| # lib/keystone |
| # Functions to control the configuration and operation of **Keystone** |
| |
| # Dependencies: |
| # |
| # - ``functions`` file |
| # - ``tls`` file |
| # - ``DEST``, ``STACK_USER`` |
| # - ``FILES`` |
| # - ``IDENTITY_API_VERSION`` |
| # - ``BASE_SQL_CONN`` |
| # - ``SERVICE_HOST``, ``SERVICE_PROTOCOL`` |
| # - ``SERVICE_TOKEN`` |
| # - ``S3_SERVICE_PORT`` (template backend only) |
| |
| # ``stack.sh`` calls the entry points in this order: |
| # |
| # - install_keystone |
| # - configure_keystone |
| # - _config_keystone_apache_wsgi |
| # - init_keystone |
| # - start_keystone |
| # - create_keystone_accounts |
| # - stop_keystone |
| # - cleanup_keystone |
| # - _cleanup_keystone_apache_wsgi |
| |
| # Save trace setting |
| XTRACE=$(set +o | grep xtrace) |
| set +o xtrace |
| |
| # Defaults |
| # -------- |
| |
| # Set up default directories |
| KEYSTONE_DIR=$DEST/keystone |
| KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone} |
| KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf |
| KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini} |
| KEYSTONE_AUTH_CACHE_DIR=${KEYSTONE_AUTH_CACHE_DIR:-/var/cache/keystone} |
| KEYSTONE_WSGI_DIR=${KEYSTONE_WSGI_DIR:-/var/www/keystone} |
| |
| KEYSTONEMIDDLEWARE_DIR=$DEST/keystonemiddleware |
| KEYSTONECLIENT_DIR=$DEST/python-keystoneclient |
| |
| # Set up additional extensions, such as oauth1, federation |
| # Example of KEYSTONE_EXTENSIONS=oauth1,federation |
| KEYSTONE_EXTENSIONS=${KEYSTONE_EXTENSIONS:-} |
| |
| # Toggle for deploying Keystone under HTTPD + mod_wsgi |
| KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}} |
| |
| # Select the backend for Keystone's service catalog |
| KEYSTONE_CATALOG_BACKEND=${KEYSTONE_CATALOG_BACKEND:-sql} |
| KEYSTONE_CATALOG=$KEYSTONE_CONF_DIR/default_catalog.templates |
| |
| # Select the backend for Tokens |
| KEYSTONE_TOKEN_BACKEND=${KEYSTONE_TOKEN_BACKEND:-sql} |
| |
| # Select the backend for Identity |
| KEYSTONE_IDENTITY_BACKEND=${KEYSTONE_IDENTITY_BACKEND:-sql} |
| |
| # Select the backend for Assignment |
| KEYSTONE_ASSIGNMENT_BACKEND=${KEYSTONE_ASSIGNMENT_BACKEND:-sql} |
| |
| # Select Keystone's token format |
| # Choose from 'UUID', 'PKI', or 'PKIZ' |
| KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:]') |
| |
| # Set Keystone interface configuration |
| KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} |
| KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357} |
| KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358} |
| KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL} |
| |
| # Public facing bits |
| KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST} |
| KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000} |
| KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001} |
| KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL} |
| |
| # Bind hosts |
| KEYSTONE_ADMIN_BIND_HOST=${KEYSTONE_ADMIN_BIND_HOST:-$KEYSTONE_SERVICE_HOST} |
| # Set the tenant for service accounts in Keystone |
| SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service} |
| |
| # valid identity backends as per dir keystone/identity/backends |
| KEYSTONE_VALID_IDENTITY_BACKENDS=kvs,ldap,pam,sql |
| |
| # valid assignment backends as per dir keystone/identity/backends |
