Drop keystone dedicated ports

The historic references to ports 5000 and 35357 have not been used
for some time, so drop them.

Clean up some python2/3 wording along the way.

No longer mention Identity API v2, which is also a thing of the past.

Change-Id: Iafff097eee082f24ea2ae27ad038ad115aa36c61
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 45f4ffe..67c3b8a 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -137,7 +137,7 @@
 
     ::
 
-        OS_AUTH_URL=http://$SERVICE_HOST:5000/v3.0
+        OS_AUTH_URL=http://$SERVICE_HOST/identity/v3.0
 
 KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG
     Set command-line client log level to ``DEBUG``. These are commented
@@ -430,16 +430,16 @@
 
   ADDITIONAL_VENV_PACKAGES="python-foo, python-bar"
 
-Use python3
+Use python2
 ------------
 
-By default ``stack.sh`` uses python2 (the exact version set by the
-``PYTHON2_VERSION``). This can be overriden so devstack will run
-python3 (the exact version set by ``PYTHON3_VERSION``).
+By default ``stack.sh`` uses python3 (the exact version set by the
+``PYTHON3_VERSION``). This can be overriden so devstack will run
+python2 (the exact version set by ``PYTHON2_VERSION``).
 
 ::
 
-  USE_PYTHON3=True
+  USE_PYTHON3=False
 
 A clean install every time
 --------------------------
@@ -696,16 +696,6 @@
 KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit
 it in the configuration of RegionOne.
 
-Disabling Identity API v2
-+++++++++++++++++++++++++
-
-The Identity API v2 is deprecated as of Mitaka and it is recommended to only
-use the v3 API. It is possible to setup keystone without v2 API, by doing:
-
-::
-
-    ENABLE_IDENTITY_V2=False
-
 .. _arch-configuration:
 
 Architectures
diff --git a/files/apache-keystone.template b/files/apache-keystone.template
index 1284360..cf26c21 100644
--- a/files/apache-keystone.template
+++ b/files/apache-keystone.template
@@ -1,39 +1,9 @@
-Listen %PUBLICPORT%
-Listen %ADMINPORT%
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined
 
 <Directory %KEYSTONE_BIN%>
     Require all granted
 </Directory>
 
-<VirtualHost *:%PUBLICPORT%>
-    WSGIDaemonProcess keystone-public processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
-    WSGIProcessGroup keystone-public
-    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    ErrorLogFormat "%M"
-    ErrorLog /var/log/%APACHE_NAME%/keystone.log
-    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
-    %SSLENGINE%
-    %SSLCERTFILE%
-    %SSLKEYFILE%
-</VirtualHost>
-
-<VirtualHost *:%ADMINPORT%>
-    WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%
-    WSGIProcessGroup keystone-admin
-    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    ErrorLogFormat "%M"
-    ErrorLog /var/log/%APACHE_NAME%/keystone.log
-    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined
-    %SSLENGINE%
-    %SSLCERTFILE%
-    %SSLKEYFILE%
-</VirtualHost>
-
 %SSLLISTEN%<VirtualHost *:443>
 %SSLLISTEN%    %SSLENGINE%
 %SSLLISTEN%    %SSLCERTFILE%
diff --git a/lib/keystone b/lib/keystone
index d4c7b06..29407a0 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -83,14 +83,10 @@
 
 # Set Keystone interface configuration
 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
-KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}
-KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}
 KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
 
 # Public facing bits
 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}
-KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}
-KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}
 KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}
 
 # Bind hosts
@@ -170,22 +166,14 @@
     local keystone_ssl=""
     local keystone_certfile=""
     local keystone_keyfile=""
-    local keystone_service_port=$KEYSTONE_SERVICE_PORT
-    local keystone_auth_port=$KEYSTONE_AUTH_PORT
     local venv_path=""
 
-    if is_service_enabled tls-proxy; then
-        keystone_service_port=$KEYSTONE_SERVICE_PORT_INT
-        keystone_auth_port=$KEYSTONE_AUTH_PORT_INT
-    fi
     if [[ ${USE_VENV} = True ]]; then
         venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"
     fi
 
     sudo cp $FILES/apache-keystone.template $keystone_apache_conf
     sudo sed -e "
-        s|%PUBLICPORT%|$keystone_service_port|g;
-        s|%ADMINPORT%|$keystone_auth_port|g;
         s|%APACHE_NAME%|$APACHE_NAME|g;
         s|%SSLLISTEN%|$keystone_ssl_listen|g;
         s|%SSLENGINE%|$keystone_ssl|g;
@@ -222,21 +210,8 @@
 
     iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications
 
-    local service_port=$KEYSTONE_SERVICE_PORT
-    local auth_port=$KEYSTONE_AUTH_PORT
-
-    if is_service_enabled tls-proxy; then
-        # Set the service ports for a proxy to take the originals
-        service_port=$KEYSTONE_SERVICE_PORT_INT
-        auth_port=$KEYSTONE_AUTH_PORT_INT
-    fi
-
     # Override the endpoints advertised by keystone (the public_endpoint and
-    # admin_endpoint) so that clients use the correct endpoint. By default, the
-    # keystone server uses the public_port and admin_port which isn't going to
-    # work when you want to use a different port (in the case of proxy), or you
-    # don't want the port (in the case of putting keystone on a path in
-    # apache).
+    # admin_endpoint) so that clients use the correct endpoint.
     iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
     iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
 
@@ -270,12 +245,6 @@
 
     iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"
 
-    # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.
-    # The users from this project are globally admin as before, but it also
-    # allows policy changes in order to clarify the adminess scope.
-    #iniset $KEYSTONE_CONF resource admin_project_domain_name Default
-    #iniset $KEYSTONE_CONF resource admin_project_name admin
-
     if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then
         iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS
         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION
@@ -510,14 +479,6 @@
 
 # start_keystone() - Start running processes
 function start_keystone {
-    # Get right service port for testing
-    local service_port=$KEYSTONE_SERVICE_PORT
-    local auth_protocol=$KEYSTONE_AUTH_PROTOCOL
-    if is_service_enabled tls-proxy; then
-        service_port=$KEYSTONE_SERVICE_PORT_INT
-        auth_protocol="http"
-    fi
-
     if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
         enable_apache_site keystone
         restart_apache_server
@@ -526,23 +487,13 @@
     fi
 
     echo "Waiting for keystone to start..."
-    # Check that the keystone service is running. Even if the tls tunnel
-    # should be enabled, make sure the internal port is checked using
-    # unencryted traffic at this point.
-    # If running in Apache, use the path rather than port.
-
+    # Check that the keystone service is running.
     local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
 
     if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
         die $LINENO "keystone did not start"
     fi
 
-    # Start proxies if enabled
-    if is_service_enabled tls-proxy; then
-        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
-        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
-    fi
-
     # (re)start memcached to make sure we have a clean memcache.
     restart_service memcached
 }
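Review bot: `$auth_protocol` on the `local service_uri=` line is now unbound — its only visible definition was the `local auth_protocol=$KEYSTONE_AUTH_PROTOCOL` block that the previous hunk removes from the top of `start_keystone`, so unless a global of that name is set elsewhere the probe URL degenerates to `://$KEYSTONE_SERVICE_HOST/identity/...` and `wait_for_service` will never see keystone come up. The old tls-proxy special case (probe the internal port over plain http) is gone as well, so the readiness check should use the scheme keystone is actually served on: `local service_uri=$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/`. `start_keystone` opens in the previous hunk; only its tail is visible here.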
@@ -561,11 +512,9 @@
 # This function uses the following GLOBAL variables:
 # - ``KEYSTONE_BIN_DIR``
 # - ``ADMIN_PASSWORD``
-# - ``IDENTITY_API_VERSION``
+# - ``KEYSTONE_AUTH_URI``
 # - ``REGION_NAME``
-# - ``KEYSTONE_SERVICE_PROTOCOL``
-# - ``KEYSTONE_SERVICE_HOST``
-# - ``KEYSTONE_SERVICE_PORT``
+# - ``KEYSTONE_SERVICE_URI``
 function bootstrap_keystone {
     $KEYSTONE_BIN_DIR/keystone-manage bootstrap \
         --bootstrap-username admin \
diff --git a/openrc b/openrc
index beeaebe..28f388b 100644
--- a/openrc
+++ b/openrc
@@ -86,7 +86,7 @@
 #
 
 # If you don't have a working .stackenv, this is the backup position
-KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000
+KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST/identity
 KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP}
 
 export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI}
diff --git a/tools/create_userrc.sh b/tools/create_userrc.sh
index f4a4edc..c7bea4a 100755
--- a/tools/create_userrc.sh
+++ b/tools/create_userrc.sh
@@ -152,7 +152,7 @@
 fi
 
 if [ -z "$OS_AUTH_URL" ]; then
-    export OS_AUTH_URL=http://localhost:5000/v3/
+    export OS_AUTH_URL=http://localhost/identity/v3/
 fi
 
 if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then
diff --git a/tools/fixup_stuff.sh b/tools/fixup_stuff.sh
index e140929..2ac8a47 100755
--- a/tools/fixup_stuff.sh
+++ b/tools/fixup_stuff.sh
@@ -26,39 +26,6 @@
     FILES=$TOP_DIR/files
 fi
 
-# Keystone Port Reservation
-# -------------------------
-# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from
-# being used as ephemeral ports by the system. The default(s) are 35357 and
-# 35358 which are in the Linux defined ephemeral port range (in disagreement
-# with the IANA ephemeral port range). This is a workaround for bug #1253482
-# where Keystone will try and bind to the port and the port will already be
-# in use as an ephemeral port by another process. This places an explicit
-# exception into the Kernel for the Keystone AUTH ports.
-function fixup_keystone {
-    keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}
-
-    # Only do the reserved ports when available, on some system (like containers)
-    # where it's not exposed we are almost pretty sure these ports would be
-    # exclusive for our DevStack.
-    if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then
-        # Get any currently reserved ports, strip off leading whitespace
-        reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')
-
-        if [[ -z "${reserved_ports}" ]]; then
-            # If there are no currently reserved ports, reserve the keystone ports
-            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}
-        else
-            # If there are currently reserved ports, keep those and also reserve the
-            # Keystone specific ports. Duplicate reservations are merged into a single
-            # reservation (or range) automatically by the kernel.
-            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}
-        fi
-    else
-        echo_summary "WARNING: unable to reserve keystone ports"
-    fi
-}
-
 # Ubuntu Repositories
 #--------------------
 # Enable universe for bionic since it is missing when installing from ISO.
@@ -208,7 +175,6 @@
 }
 
 function fixup_all {
-    fixup_keystone
     fixup_ubuntu
     fixup_fedora
     fixup_suse