Bug 1123117 – Deploy Keystone in Apache httpd

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1123117 - Deploy Keystone in Apache httpd

Summary:	Deploy Keystone in Apache httpd

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-packstack (Show other bugs)
Sub Component:
Version:	6.0 (Juno)
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	z2
Target Release:	6.0 (Juno)
Assigned To:	Martin Magr
QA Contact:	Mike Abrams
Docs Contact:

URL:
Whiteboard:
Keywords:	Tracking, ZStream

Depends On:	1111274 1122764 1122767 1138424 1170218 1170223 1170224 1170225 1180230
Blocks:	1170370 1170372
	Show dependency tree / graph

Reported:	2014-07-24 18:37 EDT by Rich Megginson
Modified:	2016-04-26 22:43 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:	openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost
Doc Type:	Enhancement
Doc Text:	With this update, a new feature has been added that enables to install OpenStack Identity service to run via Apache httpd processes. A new parameter 'CONFIG_KEYSTONE_SERVICE_NAME' has been added. Value 'httpd' will switch on Apache support while value 'keystone' allows Identity service run in it's own process as was implemented in the previous versions.
Story Points:	---
Clone Of:	1122764
Clones:	1170370 1170372 (view as bug list)
Environment:
Last Closed:	2015-04-07 11:09:57 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Launchpad	1348729	None	None	None	Never
Launchpad	1348732	None	None	None	Never
OpenStack gerrit	138553	None	None	None	Never
Red Hat Product Errata	RHSA-2015:0789	normal	SHIPPED_LIVE	Important: openstack-packstack and openstack-puppet-modules security and bug fix update	2015-04-07 15:08:02 EDT

Groups: None (edit)

Description Rich Megginson 2014-07-24 18:37:19 EDT

+++ This bug was initially created as a clone of Bug #1122764 +++

Keystone's preferred deployment has changed to running within Apache httpd/mod_wsgi upstream.  This offers better performance, stronger authentication mechanisms, and federation capabilities over using eventlet (keystone-all).

We should deploy Keystone in httpd/mod_wsgi for RHEL OSP 6.0 via all supported installation methods.

This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.

Comment 1 Nathan Kinder 2015-01-11 12:16:08 EST

The changes for this have been merged upstream:

  http://git.openstack.org/cgit/stackforge/packstack/commit/?id=df3acf2f47920b77d5e7c1680418185777128140

Comment 3 Mike Abrams 2015-02-09 03:00:03 EST

Nathan can you point me to the install docs for each of the supported methods for deploying keystone in httpd?  thx.

Comment 4 Rich Megginson 2015-02-09 10:25:39 EST

(In reply to Mike Abrams from comment #3)
> Nathan can you point me to the install docs for each of the supported
> methods for deploying keystone in httpd?  thx.

1) use packstack --keystone-service-name httpd .... other args ....
2) with a packstack answerfile, use the parameter CONFIG_KEYSTONE_SERVICE_NAME=httpd

Comment 5 Gaël Chamoulaud 2015-03-03 08:12:41 EST

The fix for that has been merged into the packstack juno branch with the change https://review.openstack.org/#/c/159121/

https://github.com/stackforge/packstack/blob/juno/packstack/plugins/keystone_100.py#L132-L145

Comment 7 Mike Abrams 2015-03-15 06:56:29 EDT

PASSED

answer file:
CONFIG_KEYSTONE_SERVICE_NAME=httpd

processes query:
[root@opens-vdsb ~(keystone_admin)]# ps -ef | grep keystone
keystone 11446 11445  0 12:46 ?        00:00:03 /usr/sbin/httpd -DFOREGROUND
keystone 11447 11445  0 12:46 ?        00:00:02 /usr/sbin/httpd -DFOREGROUND
root     14906 12054  0 12:54 pts/0    00:00:00 grep --color=auto keystone
[root@opens-vdsb ~(keystone_admin)]# 

command:
[root@opens-vdsb ~(keystone_admin)]# keystone user-list
+----------------------------------+------------+---------+----------------------+
|                id                |    name    | enabled |        email         |
+----------------------------------+------------+---------+----------------------+
| b3186b5b9ed84c6f976284fc2159c1a2 |   admin    |   True  |    root@localhost    |
| 62f8ce31ba9d4ea283b52065ec3f57a5 | ceilometer |   True  | ceilometer@localhost |
| 56de96a8c5d6451b825178a1a8ec160f |   cinder   |   True  |   cinder@localhost   |
| 101666c5181b4ff9829aaace027d9be2 |    demo    |   True  |                      |
| 77b3d981172d40eb943a546de2bb9600 |   glance   |   True  |   glance@localhost   |
| 41b80fbeff6745d4aa33e98091fe5499 |  neutron   |   True  |  neutron@localhost   |
| df91058373cc419a86e8ba61d775968b |    nova    |   True  |    nova@localhost    |
| 0667de90ee44400880a7b4867e6fc36c |   swift    |   True  |   swift@localhost    |
+----------------------------------+------------+---------+----------------------+
[root@opens-vdsb ~(keystone_admin)]# 

sanity check:

[root@opens-vdsb meter(keystone_admin)]# ./run-ts.sh -run keystone-sanity
TESTID         TEST                          STATUS              LOGS                
-------        -------                       -------             -------             
10011000       setup-env                     DONE                --                  
10011001       create-user-in-domain         PASS                /tmp/meter.create-user-in-domain.031515-125221.log
10011002       def-domain-exists?            PASS                /tmp/meter.def-domain-exists?.031515-125222.log
10011003       lst-supported-api             PASS                /tmp/meter.lst-supported-api.031515-125222.log
10011004       del-default-dom               PASS                /tmp/meter.del-default-dom.031515-125222.log
10011005       v2-v3-proj-access             PASS                /tmp/meter.v2-v3-proj-access.031515-125223.log
10011006       neg-token-test                PASS                /tmp/meter.neg-token-test.031515-125223.log
10011007       gen-token-test                PASS                /tmp/meter.gen-token-test.031515-125224.log
10011008       cron-exists?                  PASS                /tmp/meter.cron-exists?.031515-125224.log
10011009       token_expiration?             PASS                /tmp/meter.token_expiration?.031515-125224.log
10012000       clean-env                     DONE                /tmp/meter.clean-env.031515-125225.log
-------        -------                       -------             -------             
               aggregate score               PASS                /tmp/meter.031515-125221.logs.tar.gz
[root@opens-vdsb meter(keystone_admin)]#

Comment 9 errata-xmlrpc 2015-04-07 11:09:57 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html

Note You need to log in before you can comment on or make changes to this bug.