[openstack-dev] [keystone] Do we really need two listening ports ?

Brant Knudson blk at acm.org
Wed Feb 1 16:11:34 UTC 2017

On Wed, Feb 1, 2017 at 3:54 AM, Attila Fazekas <afazekas at redhat.com> wrote:

> Hi all,
> Typically we have two keystone service listening on two separate ports
> 35357 and 5000.
> Historically one of the port had limited functionality, but today I do not
> see why we want
> to have two separate service/port from the same code base for similar
> purposes.
> Effective we use double amount of memory than it is really required,
> because both port is served by completely different worker instances,
> typically from the same physical server.
> I wonder, would it be difficult to use only a single port or at least the
> same pool of workers for all keystone(identity, auth..) purposes?
> Best Regards,
> Attila
Keystone is a wsgi application and so can be run in a web server that
forwards requests under /identity to the v2 public and v3 handlers; and
/identity_admin to the v2 admin and v3 handlers. 35357 and 5000 are not a
requirement imposed by keystone.

If you run this way you might find that applications using keystone won't
work correctly in all cases since they make the assumption that they can
build identity endpoints by truncating the URL.

Another popular deployment option is to have the different keystones on
different hosts (like identity.example.com and identity_admin.example.com).

- Brant
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170201/68125c5a/attachment.html>

More information about the OpenStack-dev mailing list