| KEYSTONE_VALID_ASSIGNMENT_BACKENDS=kvs,ldap,sql |
| |
| # if we are running with SSL use https protocols |
| if is_ssl_enabled_service "key"; then |
| KEYSTONE_AUTH_PROTOCOL="https" |
| KEYSTONE_SERVICE_PROTOCOL="https" |
| fi |
| |
| # complete URIs |
| KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} |
| KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} |
| |
| # Functions |
| # --------- |
| # cleanup_keystone() - Remove residual data files, anything left over from previous |
| # runs that a clean run would need to clean up |
| function cleanup_keystone { |
| _cleanup_keystone_apache_wsgi |
| } |
| |
| # _cleanup_keystone_apache_wsgi() - Remove wsgi files, disable and remove apache vhost file |
| function _cleanup_keystone_apache_wsgi { |
| sudo rm -f $KEYSTONE_WSGI_DIR/*.wsgi |
| sudo rm -f $(apache_site_config_for keystone) |
| } |
| |
| # _config_keystone_apache_wsgi() - Set WSGI config files of Keystone |
| function _config_keystone_apache_wsgi { |
| sudo mkdir -p $KEYSTONE_WSGI_DIR |
| |
| local keystone_apache_conf=$(apache_site_config_for keystone) |
| local apache_version=$(get_apache_version) |
| |
| if [[ ${apache_version#*\.} -ge 4 ]]; then |
| # Apache 2.4 supports custom error log formats |
| # this should mirror the original log formatting. |
| local errorlogformat='ErrorLogFormat "%{cu}t %M"' |
| fi |
| |
| # copy proxy vhost and wsgi file |
| sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/main |
| sudo cp $KEYSTONE_DIR/httpd/keystone.py $KEYSTONE_WSGI_DIR/admin |
| |
| sudo cp $FILES/apache-keystone.template $keystone_apache_conf |
| sudo sed -e " |
| s|%PUBLICPORT%|$KEYSTONE_SERVICE_PORT|g; |
| s|%ADMINPORT%|$KEYSTONE_AUTH_PORT|g; |
| s|%APACHE_NAME%|$APACHE_NAME|g; |
| s|%PUBLICWSGI%|$KEYSTONE_WSGI_DIR/main|g; |
| s|%ADMINWSGI%|$KEYSTONE_WSGI_DIR/admin|g; |
| s|%USER%|$STACK_USER|g |
| s|%ERRORLOGFORMAT%|$errorlogformat|g; |
| " -i $keystone_apache_conf |
| } |
| |
| # configure_keystone() - Set config files, create data dirs, etc |
| function configure_keystone { |
| if [[ ! -d $KEYSTONE_CONF_DIR ]]; then |
| sudo mkdir -p $KEYSTONE_CONF_DIR |
| fi |
| sudo chown $STACK_USER $KEYSTONE_CONF_DIR |
| |
| if [[ "$KEYSTONE_CONF_DIR" != "$KEYSTONE_DIR/etc" ]]; then |
| cp -p $KEYSTONE_DIR/etc/keystone.conf.sample $KEYSTONE_CONF |
| chmod 600 $KEYSTONE_CONF |
| cp -p $KEYSTONE_DIR/etc/policy.json $KEYSTONE_CONF_DIR |
| if [[ -f "$KEYSTONE_DIR/etc/keystone-paste.ini" ]]; then |
| cp -p "$KEYSTONE_DIR/etc/keystone-paste.ini" "$KEYSTONE_PASTE_INI" |
| fi |
| fi |
| if [[ -f "$KEYSTONE_PASTE_INI" ]]; then |
| iniset "$KEYSTONE_CONF" paste_deploy config_file "$KEYSTONE_PASTE_INI" |
| else |
| # compatibility with mixed cfg and paste.deploy configuration |
| KEYSTONE_PASTE_INI="$KEYSTONE_CONF" |
| fi |
| |
| configure_keystone_extensions |
| |
| # Rewrite stock ``keystone.conf`` |
| |
| if is_service_enabled ldap; then |
| #Set all needed ldap values |
| iniset $KEYSTONE_CONF ldap password $LDAP_PASSWORD |
| iniset $KEYSTONE_CONF ldap user $LDAP_MANAGER_DN |
| iniset $KEYSTONE_CONF ldap suffix $LDAP_BASE_DN |
| iniset $KEYSTONE_CONF ldap use_dumb_member "True" |
| iniset $KEYSTONE_CONF ldap user_attribute_ignore "enabled,email,tenants,default_project_id" |
| iniset $KEYSTONE_CONF ldap tenant_attribute_ignore "enabled" |
