RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1054826 - Keystone init.d relies on the use of keystone discover command
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-keystone
Version: unspecified
Hardware: noarch
OS: Linux
unspecified
low
Target Milestone: ---
: ---
Assignee: Alan Pevec
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-17 14:44 UTC by Joe Harrison
Modified: 2016-04-26 15:37 UTC (History)

Fixed In Version: openstack-keystone-2013.2.2-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-19 22:54:24 UTC
Embargoed:



Description Joe Harrison 2014-01-17 14:44:36 UTC
Description of problem:

/etc/init.d/openstack-keystone relies on the use of the `keystone discover` command to check that the service is available.

This command does not work correctly against SSL endpoints, nonstandard keystone ports or SSL endpoints with self-signed certificates.

This causes the init script to hang on a service start, trying to check the connectivity of an endpoint which does not exist.

The `keystone discover` command either needs to be patched to check SSL endpoints insecurely, or the use of it needs to be removed from the script.

Version-Release number of selected component (if applicable):

openstack-keystone OpenStack Havana 2013.2.1-1.el6

How reproducible:

Configure keystone to use SSL or a non-standard port and then restart the keystone service


Steps to Reproduce:
1. Change the public and admin port numbers in /etc/keystone/keystone.conf or 
2. Restart the keystone service via `service openstack-keystone restart` or `/etc/init.d/openstack-keystone restart`

Actual results:

Aborting wait for keystone to start or init script hangs for a long time, leading to abort to be used if invoked by a user directly.


Expected results:

Init script should check local keystone configuration for ports and ssl settings and then attempt to connect itself.

Additional info:
The discover command is not planned to be implemented in the openstack common cli.
https://wiki.openstack.org/wiki/OpenStackClient/Commands#.3Cother.3E

Comment 1 Lars Kellogg-Stedman 2014-02-12 15:20:51 UTC
We could solve this problem by dumping "keystone discover" and just
using curl in the keystone_available function, like this:

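  # Read the SSL flag and public port from the local keystone configuration,
  # falling back to the defaults when an option is not set.
  ssl_enabled=$(crudini --get /etc/keystone/keystone.conf ssl enable 2> /dev/null || echo False)
  public_port=$(crudini --get /etc/keystone/keystone.conf DEFAULT public_port 2> /dev/null || echo 5000)

  if [ "$ssl_enabled" = True ]; then
    schema=https
  else
    schema=http
  fi

  keystone_url="${schema}://localhost:${public_port}/"

  keystone_available()
  {
    # -k skips certificate verification so a self-signed local endpoint passes
    curl -sfk "$keystone_url" > /dev/null
  }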
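
Added example, not part of the bug report or of the shipped init script: the same check as in comment 1, written so the probe target is derived from a given config file and both the single probe and the wait loop are bounded. `ini_get` is a hypothetical awk helper standing in for crudini, and `wait_for_keystone`, the 5 second timeout and the 30 tries are assumptions.

```shell
#!/bin/sh
# ini_get FILE SECTION KEY DEFAULT: print KEY from [SECTION], else DEFAULT.
# Hypothetical stand-in for crudini; commented-out options are ignored.
ini_get() {
    awk -v want="[$2]" -v key="$3" -v def="$4" '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line ~ /^\[/ { in_s = (line == want); next }
        in_s && line !~ /^[#;]/ && (eq = index(line, "=")) {
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : def) }' "$1"
}

# keystone_url CONF: print scheme://localhost:port/ built from [ssl] enable
# and [DEFAULT] public_port (5000 is keystone's default public port).
keystone_url() {
    port=$(ini_get "$1" DEFAULT public_port 5000)
    case $port in
        ''|*[!0-9]*) return 1 ;;   # refuse a non-numeric port value
    esac
    case $(ini_get "$1" ssl enable False) in
        [Tt]rue) scheme=https ;;
        *)       scheme=http ;;
    esac
    printf '%s://localhost:%s/\n' "$scheme" "$port"
}

# keystone_available CONF: one probe, bounded to 5 seconds. -k skips
# certificate verification, which is tolerable only because the target is
# localhost and the result is used purely as a liveness signal.
keystone_available() {
    url=$(keystone_url "$1") || return 1
    curl -sfk --max-time 5 "$url" > /dev/null
}

# wait_for_keystone CONF [TRIES]: poll once per second, give up after TRIES.
wait_for_keystone() {
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        keystone_available "$1" && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}
```

An init script would call `wait_for_keystone /etc/keystone/keystone.conf` after starting the daemon and report failure on a non-zero return.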

Comment 2 Lars Kellogg-Stedman 2014-02-14 17:31:37 UTC
This can also be fixed by the changes to "keystone discover" referenced in https://bugzilla.redhat.com/show_bug.cgi?id=1058291#c15

