From 57f51243aa3f638064155671da92722ac9ff6091 Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Thu, 3 Jun 2021 14:15:10 +0800 Subject: [PATCH] python-keystone: uprev to 16.0.0 for stx 5.0 * update the branch and SRCREV * update the preferred version * use BPN instead of PN in some places * inherit stx-metadata to help apply patches and install files from stx 'upstream' repo * remove the local copy of stx patches Issue-ID: INF-215 Signed-off-by: Jackie Huang Change-Id: I999487bd99733a63d3a835ea595718a59349de6d
---
 .../conf/distro/include/stx-preferred-vers.inc | 2 +- .../files/python-keystone/stx-files/keystone-all | 156 --------------------- .../stx-files/keystone-fernet-keys-rotate-active | 64 --------- .../stx-files/openstack-keystone.service | 14 -- .../python-keystone/stx-files/password-rules.conf | 35 ----- .../files/python-keystone/stx-files/public.py | 21 --- .../recipes-devtools/python/python-keystone_git.bb | 57 ++++---- 7 files changed, 30 insertions(+), 319 deletions(-) delete mode 100644 meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-all delete mode 100644 meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-fernet-keys-rotate-active delete mode 100644 meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/openstack-keystone.service delete mode 100644 meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/password-rules.conf delete mode 100644 meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/public.py
diff --git a/meta-starlingx/meta-stx-distro/conf/distro/include/stx-preferred-vers.inc b/meta-starlingx/meta-stx-distro/conf/distro/include/stx-preferred-vers.inc
index a1880c3..dcb23d1 100644
--- a/meta-starlingx/meta-stx-distro/conf/distro/include/stx-preferred-vers.inc
+++ b/meta-starlingx/meta-stx-distro/conf/distro/include/stx-preferred-vers.inc
@@ -13,7 +13,7 @@ PREFERRED_VERSION_python-expect = "4.6.0"
 PREFERRED_VERSION_python-pika = "0.10.0%"
 PREFERRED_VERSION_python-keyring = "5.3"
 PREFERRED_VERSION_python-barbican = "8.0.%"
-PREFERRED_VERSION_python-keystone = "15.0.%"
+PREFERRED_VERSION_python-keystone = "16.0.%"
 PREFERRED_VERSION_python-flask = "1.0.2"
 PREFERRED_VERSION_python-keystonemiddleware = "5.1.%"
 PREFERRED_VERSION_python-oslo.cache= "1.26.%"
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-all b/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-all
deleted file mode 100644
index bde324b..0000000
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-all
+++ /dev/null
@@ -1,156 +0,0 @@ -#!/bin/sh -# Copyright (c) 2013-2018 Wind River Systems, Inc. -# -# SPDX-License-Identifier: Apache-2.0 -# - -### BEGIN INIT INFO -# Provides: OpenStack Keystone-wsgi -# Required-Start: networking -# Required-Stop: networking -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: OpenStack Keystone -# Description: Openstack Identitiy service running on WSGI compatable gunicorn web server -# -### END INIT INFO - -RETVAL=0 -#public 5000 - -DESC_PUBLIC="openstack-keystone" - -PIDFILE_PUBLIC="/var/run/$DESC_PUBLIC.pid" - -PYTHON=`which python` - -source /etc/keystone/keystone-extra.conf -source /etc/platform/platform.conf - -if [ -n ${@:2:1} ] ; then - if [ ${@:2:1}="--public-bind-addr" ] ; then - PUBLIC_BIND_ADDR_CMD=${@:3:1} - fi -fi - - -### -EXEC="/usr/bin/gunicorn" - -WORKER="eventlet" -# Increased timeout to facilitate large image uploads -TIMEOUT="200" - -# Calculate the no of workers based on the number of workers retrieved by -# Platform Eng which is retreived from the keystone-extra.conf - -if [ "$system_type" == "All-in-one" ]; then - TIS_WORKERS_FACTOR=1 -else - TIS_WORKERS_FACTOR=1.5 -fi -TIS_WORKERS=$(echo "${TIS_WORKERS_FACTOR}*${TIS_PUBLIC_WORKERS}"|bc ) -TIS_WORKERS=${TIS_WORKERS%.*} - -#--max-requests , --max-requests-jitter Configuration -#--max-requests = The max number of requests a worker will process before restarting -#--max-requests-jitter = The maximum jitter to add to the max_requests setting. -MAX_REQUESTS=100000 -MAX_REQ_JITTER_CAP_FACTOR=0.5 -MAX_REQ_JITTER_PUBLIC=$(echo "${TIS_WORKERS}*${MAX_REQ_JITTER_CAP_FACTOR}+1"|bc) -MAX_REQ_JITTER_PUBLIC=${MAX_REQ_JITTER_PUBLIC%.*} - - -start() -{ - # Got proper no of workers . Starting gunicorn now - echo -e "Initialising keystone service using gunicorn .. \n" - - if [ -z "$PUBLIC_BIND_ADDR" ]; then - echo "Keystone floating ip not found . Cannot start services. Exiting .." 
- exit 1 - fi - BIND_PUBLIC=$PUBLIC_BIND_ADDR:5000 - - if [ -e $PIDFILE_PUBLIC ]; then - PIDDIR=/proc/$(cat $PIDFILE_PUBLIC) - if [ -d ${PIDDIR} ]; then - echo "$DESC_PUBLIC already running." - exit 1 - else - echo "Removing stale PID file $PIDFILE_PUBLIC" - rm -f $PIDFILE_PUBLIC - fi - fi - - echo -e "Starting $DESC_PUBLIC...\n"; - echo -e "Worker is ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} --max_requests ${MAX_REQUESTS} --max_request_jitter public ${MAX_REQ_JITTER_PUBLIC}\n" ; - - echo -e "Starting keystone process at port 5000 \n" ; - - start-stop-daemon --start --quiet --background --pidfile ${PIDFILE_PUBLIC} \ - --make-pidfile --exec ${PYTHON} -- ${EXEC} --bind ${BIND_PUBLIC} \ - --worker-class ${WORKER} --workers ${TIS_WORKERS} --timeout ${TIMEOUT} \ - --max-requests ${MAX_REQUESTS} --max-requests-jitter ${MAX_REQ_JITTER_PUBLIC} \ - --log-syslog \ - --pythonpath '/usr/share/keystone' public:application --name keystone-public - - RETVAL=$? - if [ $RETVAL -eq 0 ]; then - echo -e "Keystone started at port 5000... \n" - else - echo -e "Failed to start Keystone .. \n" - fi -} - -stop() -{ - if [ -e $PIDFILE_PUBLIC ]; then - start-stop-daemon --stop --quiet --pidfile $PIDFILE_PUBLIC - RETVAL_PUBLIC=$? - if [ $RETVAL_PUBLIC -eq 0 ]; then - echo "Stopped $DESC_PUBLIC." - else - echo "Stopping failed - $PIDFILE_PUBLIC" - fi - rm -f $PIDFILE_PUBLIC - else - echo "Already stopped - $PIDFILE_PUBLIC" - fi -} - -status() -{ - pid_public=`cat $PIDFILE_PUBLIC 2>/dev/null` - - if [ -n "$pid_public" ]; then - echo -e "\033[32m $DESC_PUBLIC is running..\033[0m" - else - echo -e "\033[31m $DESC_PUBLIC is not running..\033[0m" - fi -} - - - -case "$1" in - start) - start - ;; - stop) - stop - ;; - restart|force-reload|reload) - stop - start - ;; - status) - status - ;; - *) - #echo "Usage: $0 {start|stop|force-reload|restart|reload|status} OR {/usr/bin/keystone-all start --public-bind-addr xxx.xxx.xxx}" - start - #RETVAL=1 - ;; -esac - -exit $RETVAL 
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-fernet-keys-rotate-active b/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-fernet-keys-rotate-active
deleted file mode 100644
index 8080ea0..0000000
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/keystone-fernet-keys-rotate-active
+++ /dev/null
@@ -1,64 +0,0 @@ -#!/bin/bash - -# -# Wrapper script to rotate keystone fernet keys on active controller only -# -KEYSTONE_KEYS_ROTATE_INFO="/var/run/keystone-keys-rotate.info" -KEYSTONE_KEYS_ROTATE_CMD="/usr/bin/nice -n 2 /usr/bin/keystone-manage fernet_rotate --keystone-user keystone --keystone-group keystone" - -function is_active_pgserver() -{ - # Determine whether we're running on the same controller as the service. - local service=postgres - local enabledactive=$(/usr/bin/sm-query service $service| grep enabled-active) - if [ "x$enabledactive" == "x" ] - then - # enabled-active not found for that service on this controller - return 1 - else - # enabled-active found for that resource - return 0 - fi -} - -if is_active_pgserver -then - if [ ! -f ${KEYSTONE_KEYS_ROTATE_INFO} ] - then - echo delay_count=0 > ${KEYSTONE_KEYS_ROTATE_INFO} - fi - - source ${KEYSTONE_KEYS_ROTATE_INFO} - sudo -u postgres psql -d sysinv -c "SELECT alarm_id, entity_instance_id from i_alarm;" | grep -P "^(?=.*100.101)(?=.*${HOSTNAME})" &>/dev/null - if [ $? -eq 0 ] - then - source /etc/platform/platform.conf - if [ "${system_type}" = "All-in-one" ] - then - source /etc/init.d/task_affinity_functions.sh - idle_core=$(get_most_idle_core) - if [ "$idle_core" -ne "0" ] - then - sh -c "exec taskset -c $idle_core ${KEYSTONE_KEYS_ROTATE_CMD}" - sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO} - exit 0 - fi - fi - - if [ "$delay_count" -lt "3" ] - then - newval=$(($delay_count+1)) - sed -i "/delay_count/s/=.*/=$newval/" ${KEYSTONE_KEYS_ROTATE_INFO} - (sleep 3600; /usr/bin/keystone-fernet-keys-rotate-active) & - exit 0 - fi - - fi - - eval ${KEYSTONE_KEYS_ROTATE_CMD} - sed -i "/delay_count/s/=.*/=0/" ${KEYSTONE_KEYS_ROTATE_INFO} - -fi - -exit 0 - 
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/openstack-keystone.service b/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/openstack-keystone.service
deleted file mode 100644
index a72aa84..0000000
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/openstack-keystone.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=OpenStack Identity Service (code-named Keystone)
-After=syslog.target network.target
-
-[Service]
-Type=forking
-#ReminAfterExit is set to yes as we have 2 pids to monitor
-RemainAfterExit=yes
-ExecStart=/usr/bin/keystone-all start
-ExecStop=/usr/bin/keystone-all stop
-ExecReload=/usr/bin/keystone-all reload
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/password-rules.conf b/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/password-rules.conf
deleted file mode 100644
index 6ecd43c..0000000
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/password-rules.conf
+++ /dev/null
@@ -1,35 +0,0 @@ - -# The password rules captures the [security_compliance] -# section of the generic Keystone configuration (keystone.conf) -# This configuration is used to statically define the password -# rules for password validation in pre-Keystone environments -# -# N.B: Only set non-default keys here (default commented configuration -# items not needed) - -[security_compliance] - -# -# From keystone -# - -# This controls the number of previous user password iterations to keep in -# history, in order to enforce that newly created passwords are unique. Setting -# the value to one (the default) disables this feature. Thus, to enable this -# feature, values must be greater than 1. This feature depends on the `sql` -# backend for the `[identity] driver`. (integer value) -# Minimum value: 1 -unique_last_password_count = 2 - -# The regular expression used to validate password strength requirements. By -# default, the regular expression will match any password. The following is an -# example of a pattern which requires at least 1 letter, 1 digit, and have a -# minimum length of 7 characters: ^(?=.*\d)(?=.*[a-zA-Z]).{7,}$ This feature -# depends on the `sql` backend for the `[identity] driver`. (string value) -password_regex = ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*()<>{}+=_\\\[\]\-?|~`,.;:]).{7,}$ - -# Describe your password regular expression here in language for humans. If a -# password fails to match the regular expression, the contents of this -# configuration variable will be returned to users to explain why their -# requested password was insufficient. (string value) -password_regex_description = Password must have a minimum length of 7 characters, and must contain at least 1 upper case, 1 lower case, 1 digit, and 1 special character 
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/public.py b/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/public.py
deleted file mode 100644
index d3a29f3..0000000
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/files/python-keystone/stx-files/public.py
+++ /dev/null
@@ -1,21 +0,0 @@
-# Copyright (c) 2013-2017 Wind River Systems, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-from keystone.server import wsgi as wsgi_server
-
-import sys
-sys.argv = sys.argv[:1]
-
-application = wsgi_server.initialize_public_application()
diff --git a/meta-starlingx/meta-stx-integ/recipes-devtools/python/python-keystone_git.bb b/meta-starlingx/meta-stx-integ/recipes-devtools/python/python-keystone_git.bb
index 342523c..0b2e348 100644
--- a/meta-starlingx/meta-stx-integ/recipes-devtools/python/python-keystone_git.bb
+++ b/meta-starlingx/meta-stx-integ/recipes-devtools/python/python-keystone_git.bb
@@ -5,31 +5,32 @@ SECTION = "devel/python" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=1dece7821bf3fd70fe1309eaa37d52a2" -SRCREV = "c78581b4608f3dc10e945d358963000f284f188a" +SRCREV = "dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e" SRCNAME = "keystone" -PROTOCOL = "git" -BRANCH = "stable/stein" +PROTOCOL = "https" +BRANCH = "stable/train" S = "${WORKDIR}/git" -PV = "15.0.0+git${SRCPV}" - +PV = "16.0.0+git${SRCPV}" SRC_URI = " \ - git://opendev.org/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \ - file://${PN}/keystone.conf \ - file://${PN}/identity.sh \ - file://${PN}/convert_keystone_backend.py \ - file://${PN}/wsgi-keystone.conf \ - file://${PN}/admin-openrc \ - file://${PN}/keystone-init.service \ - file://${PN}/stx-files/openstack-keystone.service \ - file://${PN}/stx-files/keystone-all \ - file://${PN}/stx-files/keystone-fernet-keys-rotate-active \ - file://${PN}/stx-files/public.py \ - file://${PN}/stx-files/password-rules.conf \ + git://github.com/openstack/${SRCNAME}.git;protocol=${PROTOCOL};branch=${BRANCH} \ + file://${BPN}/keystone.conf \ + file://${BPN}/identity.sh \ + file://${BPN}/convert_keystone_backend.py \ + file://${BPN}/wsgi-keystone.conf \ + file://${BPN}/admin-openrc \ + file://${BPN}/keystone-init.service \ " +inherit setuptools identity hosts default_configs monitor useradd systemd +inherit stx-metadata -inherit setuptools identity hosts default_configs monitor useradd systemd +STX_REPO = "upstream" +STX_SUBPATH = "openstack/python-keystone/centos" + +SRC_URI_STX = " \ + file://patches/0001-Rebasing-Keyring-integration.patch \ + " SERVICE_TOKEN = "password" TOKEN_FORMAT ?= "PKI" 
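Review bot: Nothing visible in this hunk pins the revision of the StarlingX repo that `STX_REPO = "upstream"` / `STX_SUBPATH` point at, while the keystone source itself stays fixed by `SRCREV`. After this change the patch in `SRC_URI_STX` and the `${STX_METADATA_PATH}/files/...` install lines in the `@@ -170,17 +171,17 @@` hunk (`keystone-all`, `keystone-fernet-keys-rotate-active`, `password-rules.conf`, `public.py`, the service unit) come from that repo instead of the in-tree copies the commit deletes. Presumably the `stx-metadata` class resolves a fixed commit; if so, say where next to `STX_REPO`, e.g. `# stx 'upstream' revision is pinned in <file that sets it>; patch and files below come from that commit`. If it tracks a branch instead, the installed launcher and key-rotation script can change without any change to this recipe.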
@@ -83,14 +84,14 @@ do_install_append() { # Setup the systemd service file install -d ${D}${systemd_system_unitdir}/ - install -m 644 ${WORKDIR}/${PN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service + install -m 644 ${WORKDIR}/${BPN}/keystone-init.service ${D}${systemd_system_unitdir}/keystone-init.service mv ${D}/${datadir}/etc/keystone/sso_callback_template.html ${KEYSTONE_CONF_DIR}/ rm -rf ${D}/${datadir} # Setup the admin-openrc file KS_OPENRC_FILE=${KEYSTONE_CONF_DIR}/admin-openrc - install -m 600 ${WORKDIR}/${PN}/admin-openrc ${KS_OPENRC_FILE} + install -m 600 ${WORKDIR}/${BPN}/admin-openrc ${KS_OPENRC_FILE} sed -e "s:%CONTROLLER_IP%:${CONTROLLER_IP}:g" -i ${KS_OPENRC_FILE} sed -e "s:%ADMIN_USER%:${ADMIN_USER}:g" -i ${KS_OPENRC_FILE} sed -e "s:%ADMIN_PASSWORD%:${ADMIN_PASSWORD}:g" -i ${KS_OPENRC_FILE} @@ -99,9 +100,9 @@ do_install_append() { # permissions as packages such as Apache require read access. # # Apache needs to read the keystone.conf - install -m 644 ${WORKDIR}/${PN}/keystone.conf ${KEYSTONE_CONF_DIR}/ + install -m 644 ${WORKDIR}/${BPN}/keystone.conf ${KEYSTONE_CONF_DIR}/ # Apache needs to read the wsgi-keystone.conf - install -m 644 ${WORKDIR}/${PN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf + install -m 644 ${WORKDIR}/${BPN}/wsgi-keystone.conf ${APACHE_CONF_DIR}/keystone.conf install -m 600 ${S}${sysconfdir}/logging.conf.sample ${KEYSTONE_CONF_DIR}/logging.conf # Copy examples from upstream 
@@ -170,17 +171,17 @@ role_name_attribute = ou \ role_tree_dn = ou=Roles,${LDAP_DN} \ ' ${KEYSTONE_CONF_FILE} - install -m 0755 ${WORKDIR}/${PN}/convert_keystone_backend.py \ + install -m 0755 ${WORKDIR}/${BPN}/convert_keystone_backend.py \ ${D}${sysconfdir}/keystone/convert_keystone_backend.py fi - install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active - install -m 440 ${WORKDIR}/${PN}/stx-files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf + install -m 755 ${STX_METADATA_PATH}/files/keystone-fernet-keys-rotate-active ${D}/${bindir}/keystone-fernet-keys-rotate-active + install -m 440 ${STX_METADATA_PATH}/files/password-rules.conf ${KEYSTONE_CONF_DIR}/password-rules.conf install -m 755 -d ${KEYSTONE_DATA_DIR} - install -m 755 ${WORKDIR}/${PN}/stx-files/public.py ${KEYSTONE_DATA_DIR}/public.py - install -m 644 ${WORKDIR}/${PN}/stx-files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service - install -m 755 ${WORKDIR}/${PN}/stx-files/keystone-all ${D}${bindir}/keystone-all + install -m 755 ${STX_METADATA_PATH}/files/public.py ${KEYSTONE_DATA_DIR}/public.py + install -m 644 ${STX_METADATA_PATH}/files/openstack-keystone.service ${D}${systemd_system_unitdir}/openstack-keystone.service + install -m 755 ${STX_METADATA_PATH}/files/keystone-all ${D}${bindir}/keystone-all } -- 2.16.6
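Review bot: `public.py` is still installed with mode 755 on the new `${STX_METADATA_PATH}/files/public.py` line, although the `keystone-all` copy deleted by this commit only imports it through gunicorn (`--pythonpath '/usr/share/keystone' public:application`). Unless the upstream launcher executes it directly, `install -m 644 ${STX_METADATA_PATH}/files/public.py ${KEYSTONE_DATA_DIR}/public.py` is enough. The rewritten lines also mix `${D}/${bindir}` and `${D}${bindir}`; the second form avoids the doubled slash. `do_install_append` begins before this hunk, so the definitions of `KEYSTONE_CONF_DIR` and `KEYSTONE_DATA_DIR` are not visible here.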