[Openstack] Horizon, keystone/HTTPD config issue

Michael Hearn mike.hearn at oracle.com
Tue Apr 8 18:56:19 UTC 2014


Guys
Really appreciate your replies on the question of external 
authentication and httpd config. I have been able to move things 
along; however, a glaring issue remains with Horizon. It is unclear to 
me how, or if, access to the dashboard is possible when external 
authentication is enabled.
Are there additional configuration updates required?


Thanks
Mike

On 31/03/2014 19:30, Ali, Haneef wrote:
>
> This will work. Couple of suggestions
>
> Create file "/usr/lib/cgi-bin/keystone/admin".
>
> Instead of this, you can link to httpd/keystone.py
>
> Also you may want to check the default MPM mode for Apache. Most 
> probably it will be worker-process. There you can configure the number 
> of servers used to serve the request, which is different from the keystone 
> process
>
> Thanks
>
> Haneef
>
> *From:*Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Sent:* Monday, March 31, 2014 11:01 AM
> *To:* mike.hearn; openstack at lists.openstack.org
> *Subject:* Re: [Openstack] keystone/HTTPD config issue
>
> This is my Icehouse documentation, I don't know if it will work with 
> Havana:
>
> Mark
>
>
> 1.2 Keystone files changed (WSGI):
>
> *NOTE*: The Apache2 WSGI configuration scripts below replace the 
> "/etc/init.d/keystone" startup script
>
> Create/configure file "/etc/apache2/sites-available/keystone.conf" to 
> match your keystone installation and server.
>
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=6
>   
> Listen 0.0.0.0:5000
> <VirtualHost _default_:5000>
>   
>      LogLevel debug
>      ErrorLog /var/log/keystone/keystone.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>   
>      SSLEngine on
>      SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
>      SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
>   
>      SSLProtocol all -SSLv2
>      SSLVerifyClient none
>   
>      WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
>      WSGIProcessGroup keystone
>      SetEnv nokeepalive ssl-unclean-shutdown
> </VirtualHost>
>   
> Listen 0.0.0.0:35357
> <VirtualHost _default_:35357>
>   
>      LogLevel debug
>      ErrorLog /var/log/keystone/keystone.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>   
>      SSLEngine on
>      SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
>      SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
>   
>      SSLProtocol all -SSLv2
>      SSLVerifyClient none
>   
>      WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/admin
>      WSGIProcessGroup keystone
>      SetEnv nokeepalive ssl-unclean-shutdown
>   
> </VirtualHost>
>
> *Note*: By changing the SSL_Engine variable in this file you can turn 
> on and off the Apache2-SSL frontend to Keystone.
>
> Now link keystone sites-enabled to keystone sites-available
>
> sudo ln -s /etc/apache2/sites-available/keystone.conf /etc/apache2/sites-enabled/keystone.conf
>
> Create directory "/usr/lib/cgi-bin/keystone"
>
> sudo mkdir /usr/lib/cgi-bin
>
> sudo mkdir /usr/lib/cgi-bin/keystone
>
> Create file "/usr/lib/cgi-bin/keystone/admin".
>
> import logging
> import os
>   
> from paste import deploy
>   
> from keystone.openstack.common import gettextutils
>   
> from keystone.common import dependency
> from keystone.common import environment
> from keystone.common import sql
> from keystone import config
> from keystone.openstack.common import log
> from keystone import service
>   
> # NOTE(blk-u):
> # gettextutils.install() must run to set _ before importing any modules that
> # contain static translated strings.
> gettextutils.install('keystone', lazy=True)
>   
> CONF = config.CONF
>   
> config.configure()
> sql.initialize()
> config.set_default_for_default_log_levels()
>   
> CONF(project='keystone')
> config.setup_logging()
>   
> environment.use_stdlib()
> #name = os.path.basename(__file__)
> name = "admin"
>   
> if CONF.debug:
>      CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
>   
>   
> drivers = service.load_backends()
>   
> # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
> # The following is a reference to Python Paste Deploy documentation
> #http://pythonpaste.org/deploy/
> application = deploy.loadapp('config:%s' % config.find_paste_config(),
>                               name=name)
>   
> dependency.resolve_future_dependencies()
>
> Also create file "/usr/lib/cgi-bin/keystone/main".
>
> import logging
> import os
>   
> from paste import deploy
>   
> from keystone.openstack.common import gettextutils
>   
> from keystone.common import dependency
> from keystone.common import environment
> from keystone.common import sql
> from keystone import config
> from keystone.openstack.common import log
> from keystone import service
>   
> # NOTE(blk-u):
> # gettextutils.install() must run to set _ before importing any modules that
> # contain static translated strings.
> gettextutils.install('keystone', lazy=True)
>   
> CONF = config.CONF
>   
> config.configure()
> sql.initialize()
> config.set_default_for_default_log_levels()
>   
> CONF(project='keystone')
> config.setup_logging()
>   
> environment.use_stdlib()
> #name = os.path.basename(__file__)
> name = "main"
>   
> if CONF.debug:
>      CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
>   
>   
> drivers = service.load_backends()
>   
> # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
> # The following is a reference to Python Paste Deploy documentation
> #http://pythonpaste.org/deploy/
> application = deploy.loadapp('config:%s' % config.find_paste_config(),
>                               name=name)
>   
> dependency.resolve_future_dependencies()
>
> If the keystone service is running, shut it down because the Apache2 
> service will now start it up with as many instances of keystone as are 
> specified on the first line of file 
> "/etc/apache2/sites-available/keystone.conf".
>
> sudo service keystone stop
>
> *From:*mike.hearn [mailto:mike.hearn at oracle.com]
> *Sent:* Monday, March 31, 2014 10:22 AM
> *To:* openstack at lists.openstack.org
> *Subject:* [Openstack] keystone/HTTPD config issue
>
> Hoping someone can offer some help / guidance.
>
> I am trying to configure keystone to run in HTTPD.
> Release: Havana
> OS: EL 6.5
>
> Following documentation I have configured a VirtualHost in my 
> webserver and made the necessary updates in keystone.conf  
> (admin_port, public_port, admin_endpoint, public_endpoint, external 
> driver)
>
> Before updating endpoints in the keystone repo I ran an initial 
> keystone cmd to verify the original endpoints and to test the httpd 
> setup was functioning correctly, e.g.
> $ keystone --os-endpoint http://xxxxxxx:8080/keystone/admin/v2.0 --os-token xxxxxxxx service-get keystone
>
>
> This failed with errors showing up in the webserver log files.
>
>
> [VirtualHost: xxxxxxx:8080]  from paste import deploy
> [VirtualHost: xxxxxxx:8080]  ImportError: cannot import name deploy
>
> The error is obviously linked to the keystone.wsgi file (as linked 
> from keystone/admin) and its attempt to import the paste module
> e.g.  (extract from keystone.wsgi)
>
> from paste import deploy
> from keystone.openstack.common import gettextutils
>
> I did some research and found an older but similar issue occurred with 
> the keystone-all file. The fix was to ensure that the import of 
> gettextutils occurred before the import of deploy from paste. 
> (https://github.com/redhat-openstack/keystone/commit/e053026a)
>
> I moved the import of gettextutils above the paste import in 
> keystone.wsgi  which did remove the paste import error. However,  the 
> webserver log file now shows a segfault after re-running the keystone 
> cmd above
>
> [VirtualHost: xxxxxxx:8080]  Premature end of script headers: admin
> [VirtualHost: xxxxxxx:8080]  Request Failed for : /keystone/admin/v2.0/OS-KSADM/services/keystone, Resp Code : [500]
> [VirtualHost: main]  child pid 9671 exit signal Segmentation fault (11)
>
> I also looked in /var/log/messages and see:
> kernel: httpd.worker[9705]: segfault at 0 ip 00007f509a7cf86f sp 00007f508e432fb8 error 4 in libc-2.12.so[7f509a69c000+18b000]
>
> So at this point I need to ask:
>
> 1 - Was I correct to update keystone.wsgi and move the "import 
> gettextutils" above "import deploy"?
>
> 2 - Has anyone come across similar issues when configuring keystone to 
> run in HTTPD?
>
> I'd gratefully appreciate any help and advice on solving or 
> troubleshooting
>
> Cheers
>
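
An added example, not part of the original thread or of Keystone's own code: a small Python check of the TLS-related directives in a vhost file like the keystone.conf quoted above. The sample input is constructed, and the handling of `SSLProtocol` is a simplified model that assumes `all` covers every version listed in the hypothetical `KNOWN` table.

```python
import re
# Constructed sample: port 5000 as quoted above (abridged); port 35357 with SSLEngine off.
SAMPLE = """\
<VirtualHost _default_:5000>
    LogLevel debug
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost _default_:35357>
    SSLEngine off
</VirtualHost>
"""
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_vhosts(text):
    # {port: {directive (lowercase): argument string}} for each <VirtualHost>.
    pattern = r"<VirtualHost\s+\S*:(\d+)>(.*?)</VirtualHost>"
    vhosts = {}
    for port, body in re.findall(pattern, text, re.I | re.S):
        rows = [ln.split(None, 1) for ln in body.splitlines()
                if ln.strip() and not ln.strip().startswith("#")]
        vhosts[int(port)] = {r[0].lower(): (r + [""])[1].strip() for r in rows}
    return vhosts

def enabled_protocols(spec):
    # Simplified SSLProtocol model (assumption): '+x' adds, '-x' removes, bare replaces.
    enabled = set()
    for token in spec.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = {k for k in KNOWN if name.lower() in ("all", k.lower())}
        if sign == "-":
            enabled -= names
        else:
            enabled = enabled | names if sign == "+" else names
    return enabled

def audit(text):
    # Sorted (port, finding) pairs; a missing SSLProtocol is assumed to be "all".
    findings = []
    for port, d in parse_vhosts(text).items():
        legacy = sorted(enabled_protocols(d.get("sslprotocol", "all")) & LEGACY)
        if d.get("sslengine", "off").lower() != "on":
            findings.append((port, "SSLEngine off: plain HTTP on this port"))
        elif legacy:
            findings.append((port, "legacy protocols enabled: " + ", ".join(legacy)))
        if d.get("loglevel", "").lower() == "debug":
            findings.append((port, "LogLevel debug on an identity endpoint"))
    return sorted(findings)
```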