| iniset $KEYSTONE_CONF ldap tenant_domain_id_attribute "businessCategory" |
| iniset $KEYSTONE_CONF ldap tenant_desc_attribute "description" |
| iniset $KEYSTONE_CONF ldap tenant_tree_dn "ou=Projects,$LDAP_BASE_DN" |
| iniset $KEYSTONE_CONF ldap user_domain_id_attribute "businessCategory" |
| iniset $KEYSTONE_CONF ldap user_tree_dn "ou=Users,$LDAP_BASE_DN" |
| iniset $KEYSTONE_CONF DEFAULT member_role_id "9fe2ff9ee4384b1894a90878d3e92bab" |
| iniset $KEYSTONE_CONF DEFAULT member_role_name "_member_" |
| fi |
| |
| # check if identity backend is valid |
| if [[ "$KEYSTONE_VALID_IDENTITY_BACKENDS" =~ "$KEYSTONE_IDENTITY_BACKEND" ]]; then |
| iniset $KEYSTONE_CONF identity driver "keystone.identity.backends.$KEYSTONE_IDENTITY_BACKEND.Identity" |
| fi |
| |
| # check if assignment backend is valid |
| if [[ "$KEYSTONE_VALID_ASSIGNMENT_BACKENDS" =~ "$KEYSTONE_ASSIGNMENT_BACKEND" ]]; then |
| iniset $KEYSTONE_CONF assignment driver "keystone.assignment.backends.$KEYSTONE_ASSIGNMENT_BACKEND.Assignment" |
| fi |
| |
| # Configure rabbitmq credentials |
| if is_service_enabled rabbit; then |
| iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
| iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST |
| fi |
| |
| # Set the URL advertised in the ``versions`` structure returned by the '/' route |
| iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/" |
| iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/" |
| iniset $KEYSTONE_CONF DEFAULT admin_bind_host "$KEYSTONE_ADMIN_BIND_HOST" |
| |
| # Register SSL certificates if provided |
| if is_ssl_enabled_service key; then |
| ensure_certificates KEYSTONE |
| |
| iniset $KEYSTONE_CONF ssl enable True |
| iniset $KEYSTONE_CONF ssl certfile $KEYSTONE_SSL_CERT |
| iniset $KEYSTONE_CONF ssl keyfile $KEYSTONE_SSL_KEY |
| fi |
| |
| if is_service_enabled tls-proxy; then |
| # Set the service ports for a proxy to take the originals |
| iniset $KEYSTONE_CONF DEFAULT public_port $KEYSTONE_SERVICE_PORT_INT |
| iniset $KEYSTONE_CONF DEFAULT admin_port $KEYSTONE_AUTH_PORT_INT |
| fi |
| |
| iniset $KEYSTONE_CONF DEFAULT admin_token "$SERVICE_TOKEN" |
| |
| if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then |
| iniset $KEYSTONE_CONF token provider keystone.token.providers.$KEYSTONE_TOKEN_FORMAT.Provider |
| fi |
| |
| iniset $KEYSTONE_CONF database connection `database_connection_url keystone` |
| iniset $KEYSTONE_CONF ec2 driver "keystone.contrib.ec2.backends.sql.Ec2" |
| |
| if [[ "$KEYSTONE_TOKEN_BACKEND" = "sql" ]]; then |
| iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.sql.Token |
| elif [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then |
| iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.memcache.Token |
| else |
| iniset $KEYSTONE_CONF token driver keystone.token.persistence.backends.kvs.Token |
| fi |
| |
| if [[ "$KEYSTONE_CATALOG_BACKEND" = "sql" ]]; then |
| # Configure ``keystone.conf`` to use sql |
| iniset $KEYSTONE_CONF catalog driver keystone.catalog.backends.sql.Catalog |
| inicomment $KEYSTONE_CONF catalog template_file |
| else |
| cp -p $FILES/default_catalog.templates $KEYSTONE_CATALOG |
| |
| # Add swift endpoints to service catalog if swift is enabled |
| if is_service_enabled s-proxy; then |
