[Openstack] keystone/HTTPD config issue

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Mon Mar 31 18:01:27 UTC 2014 

This is my Icehouse documentation, I don't know if it will work with Havana:

Mark

1.2  Keystone files changed (WSGI):

NOTE: The Apache2 WSGI configuration scripts below replace the "/etc/init.d/keystone" startup script

Create/configure file "/etc/apache2/sites-available/keystone.conf" to match your keystone installation and server.

WSGIDaemonProcess keystone user=keystone group=nogroup processes=6



Listen 0.0.0.0:5000

<VirtualHost _default_:5000>



    LogLevel debug

    ErrorLog /var/log/keystone/keystone.log

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined



    SSLEngine on

    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem

    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem



    SSLProtocol all -SSLv2

    SSLVerifyClient none



    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main

    WSGIProcessGroup keystone

    SetEnv nokeepalive ssl-unclean-shutdown

</VirtualHost>



Listen 0.0.0.0:35357

<VirtualHost _default_:35357>



    LogLevel debug

    ErrorLog /var/log/keystone/keystone.log

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined



    SSLEngine on

    SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem

    SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem



    SSLProtocol all -SSLv2

    SSLVerifyClient none



    WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/admin

    WSGIProcessGroup keystone

    SetEnv nokeepalive ssl-unclean-shutdown



</VirtualHost>



Note: By changing the SSL_Engine variable in this file you can turn on and off the Apache2-SSL frontend to Keystone.


Now link keystone sites-enabled to keystone sites-available
sudo ln -s /etc/apache2/sites-available/keystone.conf   /etc/apache2/sites-enabled/keystone.conf



Create directory "/usr/lib/cgi-bin/keystone"

sudo mkdir /usr/lib/cgi-bin

sudo mkdir /usr/lib/cgi-bin/keystone



Create file "/usr/lib/cgi-bin/keystone/admin".

import logging

import os



from paste import deploy



from keystone.openstack.common import gettextutils



from keystone.common import dependency

from keystone.common import environment

from keystone.common import sql

from keystone import config

from keystone.openstack.common import log

from keystone import service



# NOTE(blk-u):

# gettextutils.install() must run to set _ before importing any modules that

# contain static translated strings.

gettextutils.install('keystone', lazy=True)



CONF = config.CONF



config.configure()

sql.initialize()

config.set_default_for_default_log_levels()



CONF(project='keystone')

config.setup_logging()



environment.use_stdlib()

#name = os.path.basename(__file__)

name = "admin"



if CONF.debug:

    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)





drivers = service.load_backends()



# NOTE(ldbragst): 'application' is required in this context by WSGI spec.

# The following is a reference to Python Paste Deploy documentation

# http://pythonpaste.org/deploy/

application = deploy.loadapp('config:%s' % config.find_paste_config(),

                             name=name)



dependency.resolve_future_dependencies()



Also create file "/usr/lib/cgi-bin/keystone/main".

import logging

import os



from paste import deploy



from keystone.openstack.common import gettextutils



from keystone.common import dependency

from keystone.common import environment

from keystone.common import sql

from keystone import config

from keystone.openstack.common import log

from keystone import service



# NOTE(blk-u):

# gettextutils.install() must run to set _ before importing any modules that

# contain static translated strings.

gettextutils.install('keystone', lazy=True)



CONF = config.CONF



config.configure()

sql.initialize()

config.set_default_for_default_log_levels()



CONF(project='keystone')

config.setup_logging()



environment.use_stdlib()

#name = os.path.basename(__file__)

name = "main"



if CONF.debug:

    CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)





drivers = service.load_backends()



# NOTE(ldbragst): 'application' is required in this context by WSGI spec.

# The following is a reference to Python Paste Deploy documentation

# http://pythonpaste.org/deploy/

application = deploy.loadapp('config:%s' % config.find_paste_config(),

                             name=name)



dependency.resolve_future_dependencies()



If the keystone service is running, shut it down because the Apache2 service will now start it up with as many instances of keystone as are specified on the first line of file "/etc/apache2/sites-available/keystone.conf".

sudo service keystone stop


From: mike.hearn [mailto:mike.hearn at oracle.com]
Sent: Monday, March 31, 2014 10:22 AM
To: openstack at lists.openstack.org
Subject: [Openstack] keystone/HTTPD config issue

Hoping someone can offer some help / guidance.

I am trying to configure keystone to run in HTTPD.
Release: Havana
OS: EL 6.5

Following documentation I have configured a VirtualHost in my webserver and made the necessary updates in keystone.conf  (admin_port, public_port, admin_endpoint, public_endpoint, external driver)
Before updating endpoints in the keystone repo I ran an initial keystone cmd to verify the original endpoints and to test the httpd setup was functioning correctly  e.g.
$ keystone --os-endpoint http://xxxxxxx:8080/keystone/admin/v2.0 --os-token xxxxxxxx service-get keystone

This failed with errors showing up in the webserver log files.

[VirtualHost: xxxxxxx:8080]  from paste import deploy
[VirtualHost: xxxxxxx:8080]  ImportError: cannot import name deploy

The error is obviously linked to the keystone.wsgi file (as linked frpm keystone/admin) and its attempt to import the paste module
e.g.  (extract from keystone.wsgi)

from paste import deploy
from keystone.openstack.common import gettextutils

I did some research and found an older but similar issue occurred with the keystone-all file. The fix was to ensure that the import of gettextutils occured before the import of deploy from paste. (https://github.com/redhat-openstack/keystone/commit/e053026a)

I moved the import of gettextutils above the paste import in keystone.wsgi  which did remove the paste import error. However,  the webserver log file now shows a segfault after re-running the keystone cmd above

[VirtualHost: xxxxxxx:8080]  Premature end of script headers: admin
[VirtualHost: xxxxxxx:8080]  Request Failed for : /keystone/admin/v2.0/OS-KSADM/services/keystone, Resp Code : [500]
[VirtualHost: main]  child pid 9671 exit signal Segmentation fault (11)
I also looked in /var/log/messages and see:
 kernel: httpd.worker[9705]: segfault at 0 ip 00007f509a7cf86f sp 00007f508e432fb8 error 4 in libc-2.12.so<http://libc-2.12.so/>[7f509a69c000+18b000]
So at this point I need to ask :
1 - Was I correct to update keystone.wsgi and move the import gettextutils above import deploy  ?
2 - Has anyone come across similar issues when configuring keystone to run in HTTPD

I'd gratefully appreciate any help and advice on solving or trouble shooting
Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140331/3c2dc31e/attachment.html>

More information about the Openstack mailing list