When setting ENABLE_DEBUG_LOG_LEVEL, the keystone screen would ignore
this setting and always use the debug mode.
Change-Id: I934443c2976e936198fc93da4cca717e6cb84e6f
Configure nova, cinder, glance, swift and neutron to use SSL
on the endpoints using either SSL natively or via a TLS proxy
using stud.
To enable SSL via proxy, in local.conf add:
ENABLED_SERVICES+=,tls-proxy
This will create a new test root CA, a subordinate CA and an SSL
server cert. It uses the value of hostname -f for the certificate
subject. The CA certificates are also added to the system CA bundle.
To enable SSL natively, in local.conf add:
USE_SSL=True
Native SSL by default will also use the devstack-generated root and
subordinate CA.
You can override this on a per-service basis by setting
<SERVICE>_SSL_CERT=/path/to/cert
<SERVICE>_SSL_KEY=/path/to/key
<SERVICE>_SSL_PATH=/path/to/ca
You should also set SERVICE_HOST to the FQDN of the host. This
value defaults to the host IP address.
Change-Id: I36fe56c063ca921131ad98439bd452cb135916ac
Closes-Bug: 1328226
The current default (/var/www) leads to:
AH01797: client denied by server configuration:
/var/www/keystone/admin
For /var/www the needed permissions on SUSE are not set.
For /srv/www/htdocs/ the permissions are correct on SUSE systems.
Change-Id: I3f2df896daecdfe510d45ff121af2a8433a4d5be
The Keystone server and auth_token middleware were enhanced to
support a configurable hash algorithm.
With this change, the user can set
KEYSTONE_TOKEN_HASH_ALGORITHM=sha256
in their localrc to use the SHA256 algorithm rather than the
default md5. Any hash algorithm supported by Python's hashlib can
be used. The MD5 algorithm doesn't provide enough protection from
hash collisions and some security standards mandate a SHA2 hash
algorithm.
Change-Id: I8b373291ceb760a03c4c14aebfeb53d8d0dfbcc1
Closes-Bug: #1174499
Each project was configuring the auth_token middleware using several
lines of inisets. Since all the projects should configure the
auth_token middleware in the same way, create a function and call it.
Change-Id: I3b6727d5a3bdc0ca600d8faa23bc6db32bb32260
The API_WORKERS option wasn't setting the number of admin workers
for the Keystone server when running in eventlet mode. This will
allow for control of throughput and memory usage.
Change-Id: Iecbce4a601f93784164e53d8b0c542d48f7b5650
We currently clean up keystone apache config during stop_keystone
when mod wsgi is enabled, but only create it during initial keystone
configuration. Grenade expects to be able to stop and start the
service without reconfiguring it, using only the respective functions.
This moves cleanup of config from stop_keystone to cleanup_keystone,
and enables/disables the apache vhost during start/stop.
Closes-bug: #1365105
Change-Id: I9e57c9a763fbdb8c5737decfe797ba0e9894150b
run_process will use screen if USE_SCREEN=True (the default),
otherwise it will simply start the requested service. Therefore
wherever screen_it was used, run_process can be used instead.
Where stop_screen was found it has been replaced with stop_process.
A tail_log function has been added which will tail a logfile in a
screen if USE_SCREEN is True.
lib/template has been updated to reflect the use of the new
functions.
When using sg the quoting in run_process gets very complicated.
To get around this, run_process and the functions it calls accept
an optional third argument. If set, it is a group to be used with sg.
Change-Id: Ia3843818014f7c6c7526ef3aa9676bbddb8a85ca
An error occurs because the ANOTHER_ROLE variable in lib/swift is not set.
This patch gets and sets the value of the another_role variable.
Change-Id: I9d67ce243eb6bb42ed7e3522ef816295847d48fa
Closes-Bug: #1363884
This change uses mod_version (shipped by default on everything we care
about) to set up version-specific config within apache rather than
within devstack scripts.
Clean up the horizon and keystone config file generation to use the
internal apache matching.
Since I6478db385fda2fa1c75ced12d3e886b2e1152852 the apache matching in
'functions' is actually duplicated. Just leave get_apache_version in
lib/apache as it is used for config-file name matching in there.
Change-Id: I6478db385fda2fa1c75ced12d3e886b2e1152852
When Keystone was run in Apache Httpd the access log wasn't in a
screen. A new screen called key-access is now started with
Keystone's access log.
Change-Id: Ie1f4d4b679e1b9c87f0cea37deb25f7b6636fe01
Closes-Bug: #1359995
Keystone has moved over to using a new location for the token
persistence backends (drivers). The old values will continue to
work, but this will limit the deprecation warnings for an out
of the box devstack install.
Change-Id: I7c437788c8aee0106fa7f3c37617fbd1220291ef
bp: non-persistent-tokens
Use the new ErrorLogFormat directive to make the Keystone logs
under Apache look like the standard oslo log format.
Change-Id: Ie823abf2fa06b8ce22027c21bef455808a4a768e
The normal extension for log files is .log. Log rotation should
work because the extension is as expected.
Change-Id: Ia5e42ea9d953e8395b86ab58cdef6c2d852efc94
Related-Bug: #1359995
Rabbitmq credentials in keystone.conf should be updated according
to localrc.
This is done mostly to enable keystone notifications.
There are 2 cases where we can use notifications from keystone:
A) Collect audit notifications in ceilometer
B) Collect profiling data
Change-Id: I381d4d670755aa691743caa02df7dc55e05784c2
Make the default run mode of Keystone HTTPD + mod_wsgi. This will
enable gating on Keystone under mod_wsgi.
Depends On: https://review.openstack.org/#/c/100764/
Change-Id: I4b664a1d6c9bbb1ff999158f3a8c8ab3bd8d891b
Added a global toggle for enabling HTTPD + mod_wsgi for services
that default deploy to running under Apache. When the variable
``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``True`` any service
that recommends deploying under HTTPD + mod_wsgi, will be run
under Apache.
If ``ENABLE_HTTPD_MOD_WSGI_SERVICES`` is set to ``False``, any
service that is defaulted to running under HTTPD + mod_wsgi
will (if capable) be run in an alternate deployment strategy (e.g.
eventlet).
Updated Swift and Keystone to have individual toggles for deploying
under HTTPD + mod_wsgi. This is done to allow for the gate to run on
the services under mod_wsgi where appropriate. Toggles are
``KEYSTONE_USE_MOD_WSGI`` and ``SWIFT_USE_MOD_WSGI`` and are both
defaulted to "False" (do not deploy under HTTPD + mod_wsgi).
Change-Id: Id3b121b8f1cde369d184b586e0d875bdbda34813
Add the keystonemiddleware repository to devstack to support testing
with tempest and stable branches.
Change-Id: Ib635465e6568d9cd51d6e432ec8b8633a27d19ce
The check to $service_port must be done using http. It's
$KEYSTONE_SERVICE_PORT that may use either the http or https protocol.
partial blueprint devstack-https
Change-Id: I8ae081e9710c54396b765210336a7de331947086
Devstack was setting its own default for Keystone's token format, so
when Keystone's default token format changed then devstack needed to
be updated. With this change, devstack will only override Keystone's
token format if KEYSTONE_TOKEN_FORMAT is set explicitly. PKI setup
is assumed to be needed unless the KEYSTONE_TOKEN_FORMAT is set to
UUID.
Change-Id: Idfa78e93abd80273dadcf37007a024bb6a783a48
auth_token middleware now accepts a standard URL string as the parameter
identity_uri instead of specifying protocol etc. individually. Change the
services over to use this.
Also changes over some other places in which the auth fragments are used
individually to the new variables and fixes up some misconfigurations of
auth_token.
The identity_uri option was released in keystoneclient 0.8.0.
Change-Id: Iac13bc3d08c524a6a0f39cdfbc1009e2f5c45c2a
Ensure that apache2ctl is only called if apache2 is being used when
setting up Keystone. This patch corrects a case where apache2ctl
is being called at the time lib/keystone is being sourced. This
error breaks attempts to deploy Keystone under apache unless
apache is already installed at the time stack.sh is run.
Change-Id: I02d426438fa1246effd68c6bb3c3358910ed4c05
Keystone added support for a compressed token provider, PKIZ. This
change adds support to devstack. Set the KEYSTONE_TOKEN_FORMAT
option to "PKIZ" to configure Keystone to use it.
Change-Id: I123eef661c85cc805e950f1179b48e885078d40f
On Ubuntu 14.04, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
files are 000-default.conf and default-ssl.conf.
On Ubuntu 12.04, the site configuration file may have any format, as long as it is in
/etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
sites' files are default and default-ssl.
On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
On RHEL and CentOS, things should hopefully work as in Fedora.
This change puts all distribution-related site configuration file name differences in lib/apache and
the other services get the file name for their sites using the new exported function
apache_site_config_for <sitename>.
It also makes Fedora disabled sites use the .conf.disabled suffix instead of removing the .conf from
the file name.
The table below summarizes what should happen on each distribution:
+----------------------+--------------------+--------------------------+--------------------------+
| Distribution         | File name          | Site enabling command    | Site disabling command   |
+----------------------+--------------------+--------------------------+--------------------------+
| Ubuntu 12.04         | site               | a2ensite site            | a2dissite site           |
| Ubuntu 14.04         | site.conf          | a2ensite site            | a2dissite site           |
| Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
+----------------------+--------------------+--------------------------+--------------------------+
Change-Id: Ia2ba3cb7caccb6e9b65380f9d51d9d21180b894e
Closes-bug: #1313765
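The per-distribution naming summarized in the table above, worked through as an added shell illustration (this is not devstack's own lib/apache implementation). It assumes the distribution name and Apache configuration directory are passed in explicitly rather than detected from the host, so it runs anywhere; enable/disable commands are printed rather than executed for the same reason.

```shell
#!/bin/sh
# Added illustration of the distribution-specific Apache site file naming.
# Not devstack's lib/apache code; DISTRO and CONF_DIR are explicit inputs.

# Usage: apache_site_config_for CONF_DIR DISTRO SITE
# Prints the path of SITE's configuration file. On Fedora/RHEL/CentOS the
# enabled .conf file wins if it exists, otherwise the .conf.disabled name.
apache_site_config_for() {
    conf_dir=$1; distro=$2; site=$3
    case $distro in
        ubuntu-12.04)
            # Apache 2.2: any file name; a2ensite needs the whole name
            echo "$conf_dir/$site" ;;
        ubuntu-14.04)
            # Apache 2.4: .conf suffix required; a2ensite strips it itself
            echo "$conf_dir/$site.conf" ;;
        fedora|rhel|centos)
            if [ -f "$conf_dir/$site.conf" ]; then
                echo "$conf_dir/$site.conf"
            else
                echo "$conf_dir/$site.conf.disabled"
            fi ;;
        *)
            echo "apache_site_config_for: unknown distribution '$distro'" >&2
            return 1 ;;
    esac
}

# Usage: apache_site_toggle_cmd CONF_DIR DISTRO SITE enable|disable
# Prints the command from the table's last two columns (does not run it).
apache_site_toggle_cmd() {
    conf_dir=$1; distro=$2; site=$3; action=$4
    case $distro in
        ubuntu-12.04|ubuntu-14.04)
            # a2ensite/a2dissite take the bare site name on both releases
            if [ "$action" = enable ]; then echo "a2ensite $site"; else echo "a2dissite $site"; fi ;;
        fedora|rhel|centos)
            # No a2ensite: rename so httpd's *.conf glob does or does not match
            if [ "$action" = enable ]; then
                echo "mv $conf_dir/$site.conf.disabled $conf_dir/$site.conf"
            else
                echo "mv $conf_dir/$site.conf $conf_dir/$site.conf.disabled"
            fi ;;
        *)
            echo "apache_site_toggle_cmd: unknown distribution '$distro'" >&2
            return 1 ;;
    esac
}
```

Run with a scratch directory standing in for /etc/httpd/conf.d: the Fedora path flips from keystone.conf.disabled to keystone.conf once the enabled file exists, which is exactly the state the printed mv command changes.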
Ensure that the VHOST and the scripts used to enable keystone under
mod_wsgi are properly cleaned up.
Change-Id: I76a748b0fd5f1a5182d10e425202857c5621e25a
When Keystone is configured under mod_wsgi, Keystone configuration
requires debugging to be enabled as the debug flag cannot be passed
via cli arguments.
Because Apache 2.2 (default for a number of distributions) does not
support passing an explicit format to the ErrorLog, Keystone under
mod_wsgi ends up with duplicated timestamps in the Keystone log.
This patchset eliminates the %(asctime) and %(msecs) substitution
targets from the log format options when Keystone is configured
under mod_wsgi.
Change-Id: I0bf32db6e53cb653921162cb1957eb988b819815
* Move remaining role creation to create_keystone_accounts()
* Move glance creation to create_glance_accounts()
* Move nova/ec2/s3 creation to create_nova_accounts()
* Move ceilometer creation to create_ceilometer_accounts()
* Move tempest creation to create_tempest_accounts()
* Convert moved code to use OpenStackClient for setup
* files/keystone_data.sh is removed
Note that the SERVICE_TENANT and ADMIN_ROLE lookups in the other service
implementations are not necessary with OSC; all operations can be done
using names rather than requiring IDs.
Change-Id: I4283ca0036ae39fd44ed2eed834b69d78e4f8257