Bug 1170372

Summary: [RFE] Deploy Keystone in Apache httpd
Product: Red Hat OpenStack
Reporter: Rich Megginson <rmeggins>
Component: rhosp-director
Assignee: Michele Baldessari <michele>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: unspecified
Priority: urgent
Version: 7.0 (Kilo)
CC: aortega, ayoung, derekh, hbrock, jason.dobies, jcoufal, jtaleric, kbasil, markmc, mburns, mcornea, mlopes, mmagr, morazi, nkinder, nlevinki, oblaut, rduartes, rhel-osp-director-maint, rmeggins, sclewis, srevivo, tvignaud, ukalifon, ushkalim
Target Milestone: ga
Keywords: FutureFeature, Tracking, Triaged
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
With this update, the eventlet system for keystone has been deprecated upstream. Red Hat OpenStack Platform director now configures keystone to run under apache using WSGI. This change was due to the Keystone project's recommendation that keystone deployment occurs within WSGI. As a result, the keystone service now runs under the apache httpd service.
Clone Of: 1123117
Last Closed: 2016-08-24 13:00:05 UTC
Type: Bug
Bug Depends On: 1111274, 1122764, 1122767, 1123117, 1138424, 1170218, 1170223, 1170224, 1170225, 1180230    
Bug Blocks: 1170370, 1285346, 1339058    

Description Rich Megginson 2014-12-03 22:25:26 UTC
+++ This bug was initially created as a clone of Bug #1123117 +++

+++ This bug was initially created as a clone of Bug #1122764 +++

Keystone's preferred deployment has changed to running within Apache httpd/mod_wsgi upstream.  This offers better performance, stronger authentication mechanisms, and federation capabilities over using eventlet (keystone-all).

We should deploy Keystone in httpd/mod_wsgi for RHEL OSP 6.0 via all supported installation methods.

This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.

Comment 3 Rich Megginson 2015-06-02 18:47:02 UTC
Would really like to get this into 7.0 if at all possible.

Comment 5 Jaromir Coufal 2016-01-06 18:47:38 UTC
*** Bug 1227044 has been marked as a duplicate of this bug. ***

Comment 7 Rodrigo Duarte 2016-02-15 12:42:06 UTC
tripleo upstream patch: https://review.openstack.org/#/c/213175/

Comment 9 Hugh Brock 2016-02-28 07:21:09 UTC
This will not make OSP 8 at this point but it will land for Mitaka. Have updated the bug accordingly.

Comment 11 Jaromir Coufal 2016-05-05 18:59:36 UTC
*** Bug 1285346 has been marked as a duplicate of this bug. ***

Comment 14 Udi Shkalim 2016-07-20 12:45:12 UTC
Verified on: openstack-keystone-9.0.0-1.el7ost.noarch

httpd is holding the keystone wsgi configs:
[root@overcloud-controller-0 conf.d]# ls -ltrh
total 28K
-rw-r--r--. 1 root root  707 Jul 18 06:07 15-default.conf
-rw-r--r--. 1 root root  154 Jul 18 06:07 openstack-dashboard.conf
-rw-r--r--. 1 root root  876 Jul 18 06:07 10-gnocchi_wsgi.conf
-rw-r--r--. 1 root root  846 Jul 18 06:07 10-aodh_wsgi.conf
-rw-r--r--. 1 root root 1.1K Jul 18 06:07 10-horizon_vhost.conf
-rw-r--r--. 1 root root  972 Jul 18 06:07 10-keystone_wsgi_main.conf
-rw-r--r--. 1 root root  976 Jul 18 06:09 10-keystone_wsgi_admin.conf


httpd is holding the keystone port 5000:
[root@overcloud-controller-0 conf.d]# netstat -natp  | grep 5000
tcp        0      0 172.17.0.12:5000        0.0.0.0:*               LISTEN      9279/httpd  


pacemaker does not have a keystone resource:
[root@overcloud-controller-0 conf.d]#  pcs status | grep -i keystone
[root@overcloud-controller-0 conf.d]#
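
The three checks from the verification comment above, written as a repeatable script. This is an added example, not part of the bug report or of any Red Hat tooling; the function names are hypothetical, and the sample text combines lines quoted in the comment with constructed ones.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample input is constructed
# around the output quoted in the verification comment.

# Print the program listening on TCP port $1; reads `netstat -natp` on stdin.
listener_for_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, addr, ":")   # port is the last ":" field (IPv4 and IPv6)
            split($7, proc, "/")       # PID/Program name column
            if (addr[n] == port && proc[2] != "") print proc[2]
        }' | sort -u
}

# Print keystone WSGI vhost file names found in an `ls -l` listing on stdin.
keystone_vhosts() {
    awk '{ print $NF }' | grep -E '^[0-9]+-keystone_wsgi_(main|admin)\.conf$' | sort
}

# Args: netstat text, conf.d listing, `pcs status` text.
# Returns 0 only when all three conditions from the comment hold.
check_keystone_under_httpd() {
    owner=$(printf '%s\n' "$1" | listener_for_port 5000)
    if [ "$owner" != "httpd" ]; then
        echo "FAIL: port 5000 held by '${owner:-nothing}', expected httpd"; return 1
    fi
    count=$(printf '%s\n' "$2" | keystone_vhosts | grep -c . || true)
    if [ "$count" -ne 2 ]; then
        echo "FAIL: expected main and admin keystone vhosts, found $count"; return 1
    fi
    if printf '%s\n' "$3" | grep -qi keystone; then
        echo "FAIL: pacemaker still lists a keystone resource"; return 1
    fi
    echo "OK: keystone is served by httpd"
}

# Sample input: first netstat line and the keystone file names are from the
# comment; everything else is constructed for the example.
SAMPLE_NETSTAT='tcp        0      0 172.17.0.12:5000        0.0.0.0:*               LISTEN      9279/httpd
tcp        0      0 172.17.0.12:15000       0.0.0.0:*               LISTEN      4410/other'
SAMPLE_LISTING='-rw-r--r--. 1 root root 1.1K Jul 18 06:07 10-horizon_vhost.conf
-rw-r--r--. 1 root root  972 Jul 18 06:07 10-keystone_wsgi_main.conf
-rw-r--r--. 1 root root  976 Jul 18 06:09 10-keystone_wsgi_admin.conf'
SAMPLE_PCS=' Clone Set: haproxy-clone [haproxy]
 Master/Slave Set: galera-master [galera]'

check_keystone_under_httpd "$SAMPLE_NETSTAT" "$SAMPLE_LISTING" "$SAMPLE_PCS"
```

On a live controller, pass the real command output instead of the sample variables, for example `"$(netstat -natp)"`, `"$(ls -l /etc/httpd/conf.d)"` and `"$(pcs status)"`; the `/etc/httpd/conf.d` path is an assumption, since the comment only shows the `conf.d` directory name.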

Comment 17 errata-xmlrpc 2016-08-24 13:00:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1762.html