From f8dbfd394a826779f3af403fd5316b9d86492802 Mon Sep 17 00:00:00 2001 From: Abhishek Kekane Date: Mon, 6 Jul 2020 18:42:30 +0000 Subject: [PATCH] Revert "Drop keystone dedicated ports" This reverts commit f6286cb586eb1f861866bfdf85c4f873c79fd592. This patch is blocking glance as it needs mod_wsgi to perform new import workflow. Change-Id: I4475247dfe986114d37678b3d3d552c0c7d02ddc --- doc/source/configuration.rst | 12 ++++++- files/apache-keystone.template | 30 +++++++++++++++++ lib/keystone | 59 +++++++++++++++++++++++++++++++--- openrc | 2 +- tools/create_userrc.sh | 2 +- tools/fixup_stuff.sh | 34 ++++++++++++++++++++ 6 files changed, 132 insertions(+), 7 deletions(-) diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index ec4a9c84e4..22f5999174 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -137,7 +137,7 @@ OS\_AUTH\_URL :: - OS_AUTH_URL=http://$SERVICE_HOST/identity/v3.0 + OS_AUTH_URL=http://$SERVICE_HOST:5000/v3.0 KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG Set command-line client log level to ``DEBUG``. These are commented @@ -685,6 +685,16 @@ KEYSTONE_REGION_NAME to specify the region of Keystone service. KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit it in the configuration of RegionOne. +Disabling Identity API v2 ++++++++++++++++++++++++++ + +The Identity API v2 is deprecated as of Mitaka and it is recommended to only +use the v3 API. It is possible to setup keystone without v2 API, by doing: + +:: + + ENABLE_IDENTITY_V2=False + .. _arch-configuration: Architectures diff --git a/files/apache-keystone.template b/files/apache-keystone.template index cf26c216f5..128436027d 100644 --- a/files/apache-keystone.template +++ b/files/apache-keystone.template 
@@ -1,9 +1,39 @@ +Listen %PUBLICPORT% +Listen %ADMINPORT% LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined Require all granted + + WSGIDaemonProcess keystone-public processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV% + WSGIProcessGroup keystone-public + WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + ErrorLogFormat "%M" + ErrorLog /var/log/%APACHE_NAME%/keystone.log + CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined + %SSLENGINE% + %SSLCERTFILE% + %SSLKEYFILE% + + + + WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV% + WSGIProcessGroup keystone-admin + WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + ErrorLogFormat "%M" + ErrorLog /var/log/%APACHE_NAME%/keystone.log + CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined + %SSLENGINE% + %SSLCERTFILE% + %SSLKEYFILE% + + %SSLLISTEN% %SSLLISTEN% %SSLENGINE% %SSLLISTEN% %SSLCERTFILE% diff --git a/lib/keystone b/lib/keystone index 29407a0e69..d4c7b063bb 100644 --- a/lib/keystone +++ b/lib/keystone @@ -83,10 +83,14 @@ KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower: # Set Keystone interface configuration KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} +KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} +KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358} KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL} # Public facing bits KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} +KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} +KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001} KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} # Bind hosts 
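Review bot: The two new port-based stanzas (keystone-public and keystone-admin) write to the same `keystone.log` and `keystone_access.log` as the path-based stanza that continues below the hunk, and the `keystone_combined` LogFormat records neither vhost nor port, so requests served on %ADMINPORT%, %PUBLICPORT% and /identity cannot be told apart afterwards. Since reachability of the admin port is the main thing this revert changes, prefixing the format with the canonical name and port would make the access log usable for that, e.g. `LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined`. The `<VirtualHost>` open/close tags appear to have been stripped in this rendering of the hunk, so the stanza boundaries above are inferred from the WSGIDaemonProcess lines.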
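Review bot: The new defaults `KEYSTONE_AUTH_PORT=35357` and `KEYSTONE_AUTH_PORT_INT=35358` lie inside the Linux ephemeral port range, which is the reason tools/fixup_stuff.sh in this same patch reserves them via `net.ipv4.ip_local_reserved_ports`, but nothing at the definition site says so. A one-line comment above the two assignments would keep the two places from drifting apart, e.g. `# 35357/35358 sit in the Linux ephemeral range; fixup_keystone in tools/fixup_stuff.sh reserves them`. The public defaults 5000/5001 are not reserved anywhere in the patch, presumably because they fall outside that range; stating that in the same comment would answer the obvious follow-up question.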
@@ -166,14 +170,22 @@ function _config_keystone_apache_wsgi { local keystone_ssl="" local keystone_certfile="" local keystone_keyfile="" + local keystone_service_port=$KEYSTONE_SERVICE_PORT + local keystone_auth_port=$KEYSTONE_AUTH_PORT local venv_path="" + if is_service_enabled tls-proxy; then + keystone_service_port=$KEYSTONE_SERVICE_PORT_INT + keystone_auth_port=$KEYSTONE_AUTH_PORT_INT + fi if [[ ${USE_VENV} = True ]]; then venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages" fi sudo cp $FILES/apache-keystone.template $keystone_apache_conf sudo sed -e " + s|%PUBLICPORT%|$keystone_service_port|g; + s|%ADMINPORT%|$keystone_auth_port|g; s|%APACHE_NAME%|$APACHE_NAME|g; s|%SSLLISTEN%|$keystone_ssl_listen|g; s|%SSLENGINE%|$keystone_ssl|g; @@ -210,8 +222,21 @@ function configure_keystone { iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications + local service_port=$KEYSTONE_SERVICE_PORT + local auth_port=$KEYSTONE_AUTH_PORT + + if is_service_enabled tls-proxy; then + # Set the service ports for a proxy to take the originals + service_port=$KEYSTONE_SERVICE_PORT_INT + auth_port=$KEYSTONE_AUTH_PORT_INT + fi + # Override the endpoints advertised by keystone (the public_endpoint and - # admin_endpoint) so that clients use the correct endpoint. + # admin_endpoint) so that clients use the correct endpoint. By default, the + # keystone server uses the public_port and admin_port which isn't going to + # work when you want to use a different port (in the case of proxy), or you + # don't want the port (in the case of putting keystone on a path in + # apache). iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI 
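Review bot: The `if is_service_enabled tls-proxy` block that swaps `KEYSTONE_SERVICE_PORT`/`KEYSTONE_AUTH_PORT` for their `_INT` counterparts is now written out three times: here in _config_keystone_apache_wsgi, in configure_keystone (`@@ -210` below) and, with a protocol twist, in start_keystone (`@@ -479`). A small helper returning the effective ports, or a pair of variables computed once where the defaults are set (if `is_service_enabled` is usable at that point), would stop the three copies from diverging. _config_keystone_apache_wsgi begins and ends outside this hunk, so the remaining `sed` expressions and the use of `$keystone_apache_conf` are not visible here.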
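Review bot: `service_port` and `auth_port` are assigned in configure_keystone but nothing inside the hunk reads them; the endpoint overrides on the following lines use `$KEYSTONE_SERVICE_URI` and `$KEYSTONE_AUTH_URI` as before. If the rest of configure_keystone (outside the hunk, both before and after) does not consume them either, they are dead locals and the whole block should be dropped rather than reverted in. The enlarged comment explains why the endpoints are overridden but not whether the port variables matter, so its last sentences would be clearer as a note on the tls-proxy block instead.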
@@ -245,6 +270,12 @@ function configure_keystone { iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/" + # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project. + # The users from this project are globally admin as before, but it also + # allows policy changes in order to clarify the adminess scope. + #iniset $KEYSTONE_CONF resource admin_project_domain_name Default + #iniset $KEYSTONE_CONF resource admin_project_name admin + if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION @@ -479,6 +510,14 @@ function install_keystone { # start_keystone() - Start running processes function start_keystone { + # Get right service port for testing + local service_port=$KEYSTONE_SERVICE_PORT + local auth_protocol=$KEYSTONE_AUTH_PROTOCOL + if is_service_enabled tls-proxy; then + service_port=$KEYSTONE_SERVICE_PORT_INT + auth_protocol="http" + fi + if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then enable_apache_site keystone restart_apache_server 
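Review bot: The two `#iniset $KEYSTONE_CONF resource admin_project_*` lines are commented out, so the comment above them describes a cloud-admin project scoping that this code does not actually configure; a reader skimming configure_keystone could believe admin scope has been narrowed when it has not. Either enable the two lines or replace the block with a comment that states plainly what is left unset and why, e.g. `# NOTE: resource.admin_project_domain_name/admin_project_name are intentionally left unset; admin scoping stays at keystone's default.` Dead configuration that looks like a hardening step is worse than no mention at all.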
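Review bot: `local service_port=$KEYSTONE_SERVICE_PORT` (and its `_INT` reassignment under tls-proxy) is introduced in start_keystone, but the readiness probe in the next hunk (`@@ -487`) builds `service_uri` from `$auth_protocol` and the `/identity/` path only, so `service_port` is never read in the visible code; drop the local unless the part of start_keystone outside these hunks uses it. `auth_protocol` is the value the probe depends on, so the leading comment `# Get right service port for testing` should talk about the protocol, e.g. `# Probe over plain http when tls-proxy terminates TLS in front of keystone`.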
@@ -487,13 +526,23 @@ function start_keystone { fi echo "Waiting for keystone to start..." - # Check that the keystone service is running. + # Check that the keystone service is running. Even if the tls tunnel + # should be enabled, make sure the internal port is checked using + # unencryted traffic at this point. + # If running in Apache, use the path rather than port. + local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then die $LINENO "keystone did not start" fi + # Start proxies if enabled + if is_service_enabled tls-proxy; then + start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT + start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT + fi + # (re)start memcached to make sure we have a clean memcache. restart_service memcached } @@ -512,9 +561,11 @@ function stop_keystone { # This function uses the following GLOBAL variables: # - ``KEYSTONE_BIN_DIR`` # - ``ADMIN_PASSWORD`` -# - ``KEYSTONE_AUTH_URI`` +# - ``IDENTITY_API_VERSION`` # - ``REGION_NAME`` -# - ``KEYSTONE_SERVICE_URI`` +# - ``KEYSTONE_SERVICE_PROTOCOL`` +# - ``KEYSTONE_SERVICE_HOST`` +# - ``KEYSTONE_SERVICE_PORT`` function bootstrap_keystone { $KEYSTONE_BIN_DIR/keystone-manage bootstrap \ --bootstrap-username admin \ diff --git a/openrc b/openrc index 28f388be4c..beeaebea42 100644 --- a/openrc +++ b/openrc @@ -86,7 +86,7 @@ export OS_AUTH_TYPE=password # # If you don't have a working .stackenv, this is the backup position -KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST/identity +KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000 KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP} export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI} diff --git a/tools/create_userrc.sh b/tools/create_userrc.sh index c7bea4ac08..f4a4edcbe2 100755 --- a/tools/create_userrc.sh +++ b/tools/create_userrc.sh 
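Review bot: The new comment says the internal port is checked with unencrypted traffic, but `service_uri` on the following unchanged line carries no port at all (it probes `$KEYSTONE_SERVICE_HOST/identity/`), so the comment describes a check that is not performed; "unencryted" is also misspelled. Rewrite it to match the code, e.g. `# Probe the path-based endpoint; with tls-proxy enabled use plain http, since TLS is terminated by the proxy.` The added `start_tls_proxy` calls bind the keystone-service and keystone-auth listeners to `'*'`, i.e. every interface; if that is the established convention for other proxies it is fine, but a one-line comment saying so would help, since it re-exposes the admin port that the reverted change had removed.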
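Review bot: The globals list for bootstrap_keystone now names `IDENTITY_API_VERSION`, `KEYSTONE_SERVICE_PROTOCOL`, `KEYSTONE_SERVICE_HOST` and `KEYSTONE_SERVICE_PORT` in place of `KEYSTONE_AUTH_URI`/`KEYSTONE_SERVICE_URI`, but only the first line of the body is in the hunk, so the header cannot be checked against the code here. If the body still reads `$KEYSTONE_SERVICE_URI` (as the pre-revert header suggests it did), the list is now wrong in both directions. Please verify the header against the actual variables the function reads before merging.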
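Review bot: `KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000` hard-codes the public port even though lib/keystone in this same patch makes it configurable through `KEYSTONE_SERVICE_PORT`, so anyone overriding that port gets a fallback auth URL pointing at the wrong one. Use the same default expression, `KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:${KEYSTONE_SERVICE_PORT:-5000}`. tools/create_userrc.sh (`@@ -152`) has the same issue and additionally pins the scheme with `http://localhost:5000/v3/`, so a TLS-enabled deployment falls back to a plaintext URL there; the same `${KEYSTONE_SERVICE_PORT:-5000}` treatment applies.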
@@ -152,7 +152,7 @@ if [ -z "$OS_USERNAME" ]; then fi if [ -z "$OS_AUTH_URL" ]; then - export OS_AUTH_URL=http://localhost/identity/v3/ + export OS_AUTH_URL=http://localhost:5000/v3/ fi if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh index 2ac8a47ca7..e1409291b9 100755 --- a/tools/fixup_stuff.sh +++ b/tools/fixup_stuff.sh 
@@ -26,6 +26,39 @@ if [[ -z "$TOP_DIR" ]]; then FILES=$TOP_DIR/files fi +# Keystone Port Reservation +# ------------------------- +# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from +# being used as ephemeral ports by the system. The default(s) are 35357 and +# 35358 which are in the Linux defined ephemeral port range (in disagreement +# with the IANA ephemeral port range). This is a workaround for bug #1253482 +# where Keystone will try and bind to the port and the port will already be +# in use as an ephemeral port by another process. This places an explicit +# exception into the Kernel for the Keystone AUTH ports. +function fixup_keystone { + keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358} + + # Only do the reserved ports when available, on some system (like containers) + # where it's not exposed we are almost pretty sure these ports would be + # exclusive for our DevStack. + if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then + # Get any currently reserved ports, strip off leading whitespace + reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //') + + if [[ -z "${reserved_ports}" ]]; then + # If there are no currently reserved ports, reserve the keystone ports + sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports} + else + # If there are currently reserved ports, keep those and also reserve the + # Keystone specific ports. Duplicate reservations are merged into a single + # reservation (or range) automatically by the kernel. + sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports} + fi + else + echo_summary "WARNING: unable to reserve keystone ports" + fi +} + # Ubuntu Repositories #-------------------- # Enable universe for bionic since it is missing when installing from ISO. @@ -175,6 +208,7 @@ function fixup_suse { } function fixup_all { + fixup_keystone fixup_ubuntu fixup_fedora fixup_suse
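Review bot: `keystone_ports` and `reserved_ports` in fixup_keystone are assigned without `local`, so they leak into the caller's environment (fixup_all and whatever sources this file), and the `sysctl | awk | sed` pipeline re-implements what `sysctl -n` already provides. Declare them and read the value directly: `local keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}`, `local reserved_ports`, `reserved_ports=$(sysctl -n net.ipv4.ip_local_reserved_ports)`. The port values come straight from the environment into a `sudo sysctl -w` argument; they are numeric by contract, but quoting that argument costs nothing and avoids word-splitting if a caller ever sets a list with spaces.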