starlingx/upstream
Code Issues Proposed changes

Add Debian infrastructure to build keystone package

Browse Source 
Add the Debian packaging infrastructure to package
Keystone for Debian.

Story: 2009101
Task: 43770

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: If2944d1c6b6c2b7605b66fcc353706dcf5ee4703
This commit is contained in:
Charles Short 2021-10-26 20:08:44 -04:00
parent 39a1828ddf
commit e866623a4f
3 changed files with 792 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

781
openstack/keystone/debian/deb_patches/0001-Add-stx-support.patch Normal file
View File

@ -0,0 +1,781 @@
From ac62af6bc51c77afbc62d6166feca3187cde6d59 Mon Sep 17 00:00:00 2001
From: Charles Short <chucks@redhat.com>
Date: Tue, 23 Nov 2021 13:52:31 +0000
Subject: [PATCH] Add stx support
Apply Centos 7 patches to the debian packaging.
Signed-off-by: Charles Short <chucks@redhat.com>
---
debian/control | 3 +-
debian/keystone.dirs | 1 +
debian/keystone.install | 4 +
debian/keystone.logrotate | 8 -
debian/keystone.postinst | 40 ++++
debian/keystone.postinst.in | 220 ------------------
debian/keystone.postrm | 19 +-
debian/keystone.prerm | 15 --
debian/python3-keystone.install | 1 +
debian/rules | 10 +-
debian/stx/keystone-all | 156 +++++++++++++
debian/stx/keystone-fernet-keys-rotate-active | 64 +++++
debian/stx/keystone.service | 14 ++
debian/stx/password-rules.conf | 34 +++
debian/stx/public.py | 21 ++
15 files changed, 343 insertions(+), 267 deletions(-)
delete mode 100644 debian/keystone.logrotate
create mode 100755 debian/keystone.postinst
delete mode 100755 debian/keystone.postinst.in
delete mode 100755 debian/keystone.prerm
create mode 100644 debian/stx/keystone-all
create mode 100644 debian/stx/keystone-fernet-keys-rotate-active
create mode 100644 debian/stx/keystone.service
create mode 100644 debian/stx/password-rules.conf
create mode 100644 debian/stx/public.py
diff --git a/debian/control b/debian/control
index 9d0a3a41f..ced0c4820 100644
--- a/debian/control
+++ b/debian/control
@@ -31,6 +31,8 @@ Build-Depends-Indep:
python3-jwt,
python3-keystoneclient,
python3-keystonemiddleware (>= 7.0.0),
+ python3-keyring,
+ python3-keyrings.alt,
python3-ldap,
python3-ldappool,
python3-lxml (>= 4.5.0),
@@ -87,7 +89,6 @@ Package: keystone
Architecture: all
Depends:
adduser,
- dbconfig-common,
debconf,
python3-keystone (= ${source:Version}),
python3-keystoneclient,
diff --git a/debian/keystone.dirs b/debian/keystone.dirs
index a4b3a9e86..6c6e31faf 100644
--- a/debian/keystone.dirs
+++ b/debian/keystone.dirs
@@ -2,3 +2,4 @@
/var/lib/keystone
/var/lib/keystone/cache
/var/log/keystone
+usr/share/keystone
diff --git a/debian/keystone.install b/debian/keystone.install
index c0d62c45b..8d68859c0 100644
--- a/debian/keystone.install
+++ b/debian/keystone.install
@@ -1,3 +1,7 @@
debian/keystone-uwsgi.ini /etc/keystone
etc/default_catalog.templates /etc/keystone
etc/logging.conf.sample /usr/share/doc/keystone
