Devstack was setting its own default for Keystone's token format, so
when Keystone's default token format changed, devstack needed to
be updated. With this change, devstack will only override Keystone's
token format if KEYSTONE_TOKEN_FORMAT is set explicitly. PKI setup
is assumed to be needed unless the KEYSTONE_TOKEN_FORMAT is set to
UUID.
Change-Id: Idfa78e93abd80273dadcf37007a024bb6a783a48
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
identity_uri option was released in keystoneclient 0.8.0
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
Ensure that apache2ctl is only called if apache2 is being used when
setting up Keystone. This patch corrects a case where apache2ctl
is being called at the time lib/keystone is being sourced. This
error breaks attempts to deploy Keystone under apache unless
apache is already installed at the time stack.sh is run.
Change-Id: I02d426438fa1246effd68c6bb3c3358910ed4c05
Keystone added support for a compressed token provider, PKIZ. This
change adds support to devstack. Set the KEYSTONE_TOKEN_FORMAT
option to "PKIZ" to configure Keystone to use it.
Change-Id: I123eef661c85cc805e950f1179b48e885078d40f
On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
files are 000-default.conf and default-ssl.conf.
On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
/etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
sites' files are default and default-ssl.
On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
On RHEL and CentOS, things should hopefully work as in Fedora.
This change puts all distribution-related site configuration file name differences in lib/apache and
the other services get the file name for their sites using the new exported function
apache_site_config_for <sitename>.
It also makes Fedora disabled sites use the .conf.disabled suffix instead of removing the .conf from
the file name.
The table below summarizes what should happen on each distribution:
+----------------------+--------------------+--------------------------+--------------------------+
| Distribution         | File name          | Site enabling command    | Site disabling command   |
+----------------------+--------------------+--------------------------+--------------------------+
| Ubuntu 12.04         | site               | a2ensite site            | a2dissite site           |
| Ubuntu 14.04         | site.conf          | a2ensite site            | a2dissite site           |
| Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
+----------------------+--------------------+--------------------------+--------------------------+
Change-Id: Ia2ba3cb7caccb6e9b65380f9d51d9d21180b894e
Closes-bug: #1313765
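The per-distribution naming and enable/disable behaviour in the table above, as an added shell example. This is not devstack's lib/apache code; the function names (apache_site_config_path, apache_site_enable, apache_site_disable, apache_site_is_enabled) and the distro identifiers are hypothetical, and the configuration directory is passed in as a parameter so the logic can be exercised against a scratch directory instead of a real Apache installation.

```shell
#!/bin/sh
# Added example, not devstack's own code. Encodes the site-file naming rules:
#   Ubuntu 12.04: sites-available/<site>        (a2ensite/a2dissite <site>)
#   Ubuntu 14.04: sites-available/<site>.conf   (a2ensite/a2dissite <site>)
#   Fedora/RHEL/CentOS: conf.d/<site>.conf, disabled form <site>.conf.disabled
# DISTRO values (ubuntu-12.04, ubuntu-14.04, fedora, rhel, centos) are hypothetical.

# apache_site_config_path DISTRO SITE CONFDIR: print the site file path.
apache_site_config_path() {
    distro=$1; site=$2; confdir=$3
    case "$distro" in
        ubuntu-12.04)       printf '%s/sites-available/%s\n' "$confdir" "$site" ;;
        ubuntu-14.04)       printf '%s/sites-available/%s.conf\n' "$confdir" "$site" ;;
        fedora|rhel|centos) printf '%s/conf.d/%s.conf\n' "$confdir" "$site" ;;
        *) echo "unsupported distribution: $distro" >&2; return 1 ;;
    esac
}

# apache_site_enable DISTRO SITE CONFDIR
apache_site_enable() {
    distro=$1; site=$2; confdir=$3
    case "$distro" in
        ubuntu-12.04|ubuntu-14.04)
            # a2ensite takes the bare site name on both releases (no .conf)
            "${APACHE_A2ENSITE:-a2ensite}" "$site" ;;
        fedora|rhel|centos)
            conf=$(apache_site_config_path "$distro" "$site" "$confdir") || return 1
            # httpd loads every *.conf in conf.d, so enabling is a rename
            if [ ! -e "$conf" ]; then mv "$conf.disabled" "$conf"; fi ;;
        *) return 1 ;;
    esac
}

# apache_site_disable DISTRO SITE CONFDIR
apache_site_disable() {
    distro=$1; site=$2; confdir=$3
    case "$distro" in
        ubuntu-12.04|ubuntu-14.04)
            "${APACHE_A2DISSITE:-a2dissite}" "$site" ;;
        fedora|rhel|centos)
            conf=$(apache_site_config_path "$distro" "$site" "$confdir") || return 1
            # keep the file around under a suffix httpd ignores
            if [ -e "$conf" ]; then mv "$conf" "$conf.disabled"; fi ;;
        *) return 1 ;;
    esac
}

# apache_site_is_enabled DISTRO SITE CONFDIR: exit 0 if the site is active.
apache_site_is_enabled() {
    distro=$1; site=$2; confdir=$3
    conf=$(apache_site_config_path "$distro" "$site" "$confdir") || return 1
    case "$distro" in
        ubuntu-*) [ -e "$confdir/sites-enabled/${conf##*/}" ] ;;  # a2ensite symlink
        *)        [ -e "$conf" ] ;;
    esac
}

# Demo against a scratch directory laid out like Fedora's /etc/httpd.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf.d"
: > "$demo_dir/conf.d/keystone.conf.disabled"
apache_site_enable fedora keystone "$demo_dir"
apache_site_is_enabled fedora keystone "$demo_dir" && echo "keystone site enabled"
apache_site_disable fedora keystone "$demo_dir"
apache_site_is_enabled fedora keystone "$demo_dir" || echo "keystone site disabled"
rm -rf "$demo_dir"
```

On Ubuntu the enable and disable steps delegate to a2ensite/a2dissite (overridable through APACHE_A2ENSITE/APACHE_A2DISSITE for testing), while the Fedora family renames the file in place so the original content survives a disable.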
Ensure that the VHOST and the scripts used to enable keystone under
mod_wsgi are properly cleaned up.
Change-Id: I76a748b0fd5f1a5182d10e425202857c5621e25a
When Keystone is configured under mod_wsgi, Keystone configuration
requires debugging to be enabled as the debug flag cannot be passed
via cli arguments.
Because Apache 2.2 (default for a number of distributions) does not
support passing an explicit format to the ErrorLog, Keystone under
mod_wsgi ends up with duplicated timestamps in the Keystone log.
This patchset eliminates the %(asctime) and %(msecs) substitution
targets from the log format options when Keystone is configured
under mod_wsgi.
Change-Id: I0bf32db6e53cb653921162cb1957eb988b819815
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC, all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257
Check that function calls look like ^function foo {$ in bash8, and fix
all existing failures of that check. Add a note to HACKING.rst
Change-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938
If we start keystone with an SSL endpoint then the curl check to see if
it is running will fail because it cannot create a secure connection.
This check can be done insecurely as all we care about is that the
service has started.
Change-Id: I826753d4d46e9956f443110029346bc70282951a
The use case is running devstack inside an OpenStack vm and running tempest
from some other machine. To make the catalog export urls that can be accessed
from off the devstack machine, you need to set KEYSTONE_SERVICE_HOST to an
external IP. But devstack uses that address in its setup of keystone in
addition to exporting in the catalog. Because OpenStack has an issue where
a vm cannot access itself through its own floating ip, devstack fails. There
is no way to have this use case by providing an ip address. The workaround
is to use the hostname of the devstack machine. That worked until recently
when a change was made to set admin_bind_host to the value of
KEYSTONE_SERVICE_HOST. The result is that port 35357 is only opened locally.
This change allows the devstack user to restore the original behavior
allowing this use case.
Change-Id: I97b938b305b7dd878397e7e64462650064e59cd2
Closes-Bug: #1283803
migrated most keystoneclient commands from the following libs:
ceilometer
cinder
ironic
keystone
marconi
neutron
nova
savanna
swift
trove
Also need to set and unset openstackclient specific environment
variables from stack.sh
Change-Id: I725f30bc08e1df5a4c5770576c19ad1ddaeb843a
The keystone configuration used the 'connection' option in the
'sql' section of the keystone.conf file. This option is deprecated
in favor of 'connection' in the 'database' section.
The keystone setup code is changed to use the option in the new
section rather than the deprecated one.
Change-Id: I62fd2f50ded3b8848e9e5225e88c80ed8fed3bff
On Linux ports 32768-61000 can be used by just about
anything needing a socket. Keystone's IANA assigned port is 35357.
Occasionally something else will be using port 35357 first because Linux
allows this. Workaround is to bind to port 127.0.0.1 instead of 0.0.0.0.
$KEYSTONE_SERVICE_HOST gets its value from $SERVICE_HOST which is set to
127.0.0.1 in the gate.
"Ephemeral (client) ports will *never* be sourced from 0.0.0.0, and are
uniquely identified by the full connection five-tuple (proto, src IP,
src port, dst IP, dst port) anyway, allowing them to overlap src IP/src
port as long as proto/dst IP/dst port are different. Thus it is up to
keystone/devstack to bind more appropriately and not use wildcard bind
addresses unless explicitly necessary for some reason. For example, in
the log output, the URLs are configured with dst IPs of 127.0.0.1
anyway, so binding explicitly to localhost would change nothing, while
skirting this particular edge case nicely." ~Evan Callicoat
This doesn't fix bug 1253482; it works around it while a better solution
is prepared (running keystone behind apache in devstack).
Co-Authored-By: Joe Gordon <joe.gordon0@gmail.com>
Change-Id: I112309661dadf8b753c3311182f82464d9d3595e
Related-bug: #1253482
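A check for the ephemeral-port collision described above, as an added shell example that is not part of the original change. It reads the Linux sysctl values net.ipv4.ip_local_port_range and net.ipv4.ip_local_reserved_ports (both real kernel interfaces) and reports whether a listening port such as 35357 could be handed out to a client socket first; the function names and the sample range/reserved values are constructed for the example.

```shell
#!/bin/sh
# Added example, not devstack code. Decides whether a service port sits inside
# the ephemeral range without being reserved, i.e. whether an unrelated client
# socket could grab it before the service binds to a wildcard address.

# port_in_range PORT "LOW HIGH": 0 if LOW <= PORT <= HIGH
# (the second argument is the raw contents of ip_local_port_range)
port_in_range() {
    port=$1
    set -- $2                   # split "LOW<tab>HIGH" on whitespace
    [ "$port" -ge "$1" ] && [ "$port" -le "$2" ]
}

# port_is_reserved PORT LIST: 0 if PORT appears in a list such as
# "1000,35000-36000" (the ip_local_reserved_ports format); empty list -> 1
port_is_reserved() {
    port=$1
    list=$2
    old_ifs=$IFS; IFS=','
    for item in $list; do
        case "$item" in
            '')  continue ;;
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# ephemeral_port_risk PORT RANGE RESERVED: prints "collidable" when a client
# socket could be assigned PORT first, "safe" otherwise.
ephemeral_port_risk() {
    if port_in_range "$1" "$2" && ! port_is_reserved "$1" "$3"; then
        echo collidable
    else
        echo safe
    fi
}

# Constructed sample values matching the numbers in the commit message.
sample_range="32768 61000"
echo "35357 with nothing reserved: $(ephemeral_port_risk 35357 "$sample_range" "")"
echo "35357 with 35357 reserved:   $(ephemeral_port_risk 35357 "$sample_range" "35357")"
echo "5000 (below the range):      $(ephemeral_port_risk 5000 "$sample_range" "")"

# On a Linux host, report the live values as well.
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    live_range=$(cat /proc/sys/net/ipv4/ip_local_port_range)
    live_reserved=$(cat /proc/sys/net/ipv4/ip_local_reserved_ports 2>/dev/null)
    echo "35357 on this host: $(ephemeral_port_risk 35357 "$live_range" "$live_reserved")"
fi
```

Binding to 127.0.0.1, as the change does, sidesteps the collision because the client five-tuple is compared against the specific listen address; reserving the port via the sysctl is the complementary host-level setting an operator can apply when a wildcard bind is genuinely required.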
The Keystone setup was using logging.conf to configure logging,
unlike other projects. This may have been left over from before
Keystone switched to oslo logging.
Switching to common logging configuration allows:
- Common format for logs for easier parsing
- Pretty colorized logs
- Keystone can control the default logging levels for libraries
that are used by setting the defaults in keystone.
- Potentially using a function to set up logging for all components
using oslo-logging (e.g., share with lib/nova).
Change-Id: I4e9b1e6cffce30f16a1e039224312852b8abda07
Closes-Bug: #1271775
Closes-Bug: #1269987
unstack.sh and stack.sh both have to "configure projects", but the
code was different. This change makes it so the 2 sections of the
files are the same.
Change-Id: Ia06f8bbfbe2a6e87fb406e34e13a39bd7fa9e5af
- add lib/ceilometer and lib/heat to source list for when the stop_heat
and stop_ceilometer functions are called.
- add lib/tls source to lib/keystone for when the is_ssl_enabled_service
function is called.
Change-Id: Ief05766e9cfda71fb6392c8a757d04751283414e
Closes-Bug: #1269047
* Save PID when using screen in screen_it()
* Add screen_stop()
* Call out service stop_*() in unstack.sh functions so screen_stop()
can do its thing
Closes-bug: 1183449
Change-Id: Iac84231cfda960c4197de5b6e8ba6eb19225169a
The version of the authentication url is set to v1.0 for some
projects by default. We can make it configurable via the parameter
"$IDENTITY_API_VERSION".
Closes-Bug: #1253539
Change-Id: I6640e345d1317b1308403c95b13f8a998320241b
The keystone server was started with the options like
keystone-all ... -d --debug ...
The -d and --debug options are the same so one of them is
redundant.
This will make it less confusing if someone removes --debug and
thinks that debug is off, but debug is still on because they
didn't notice there was an extra -d.
Change-Id: I1ac977e6b12f1cc44f02b636c1bfb5c115b5b3e4
* Build the base DN from a given domain name
* Remove all hard-coded names to allow configuration of base DN
* Fix manager DN (cn=Manager,dc=...)
* Add ldap init_ldap()
* Add support for clean.sh
Change-Id: Ieb69be9740653645b8e000574ad3fe59a0f97540
Allow providing certificates through environment variables to be used
for keystone, and provide the basis for doing this for other services.
It cannot be used in conjunction with tls-proxy as the service provides
its own encrypted endpoint.
Implementing: blueprint devstack-https
Change-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0
devstack was setting the token_format option in the keystone
configuration file. This option is deprecated so should not be
used.
Change-Id: I047de155f0d9d2a1c009533c2f97f505cc80c6de
Address miscellaneous issues with Markdown formatting in comments which
are consumed by shocco when generating the online documentation.
Change-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078
When end users specify proxy settings in config file for wget /etc/wgetrc:
http_proxy = http://...
or for curl ${HOME}/.curlrc:
proxy = http://...
Using `http_proxy="" wget` cannot skip the proxy setting in the
config files, although it can skip proxy settings in environment variables.
In order to skip proxy settings in both env and config file, we pass the
--no-proxy option for wget, and --noproxy '*' for curl.
Fixes bug #1224836
Change-Id: I2b25aeca9edf2ce4525fb1db325e5e24c18b4d55
With a recent patch to keystone, the use of tenantId, tenant_id, and
default_project_id was normalized to reference default_project_id for
all cases internally and translate to the expected results at the
controller (v2.0 returns tenantId, v3 returns default_project_id).
Devstack must now properly ignore the expected mapped LDAP attribute
of 'default_project_id' instead of the old 'tenantId'. Without this
fix devstack will fail when using the LDAP identity backend because
the 'default_project_id' has been made a special case that requires
the operator of an OpenStack cloud to explicitly choose an attribute
to map 'default_project_id' to if storing that value is desired.
Without explicitly mapping that attribute and not having it in the
'user_attribute_ignore' config option, user creation can fail.
related-bug: 1219739
Change-Id: I1dd3719de50f6d0948b3a9743e32a03d0ac56b3c
Provide a template for running keystone as a mod_wsgi process and enable
it from configuration.
Based on: https://review.openstack.org/#/c/36474/
Also-by: zhang-hare <zhuadl@cn.ibm.com>
Implements: blueprint devstack-setup-apache-keystone
Change-Id: Icc9d7ddfa4a488c08816ff4ae0b53c0134a1016b
Added KEYSTONE_ASSIGNMENT_BACKEND to support mixed backend
Modified code for KEYSTONE_IDENTITY_BACKEND according to comments.
Implemented the check for variables instead of case statements.
UPD: Removed arrays.
UPD2: fixed spacing issues
Change-Id: Ie92eed1fb5be5f875ef6633ede9c9e08daf6bf4f
Implements: devstack-support-for-keystone-mixbackend
Update keystone cli by changing parameter options (user_id, role_id and tenant_id)
to use '-' rather than '_' in the method user_role_add and consequently the method
user_role_remove without maintaining backward compatibility because these are deprecated.
python-keystoneclient - Bug #1150434
Change-Id: Ia5113718eb050cf7dba443b8d0caf3bdaa1730f0
Add bash completion rules to the /etc/bash_completion.d from the
cinder, neutron, keystone, nova and nova-manage.
This is a very fast operation and makes the cli usage easier.
Change-Id: Icdcdaf55d58efaaa1afe25fd55f088bf7dc8b3f1
Token provider needs to be set to uuid.Provider when the token format is
UUID. PKI is the default.
Change-Id: I967289524a50f650cdf2476d5067d263dbf55b03
Fixes: bug #1201639