Bug 1573316 - Include mod_auth_mellon in keystone container
Summary: Include mod_auth_mellon in keystone container
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-containers
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z3
Target Release: 12.0 (Pike)
Assignee: Dan Prince
QA Contact: Pavan
Docs Contact: Andrew Burden
Depends On:
Blocks: 1609045
Reported: 2018-04-30 20:21 UTC by David Critch
Modified: 2018-08-20 22:06 UTC

Fixed In Version: openstack-keystone-base-container-12.0-20180727.1
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1609045 (view as bug list)
Last Closed: 2018-08-20 22:06:27 UTC
Target Upstream Version:

Attachments
hotfix-tarball with Dockerfile for local build (1.50 MB, application/x-gzip)
2018-07-24 15:40 UTC, Dan Prince

System ID Private Priority Status Summary Last Updated
OpenStack gerrit 583683 0 None None None 2018-07-18 18:16:49 UTC
Red Hat Product Errata RHBA-2018:2509 0 None None None 2018-08-20 22:06:46 UTC

Description David Critch 2018-04-30 20:21:01 UTC
Description of problem:
We provide documentation on setting up RH-SSO with OSP12/Keystone. The setup requires an apache module that is not available in the current keystone container (mod_auth_mellon).

To make RH-SSO work you need to add that package to the container. That addition would get blown away in the event of an undercloud update, unless the customer starts maintaining their own custom keystone image.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Attempt to follow instructions on integrating w/ RH-SSO
2. Hit step where a yum install is required
3. Cringe when you need to install a package in a container

Actual results:
Require modification of the keystone image for proper integration

Expected results:
All requirements met in the keystone image to RH-SSO

Additional info:
Documentation on setup/install module step: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/federate_with_identity_service/#install_mod_auth_mellon_on_each_controller_node

(The doc itself has some issues since installing the package on the controller node itself serves no purpose.)

Comment 2 Irina Petrova 2018-07-18 09:21:27 UTC
This is not an RFE but a BUG! SSO is coughing errors in RHOSP-12.

I'm reopening this BZ. BZ 1572154 is targeting RHOSP-13. This is for RHOSP-12.

RHOSP-12 is still well-alive and supported.

Can we, please, have those containers updated?

Comment 22 Dan Prince 2018-07-24 15:40:31 UTC
Created attachment 1470327
hotfix-tarball with Dockerfile for local build

Tarball with Dockerfile plus RPMs. See instructions in BZ for details.

Comment 23 Dan Prince 2018-07-24 15:48:03 UTC
See the attachment 1470327 which contains a tarball with the Dockerfile along with the required RPMs.

To build a new container layer/hotfix for this issue please do the following on your Undercloud.

1) Download tarball.

2) Extract to a directory named hotfix-bz1573316.

3) Run command: 'docker build hotfix-bz1573316'

4) Run command: 'docker tag <layer ID>'. NOTE: use output from command #3 above as the <layer ID>

5) Run command: 'docker push'

The hotfix should now be deployed to the local registry.


At this point you can update your Heat environment to use the new Keystone container hotfix as noted in the comment above (see the docker_registry.yaml file). Once you have done this re-deploy/update per normal.
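
Added example (not part of the comment above or of the hotfix tarball): steps 3 to 5 of the procedure in comment 23 as a shell script, with the push gated on a check that the built image really contains mod_auth_mellon. The tarball filename and the registry/image name in TARGET are placeholders, since the comment gives neither.

```shell
#!/bin/bash
# Added example: build, verify, tag and push the keystone hotfix layer.
# TARBALL and TARGET are placeholders; the bug report does not state them.
TARBALL="${TARBALL:-hotfix-bz1573316.tar.gz}"   # assumed attachment filename
TARGET="${TARGET:-REGISTRY_HOST:PORT/NAMESPACE/keystone:hotfix-bz1573316}"
HOTFIX_DIR="hotfix-bz1573316"                   # directory name from step 2
REQUIRED_PKG="mod_auth_mellon"                  # the package this bug is about

# Step 3: build the layer; -q prints only the resulting image ID.
build_hotfix() {
    docker build -q "$1"
}

# Succeeds only if the RPM database inside the image lists the package.
image_has_pkg() {
    docker run --rm --entrypoint rpm "$1" -q "$2" >/dev/null 2>&1
}

# Steps 3-5. Returns 2 (and pushes nothing) when the package is missing,
# 1 on any docker failure; prints the image ID on success.
publish_hotfix() {
    local dir="$1" target="$2" image_id
    image_id="$(build_hotfix "$dir")" || { echo "build failed" >&2; return 1; }
    [ -n "$image_id" ] || { echo "no image ID returned" >&2; return 1; }
    if ! image_has_pkg "$image_id" "$REQUIRED_PKG"; then
        echo "$REQUIRED_PKG missing from $image_id; not pushing" >&2
        return 2
    fi
    docker tag "$image_id" "$target" || return 1   # step 4
    docker push "$target" || return 1              # step 5
    echo "$image_id"
}

# Usage on the undercloud, after downloading the tarball (step 1):
#   mkdir -p "$HOTFIX_DIR" && tar -xzf "$TARBALL" -C "$HOTFIX_DIR"   # step 2
#   publish_hotfix "$HOTFIX_DIR" "$TARGET"
```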

Comment 32 errata-xmlrpc 2018-08-20 22:06:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

