Merge "Add $TOP_DIR to the path when calling tools' scripts"
diff --git a/extras.d/80-opendaylight.sh b/extras.d/80-opendaylight.sh
index bfbabc2..b673777 100644
--- a/extras.d/80-opendaylight.sh
+++ b/extras.d/80-opendaylight.sh
@@ -40,7 +40,9 @@
     elif [[ "$1" == "stack" && "$2" == "install" ]]; then
         install_opendaylight-compute
     elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
-        create_nova_conf_neutron
+        if is_service_enabled nova; then
+            create_nova_conf_neutron
+        fi
     elif [[ "$1" == "stack" && "$2" == "extra" ]]; then
         echo_summary "Initializing OpenDaylight"
         ODL_LOCAL_IP=${ODL_LOCAL_IP:-$HOST_IP}
diff --git a/functions b/functions
index 80f98ad..543a6fe 100644
--- a/functions
+++ b/functions
@@ -16,6 +16,10 @@
 XTRACE=$(set +o | grep xtrace)
 set +o xtrace
 
+# Check if a function already exists
+function function_exists {
+    declare -f -F $1 > /dev/null
+}
 
 # Checks if installed Apache is <= given version
 # $1 = x.y.z (version string of Apache)
@@ -527,6 +531,20 @@
     iniset $conf_file $conf_section logging_exception_prefix "%(color)s%(asctime)s.%(msecs)03d TRACE %(name)s %(instance)s"
 }
 
+# These functions are provided for basic fall-back functionality for
+# projects that include parts of devstack (grenade).  stack.sh will
+# override these with more specific versions for devstack (with fancy
+# spinners, etc).  We never override an existing version
+if ! function_exists echo_summary; then
+    function echo_summary {
+        echo $@
+    }
+fi
+if ! function_exists echo_nolog; then
+    function echo_nolog {
+        echo $@
+    }
+fi
 
 # Restore xtrace
 $XTRACE
diff --git a/lib/apache b/lib/apache
index baf0fbc..f7255be 100644
--- a/lib/apache
+++ b/lib/apache
@@ -90,7 +90,7 @@
 # /etc/apache2/sites-available/. a2ensite and a2dissite need the entire file name to work. The default
 # sites' files are default and default-ssl.
 #
-# On Fedora, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
+# On Fedora and openSUSE, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
 #
 # On RHEL and CentOS, things should hopefully work as in Fedora.
 #
@@ -113,7 +113,7 @@
             # Ubuntu 14.04 - Apache 2.4
             echo $APACHE_CONF_DIR/${site}.conf
         fi
-    elif is_fedora; then
+    elif is_fedora || is_suse; then
         # fedora conf.d is only imported if it ends with .conf so this is approx the same
         local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
         if [ -f $enabled_site_file ]; then
@@ -129,7 +129,7 @@
     local site=$@
     if is_ubuntu; then
         sudo a2ensite ${site}
-    elif is_fedora; then
+    elif is_fedora || is_suse; then
         local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
         # Do nothing if site already enabled or no site config exists
         if [[ -f ${enabled_site_file}.disabled ]] && [[ ! -f ${enabled_site_file} ]]; then
@@ -143,7 +143,7 @@
     local site=$@
     if is_ubuntu; then
         sudo a2dissite ${site}
-    elif is_fedora; then
+    elif is_fedora || is_suse; then
         local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
         # Do nothing if no site config exists
         if [[ -f ${enabled_site_file} ]]; then
diff --git a/lib/ceilometer b/lib/ceilometer
index a4be7af..286f199 100644
--- a/lib/ceilometer
+++ b/lib/ceilometer
@@ -164,9 +164,7 @@
     iniset $CEILOMETER_CONF service_credentials os_password $SERVICE_PASSWORD
     iniset $CEILOMETER_CONF service_credentials os_tenant_name $SERVICE_TENANT_NAME
 
-    iniset $CEILOMETER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $CEILOMETER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $CEILOMETER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $CEILOMETER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $CEILOMETER_CONF keystone_authtoken admin_user ceilometer
     iniset $CEILOMETER_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
     iniset $CEILOMETER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
diff --git a/lib/cinder b/lib/cinder
index d5ee17e..4183676 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -233,9 +233,7 @@
     inicomment $CINDER_API_PASTE_INI filter:authtoken admin_password
     inicomment $CINDER_API_PASTE_INI filter:authtoken signing_dir
 
