Bug 1223094

Summary: Remove distro default database.connection
Product: [Community] RDO Reporter: Ricardo Katz <ricardo.katz>
Component: openstack-keystoneAssignee: Alan Pevec <apevec>
Status: CLOSED UPSTREAM QA Contact: yeylon <yeylon>
Severity: high Docs Contact:
Priority: unspecified    
Version: KiloCC: apevec, ayoung, jlennox, jpena, nkinder, ricardo.katz, srevivo, yeylon
Target Milestone: ---   
Target Release: Kilo   
Hardware: x86_64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
CentOS 7.1 64 bits
Last Closed: 2015-07-31 00:15:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ricardo Katz 2015-05-19 20:03:58 UTC 
Description of problem:

While following the guide (http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-services.html), just found a problem:

Keystone service (WSGI + python scripts) searches the wrong keystone.conf file. While it's documented to use the /etc/keystone/keystone.conf (and this was the default file on previous releases), this version searchs for the /usr/share/keystone/keystone-dist.conf

Version-Release number of selected component (if applicable):

Kilo


How reproducible:

Configure keystone following the Openstack documentation. Then try to add a new tenant, and an error 500 is shown.

Look on the /var/log/keystone/keystone.log to face that the system complains about a wrong mysql credentials (even they're right on the /etc/keystone/keystone.conf).

Change those credentials on the /usr/share/keystone/keystone-dist.conf and this works;

Actual results:

Failure to use the right configuration file

Expected results:


Additional info:
Comment 1 Jamie Lennox 2015-05-28 04:39:23 UTC 
So there is a mismatch in what is expected from the RDO package and the upstream wsgi file.

The upstream wsgi file specifies running the keystone as the keystone user but maintaining the apache group: https://github.com/openstack/keystone/blob/master/httpd/wsgi-keystone.conf#L5

The RDO packaging files specify that /etc/keystone/keystone.conf is owned by root and the keystone group https://github.com/openstack-packages/keystone/blob/rpm-master/openstack-keystone.spec#L197 

What's happening here in the linked bug is the order of precedence of reading config files.

The apache process tries to read the /etc/keystone/keystone.conf file and doesn't have appropriate permissions and then falls back to the /usr/share/keystone/keystone-dist.conf file where those credentials are being read from. 

We either need to update upstream to package the wsgi file specifying a group='keystone' tag so that it can read /etc/keystone/keystone.conf or change the ownership permissions. 

In addition i think it's a bad idea that we put default database strings in the dist file as they should never be useful and it makes the error a permission error connecting to the db with these bad creds rather than options missing.
Comment 2 Alan Pevec 2015-05-28 09:17:13 UTC 
Yeah, I'm not sure why we have db connection string in default, RPM installation doesn't create default db. I guess it was done in the past when default was sqlite which was created by default? I'll have a look at this.

Re. group - I'd check what puppet-keystone is doing and make upstream match this, so that we have same result after Packstack installation.
Comment 3 Javier Peña 2015-05-28 10:15:50 UTC 
Looking at what puppet-keystone does, it sets ownership for /etc/keystone as keystone:keystone, then also to /etc/keystone/keystone.conf 

If we all agree on this, we can go ahead and change the packaging. I'm ok with it.
Comment 4 Jamie Lennox 2015-05-28 12:40:12 UTC 
I think making the ownership keystone:keystone makes sense and is certainly the easier option. 

In looking at the packaging of other services it looks like shipping a database connection string is normal. I see it set in the dist files for nova, cinder and glance (all the ones i checked). Ideally we'd remove all of these.
Comment 5 Jamie Lennox 2015-05-28 12:44:35 UTC 
Also in looking this will make keystone different to the other services.

For example cinder-api.conf is installed with root:cinder and run by user cinder. This will be ok because cinder-api is an application and not run by apache so the group permissions will get picked up.

I don't think this is a problem but i just thought i'd mention it.
Comment 6 Alan Pevec 2015-06-02 22:34:10 UTC 
> Looking at what puppet-keystone does, it sets ownership for /etc/keystone as
> keystone:keystone, then also to /etc/keystone/keystone.conf 

That's not what I meant! Changing ownership of /etc/keystone doesn't seem right, why is puppet-keystone doing that?

I meant to say that puppet-keystone sets group=keystone in wsgi file:
https://github.com/stackforge/puppet-keystone/blob/master/manifests/wsgi/apache.pp#L167
and httpd/wsgi-keystone.conf in upstream Keystone should do the same.
I've added comment in https://bugs.launchpad.net/keystone/+bug/1456441
Comment 7 Alan Pevec 2015-06-02 22:48:34 UTC 
...and proposed https://review.openstack.org/187800
Comment 8 Javier Peña 2015-06-03 07:39:57 UTC 
(In reply to Alan Pevec from comment #6)
> > Looking at what puppet-keystone does, it sets ownership for /etc/keystone as
> > keystone:keystone, then also to /etc/keystone/keystone.conf 
> 
> That's not what I meant! Changing ownership of /etc/keystone doesn't seem
> right, why is puppet-keystone doing that?
> 

Not sure, I see the code has been there for quite long.