PREFERRED_VERSION_python-pika = "0.10.0%"
PREFERRED_VERSION_python-keyring = "5.3"
PREFERRED_VERSION_python-barbican = "8.0.%"
-PREFERRED_VERSION_python-keystone = "15.0.%"
+PREFERRED_VERSION_python-keystone = "16.0.%"
PREFERRED_VERSION_python-flask = "1.0.2"
PREFERRED_VERSION_python-keystonemiddleware = "5.1.%"
PREFERRED_VERSION_python-oslo.cache= "1.26.%"
+++ /dev/null
-#!/bin/sh
-# Copyright (c) 2013-2018 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-### BEGIN INIT INFO
-# Provides: OpenStack Keystone-wsgi
-# Required-Start: networking
-# Required-Stop: networking
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: OpenStack Keystone
-# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server
-#
-### END INIT INFO
-
-RETVAL=0
-#public 5000
-
-DESC_PUBLIC="openstack-keystone"
-
-PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid"
-
-PYTHON=`which python`
-
-source /etc/keystone/keystone-extra.conf
-source /etc/platform/platform.conf
-
-if [ -n ${@:2:1} ] ; then
- if [ ${@:2:1}="--public-bind-addr" ] ; then
- PUBLIC_BIND_ADDR_CMD=${@:3:1}
- fi
-fi
-
-
-###
-EXEC="/usr/bin/gunicorn"
-
-WORKER="eventlet"
-# Increased timeout to facilitate large image uploads
-TIMEOUT="200"
-
-# Calculate the no of workers based on the number of workers retrieved by
-# Platform Eng which is retreived from the keystone-extra.conf
-
-if [ "$system_type" == "All-in-one" ]; then
- TIS_WORKERS_FACTOR=1
-else
- TIS_WORKERS_FACTOR=1.5
-fi
-TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc )
-TIS_WORKERS=${TIS_WORKERS%.*}
-
-#--max-requests , --max-requests-jitter Configuration
-#--max-requests = The max number of requests a worker will process before restarting
-#--max-requests-jitter = The maximum jitter to add to the max_requests setting.
-MAX_REQUESTS=100000
-MAX_REQ_JITTER_CAP_FACTOR=0.5
-MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc)
-MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*}
-
-
-start()
-{
- # Got proper no of workers . Starting gunicorn now
- echo -e "Initialising keystone service using gunicorn .. \n"
-
- if [ -z "$PUBLIC_BIND_ADDR" ]; then
- echo "Keystone floating ip not found . Cannot start services. Exiting .."
- exit 1
- fi
- BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000
-
- if [ -e $PIDFILE_PUBLIC ]; then
- PIDDIR=/proc/$(cat $PIDFILE_PUBLIC)
- if [ -d ${PIDDIR} ]; then
- echo "$DESC_PUBLIC already running."
- exit 1
- else
- echo "Removing stale PID file $PIDFILE_PUBLIC"
- rm -f $PIDFILE_PUBLIC
- fi
- fi
-
- echo -e "Starting $DESC_PUBLIC...\n";
- echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ;
-
- echo -e "Starting keystone process at port 5000 \n" ;
-
- start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \
- --make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \
- --worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \
- --max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \
- --log-syslog \
- --pythonpath '/usr/share/keystone' public:application --name keystone-public
-
- RETVAL=$?
- if [ $RETVAL -eq 0 ]; then
- echo -e "Keystone started at port 5000... \n"
- else
- echo -e "Failed to start Keystone .. \n"
- fi
-}
-
-stop()
-{
- if [ -e $PIDFILE_PUBLIC ]; then
- start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC
- RETVAL_PUBLIC=$?
- if [ $RETVAL_PUBLIC -eq 0 ]; then
- echo "Stopped $DESC_PUBLIC."
- else
- echo "Stopping failed - $PIDFILE_PUBLIC"
- fi
- rm -f $PIDFILE_PUBLIC
- else
- echo "Already stopped - $PIDFILE_PUBLIC"
- fi
-}
-
-status()
-{
- pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null`
-
- if [ -n "$pid_public" ]; then
- echo -e "\033[32m $DESC_PUBLIC is running..\033[0m"
- else
- echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m"
- fi
-}
-
-
-
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart|force-reload|reload)
- stop
- start
- ;;
- status)
- status
- ;;
- *)
- #echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}"
- start
- #RETVAL=1
- ;;
-esac
-
-exit $RETVAL
+++ /dev/null
-#!/bin/bash
-
-#
-# Wrapper script to rotate keystone fernet keys on active controller only
-#
-KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info"
-KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone"
-
-function is_active_pgserver()
-{
- # Determine whether we're running on the same controller as the service.
- local service=postgres
- local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active)
- if [ "x$enabledactive" == "x" ]
- then
- # enabled-active not found for that service on this controller
- return 1
- else
- # enabled-active found for that resource
- return 0
- fi
-}
-
-if is_active_pgserver
-then
- if [ ! -f ${KEYSTONE_KEYS_ROTATE_INFO} ]
- then
- echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO}
- fi
-
- source ${KEYSTONE_KEYS_ROTATE_INFO}
- sudo -u postgres psql -d sysinv -c "SELECT alarm_id, entity_instance_id from i_alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null
- if [ $? -eq 0 ]
- then
- source /etc/platform/platform.conf
- if [ "${system_type}" = "All-in-one" ]
- then
- source /etc/init.d/task_affinity_functions.sh
- idle_core=$(get_most_idle_core)
- if [ "$idle_core" -ne "0" ]
- then
- sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}"
- sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
- exit 0
- fi
- fi
-
- if [ "$delay_count" -lt "3" ]
- then
- newval=$(($delay_count+1))
- sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO}
- (sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) &
- exit 0
- fi
-
- fi
-
- eval ${KEYSTONE_KEYS_ROTATE_CMD}
- sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO}
-
-fi
-
-exit 0
-
+++ /dev/null
-[Unit]
-Description=OpenStack Identity Service (code-named Keystone)
-After=syslog.target network.target
-
-[Service]
-Type=forking
-#ReminAfterExit is set to yes as we have 2 pids to monitor
-RemainAfterExit=yes
-ExecStart=/usr/bin/keystone-all start
-ExecStop=/usr/bin/keystone-all stop
-ExecReload=/usr/bin/keystone-all reload
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-
-# The password rules captures the [security_compliance]
-# section of the generic Keystone configuration (keystone.conf)
-# This configuration is used to statically define the password
-# rules for password validation in pre-Keystone environments
-#
-# N.B: Only set non-default keys here (default commented configuration
-# items not needed)
-
-[security_compliance]
-
-#
-# From keystone
-#
-
-# This controls the number of previous user password iterations to keep in
-# history, in order to enforce that newly created passwords are unique. Setting
-# the value to one (the default) disables this feature. Thus, to enable this
-# feature, values must be greater than 1. This feature depends on the `sql`
-# backend for the `[identity] driver`. (integer value)
-# Minimum value: 1
-unique_last_password_count = 2
-
-# The regular expression used to validate password strength requirements. By
-# default, the regular expression will match any password. The following is an
-# example of a pattern which requires at least 1 letter, 1 digit, and have a
-# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature
-# depends on the `sql` backend for the `[identity] driver`. (string value)
-password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$
-
-# Describe your password regular expression here in language for humans. If a
-# password fails to match the regular expression, the contents of this
-# configuration variable will be returned to users to explain why their
-# requested password was insufficient. (string value)
-password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character
+++ /dev/null
-# Copyright (c) 2013-2017 Wind River Systems, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-from keystone.server import wsgi as wsgi_server
-
-import sys
-sys.argv = sys.argv[:1]
-
-application = wsgi_server.initialize_public_application()
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2"
-SRCREV = "c78581b4608f3dc10e945d358963000f284f188a"
+SRCREV = "dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e"
SRCNAME = "keystone"
-PROTOCOL = "git"
-BRANCH = "stable/stein"
+PROTOCOL = "https"
+BRANCH = "stable/train"
S = "${WORKDIR}/git"
-PV = "15.0.0+git${SRCPV}"
-
+PV = "16.0.0+git${SRCPV}"
SRC_URI = " \
- git://opendev.org/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
- file://${PN}/keystone.conf \
- file://${PN}/identity.sh \
- file://${PN}/convert_keystone_backend.py \
- file://${PN}/wsgi-keystone.conf \
- file://${PN}/admin-openrc \
- file://${PN}/keystone-init.service \
- file://${PN}/stx-files/openstack-keystone.service \
- file://${PN}/stx-files/keystone-all \
- file://${PN}/stx-files/keystone-fernet-keys-rotate-active \
- file://${PN}/stx-files/public.py \
- file://${PN}/stx-files/password-rules.conf \
+ git://github.com/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \
+ file://${BPN}/keystone.conf \
+ file://${BPN}/identity.sh \
+ file://${BPN}/convert_keystone_backend.py \
+ file://${BPN}/wsgi-keystone.conf \
+ file://${BPN}/admin-openrc \
+ file://${BPN}/keystone-init.service \
"
+inherit setuptools identity hosts default_configs monitor useradd systemd
+inherit stx-metadata
-inherit setuptools identity hosts default_configs monitor useradd systemd
+STX_REPO = "upstream"
+STX_SUBPATH = "openstack/python-keystone/centos"
+
+SRC_URI_STX = " \
+ file://patches/0001-Rebasing-Keyring-integration.patch \
+ "
SERVICE_TOKEN = "password"
TOKEN_FORMAT ?= "PKI"
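Review bot: The lines added with `inherit stx-metadata` (`STX_REPO = "upstream"`, `STX_SUBPATH`, `SRC_URI_STX`) take `0001-Rebasing-Keyring-integration.patch` from a second repository, and nothing visible in this recipe pins that repository's revision the way `SRCREV` pins keystone itself. If the class does not pin it elsewhere, code patched into the identity service can change without any change to this layer. The install lines further down that read `keystone-all`, `keystone-fernet-keys-rotate-active` and `password-rules.conf` from `${STX_METADATA_PATH}/files/` depend on the same checkout, so the service start script, the fernet key rotation script and the password policy are affected too. I would add a comment above `STX_REPO` such as `# patch and files/ come from the StarlingX "upstream" repo; revision is pinned in <location of the pin>`, and confirm that the patch from the `centos` subpath still applies cleanly to 16.0.0.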
# Setup the systemd service file
install -d ${D}${systemd_system_unitdir}/
- install -m 644 ${WORKDIR}/${PN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
+ install -m 644 ${WORKDIR}/${BPN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service
mv ${D}/${datadir}/etc/keystone/sso_callback_template.html ${KEYSTONE_CONF_DIR}/
rm -rf ${D}/${datadir}
# Setup the admin-openrc file
KS_OPENRC_FILE=${KEYSTONE_CONF_DIR}/admin-openrc
- install -m 600 ${WORKDIR}/${PN}/admin-openrc ${KS_OPENRC_FILE}
+ install -m 600 ${WORKDIR}/${BPN}/admin-openrc ${KS_OPENRC_FILE}
sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KS_OPENRC_FILE}
sed -e "s:%ADMIN_USER%:${ADMIN_USER}:g" -i ${KS_OPENRC_FILE}
sed -e "s:%ADMIN_PASSWORD%:${ADMIN_PASSWORD}:g" -i ${KS_OPENRC_FILE}
# permissions as packages such as Apache require read access.
#
# Apache needs to read the keystone.conf
- install -m 644 ${WORKDIR}/${PN}/keystone.conf ${KEYSTONE_CONF_DIR}/
+ install -m 644 ${WORKDIR}/${BPN}/keystone.conf ${KEYSTONE_CONF_DIR}/
# Apache needs to read the wsgi-keystone.conf
- install -m 644 ${WORKDIR}/${PN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
+ install -m 644 ${WORKDIR}/${BPN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf
install -m 600 ${S}${sysconfdir}/logging.conf.sample ${KEYSTONE_CONF_DIR}/logging.conf
# Copy examples from upstream
role_tree_dn = ou=Roles,${LDAP_DN} \
' ${KEYSTONE_CONF_FILE}
- install -m 0755 ${WORKDIR}/${PN}/convert_keystone_backend.py \
+ install -m 0755 ${WORKDIR}/${BPN}/convert_keystone_backend.py \
${D}${sysconfdir}/keystone/convert_keystone_backend.py
fi
- install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
- install -m 440 ${WORKDIR}/${PN}/stx-files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
+ install -m 755 ${STX_METADATA_PATH}/files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active
+ install -m 440 ${STX_METADATA_PATH}/files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf
install -m 755 -d ${KEYSTONE_DATA_DIR}
- install -m 755 ${WORKDIR}/${PN}/stx-files/public.py ${KEYSTONE_DATA_DIR}/public.py
- install -m 644 ${WORKDIR}/${PN}/stx-files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
- install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-all ${D}${bindir}/keystone-all
+ install -m 755 ${STX_METADATA_PATH}/files/public.py ${KEYSTONE_DATA_DIR}/public.py
+ install -m 644 ${STX_METADATA_PATH}/files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service
+ install -m 755 ${STX_METADATA_PATH}/files/keystone-all ${D}${bindir}/keystone-all
}