-    iniset $CINDER_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $CINDER_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $CINDER_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $CINDER_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $CINDER_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
     iniset $CINDER_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
     iniset $CINDER_CONF keystone_authtoken admin_user cinder
diff --git a/lib/glance b/lib/glance
index 51e4399..4eb0ada 100644
--- a/lib/glance
+++ b/lib/glance
@@ -89,9 +89,7 @@
     iniset $GLANCE_REGISTRY_CONF DEFAULT sql_connection $dburl
     iniset $GLANCE_REGISTRY_CONF DEFAULT use_syslog $SYSLOG
     iniset $GLANCE_REGISTRY_CONF paste_deploy flavor keystone
-    iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $GLANCE_REGISTRY_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $GLANCE_REGISTRY_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $GLANCE_REGISTRY_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
     configure_API_version $GLANCE_REGISTRY_CONF $IDENTITY_API_VERSION
     iniset $GLANCE_REGISTRY_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
@@ -107,9 +105,7 @@
     iniset $GLANCE_API_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/
     iniset $GLANCE_API_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/
     iniset $GLANCE_API_CONF paste_deploy flavor keystone+cachemanagement
-    iniset $GLANCE_API_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $GLANCE_API_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $GLANCE_API_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $GLANCE_API_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $GLANCE_API_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
     configure_API_version $GLANCE_API_CONF $IDENTITY_API_VERSION
     iniset $GLANCE_API_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
@@ -128,7 +124,7 @@
     # Store the images in swift if enabled.
     if is_service_enabled s-proxy; then
         iniset $GLANCE_API_CONF DEFAULT default_store swift
-        iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/
+        iniset $GLANCE_API_CONF DEFAULT swift_store_auth_address $KEYSTONE_SERVICE_URI/v2.0/
         iniset $GLANCE_API_CONF DEFAULT swift_store_user $SERVICE_TENANT_NAME:glance-swift
         iniset $GLANCE_API_CONF DEFAULT swift_store_key $SERVICE_PASSWORD
         iniset $GLANCE_API_CONF DEFAULT swift_store_create_container_on_put True
@@ -147,7 +143,7 @@
     iniset $GLANCE_CACHE_CONF DEFAULT filesystem_store_datadir $GLANCE_IMAGE_DIR/
     iniset $GLANCE_CACHE_CONF DEFAULT image_cache_dir $GLANCE_CACHE_DIR/
     iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_url
-    iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+    iniset $GLANCE_CACHE_CONF DEFAULT auth_url $KEYSTONE_AUTH_URI/v2.0
     iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_tenant_name
     iniset $GLANCE_CACHE_CONF DEFAULT admin_tenant_name $SERVICE_TENANT_NAME
     iniuncomment $GLANCE_CACHE_CONF DEFAULT auth_user
diff --git a/lib/heat b/lib/heat
index fe75ec9..b8c0359 100644
--- a/lib/heat
+++ b/lib/heat
@@ -107,9 +107,7 @@
     fi
 
     # keystone authtoken
-    iniset $HEAT_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $HEAT_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $HEAT_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $HEAT_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     configure_API_version $HEAT_CONF $IDENTITY_API_VERSION
     iniset $HEAT_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
     iniset $HEAT_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
@@ -117,8 +115,12 @@
     iniset $HEAT_CONF keystone_authtoken admin_password $SERVICE_PASSWORD
     iniset $HEAT_CONF keystone_authtoken signing_dir $HEAT_AUTH_CACHE_DIR
 
+    if is_ssl_enabled_service "key"; then
+        iniset $HEAT_CONF clients_keystone ca_file $KEYSTONE_SSL_CA
+    fi
+
     # ec2authtoken
-    iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0
+    iniset $HEAT_CONF ec2authtoken auth_uri $KEYSTONE_SERVICE_URI/v2.0
 
