python-keystone: get things working with stable/pike

Since we need to ensure the setup is run after postgresql is setup and
running we can't use a postinst as it runs too early in the boot
process. Instead we have a simple service which will run after
postgresql-init to complete the setup. On completion the service
disables itself, avoiding being run again on subsequent boots.

Update configuration data to match keystone setup as described on the
upstream project pages.

Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>

4 files changed, 122 insertions, 151 deletions

diff --git a/meta-openstack/recipes-devtools/python/python-keystone/keystone b/meta-openstack/recipes-devtools/python/python-keystone/keystone
deleted file mode 100644
index 34cc3ad..0000000
--- a/meta-openstack/recipes-devtools/python/python-keystone/keystone
+++ /dev/null
@@ -1,128 +0,0 @@
-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides:          keystone
-# Required-Start: $remote_fs $network $syslog
-# Required-Stop: $remote_fs $syslog
-# Default-Start:     3 5
-# Default-Stop:      0 1 2 6
-# Short-Description: Keystone Server
-# Description: OpenStack identity Service (code-named keystone)
-### END INIT INFO
-
-DESC="keystone"
-DAEMON="uwsgi"
-DAEMON_OPTIONS="--http 127.0.0.1:35357 --wsgi-file $(which keystone-wsgi-admin)"
-PIDFILE="/var/run/keystone-all.pid"
-
-start ()
-{
-    if [ -e $PIDFILE ]; then
-        PIDDIR=/proc/$(cat $PIDFILE)
-        if [ -d ${PIDDIR} ]; then
-            echo "$DESC already running."
-            exit 1
-        else
-            echo "Removing stale PID file $PIDFILE"
-            rm -f $PIDFILE
-        fi
-    fi
-
-    if [ ! -d /var/log/keystone ]; then
-        mkdir /var/log/keystone                                                     
-    fi
-    echo -n "Starting $DESC..."
-
-    start-stop-daemon --start --quiet --background \
-        --pidfile ${PIDFILE} --make-pidfile --exec ${DAEMON} \
-        -- ${DAEMON_OPTIONS}
-
-    if [ $? -eq 0 ]; then
-        echo "done."
-    else
-        echo "failed."
-    fi
-}
-
-stop ()
-{
-    echo -n "Stopping $DESC..."
-    start-stop-daemon --stop --quiet --pidfile $PIDFILE
-    if [ $? -eq 0 ]; then
-        echo "done."
-    else
-        echo "failed."
-    fi
-    rm -f $PIDFILE
-}
-
-status()
-{
-    pid=`cat $PIDFILE 2>/dev/null`
-    if [ -n "$pid" ]; then
-        if ps -p $pid > /dev/null 2>&1 ; then
-            echo "$DESC is running"
-            return
-        fi
-    fi
-    echo "$DESC is not running"
-}
-
-reset()
-{
-    # Cleanup keystone tenant
-    . /etc/nova/openrc
-    simple_delete "keystone user-list" "keystone user-delete" 1 "keystone user"
-    simple_delete "keystone tenant-list" "keystone tenant-delete" 1 "keystone tenant"
-    simple_delete "keystone role-list" "keystone role-delete" 1 "keystone role"
-    simple_delete "keystone endpoint-list" "keystone endpoint-delete" 1 "keystone endpoint"
-    simple_delete "keystone service-list" "keystone service-delete" 1 "keystone service"
-
-    stop
-
-    # This is to make sure postgres is configured and running
-    if ! pidof postmaster > /dev/null; then
-        /etc/init.d/postgresql-init
-        /etc/init.d/postgresql start
-        sleep 2
-    fi
-
-    sudo -u postgres dropdb keystone
-    sudo -u postgres createdb keystone
-    keystone-manage db_sync
-    keystone-manage pki_setup --keystone-user=root --keystone-group=root
-
-    start
-
-    sleep 2
-
-    ADMIN_PASSWORD=%ADMIN_PASSWORD% \
-    SERVICE_PASSWORD=%SERVICE_PASSWORD% \
-    SERVICE_TENANT_NAME=%SERVICE_TENANT_NAME% \
-        bash /etc/keystone/service-user-setup
-}
-
-case "$1" in
-    start)
-        start
-        ;;
-    stop)
-        stop
-        ;;
-    restart|force-reload|reload)
-        stop
-        start
-        ;;
-    status)
-        status
-        ;;
-    reset)
-        reset
-        ;;
-    *)
-        echo "Usage: $0 {start|stop|force-reload|restart|reload|status|reset}"
-        exit 1
-        ;;
-esac
-
-exit 0
diff --git a/meta-openstack/recipes-devtools/python/python-keystone/keystone-init b/meta-openstack/recipes-devtools/python/python-keystone/keystone-init
new file mode 100644
index 0000000..db4b4fa
--- /dev/null
+++ b/meta-openstack/recipes-devtools/python/python-keystone/keystone-init
@@ -0,0 +1,60 @@
+#!/bin/bash
+#
+# Basic keystone setup as described on:
+# https://docs.openstack.org/mitaka/install-guide-ubuntu/keystone-install.html
+# https://docs.openstack.org/keystone/pike/install/keystone-install-ubuntu.html