+debian/stx/keystone-fernet-keys-rotate-active usr/bin
+debian/stx/password-rules.conf /etc/keystone
+debian/stx/keystone.service lib/systemd/system
+debian/stx/keystone-all usr/bin
diff --git a/debian/keystone.logrotate b/debian/keystone.logrotate
deleted file mode 100644
index 2709c72aa..000000000
--- a/debian/keystone.logrotate
+++ /dev/null
@@ -1,8 +0,0 @@
-/var/log/keystone/*.log {
- daily
- missingok
- rotate 5
- compress
- minsize 100k
- copytruncate
-}
\ No newline at end of file
diff --git a/debian/keystone.postinst b/debian/keystone.postinst
new file mode 100755
index 000000000..59e6c6799
--- /dev/null
+++ b/debian/keystone.postinst
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ]; then
+ # create the keystone group
+ if ! getent group keystone > /dev/null 2>&1
+ then
+ addgroup --system keystone >/dev/null || true
+ fi
+
+ # create the keystone user to avoid running keystone as root
+ if ! getent passwd keystone > /dev/null 2>&1
+ then
+ adduser --quiet \
+ --system \
+ --home /var/lib/keystone \
+ --no-create-home \
+ --ingroup keystone \
+ --shell /bin/false \
+ keystone || true
+ fi
+
+ if [ "$(id -gn keystone)" = "nogroup" ]
+ then
+ usermod -g keystone keystone
+ fi
+
+ # change the permissions on key directories
+ chown keystone:adm /var/log/keystone
+ chmod 0750 /var/log/keystone
+
+ find /etc/keystone -exec chown keystone:keystone "{}" +
+ find /etc/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
+
+ find /var/lib/keystone -exec chown keystone:keystone "{}" +
+ find /var/lib/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
+fi
+
+#DEBHELPER#
diff --git a/debian/keystone.postinst.in b/debian/keystone.postinst.in
deleted file mode 100755
index 207cbc22e..000000000
--- a/debian/keystone.postinst.in
+++ /dev/null
@@ -1,220 +0,0 @@
-#!/bin/sh
-
-set -e
-
-#PKGOS-INCLUDE#
-
-KEY_CONF=/etc/keystone/keystone.conf
-
-keystone_get_debconf_admin_credentials () {
- db_get keystone/admin-user
- ADMIN_USER_NAME=${RET:-admin}
- db_get keystone/admin-password
- ADMIN_USER_PW=${RET:-$(gen_password)}
- db_get keystone/admin-email
- ADMIN_USER_EMAIL=${RET:-root@localhost}
- db_get keystone/admin-tenant-name
- ADMIN_TENANT_NAME=${RET:-admin}
- db_get keystone/admin-role-name
- ADMIN_ROLE_NAME=${RET:-admin}
-
- # We export the retrived credentials for later use
- export OS_PROJECT_DOMAIN_ID=default
- export OS_USER_DOMAIN_ID=default
- export OS_USERNAME=admin
- export OS_PASSWORD=${ADMIN_USER_PW}
- export OS_TENANT_NAME=${ADMIN_TENANT_NAME}
- export OS_PROJECT_NAME=${ADMIN_TENANT_NAME}
- export OS_AUTH_URL=http://127.0.0.1:5000/v3/
- export OS_IDENTITY_API_VERSION=3
- export OS_AUTH_VERSION=3
- export OS_PROJECT_DOMAIN_ID=default
- export OS_USER_DOMAIN_ID=default
- export OS_NO_CACHE=1
-}
-
-keystone_bootstrap_admin () {
- # This is the new way to bootstrap the admin user of Keystone
- # and we shouldn't use the admin auth token anymore.