     # paste_deploy
     [[ "$HEAT_STANDALONE" = "True" ]] && iniset $HEAT_CONF paste_deploy flavor standalone
@@ -269,7 +271,7 @@
     if [[ "$HEAT_STACK_DOMAIN" == "True" ]]; then
         # Note we have to pass token/endpoint here because the current endpoint and
         # version negotiation in OSC means just --os-identity-api-version=3 won't work
-        KS_ENDPOINT_V3="$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v3"
+        KS_ENDPOINT_V3="$KEYSTONE_SERVICE_URI/v3"
         D_ID=$(openstack --os-token $OS_TOKEN --os-url=$KS_ENDPOINT_V3 \
             --os-identity-api-version=3 domain create heat \
             --description "Owns users and projects created by heat" \
diff --git a/lib/ironic b/lib/ironic
index 0656980..d53e1ad 100644
--- a/lib/ironic
+++ b/lib/ironic
@@ -162,11 +162,9 @@
 function configure_ironic_api {
     iniset $IRONIC_CONF_FILE DEFAULT auth_strategy keystone
     iniset $IRONIC_CONF_FILE DEFAULT policy_file $IRONIC_POLICY_JSON
-    iniset $IRONIC_CONF_FILE keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $IRONIC_CONF_FILE keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $IRONIC_CONF_FILE keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+    iniset $IRONIC_CONF_FILE keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $IRONIC_CONF_FILE keystone_authtoken cafile $KEYSTONE_SSL_CA
-    iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/
+    iniset $IRONIC_CONF_FILE keystone_authtoken auth_uri $KEYSTONE_SERVICE_URI
     iniset $IRONIC_CONF_FILE keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
     iniset $IRONIC_CONF_FILE keystone_authtoken admin_user ironic
     iniset $IRONIC_CONF_FILE keystone_authtoken admin_password $SERVICE_PASSWORD
diff --git a/lib/keystone b/lib/keystone
index 6b8863e..849ea75 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -55,7 +55,7 @@
 KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql}
 
 # Select Keystone's token format
-# Choose from 'UUID' and 'PKI'
+# Choose from 'UUID', 'PKI', or 'PKIZ'
 KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-PKI}
 
 # Set Keystone interface configuration
@@ -87,6 +87,10 @@
     KEYSTONE_SERVICE_PROTOCOL="https"
 fi
 
+# complete URIs
+KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
+KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
+
 # Functions
 # ---------
 # cleanup_keystone() - Remove residual data files, anything left over from previous
@@ -202,6 +206,8 @@
 
     if [[ "$KEYSTONE_TOKEN_FORMAT" = "UUID" ]]; then
         iniset $KEYSTONE_CONF token provider keystone.token.providers.uuid.Provider
+    elif [[ "$KEYSTONE_TOKEN_FORMAT" = "PKIZ" ]]; then
+        iniset $KEYSTONE_CONF token provider keystone.token.providers.pkiz.Provider
     fi
 
     iniset $KEYSTONE_CONF database connection `database_connection_url keystone`
@@ -382,7 +388,7 @@
     # Initialize keystone database
     $KEYSTONE_DIR/bin/keystone-manage db_sync
 
-    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" ]]; then
+    if [[ "$KEYSTONE_TOKEN_FORMAT" == "PKI" || "$KEYSTONE_TOKEN_FORMAT" == "PKIZ" ]]; then
         # Set up certificates
         rm -rf $KEYSTONE_CONF_DIR/ssl
         $KEYSTONE_DIR/bin/keystone-manage pki_setup
diff --git a/lib/neutron b/lib/neutron
index e918286..6c0ca06 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -726,7 +726,7 @@
     iniset $Q_META_CONF_FILE DEFAULT nova_metadata_ip $Q_META_DATA_IP
     iniset $Q_META_CONF_FILE DEFAULT root_helper "$Q_RR_COMMAND"
 
-    _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True True
+    _neutron_setup_keystone $Q_META_CONF_FILE DEFAULT True True
 
 }
 
@@ -868,18 +868,9 @@
     local section=$2
     local use_auth_url=$3
     local skip_auth_cache=$4
-    local use_service_port=$5
-    local keystone_port=$KEYSTONE_AUTH_PORT
-    if [[ -n $use_service_port ]]; then
-        keystone_port=$KEYSTONE_SERVICE_PORT
-    fi
-    if [[ -n $use_auth_url ]]; then
-        iniset $conf_file $section auth_url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$keystone_port/v2.0"
-    else
-        iniset $conf_file $section auth_host $KEYSTONE_SERVICE_HOST
-        iniset $conf_file $section auth_port $keystone_port
-        iniset $conf_file $section auth_protocol $KEYSTONE_SERVICE_PROTOCOL
-    fi
+
+    iniset $conf_file $section auth_uri $KEYSTONE_SERVICE_URI
+    iniset $conf_file $section identity_uri $KEYSTONE_AUTH_URI
     iniset $conf_file $section admin_tenant_name $SERVICE_TENANT_NAME
     iniset $conf_file $section admin_user $Q_ADMIN_USERNAME
     iniset $conf_file $section admin_password $SERVICE_PASSWORD
diff --git a/lib/nova b/lib/nova
index 76929b1..9dd6bb0 100644
--- a/lib/nova
+++ b/lib/nova
@@ -456,9 +456,7 @@
 