+#
+# Prerequisites: /etc/postgresql/postgresql-init must be run first to create the DB
+#
+# After complete you should be able to query keystone with something like the 
+# following (https://docs.openstack.org/keystone/latest/api_curl_examples.html)
+#
+#curl -i \
+#  -H "Content-Type: application/json" \
+#  -d '
+#{ "auth": {
+#    "identity": {
+#      "methods": ["password"],
+#      "password": {
+#        "user": {
+#          "name": "%ADMIN_USER%",
+#          "domain": { "id": "default" },
+#          "password": "%ADMIN_PASSWORD%"
+#        }
+#      }
+#    }
+#  }
+#}' \
+#  "http://localhost:5000/v3/auth/tokens" ; echo
+
+
+# Substitutions setup at do_intall()
+DB_USER=%DB_USER%
+KEYSTONE_USER=%KEYSTONE_USER%
+KEYSTONE_GROUP=%KEYSTONE_GROUP%
+CONTROLLER_IP=%CONTROLLER_IP%
+ADMIN_USER=%ADMIN_USER%
+ADMIN_PASSWORD=%ADMIN_PASSWORD%
+ADMIN_ROLE=%ADMIN_ROLE%
+
+# Create the keystone DB and grant the necessary permissions
+sudo -u postgres psql -c "CREATE DATABASE keystone" 2> /dev/null
+sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE keystone TO ${DB_USER}" 2> /dev/null
+
+keystone-manage db_sync
+
+keystone-manage fernet_setup --keystone-user ${KEYSTONE_USER} --keystone-group ${KEYSTONE_GROUP}
+keystone-manage credential_setup --keystone-user ${KEYSTONE_USER} --keystone-group ${KEYSTONE_GROUP}
+
+keystone-manage bootstrap \
+  --bootstrap-password ${ADMIN_PASSWORD} \
+  --bootstrap-username ${ADMIN_USER} \
+  --bootstrap-project-name admin \
+  --bootstrap-role-name ${ADMIN_ROLE} \
+  --bootstrap-service-name keystone \
+  --bootstrap-region-id RegionOne \
+  --bootstrap-admin-url http://${CONTROLLER_IP}:35357 \
+  --bootstrap-internal-url http://${CONTROLLER_IP}:5000 \
+  --bootstrap-public-url http://${CONTROLLER_IP}:5000
+
+#keystone-manage pki_setup --keystone-user=root --keystone-group=daemon
diff --git a/meta-openstack/recipes-devtools/python/python-keystone/keystone-init.service b/meta-openstack/recipes-devtools/python/python-keystone/keystone-init.service
new file mode 100644
index 0000000..b114806
--- /dev/null
+++ b/meta-openstack/recipes-devtools/python/python-keystone/keystone-init.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Barebones OpenStack keystone initialization
+After=postgresql-init.service
+
+[Service]
+Type=oneshot
+ExecStart=%SYSCONFIGDIR%/keystone/keystone-init
+ExecStartPost=/bin/systemctl --no-reload disable keystone-init.service
+RemainAfterExit=No
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf b/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf
index 91b95f6..febf1d7 100644
--- a/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf
+++ b/meta-openstack/recipes-devtools/python/python-keystone/wsgi-keystone.conf
@@ -1,25 +1,52 @@
-Listen 8081
-<VirtualHost *:8081>
-    ServerAdmin webmaster@localhost
-    WSGIApplicationGroup %{RESOURCE}
-    WSGIDaemonProcess keystone threads=15 display-name=%{GROUP}
-    WSGIProcessGroup keystone
-    WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
-    WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
-
-
-    <Location "/keystone">
-        Authtype none
-    </Location>
-
-    <Directory /var/www/cgi-bin/keystone/>
-        <IfVersion < 2.3>
-            Order allow,deny
-            Allow from all
-        </IfVersion>
-
-        <IfVersion >= 2.3>
-            Require all granted
-        </IfVersion>
+Listen 5000
+Listen 35357
+
+<VirtualHost *:5000>
+    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-public
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    ErrorLogFormat "%{cu}t %M"
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        Require all granted
+    </Directory>
+</VirtualHost>
+
+<VirtualHost *:35357>
+    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+    WSGIProcessGroup keystone-admin
+    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    ErrorLogFormat "%{cu}t %M"
+    ErrorLog /var/log/apache2/keystone.log
+    CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/bin>
+        Require all granted
     </Directory>
 </VirtualHost>
+
+Alias /identity /usr/bin/keystone-wsgi-public
+<Location /identity>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-public
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>
+
+Alias /identity_admin /usr/bin/keystone-wsgi-admin
+<Location /identity_admin>
+    SetHandler wsgi-script
+    Options +ExecCGI
+
+    WSGIProcessGroup keystone-admin
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+</Location>