- export OS_BOOTSTRAP_USERNAME=${ADMIN_USER_NAME}
- export OS_BOOTSTRAP_PROJECT_NAME=${ADMIN_TENANT_NAME}
- export OS_BOOTSTRAP_PASSWORD=${ADMIN_USER_PW}
-
- REG_ENDPOINT_IPV4_REGEX='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
- REG_ENDPOINT_IPV6_REGEX="^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$"
- REG_ENDPOINT_FQDN_REGEX='^((([a-z0-9]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))\.)*(([a-z]([-a-z0-9]*[a-z0-9])?)|(#[0-9]+)|(\[((([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\.){3}(([01]?[0-9]{0,2})|(2(([0-4][0-9])|(5[0-5]))))\]))$'
- REG_ENDPOINT_REGION_REGEX="^([_a-zA-Z0-9]+)([_.a-zA-Z0-9-]*)([_.a-zA-Z0-9]+)\$"
-
-
- db_get keystone/register-endpoint
- if [ "$RET" = "true" ] ; then
- do_REGISTER_THE_KS_ENDPOINT=yes
- db_get keystone/region-name
- my_REGION_NAME=${RET}
- REGION_NAME=${RET}
-
- db_get keystone/endpoint-ip
- # Validate that the choosen endpoint is an IPv4, IPv6 or FQDN
- KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV4_REGEX}` || true
- if [ -z "${KEYSTONE_ENDPOINT_IP}" ] ; then
- KEYSTONE_ENDPOINT_IP=`echo "${RET}" | egrep ${REG_ENDPOINT_IPV6_REGEX}` || true
- if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then
- KEYSTONE_ENDPOINT_IP=`echo ${RET} | egrep ${REG_ENDPOINT_FQDN_REGEX}` || true
- if [ -z ${KEYSTONE_ENDPOINT_IP} ] ; then
- echo "Keystone's address could not be validated: will not register endpoint."
- do_REGISTER_THE_KS_ENDPOINT=no
- fi
- fi
- fi
-
- # Validate that the region name has only chars, dashes and dots
- my_REGION_NAME=`echo "${REGION_NAME}" | egrep ${REG_ENDPOINT_REGION_REGEX}` || true
- if [ -z "${my_REGION_NAME}" ] ; then
- echo "This region could not be validated: will not register endpoint."
- do_REGISTER_THE_KS_ENDPOINT=no
- fi
-
- if [ "${do_REGISTER_THE_KS_ENDPOINT}" = "yes" ] ; then
- db_get keystone/endpoint-proto
- PROTO=${RET}
- BOOTSTRAP_ADDED_PARAMS="--bootstrap-region-id ${REGION_NAME} --bootstrap-admin-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000 --bootstrap-public-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000 --bootstrap-internal-url ${PROTO}://${KEYSTONE_ENDPOINT_IP}:5000"
- else
- BOOTSTRAP_ADDED_PARAMS=""
- fi
- else
- BOOTSTRAP_ADDED_PARAMS=""
- fi
- echo "Now doing: su keystone -s /bin/sh -c 'keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}'"
- su keystone -s /bin/sh -c "keystone-manage bootstrap --bootstrap-role-name admin --bootstrap-service-name keystone ${BOOTSTRAP_ADDED_PARAMS}"
-}
-
-keystone_create_admin_tenant () {
- echo -n "Fixing-up: admin-project-desc "
- openstack project set --description "Default Debian admin project" $ADMIN_TENANT_NAME
- echo -n "service-project "
- openstack project create --or-show service --description "Default Debian service project" >/dev/null
- echo -n "default-admin-email "
- openstack user set --description "Default Debian admin user" --email ${ADMIN_USER_EMAIL} --enable $ADMIN_USER_NAME
- echo "...done!"
-
- # Note: heat_stack_owner, heat_stack_user is needed for heat to work, and Member ResellerAdmin
- # are needed for swift auto account creation.
- echo -n "Adding roles: "
- for i in KeystoneAdmin KeystoneServiceAdmin heat_stack_owner \
- heat_stack_user Member ResellerAdmin rating service \
- owner k8s_admin k8s_developer k8s_viewer \
- load-balancer_admin load-balancer_member; do
- echo -n "${i} "
- openstack role create --or-show ${i} >/dev/null
- # Note: If heat_stack_user role is adding, don't assing it to admin user.
- # This role is automatically assigned by Heat to the users it creates.
- # This role is restricted from all API access, and it never should be assigned to any user explicitly.
- if [ "${i}" != "heat_stack_user" ]; then
- openstack role add --project $ADMIN_TENANT_NAME --user $ADMIN_USER_NAME ${i} >/dev/null
- fi
- done
- echo "...done!"
