Bug 1573316

Summary: Include mod_auth_mellon in keystone container
Product: Red Hat OpenStack
Reporter: David Critch <dcritch>
Component: openstack-containers
Assignee: Dan Prince <dprince>
Status: CLOSED ERRATA
QA Contact: Pavan <pkesavar>
Severity: high
Docs Contact: Andrew Burden <aburden>
Priority: high
Version: 12.0 (Pike)
CC: aglotov, akaris, dprince, hrybacki, ipetrova, jamsmith, jdennis, jsaucier, m.andre, nkinder, pablo.iranzo, pgrist, pkesavar, pmorey, rmascena, srevivo
Target Milestone: z3
Keywords: Reopened, Triaged, ZStream
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-keystone-base-container-12.0-20180727.1
Doc Type: No Doc Update
Clone Of:
: 1609045
Last Closed: 2018-08-20 22:06:27 UTC
Type: Bug
Bug Blocks: 1609045
Attachments: hotfix-tarball with Dockerfile for local build (flags: none)

Description David Critch 2018-04-30 20:21:01 UTC
Description of problem:
We provide documentation on setting up RH-SSO with OSP12/Keystone. The setup requires an apache module that is not available in the current keystone container (mod_auth_mellon).

To make RH-SSO work you need to add that package to the container. That addition would get blown away in the event of an undercloud update, unless the customer starts maintaining their own custom keystone image.

Version-Release number of selected component (if applicable):
registry.access.redhat.com/rhosp12/openstack-keystone/images/12.0-20180319.1

How reproducible:
Always


Steps to Reproduce:
1. Attempt to follow instructions on integrating w/ RH-SSO
2. Hit step where a yum install is required
3. Cringe when you need to install a package in a container

Actual results:
Require modification of the keystone image for proper integration

Expected results:
All requirements met in the keystone image to RH-SSO

Additional info:
Documentation on setup/install module step: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/federate_with_identity_service/#install_mod_auth_mellon_on_each_controller_node

(The doc itself has some issues since installing the package on the controller node itself serves no purpose.)

Comment 2 Irina Petrova 2018-07-18 09:21:27 UTC
This is not an RFE but a BUG! SSO is coughing errors in RHOSP-12.

I'm reopening this BZ. BZ 1572154 is targeting RHOSP-13. This is for RHOSP-12.

RHOSP-12 is still well-alive and supported.

Can we, please, have those containers updated?

Comment 22 Dan Prince 2018-07-24 15:40:31 UTC
Created attachment 1470327
hotfix-tarball with Dockerfile for local build

Tarball with Dockerfile plus RPMs. See instructions in BZ for details.

Comment 23 Dan Prince 2018-07-24 15:48:03 UTC
See the attachment 1470327 which contains a tarball with the Dockerfile along with the required RPMs.

To build a new container layer/hotfix for this issue please do the following on your Undercloud.

1) Download tarball.

2) Extract to a directory named hotfix-bz1573316.

3) Run command: 'docker build hotfix-bz1573316'

4) Run command: 'docker tag <layer ID> 172.16.10.16:8787/rhosp12/openstack-keystone:12.0-20180529.1-hotfix-BZ1573316'. NOTE: use output from command #3 above as the <layer ID>

5) Run command: 'docker push 172.16.10.16:8787/rhosp12/openstack-keystone:12.0-20180529.1-hotfix-BZ1573316'

The hotfix should now be deployed to the local registry.

---

At this point you can update your Heat environment to use the new Keystone container hotfix as noted in the comment above (see the docker_registry.yaml file). Once you have done this re-deploy/update per normal.
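
The build, tag and push steps from comment 23, as an added shell example that is not part of the comment or of the attached tarball; it also checks that mod_auth_mellon is actually installed in the built image before anything is pushed. The function names and the rpm check are this example's own assumptions; the registry address and tag are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: build, verify, tag and push the keystone hotfix layer.
# Values below are the ones quoted in comment 23; edit for your undercloud.
REGISTRY="172.16.10.16:8787"
IMAGE="rhosp12/openstack-keystone"
TAG="12.0-20180529.1-hotfix-BZ1573316"
PACKAGE="mod_auth_mellon"

# Full reference the hotfix layer is tagged and pushed as.
hotfix_ref() {
    printf '%s/%s:%s\n' "$REGISTRY" "$IMAGE" "$TAG"
}

# Build the extracted hotfix directory; -q prints only the resulting image ID,
# which replaces the manual copy of <layer ID> in step 4.
hotfix_build() {
    docker build -q "$1"
}

# Succeeds only if the package is installed inside the built image.
# --entrypoint runs rpm instead of the image's normal start command.
hotfix_verify() {
    docker run --rm --entrypoint rpm "$1" -q "$PACKAGE" >/dev/null
}

# Build, verify, then tag and push. Nothing reaches the registry if the
# build fails or the package is missing from the image.
hotfix_publish() {
    dir="$1"
    [ -f "$dir/Dockerfile" ] || { echo "no Dockerfile in $dir" >&2; return 2; }
    id="$(hotfix_build "$dir")" || { echo "docker build failed" >&2; return 3; }
    [ -n "$id" ] || { echo "docker build returned no image ID" >&2; return 3; }
    if ! hotfix_verify "$id"; then
        echo "$PACKAGE not found in $id; not pushing" >&2
        return 4
    fi
    ref="$(hotfix_ref)"
    docker tag "$id" "$ref" >&2 || return 5
    docker push "$ref" >&2 || return 5
    echo "$ref"   # the reference to put in docker_registry.yaml
}

# Runs only when a directory is given, e.g.: sh publish-hotfix.sh hotfix-bz1573316
if [ "$#" -ge 1 ]; then
    hotfix_publish "$1"
fi
```
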

Comment 32 errata-xmlrpc 2018-08-20 22:06:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2509