         # Add keystone authtoken configuration
 
-        iniset $NOVA_CONF keystone_authtoken auth_host $KEYSTONE_AUTH_HOST
-        iniset $NOVA_CONF keystone_authtoken auth_port $KEYSTONE_AUTH_PORT
-        iniset $NOVA_CONF keystone_authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+        iniset $NOVA_CONF keystone_authtoken identity_uri $KEYSTONE_AUTH_URI
         iniset $NOVA_CONF keystone_authtoken admin_tenant_name $SERVICE_TENANT_NAME
         iniset $NOVA_CONF keystone_authtoken cafile $KEYSTONE_SSL_CA
         iniset $NOVA_CONF keystone_authtoken admin_user nova
diff --git a/lib/nova_plugins/hypervisor-ironic b/lib/nova_plugins/hypervisor-ironic
index e72f7c1..c068c74 100644
--- a/lib/nova_plugins/hypervisor-ironic
+++ b/lib/nova_plugins/hypervisor-ironic
@@ -48,7 +48,7 @@
     # ironic section
     iniset $NOVA_CONF ironic admin_username admin
     iniset $NOVA_CONF ironic admin_password $ADMIN_PASSWORD
-    iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+    iniset $NOVA_CONF ironic admin_url $KEYSTONE_AUTH_URI/v2.0
     iniset $NOVA_CONF ironic admin_tenant_name demo
     iniset $NOVA_CONF ironic api_endpoint http://$SERVICE_HOST:6385/v1
     iniset $NOVA_CONF ironic sql_connection `database_connection_url nova_bm`
diff --git a/lib/tempest b/lib/tempest
index af32a9d..1e98bec 100644
--- a/lib/tempest
+++ b/lib/tempest
@@ -149,6 +149,7 @@
     TEMPEST_TENANT_NAME=${TEMPEST_TENANT_NAME:-demo}
     ALT_USERNAME=${ALT_USERNAME:-alt_demo}
     ALT_TENANT_NAME=${ALT_TENANT_NAME:-alt_demo}
+    ADMIN_TENANT_ID=$(openstack project list | awk "/ admin / { print \$2 }")
 
     # If the ``DEFAULT_INSTANCE_TYPE`` not declared, use the new behavior
     # Tempest creates instane types for himself
@@ -256,6 +257,7 @@
     iniset $TEMPEST_CONFIG identity admin_username $ADMIN_USERNAME
     iniset $TEMPEST_CONFIG identity admin_password "$password"
     iniset $TEMPEST_CONFIG identity admin_tenant_name $ADMIN_TENANT_NAME
+    iniset $TEMPEST_CONFIG identity admin_tenant_id $ADMIN_TENANT_ID
     iniset $TEMPEST_CONFIG identity admin_domain_name $ADMIN_DOMAIN_NAME
     iniset $TEMPEST_CONFIG identity auth_version ${TEMPEST_AUTH_VERSION:-v2}
 
@@ -281,6 +283,7 @@
     iniset $TEMPEST_CONFIG compute ssh_connect_method $ssh_connect_method
 