-}
-
-if [ "$1" = "configure" ] ; then
- . /usr/share/debconf/confmodule
- . /usr/share/dbconfig-common/dpkg/postinst
-
- # Create user and group keystone, plus /var/log and /var/lib owned by it
- # We need a bash shell so that keystone-manage pkg_setup works, and the
- # Wheezy package doesn't have it, failing upgrades
- pkgos_var_user_group keystone /bin/sh
- # Make sure we have a folder to create certs, that isn't world readable
- mkdir -p /etc/keystone/ssl/certs
- chown keystone:keystone /etc/keystone/ssl/certs
- chmod 750 /etc/keystone/ssl/certs
- chown keystone:keystone /etc/keystone/ssl
- chmod 750 /etc/keystone/ssl
-
- # Create keystone.conf if it's not there
- pkgos_write_new_conf keystone keystone.conf
-
- # The on-disk policy file is currently broken for Keystone.
- # The admin bootstraping will not work anymore, due to enforcing of system-scope:all.
- rm -f /etc/keystone/policy.json
-# pkgos_write_new_conf keystone policy.json
-# if ! [ -e /etc/keystone/policy.json ] ; then
-# touch /etc/keystone/policy.json
-# chown 0640 /etc/keystone/policy.json
-# chown root:keystone /etc/keystone/policy.json
-# fi
-
- OSTACKCLI_PARAMS="--os-url=http://127.0.0.1:5000/v3/ --os-domain-name default --os-identity-api-version=3"
-
- # Make sure /var/log/keystone/keystone.log is owned by keystone
- # BEFORE any keystone-manage calls.
- chown -R keystone:keystone /var/log/keystone
-
- # Upgrade or create the db if directed to do so
- db_get keystone/configure_db
- if [ "$RET" = "true" ] ; then
- # Configure the SQL connection of keystone.conf according to dbconfig-common
- pkgos_dbc_postinst ${KEY_CONF} database connection keystone $@
- echo "Running: su keystone -s /bin/sh -c 'keystone-manage db_sync'..."
- su keystone -s /bin/sh -c "keystone-manage db_sync"
- fi
-
- db_get keystone/create-admin-tenant
- if [ "$RET" = "true" ] ; then
- mkdir -p /etc/keystone/fernet-keys
- chown keystone:keystone /etc/keystone/fernet-keys
- chmod 700 /etc/keystone/fernet-keys
- echo "Running: su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'..."
- su keystone -s /bin/sh -c 'keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone'
- echo "Running: su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone'..."
- su keystone -s /bin/sh -c 'keystone-manage credential_setup --keystone-user keystone --keystone-group keystone'
- fi
-
- chown keystone:adm /var/log/keystone
-
- if [ -n $(which systemctl)"" ] ; then
- systemctl enable keystone
- fi
- if [ -n $(which update-rc.d)"" ] ; then
- update-rc.d keystone defaults
- fi
- invoke-rc.d keystone start
-
- db_get keystone/create-admin-tenant
- if [ "$RET" = "true" ] ; then
- echo -n "Sleeping 10 seconds to make sure the keystone daemon is up and running: 10..."
- sleep 1
- echo -n "9..."
- sleep 1
- echo -n "8..."
- sleep 1
- echo -n "7..."
- sleep 1
- echo -n "6..."
- sleep 1
- echo -n "5..."
- sleep 1
- echo -n "4..."
- sleep 1
- echo -n "3..."
- sleep 1
- echo -n "2..."
- sleep 1
- echo -n "1..."
- sleep 1
- echo "0"
-
- keystone_get_debconf_admin_credentials
- echo "===> Bootstraping tenants with 'keystone-manage bootstrap':"
- keystone_get_debconf_admin_credentials
- keystone_bootstrap_admin
- db_unregister keystone/register-endpoint
- echo "===> Editing bootstraped tenants and adding default roles"
- keystone_create_admin_tenant
- echo "done!"