| echo "catalog.RegionOne.object_store.publicURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.object_store.adminURL = http://%SERVICE_HOST%:8080/" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.object_store.internalURL = http://%SERVICE_HOST%:8080/v1/AUTH_\$(tenant_id)s" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.object_store.name = Swift Service" >> $KEYSTONE_CATALOG |
| fi |
| |
| # Add neutron endpoints to service catalog if neutron is enabled |
| if is_service_enabled neutron; then |
| echo "catalog.RegionOne.network.publicURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.network.adminURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.network.internalURL = http://%SERVICE_HOST%:$Q_PORT/" >> $KEYSTONE_CATALOG |
| echo "catalog.RegionOne.network.name = Neutron Service" >> $KEYSTONE_CATALOG |
| fi |
| |
| sed -e " |
| s,%SERVICE_HOST%,$SERVICE_HOST,g; |
| s,%S3_SERVICE_PORT%,$S3_SERVICE_PORT,g; |
| " -i $KEYSTONE_CATALOG |
| |
| # Configure ``keystone.conf`` to use templates |
| iniset $KEYSTONE_CONF catalog driver "keystone.catalog.backends.templated.TemplatedCatalog" |
| iniset $KEYSTONE_CONF catalog template_file "$KEYSTONE_CATALOG" |
| fi |
| |
| # Set up logging |
| if [ "$SYSLOG" != "False" ]; then |
| iniset $KEYSTONE_CONF DEFAULT use_syslog "True" |
| fi |
| |
| # Format logging |
| if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_USE_MOD_WSGI" == "False" ] ; then |
| setup_colorized_logging $KEYSTONE_CONF DEFAULT |
| fi |
| |
| if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| iniset $KEYSTONE_CONF DEFAULT debug "True" |
| # Eliminate the %(asctime)s.%(msecs)03d from the log format strings |
| iniset $KEYSTONE_CONF DEFAULT logging_context_format_string "%(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s" |
| iniset $KEYSTONE_CONF DEFAULT logging_default_format_string "%(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s" |
| iniset $KEYSTONE_CONF DEFAULT logging_debug_format_suffix "%(funcName)s %(pathname)s:%(lineno)d" |
| iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(process)d TRACE %(name)s %(instance)s" |
| _config_keystone_apache_wsgi |
| fi |
| |
| iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 |
| } |
| |
| function configure_keystone_extensions { |
| # Add keystone extension into keystone v3 application pipeline |
| local extension_value |
| local api_v3 |
| local extension |
| local api_v3_extension |
| for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do |
| if [[ -z "${extension_value}" ]]; then |
| continue |
| fi |
| api_v3=$(iniget $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline) |
| extension=$(echo $api_v3 | sed -ne "/${extension_value}/ p;" ) |
| if [[ -z $extension ]]; then |
| api_v3_extension=$(echo $api_v3 | sed -ne "s/service_v3/${extension_value}_extension service_v3/p;" ) |
| iniset $KEYSTONE_PASTE_INI pipeline:api_v3 pipeline "$api_v3_extension" |
| fi |
| done |
| } |
| |
| # create_keystone_accounts() - Sets up common required keystone accounts |
| |
| # Tenant User Roles |
| # ------------------------------------------------------------------ |
| # admin admin admin |
| # service -- -- |
| # -- -- service |
| # -- -- ResellerAdmin |
| # -- -- Member |
| # demo admin admin |
| # demo demo Member, anotherrole |
| # invisible_to_admin demo Member |
| |
| # Migrated from keystone_data.sh |