     # Compute Features
+    iniset $TEMPEST_CONFIG compute-feature-enabled api_v3 ${TEMPEST_NOVA_API_V3:-False}
     iniset $TEMPEST_CONFIG compute-feature-enabled resize True
     iniset $TEMPEST_CONFIG compute-feature-enabled live_migration ${LIVE_MIGRATION_AVAILABLE:-False}
     iniset $TEMPEST_CONFIG compute-feature-enabled change_password False
@@ -316,10 +319,10 @@
         if [[ ! -z "$HEAT_CFN_IMAGE_URL" ]]; then
             iniset $TEMPEST_CONFIG orchestration image_ref $(basename "$HEAT_CFN_IMAGE_URL" ".qcow2")
         fi
-        # build a specialized heat flavor that is likely to be fast
+        # build a specialized heat flavor
         available_flavors=$(nova flavor-list)
         if [[ ! ( $available_flavors =~ 'm1.heat' ) ]]; then
-            nova flavor-create m1.heat 451 1024 0 2
+            nova flavor-create m1.heat 451 512 0 1
         fi
         iniset $TEMPEST_CONFIG orchestration instance_type "m1.heat"
         iniset $TEMPEST_CONFIG orchestration build_timeout 900
diff --git a/lib/trove b/lib/trove
index 82c8c96..e467c90 100644
--- a/lib/trove
+++ b/lib/trove
@@ -133,9 +133,8 @@
     # Copy api-paste file over to the trove conf dir and configure it
     cp $TROVE_LOCAL_CONF_DIR/api-paste.ini $TROVE_CONF_DIR/api-paste.ini
     TROVE_API_PASTE_INI=$TROVE_CONF_DIR/api-paste.ini
-    iniset $TROVE_API_PASTE_INI filter:authtoken auth_host $KEYSTONE_AUTH_HOST
-    iniset $TROVE_API_PASTE_INI filter:authtoken auth_port $KEYSTONE_AUTH_PORT
-    iniset $TROVE_API_PASTE_INI filter:authtoken auth_protocol $KEYSTONE_AUTH_PROTOCOL
+
+    iniset $TROVE_API_PASTE_INI filter:authtoken identity_uri $KEYSTONE_AUTH_URI
     iniset $TROVE_API_PASTE_INI filter:authtoken cafile $KEYSTONE_SSL_CA
     iniset $TROVE_API_PASTE_INI filter:authtoken admin_tenant_name $SERVICE_TENANT_NAME
     iniset $TROVE_API_PASTE_INI filter:authtoken admin_user trove
@@ -158,7 +157,7 @@
 
     # (Re)create trove taskmanager conf file if needed
     if is_service_enabled tr-tmgr; then
-        TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION
+        TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION
 
         iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD
         iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove`
diff --git a/stack.sh b/stack.sh
index 6452563..bd99b5b 100755
--- a/stack.sh
+++ b/stack.sh
@@ -246,7 +246,12 @@
 
     # ... and also optional to be enabled
     is_package_installed yum-utils || install_package yum-utils
-    sudo yum-config-manager --enable rhel-6-server-optional-rpms
+    if [[ $DISTRO =~ (rhel7) ]]; then
+        OPTIONAL_REPO=rhel-7-server-optional-rpms
+    else
+        OPTIONAL_REPO=rhel-6-server-optional-rpms
+    fi
+    sudo yum-config-manager --enable ${OPTIONAL_REPO}
 
 fi
 
@@ -913,7 +918,7 @@
     start_keystone
 
     # Set up a temporary admin URI for Keystone
-    SERVICE_ENDPOINT=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v2.0
+    SERVICE_ENDPOINT=$KEYSTONE_AUTH_URI/v2.0
 
     if is_service_enabled tls-proxy; then
         export OS_CACERT=$INT_CA_DIR/ca-chain.pem
@@ -1346,7 +1351,7 @@
 
 # If Keystone is present you can point ``nova`` cli to this server
 if is_service_enabled key; then
-    echo "Keystone is serving at $KEYSTONE_AUTH_PROTOCOL://$SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v2.0/"
+    echo "Keystone is serving at $KEYSTONE_SERVICE_URI/v2.0/"
     echo "Examples on using novaclient command line is in exercise.sh"
     echo "The default users are: admin and demo"
     echo "The password: $ADMIN_PASSWORD"
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index a410543..f1dc76a 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -35,6 +35,30 @@
 
 FILES=$TOP_DIR/files
 
+# Keystone Port Reservation
+# -------------------------
+# Reserve and prevent $KEYSTONE_AUTH_PORT and $KEYSTONE_AUTH_PORT_INT from
+# being used as ephemeral ports by the system. The default(s) are 35357 and
+# 35358 which are in the Linux defined ephemeral port range (in disagreement
+# with the IANA ephemeral port range). This is a workaround for bug #1253482
+# where Keystone will try and bind to the port and the port will already be
+# in use as an ephemeral port by another process. This places an explicit
+# exception into the Kernel for the Keystone AUTH ports.
+keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
+
+# Get any currently reserved ports, strip off leading whitespace
+reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
+
+if [[ -z "${reserved_ports}" ]]; then
+    # If there are no currently reserved ports, reserve the keystone ports
+    sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
+else
+    # If there are currently reserved ports, keep those and also reserve the
+    # keystone specific ports. Duplicate reservations are merged into a single
+    # reservation (or range) automatically by the kernel.
+    sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
+fi
+
 
 # Python Packages
 # ---------------