- fi
- db_unregister keystone/create-admin-tenant
- db_stop
-fi
-
-exit 0
diff --git a/debian/keystone.postrm b/debian/keystone.postrm
index 230a08730..847076d3f 100755
--- a/debian/keystone.postrm
+++ b/debian/keystone.postrm
@@ -2,20 +2,9 @@
set -e
-if [ "${1}" = "purge" ] ; then
- if [ -f /usr/share/debconf/confmodule ] && [ -f /usr/share/dbconfig-common/dpkg/postrm ] ; then
- . /usr/share/debconf/confmodule
-
- db_get keystone/configure_db
- if [ "$RET" = "true" ] ; then
- . /usr/share/dbconfig-common/dpkg/postrm
- dbc_go keystone $@
- fi
- fi
- rm -rf /var/log/keystone /var/lib/keystone /etc/keystone
- if [ -x `which a2dissite`"" ] ; then
- a2dissite wsgi-keystone.conf || true
- fi
-fi
+case "$1" in
+ purge)
+ rm -rf /var/log/keystone
+esac
#DEBHELPER#
diff --git a/debian/keystone.prerm b/debian/keystone.prerm
deleted file mode 100755
index 9f89a1ae0..000000000
--- a/debian/keystone.prerm
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-set -e
-
-. /usr/share/debconf/confmodule
-
-db_get keystone/configure_db
-if [ "$RET" = "true" ]; then
- . /usr/share/dbconfig-common/dpkg/prerm
- dbc_go keystone $@
-fi
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/python3-keystone.install b/debian/python3-keystone.install
index 44d7fcb64..3c76ffb99 100644
--- a/debian/python3-keystone.install
+++ b/debian/python3-keystone.install
@@ -1,2 +1,3 @@
usr/bin/*
usr/lib/python3/*
+debian/stx/public.py usr/share/keystone
diff --git a/debian/rules b/debian/rules
index 3744142f9..bb6f72302 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ export KSCTEST_PATH=/usr/lib/python3/dist-packages/keystoneclient
include /usr/share/openstack-pkg-tools/pkgos.make
%:
- dh $@ --buildsystem=python_distutils --with python3,sphinxdoc,systemd
+ dh $@ --buildsystem=pybuild --with python3,sphinxdoc,systemd
override_dh_clean:
rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
@@ -35,10 +35,6 @@ override_dh_clean:
rm -f AUTHORS ChangeLog
dh_clean
-override_dh_auto_build:
- /usr/share/openstack-pkg-tools/pkgos_insert_include pkgos_func keystone.config
- /usr/share/openstack-pkg-tools/pkgos_insert_include pkgos_func keystone.postinst
-
override_dh_auto_clean:
python3 setup.py clean
@@ -78,11 +74,9 @@ endif
--namespace oslo.db \
--namespace oslo.middleware \
--namespace osprofiler
- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf catalog template_file /etc/keystone/default_catalog.templates
- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf DEFAULT log_dir /var/log/keystone
- pkgos-fix-config-default $(CURDIR)/debian/keystone/usr/share/keystone/keystone.conf DEFAULT log_file keystone.log
mkdir -p $(CURDIR)/debian/keystone/etc/keystone/policy.d
+ mkdir -p $(CURDIR)/debian/keystone/etc/keystone/credential-keys
PYTHONPATH=$(CURDIR)/debian/tmp/usr/lib/python3/dist-packages oslopolicy-sample-generator \
--output-file $(CURDIR)/debian/keystone/etc/keystone/policy.d/00_default_policy.yaml \
--format yaml \
diff --git a/debian/stx/keystone-all b/debian/stx/keystone-all
new file mode 100644
index 000000000..de339caa6
--- /dev/null
+++ b/debian/stx/keystone-all
@@ -0,0 +1,156 @@
+#!/bin/sh
+# Copyright (c) 2013-2018 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+### BEGIN INIT INFO
+# Provides: OpenStack Keystone-wsgi
+# Required-Start: networking
+# Required-Stop: networking
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: OpenStack Keystone
+# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server
+#
+### END INIT INFO
+
+RETVAL=0
+#public 5000
+
+DESC_PUBLIC="openstack-keystone"
+
+PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid"
+
+PYTHON=`which python`
+
+source /etc/keystone/keystone-extra.conf
+source /etc/platform/platform.conf
+
+if [ -n ${@:2:1} ] ; then
+ if [ ${@:2:1}="--public-bind-addr" ] ; then
+ PUBLIC_BIND_ADDR_CMD=${@:3:1}
+ fi
+fi
+
+
+###
+EXEC="/usr/bin/gunicorn"
+
+WORKER="eventlet"
+# Increased timeout to facilitate large image uploads
+TIMEOUT="200"
+
+# Calculate the no of workers based on the number of workers retrieved by
+# Platform Eng which is retreived from the keystone-extra.conf
+
+if [ "$system_type" == "All-in-one" ]; then
+ TIS_WORKERS_FACTOR=1
+else
+ TIS_WORKERS_FACTOR=1.5
+fi
+TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc )
+TIS_WORKERS=${TIS_WORKERS%.*}
+
+#--max-requests , --max-requests-jitter Configuration
+#--max-requests = The max number of requests a worker will process before restarting
+#--max-requests-jitter = The maximum jitter to add to the max_requests setting.
