/openstack/keystone/debian/meta_data.yaml
new file mode 100644
index 00000000..2be630da
--- /dev/null
+++ b/openstack/keystone/debian/meta_data.yaml
@@ -0,0 +1,10 @@
+---
+debname: keystone
+debver: 2:18.0.0-3
+dl_path:
+ name: keystone-debian-18.0.0-3.tar.gz
+ url: https://salsa.debian.org/openstack-team/services/keystone/-/archive/debian/18.0.0-3/keystone-debian-18.0.0-3.tar.gz
+ md5sum: fba7c47672b976cdcab5c33f49a5d2fd
+revision:
+ dist: $STX_DIST
+ PKG_GITREVCOUNT: true
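Review bot: `debian/stx/keystone-all` is installed under `#!/bin/sh` yet relies on bash-only constructs (`${@:2:1}`, `[ … == … ]`, `source`, `echo -e`); on Debian /bin/sh is dash, which rejects `${@:2:1}` as a bad substitution before `start()` is ever reached, so `ExecStart=/usr/bin/keystone-all start` in the new `keystone.service` would fail at boot — change the first line to `#!/bin/bash`, as `keystone-fernet-keys-rotate-active` already does, or rewrite the option handling in POSIX sh. In the same script `PYTHON` is taken from `which python`, which is likely to be empty on Debian 11 unless python-is-python3 is installed, leaving `--exec ${PYTHON}` blank for start-stop-daemon; `python3` is the interpreter the python3-keystone package this patch builds actually targets. Separately, the rewritten `keystone.postrm` purge branch removes only /var/log/keystone, so /etc/keystone — under which `debian/rules` now pre-creates `credential-keys`, and which presumably also holds the fernet repository that `keystone-fernet-keys-rotate-active` rotates — and /var/lib/keystone survive a purge with their 0640 key files intact, whereas the replaced script removed all three directories; if leaving them behind is intentional, a comment in the purge case should say so.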
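Review bot: `md5sum` is the only integrity check on the downloaded `keystone-debian-18.0.0-3.tar.gz`, and MD5 is no longer collision-resistant, so it guards against accidental corruption rather than deliberate substitution of the packaging tarball; if the downloader accepts a SHA-256 field, prefer that (constructed placeholder: `sha256sum: <SHA256_OF_TARBALL>`). Note also that the `url` is a forge-generated archive of the `debian/18.0.0-3` tag, and such on-the-fly archives may not stay byte-identical across GitLab upgrades, so the pinned checksum can start failing without any upstream change; a fixed, published tarball would be a steadier reference.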