[Openstack] keystone/HTTPD config issue

Adam Young ayoung at redhat.com
Mon Mar 31 19:46:28 UTC 2014 

On 03/31/2014 02:30 PM, Ali, Haneef wrote:
>
> This will work. Couple of suggestions
>
> Create file "/usr/lib/cgi-bin/keystone/admin".
>
> Instead of this, you can link to   httpd/keystone.py
>
When I originally wrote it, I did a hardlink to this file, as that way 
you only modify one file for both sub-urls.  However,m you really don't 
need "main" if you are exposing "admin" as asmin has everything that is 
on main.  You would really only want to split them into admin vs main if 
you are deloying them with different scopes:  say admin internal to your 
firewall, but main external.


Note that I am working through the issues right now to do the same thing 
using FreeIPA and NSS.  You want to make sure you are planning on decent 
X509 hygene.  use a real CA, not keystone-manage setup_ssl

Lots of good information here:



> Also you may want to check the default MPM mode  for Apache. Most 
> probably it will be   worker-process.   There you can configure number 
> of servers used to serve the request which is different from keystone 
> process
>
> Thanks
>
> Haneef
>
> *From:*Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> *Sent:* Monday, March 31, 2014 11:01 AM
> *To:* mike.hearn; openstack at lists.openstack.org
> *Subject:* Re: [Openstack] keystone/HTTPD config issue
>
> This is my Icehouse documentation, I don't know if it will work with 
> Havana:
>
> Mark
>
>
>       1.2Keystone files changed (WSGI):
>
> **
>
> *NOTE*: The Apache2 WSGI configuration scripts below replace the 
> "/etc/init.d/keystone" startup script
>
> Create/configure file "/etc/apache2/sites-available/keystone.conf" to 
> match your keystone installation and server.
>
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=6
>   
> Listen 0.0.0.0:5000
> <VirtualHost _default_:5000>
>   
>      LogLevel debug
>      ErrorLog /var/log/keystone/keystone.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>   
>      SSLEngine on
>      SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
>      SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
>   
>      SSLProtocol all -SSLv2
>      SSLVerifyClient none
>   
>      WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/main
>      WSGIProcessGroup keystone
>      SetEnv nokeepalive ssl-unclean-shutdown
> </VirtualHost>
>   
> Listen 0.0.0.0:35357
> <VirtualHost _default_:35357>
>   
>      LogLevel debug
>      ErrorLog /var/log/keystone/keystone.log
>      CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
>   
>      SSLEngine on
>      SSLCertificateFile /etc/keystone/ssl/certs/keystone.pem
>      SSLCertificateKeyFile /etc/keystone/ssl/private/keystonekey.pem
>   
>      SSLProtocol all -SSLv2
>      SSLVerifyClient none
>   
>      WSGIScriptAlias /  /usr/lib/cgi-bin/keystone/admin
>      WSGIProcessGroup keystone
>      SetEnv nokeepalive ssl-unclean-shutdown
>   
> </VirtualHost>
>
> **
>
> *Note*: By changing the SSL_Engine variable in this file you can turn 
> on and off the Apache2-SSL frontend to Keystone.
>
> Now link keystone sites-enabled to keystone sites-available
>
> sudo ln -s /etc/apache2/sites-available/keystone.conf 
> /etc/apache2/sites-enabled/keystone.conf
>
> Create directory "/usr/lib/cgi-bin/keystone"
>
> sudo mkdir /usr/lib/cgi-bin
>
> sudo mkdir /usr/lib/cgi-bin/keystone
>
> Create file "/usr/lib/cgi-bin/keystone/admin".
>
> import logging
> import os
>   
> from paste import deploy
>   
> from keystone.openstack.common import gettextutils
>   
> from keystone.common import dependency
> from keystone.common import environment
> from keystone.common import sql
> from keystone import config
> from keystone.openstack.common import log
> from keystone import service
>   
> # NOTE(blk-u):
> # gettextutils.install() must run to set _ before importing any modules that
> # contain static translated strings.
> gettextutils.install('keystone', lazy=True)
>   
> CONF = config.CONF
>   
> config.configure()
> sql.initialize()
> config.set_default_for_default_log_levels()
>   
> CONF(project='keystone')
> config.setup_logging()
>   
> environment.use_stdlib()
> #name = os.path.basename(__file__)
> name = "admin"
>   
> if CONF.debug:
>      CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
>   
>   
> drivers = service.load_backends()
>   
> # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
> # The following is a reference to Python Paste Deploy documentation
> #http://pythonpaste.org/deploy/