+MAX_REQUESTS=100000
+MAX_REQ_JITTER_CAP_FACTOR=0.5
+MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc)
+MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*}
+
+
+start()
+{
+ # Got proper no of workers . Starting gunicorn now
+ echo -e "Initialising keystone service using gunicorn .. \n"
+
+ if [ -z "$PUBLIC_BIND_ADDR" ]; then
+ echo "Keystone floating ip not found . Cannot start services. Exiting .."
+ exit 1
+ fi
+ BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000
+
+ if [ -e $PIDFILE_PUBLIC ]; then
+ PIDDIR=/proc/$(cat $PIDFILE_PUBLIC)
+ if [ -d ${PIDDIR} ]; then
+ echo "$DESC_PUBLIC already running."
+ exit 1
+ else
+ echo "Removing stale PID file $PIDFILE_PUBLIC"
+ rm -f $PIDFILE_PUBLIC
+ fi
+ fi
+
+ echo -e "Starting $DESC_PUBLIC...\n";
+ echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ;
+
+ echo -e "Starting keystone process at port 5000 \n" ;
+
+ start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \
+ --make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \
+ --worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \
+ --max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \
+ --log-syslog \
+ --pythonpath '/usr/share/keystone' public:application --name keystone-public
+
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ echo -e "Keystone started at port 5000... \n"
+ else
+ echo -e "Failed to start Keystone .. \n"
+ fi
+}
+
+stop()
+{
+ if [ -e $PIDFILE_PUBLIC ]; then
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC
+ RETVAL_PUBLIC=$?
+ if [ $RETVAL_PUBLIC -eq 0 ]; then
+ echo "Stopped $DESC_PUBLIC."
+ else
+ echo "Stopping failed - $PIDFILE_PUBLIC"
+ fi
+ rm -f $PIDFILE_PUBLIC
+ else
+ echo "Already stopped - $PIDFILE_PUBLIC"
+ fi
+}
+
+status()
+{
+ pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null`
+
+ if [ -n "$pid_public" ]; then
+ echo -e "\033[32m $DESC_PUBLIC is running..\033[0m"
+ else
+ echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m"
+ fi
+}
+
+
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart|force-reload|reload)
+ stop
+ start
+ ;;
+ status)
+ status
+ ;;
+ *)
+ #echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}"
+ start
+ #RETVAL=1
+ ;;
+esac
+
+exit $RETVAL
diff --git a/debian/stx/keystone-fernet-keys-rotate-active b/debian/stx/keystone-fernet-keys-rotate-active
new file mode 100644
index 000000000..e2124eee3
--- /dev/null
+++ b/debian/stx/keystone-fernet-keys-rotate-active
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+#
+# Wrapper script to rotate keystone fernet keys on active controller only
+#
+KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info"
+KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"
+
+function is_active_pgserver()
+{
+ # Determine whether we're running on the same controller as the service.
