[openstack-dev] [Openstack-operators] [keystone] Removing functionality that was deprecated in Kilo and upcoming deprecated functionality in Mitaka
Matthew Treinish
mtreinish at kortar.org
Mon Dec 7 23:40:58 UTC 2015
On Mon, Dec 07, 2015 at 06:18:04PM -0500, Steve Martinelli wrote:
>
> ... re-adding the operators mailing list.
>
> sounds like we should document how to do this, with the assertion that it
> is not tested with our CI.
>
> with that said, we should try to have a job that sets up keystone with
> nginx that is run periodically (similar to our eventlet job at the moment).
So, we actually run keystone with eventlet on every tempest-dsvm-postgres-full
job. It runs way more than periodically:

http://status.openstack.org/openstack-health/#/job/gate-tempest-dsvm-postgres-full

That's just a 24 hr window in the gate queue, including check, it's much more.
This has been long standing behavior ever since keystone under mod_wsgi support
was added to devstack:

https://github.com/openstack-infra/project-config/blob/master/jenkins/jobs/devstack-gate.yaml#L1395-L1429

It's 1 of 3 things that are different that make the postgres job different. I've
always viewed that job config overloading as a bug, for this exact reason.

-Matt Treinish
>
> From: Brant Knudson <blk at acm.org>
> To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev at lists.openstack.org>
> Date: 2015/12/07 05:52 PM
> Subject: Re: [openstack-dev] [Openstack-operators] [keystone] Removing
> functionality that was deprecated in Kilo and upcoming
> deprecated functionality in Mitaka
>
> On Tue, Dec 1, 2015 at 12:57 AM, Steve Martinelli <stevemar at ca.ibm.com>
> wrote:
> Trying to summarize here...
>
> - There isn't much interest in keeping eventlet around.
> - Folks are OK with running keystone in a WSGI server, but feel they are
> constrained by Apache.
> - uWSGI could help to support multiple web servers.
>
> My opinion:
>
> - Adding support for uWSGI definitely sounds like it's worth
> investigating, but not achievable in this release (unless someone already
> has something cooked up).
>
> What needs to change to support uWSGI? You can already run keystone in
> python uwsgi and then front it with nginx:
>
> $ uwsgi --socket 127.0.0.1:5001 --wsgi-file $(which keystone-wsgi-public) \
>     --honour-stdin --enable-threads --workers 6
> $ uwsgi --socket 127.0.0.1:35358 --wsgi-file $(which keystone-wsgi-admin) \
>     --honour-stdin --enable-threads --workers 6
>
> $ sudo vi /etc/nginx/sites-available/keystone
>
> server {
>     listen 5000 default_server;
>     server_name localhost;
>     location / {
>         include uwsgi_params;
>         uwsgi_pass 127.0.0.1:5001;
>         uwsgi_param SCRIPT_NAME /;
>     }
> }
> server {
>     listen 35357 default_server;
>     server_name localhost;
>     location / {
>         include uwsgi_params;
>         uwsgi_pass 127.0.0.1:35358;
>         uwsgi_param SCRIPT_NAME /;
>     }
> }
>
> $ sudo ln -s /etc/nginx/sites-available/keystone /etc/nginx/sites-enabled/
>
> $ sudo nginx
>
> and then you can make your regular curl calls.
>
> Also, you can run keystone with regular http in python uwsgi (uwsgi --http)
> and then just do normal reverse proxy (from Apache or nginx or whatever),
> which I think would be adequate for keystone.
>
> We don't do anything in keystone to stop deployments in web servers other
> than Apache. Keystone is just a regular wsgi app. We document Apache since
> it's popular and it provides mod_shib, which is the only saml2 module for
> web servers that I know of. Keystone can work with other saml2 modules and
> in different servers, it just takes the environment variables that the
> module sets and runs it through some mapping code. The mapping code has
> been shown to work with alternative authentication modules (for ldap and
> kerberos).
>
> - Brant
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
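
The plain-HTTP alternative mentioned in the quoted message (keystone under `uwsgi --http`, fronted by an ordinary reverse proxy), written out as an added example that is not part of the original thread. The backend ports are reused from the uwsgi-protocol setup quoted above; the loopback bind and the forwarded-header choices are assumptions.

```nginx
# Added example, not from the thread. Assumes the two keystone apps were
# started with uwsgi's HTTP support, bound to loopback only, e.g.:
#   uwsgi --http 127.0.0.1:5001  --wsgi-file $(which keystone-wsgi-public) \
#         --enable-threads --workers 6
#   uwsgi --http 127.0.0.1:35358 --wsgi-file $(which keystone-wsgi-admin) \
#         --enable-threads --workers 6
# With the backends on 127.0.0.1, nginx is the only network-reachable entry
# point, so TLS, rate limiting and access logging can be enforced here.

server {
    listen 5000 default_server;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:5001;

        # Pass the Host header (including port) as the client sent it, so
        # URLs the application derives from the request refer to the proxy.
        proxy_set_header Host $http_host;

        # Overwrite rather than append: a client-supplied X-Forwarded-For
        # value never reaches the backend or its logs.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 35357 default_server;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:35358;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `sudo nginx -t` before reloading checks the syntax of the new site file.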