| function create_keystone_accounts { |
| |
| # admin |
| local admin_tenant=$(get_or_create_project "admin") |
| local admin_user=$(get_or_create_user "admin" \ |
| "$ADMIN_PASSWORD" "$admin_tenant") |
| local admin_role=$(get_or_create_role "admin") |
| get_or_add_user_role $admin_role $admin_user $admin_tenant |
| |
| # Create service project/role |
| get_or_create_project "$SERVICE_TENANT_NAME" |
| |
| # Service role, so service users do not have to be admins |
| get_or_create_role service |
| |
| # The ResellerAdmin role is used by Nova and Ceilometer so we need to keep it. |
| # The admin role in swift allows a user to act as an admin for their tenant, |
| # but ResellerAdmin is needed for a user to act as any tenant. The name of this |
| # role is also configurable in swift-proxy.conf |
| get_or_create_role ResellerAdmin |
| |
| # The Member role is used by Horizon and Swift so we need to keep it: |
| local member_role=$(get_or_create_role "Member") |
| |
| # another_role demonstrates that an arbitrary role may be created and used |
| # TODO(sleepsonthefloor): show how this can be used for rbac in the future! |
| local another_role=$(get_or_create_role "anotherrole") |
| |
| # invisible tenant - admin can't see this one |
| local invis_tenant=$(get_or_create_project "invisible_to_admin") |
| |
| # demo |
| local demo_tenant=$(get_or_create_project "demo") |
| local demo_user=$(get_or_create_user "demo" \ |
| "$ADMIN_PASSWORD" "$demo_tenant" "demo@example.com") |
| |
| get_or_add_user_role $member_role $demo_user $demo_tenant |
| get_or_add_user_role $admin_role $admin_user $demo_tenant |
| get_or_add_user_role $another_role $demo_user $demo_tenant |
| get_or_add_user_role $member_role $demo_user $invis_tenant |
| |
| # Keystone |
| if [[ "$KEYSTONE_CATALOG_BACKEND" = 'sql' ]]; then |
| |
| KEYSTONE_SERVICE=$(get_or_create_service "keystone" \ |
| "identity" "Keystone Identity Service") |
| get_or_create_endpoint $KEYSTONE_SERVICE \ |
| "$REGION_NAME" \ |
| "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" \ |
| "$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT/v$IDENTITY_API_VERSION" \ |
| "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$IDENTITY_API_VERSION" |
| fi |
| } |
| |
| # Configure the API version for the OpenStack projects. |
| # configure_API_version conf_file version |
| function configure_API_version { |
| local conf_file=$1 |
| local api_version=$2 |
| iniset $conf_file keystone_authtoken auth_uri $KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT/v$api_version |
| } |
| |
| # init_keystone() - Initialize databases, etc. |
| function init_keystone { |
| if is_service_enabled ldap; then |
| init_ldap |
| fi |
| |
| # (Re)create keystone database |
| recreate_database keystone utf8 |
| |
| # Initialize keystone database |
| $KEYSTONE_DIR/bin/keystone-manage db_sync |
| |
| local extension_value |
| for extension_value in ${KEYSTONE_EXTENSIONS//,/ }; do |
| if [[ -z "${extension_value}" ]]; then |
| continue |
| fi |
| $KEYSTONE_DIR/bin/keystone-manage db_sync --extension "${extension_value}" |
| done |
| |
| if [[ "$KEYSTONE_TOKEN_FORMAT" != "uuid" ]]; then |
| # Set up certificates |
| rm -rf $KEYSTONE_CONF_DIR/ssl |
| $KEYSTONE_DIR/bin/keystone-manage pki_setup |
| |
| # Create cache dir |
| sudo mkdir -p $KEYSTONE_AUTH_CACHE_DIR |