+ local service=postgres
+ local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active)
+ if [ "x$enabledactive" == "x" ]
+ then
+ # enabled-active not found for that service on this controller
+ return 1
+ else
+ # enabled-active found for that resource
+ return 0
+ fi
+}
+
+if is_active_pgserver
+then
+ if [ ! -f ${KEYSTONE_KEYS_ROTATE_INFO} ]
+ then
+ echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO}
+ fi
+
+ source ${KEYSTONE_KEYS_ROTATE_INFO}
+ sudo -u postgres psql -d fm -c "SELECT alarm_id, entity_instance_id from alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null
+ if [ $? -eq 0 ]
+ then
+ source /etc/platform/platform.conf
+ if [ "${system_type}" = "All-in-one" ]
+ then
+ source /etc/init.d/task_affinity_functions.sh
+ idle_core=$(get_most_idle_core)
+ if [ "$idle_core" -ne "0" ]
+ then
+ sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}"
+ sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
+ exit 0
+ fi
+ fi
+
+ if [ "$delay_count" -lt "3" ]
+ then
+ newval=$(($delay_count+1))
+ sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO}
+ (sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) &
+ exit 0
+ fi
+
+ fi
+
+ eval ${KEYSTONE_KEYS_ROTATE_CMD}
+ sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
+
+fi
+
+exit 0
+
diff --git a/debian/stx/keystone.service b/debian/stx/keystone.service
new file mode 100644
index 000000000..a72aa84be
--- /dev/null
+++ b/debian/stx/keystone.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenStack Identity Service (code-named Keystone)
+After=syslog.target network.target
+
+[Service]
+Type=forking
+#ReminAfterExit is set to yes as we have 2 pids to monitor
+RemainAfterExit=yes
+ExecStart=/usr/bin/keystone-all start
+ExecStop=/usr/bin/keystone-all stop
+ExecReload=/usr/bin/keystone-all reload
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/stx/password-rules.conf b/debian/stx/password-rules.conf
new file mode 100644
index 000000000..e7ce65602
--- /dev/null
+++ b/debian/stx/password-rules.conf
@@ -0,0 +1,34 @@
+# The password rules captures the [security_compliance]
+# section of the generic Keystone configuration (keystone.conf)
+# This configuration is used to statically define the password
+# rules for password validation in pre-Keystone environments
+#
+# N.B: Only set non-default keys here (default commented configuration
+# items not needed)
+
+[security_compliance]
+
+#
+# From keystone
+#
+
+# This controls the number of previous user password iterations to keep in
+# history, in order to enforce that newly created passwords are unique. Setting
+# the value to one (the default) disables this feature. Thus, to enable this
+# feature, values must be greater than 1. This feature depends on the `sql`
+# backend for the `[identity] driver`. (integer value)
+# Minimum value: 1
+unique_last_password_count = 3
+
+# The regular expression used to validate password strength requirements. By
+# default, the regular expression will match any password. The following is an
+# example of a pattern which requires at least 1 letter, 1 digit, and have a
+# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
+# depends on the `sql` backend for the `[identity] driver`. (string value)
+password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
+
+# Describe your password regular expression here in language for humans. If a
+# password fails to match the regular expression, the contents of this
+# configuration variable will be returned to users to explain why their
+# requested password was insufficient. (string value)
+password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
diff --git a/debian/stx/public.py b/debian/stx/public.py
new file mode 100644
index 000000000..d3a29f3b3
--- /dev/null
+++ b/debian/stx/public.py
@@ -0,0 +1,21 @@
+# Copyright (c) 2013-2017 Wind River Systems, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+from keystone.server import wsgi as wsgi_server
+
+import sys
+sys.argv = sys.argv[:1]
+
+application = wsgi_server.initialize_public_application()
--
2.30.2

1
openstack/keystone/debian/deb_patches/series Normal file
View File

@ -0,0 +1 @@
0001-Add-stx-support.patch

10
openstack/keystone/debian/meta_data.yaml Normal file
View File

@ -0,0 +1,10 @@
---
debname: keystone
debver: 2:18.0.0-3
dl_path:
name: keystone-debian-18.0.0-3.tar.gz
url: https://salsa.debian.org/openstack-team/services/keystone/-/archive/debian/18.0.0-3/keystone-debian-18.0.0-3.tar.gz
md5sum: fba7c47672b976cdcab5c33f49a5d2fd
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true