Bug 1170372 - [RFE] Deploy Keystone in Apache httpd
Summary: [RFE] Deploy Keystone in Apache httpd
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: 9.0 (Mitaka)
Assignee: Michele Baldessari
QA Contact: Udi Shkalim
: 1227044 1285346 (view as bug list)
Depends On: 1111274 1122764 1122767 1123117 1138424 1170218 1170223 1170224 1170225 1180230
Blocks: 1170370 1285346 1339058
TreeView+ depends on / blocked
Reported: 2014-12-03 22:25 UTC by Rich Megginson
Modified: 2019-12-16 04:39 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, the eventlet system for keystone has been deprecated upstream. Red Hat OpenStack Platform director now configures keystone to run under apache using WSGI. This change was due to the Keystone project's recommendation that keystone deployment occurs within WSGI. As a result, the keystone service now runs under the apache httpd service.
Clone Of: 1123117
Last Closed: 2016-08-24 13:00:05 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Launchpad 1348729 None None None Never
Launchpad 1348732 None None None Never
OpenStack gerrit 213175 None None None 2016-02-15 17:44:14 UTC
OpenStack gerrit 270477 None None None 2016-02-19 20:28:27 UTC
OpenStack gerrit 302235 None None None 2016-06-23 13:35:23 UTC
Red Hat Product Errata RHEA-2016:1762 normal SHIPPED_LIVE Red Hat OpenStack Platform 9 director Advisory 2016-08-24 16:59:57 UTC

Description Rich Megginson 2014-12-03 22:25:26 UTC
+++ This bug was initially created as a clone of Bug #1123117 +++

+++ This bug was initially created as a clone of Bug #1122764 +++

Keystone's preferred deployment has changed to running within Apache httpd/mod_wsgi upstream.  This offers better performance, stronger authentication mechanisms, and federation capabilities over using eventlet (keystone-all).

We should deploy Keystone in httpd/mod_wsgi for RHEL OSP 6.0 via all supported installation methods.

This bug will serve as a tracker for the various sub-tasks that are needed to complete this work across components.

Comment 3 Rich Megginson 2015-06-02 18:47:02 UTC
Would really like to get this into 7.0 if at all possible.

Comment 5 Jaromir Coufal 2016-01-06 18:47:38 UTC
*** Bug 1227044 has been marked as a duplicate of this bug. ***

Comment 7 Rodrigo Duarte 2016-02-15 12:42:06 UTC
tripleo upstream patch: https://review.openstack.org/#/c/213175/

Comment 9 Hugh Brock 2016-02-28 07:21:09 UTC
This will not make OSP 8 at this point but it will land for Mitaka. Have updated the bug accordingly.

Comment 11 Jaromir Coufal 2016-05-05 18:59:36 UTC
*** Bug 1285346 has been marked as a duplicate of this bug. ***

Comment 14 Udi Shkalim 2016-07-20 12:45:12 UTC
Verified on: openstack-keystone-9.0.0-1.el7ost.noarch

httpd is holding the keystone wsgi configs:
[root@overcloud-controller-0 conf.d]# ls -ltrh
total 28K
-rw-r--r--. 1 root root  707 Jul 18 06:07 15-default.conf
-rw-r--r--. 1 root root  154 Jul 18 06:07 openstack-dashboard.conf
-rw-r--r--. 1 root root  876 Jul 18 06:07 10-gnocchi_wsgi.conf
-rw-r--r--. 1 root root  846 Jul 18 06:07 10-aodh_wsgi.conf
-rw-r--r--. 1 root root 1.1K Jul 18 06:07 10-horizon_vhost.conf
-rw-r--r--. 1 root root  972 Jul 18 06:07 10-keystone_wsgi_main.conf
-rw-r--r--. 1 root root  976 Jul 18 06:09 10-keystone_wsgi_admin.conf

httpd is holding the keystone port 5000 :
[root@overcloud-controller-0 conf.d]# netstat -natp  | grep 5000
tcp        0      0*               LISTEN      9279/httpd  

pacemaker do not have a keystone resource:
[root@overcloud-controller-0 conf.d]#  pcs status | grep -i keystone
[root@overcloud-controller-0 conf.d]#

Comment 17 errata-xmlrpc 2016-08-24 13:00:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.