> application = deploy.loadapp('config:%s' % config.find_paste_config(),
>                               name=name)
>   
> dependency.resolve_future_dependencies()
>
> Also create file "/usr/lib/cgi-bin/keystone/main".
>
> import logging
> import os
>   
> from paste import deploy
>   
> from keystone.openstack.common import gettextutils
>   
> from keystone.common import dependency
> from keystone.common import environment
> from keystone.common import sql
> from keystone import config
> from keystone.openstack.common import log
> from keystone import service
>   
> # NOTE(blk-u):
> # gettextutils.install() must run to set _ before importing any modules that
> # contain static translated strings.
> gettextutils.install('keystone', lazy=True)
>   
> CONF = config.CONF
>   
> config.configure()
> sql.initialize()
> config.set_default_for_default_log_levels()
>   
> CONF(project='keystone')
> config.setup_logging()
>   
> environment.use_stdlib()
> #name = os.path.basename(__file__)
> name = "main"
>   
> if CONF.debug:
>      CONF.log_opt_values(log.getLogger(CONF.prog), logging.DEBUG)
>   
>   
> drivers = service.load_backends()
>   
> # NOTE(ldbragst): 'application' is required in this context by WSGI spec.
> # The following is a reference to Python Paste Deploy documentation
> #http://pythonpaste.org/deploy/
> application = deploy.loadapp('config:%s' % config.find_paste_config(),
>                               name=name)
>   
> dependency.resolve_future_dependencies()
>
> If the keystone service is running, shut it down because the Apache2 
> service will now start it up with as many instances of keystone as are 
> specified on the first line of file 
> "/etc/apache2/sites-available/keystone.conf".
>
> sudo service keystone stop
>
> *From:*mike.hearn [mailto:mike.hearn at oracle.com]
> *Sent:* Monday, March 31, 2014 10:22 AM
> *To:* openstack at lists.openstack.org <mailto:openstack at lists.openstack.org>
> *Subject:* [Openstack] keystone/HTTPD config issue
>
> Hoping someone can offer some help / guidance.
>
> I am trying to configure keystone to run in HTTPD.
> Release: Havana
> OS: EL 6.5
>
> Following documentation I have configured a VirtualHost in my 
> webserver and made the necessary updates in keystone.conf  
> (admin_port, public_port, admin_endpoint, public_endpoint, external 
> driver)
>
> Before updating endpoints in the keystone repo I ran an initial 
> keystone cmd to verify the original endpoints and to test the httpd 
> setup was functioning correctly  e.g./
> $ keystone 
> --os-endpointhttp://xxxxxxx:8080/keystone/admin/v2.0--os-token 
> xxxxxxxx service-get keystone/
>
>
> This failed with errors showing up in the webserver log files.
>
>
> /[VirtualHost: xxxxxxx:8080]  from paste import deploy
> [VirtualHost: xxxxxxx:8080]  ImportError: cannot import name deploy/
>
> The error is obviously linked to the keystone.wsgi file (as linked 
> frpm keystone/admin) and its attempt to import the paste module
> e.g.  (extract from keystone.wsgi)
>
> /from paste import deploy
> from keystone.openstack.common import gettextutils/
>
> I did some research and found an older but similar issue occurred with 
> the /keystone-all/ file. The fix was to ensure that the import of 
> gettextutils occured before the import of deploy from paste. 
> (https://github.com/redhat-openstack/keystone/commit/e053026a)
>
> I moved the import of gettextutils above the paste import in 
> keystone.wsgi  which did remove the paste import error. However,  the 
> webserver log file now shows a segfault after re-running the keystone 
> cmd above
>
> /[VirtualHost: xxxxxxx:8080]  Premature end of script headers: admin
> [VirtualHost: xxxxxxx:8080]  Request Failed for : 
> /keystone/admin/v2.0/OS-KSADM/services/keystone, Resp Code : [500]
> [VirtualHost: main]  child pid 9671 exit signal Segmentation fault (11)/
>
> I also looked in /var/log/messages and see:
> / kernel: httpd.worker[9705]: segfault at 0 ip 00007f509a7cf86f sp 
> 00007f508e432fb8 error 4 inlibc-2.12.so 
> <http://libc-2.12.so/>[7f509a69c000+18b000]/
>
> So at this point I need to ask ://
>
> 1 - Was I correct to update keystone.wsgi and move the/import 
> gettextutils/above/import deploy  ?/
>
> 2 - Has anyone come across similar issues when configuring keystone to 
> run in HTTPD///
>
> /I'd gratefully appreciate any help and advic/e/on solving or trouble 
> shooting
>
> Cheers
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140331/a7f13314/attachment.html>

More information about the Openstack mailing list