| sudo chown $STACK_USER $KEYSTONE_AUTH_CACHE_DIR |
| rm -f $KEYSTONE_AUTH_CACHE_DIR/* |
| fi |
| } |
| |
| # install_keystoneclient() - Collect source and prepare |
| function install_keystoneclient { |
| git_clone $KEYSTONECLIENT_REPO $KEYSTONECLIENT_DIR $KEYSTONECLIENT_BRANCH |
| setup_develop $KEYSTONECLIENT_DIR |
| sudo install -D -m 0644 -o $STACK_USER {$KEYSTONECLIENT_DIR/tools/,/etc/bash_completion.d/}keystone.bash_completion |
| } |
| |
| # install_keystonemiddleware() - Collect source and prepare |
| function install_keystonemiddleware { |
| git_clone $KEYSTONEMIDDLEWARE_REPO $KEYSTONEMIDDLEWARE_DIR $KEYSTONEMIDDLEWARE_BRANCH |
| setup_install $KEYSTONEMIDDLEWARE_DIR |
| } |
| |
| # install_keystone() - Collect source and prepare |
| function install_keystone { |
| # only install ldap if the service has been enabled |
| if is_service_enabled ldap; then |
| install_ldap |
| fi |
| if [[ "$KEYSTONE_TOKEN_BACKEND" = "memcache" ]]; then |
| # Install memcached and the memcache Python library that keystone uses. |
| # Unfortunately the Python library goes by different names in the .deb |
| # and .rpm circles. |
| install_package memcached |
| if is_ubuntu; then |
| install_package python-memcache |
| else |
| install_package python-memcached |
| fi |
| fi |
| git_clone $KEYSTONE_REPO $KEYSTONE_DIR $KEYSTONE_BRANCH |
| setup_develop $KEYSTONE_DIR |
| if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| install_apache_wsgi |
| fi |
| } |
| |
| # start_keystone() - Start running processes, including screen |
| function start_keystone { |
| # Get right service port for testing |
| local service_port=$KEYSTONE_SERVICE_PORT |
| if is_service_enabled tls-proxy; then |
| service_port=$KEYSTONE_SERVICE_PORT_INT |
| fi |
| |
| if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| enable_apache_site keystone |
| restart_apache_server |
| tail_log key /var/log/$APACHE_NAME/keystone.log |
| tail_log key-access /var/log/$APACHE_NAME/keystone_access.log |
| else |
| # Start Keystone in a screen window |
| run_process key "$KEYSTONE_DIR/bin/keystone-all --config-file $KEYSTONE_CONF --debug" |
| fi |
| |
| echo "Waiting for keystone to start..." |
| # Check that the keystone service is running. Even if the tls tunnel |
| # should be enabled, make sure the internal port is checked using |
| # unencryted traffic at this point. |
| if ! timeout $SERVICE_TIMEOUT sh -c "while ! curl --noproxy '*' -k -s http://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ >/dev/null; do sleep 1; done"; then |
| die $LINENO "keystone did not start" |
| fi |
| |
| # Start proxies if enabled |
| if is_service_enabled tls-proxy; then |
| start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT & |
| start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT & |
| fi |
| } |
| |
| # stop_keystone() - Stop running processes |
| function stop_keystone { |
| if [ "$KEYSTONE_USE_MOD_WSGI" == "True" ]; then |
| disable_apache_site keystone |
| restart_apache_server |
| fi |
| # Kill the Keystone screen window |
| stop_process key |
| } |
| |
| function is_keystone_enabled { |
| return is_service_enabled key |
| } |
| |
| # Restore xtrace |
| $XTRACE |
| |
| # Tell emacs to use shell-script-mode |
| ## Local variables: |
| ## mode: shell-script |
| ## End: |