| Commit message (Collapse) | Author | Age | Files | Lines |
The bitbake recipe file for building Keystone is inconsistent
with the use of tabs versus spaces. According to guidelines
for the Yocto project (style guide), the tabs should be
replaced with spaces in the case of indenting for lists. The
style guide can be found at:
https://wiki.yoctoproject.org/wiki/Recipe_&_Patch_Style_Guide
This fix changes the Keystone recipe file to use spaces instead
of tabs in list of files and package dependencies.
Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
|
Since the Grizzly release, Keystone defaults to storing tokens in PKI
format. Some software works better with keystone if tokens
are in the older UUID format. This change allows a simple way
to set the storage format within the bitbake recipes. The default
is to use the newer PKI format.
Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
|
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
authentication chaining
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and
icehouse before icehouse-rc2 allows remote attackers to cause a denial of
service (CPU consumption) via a large number of the same authentication
method in a request, aka "authentication chaining."
Signed-off-by: Amy Fong <amy.fong@windriver.com>
|
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon
Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable
permissions for /etc/keystone/ec2rc, which allows local users to obtain
access to EC2 services by reading administrative access and secret values
from this file.
Modify /etc/keystone to have permission 750
Signed-off-by: Amy Fong <amy.fong@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Editing the files in ${WORKDIR} using sed or similar tools as part of
do_install means they can only be edited once. Supplying a modified
CONTROLLER_IP in local.conf and building the image again will not
result in the CONTROLLER_IP being properly updated since the
substitution placeholders will no longer exist. We therefore simply
swap the order of things, installing the configuration files first,
then editing them to swap the placeholders. This means we can run the
do_install again and again and get the results we expect.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Currently all the openstack components have a default start level
of 20. Other services such as glusterfs, rabbitmq,
database... also start at the same start level. On some
platforms, this can cause a race condition between services, which
in turn causes some of the openstack components not to start.
Adjusting the openstack components' start level to a higher value will
ensure that system services start in a deterministic way.
Signed-off-by: Vu Tran <vu.tran@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Several python packages require 'python-pbr' both at build and
runtime, as listed in their respective setup.py files, yet this
dependency is not included in their recipe. Adding python-pbr
to the RDEPENDS to correct this.
In addition this situation is complicated by the fact that the
setuptools will actually fetch python-pip and python-pbr eggs,
regardless of the value of BB_NO_NETWORK, if any of these packages are
built before python-pip and python-pbr are in the sysroot. Most
dramatically, if you were to attempt to build any of these packages
with no network connectivity the do_compile() task will fail with the
following:
| DEBUG: Executing shell function do_compile
| Download error: [Errno 110] Connection timed out -- Some packages may not be found!
| Couldn't find index page for 'pip' (maybe misspelled?)
| Download error: [Errno 110] Connection timed out -- Some packages may not be found!
| No local packages or download links found for pip>=1.0
| Traceback (most recent call last):
| File "setup.py", line 21, in <module>
| pbr=True)
Adding the missing DEPENDS will ensure these packages are available
without the need for setuptools to fetch them, and avoid possible
build issues due to network connectivity.
In order to test these modifications all of these packages have been
built with a populated sstate cache and the network crippled using:
iptables -A OUTPUT -p tcp --destination-port 80 -j DROP
to ensure no extra fetches are taking place.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Tests in keystone/tests fail because they
look for some config files at the wrong location.
Currently all the keystone config files are at
/etc/keystone.
Signed-off-by: Vu Tran <vu.tran@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
By default, expired keystone tokens are not removed
from the keystone table in the keystone database.
This will cause the keystone database to grow in
size. So this patch adds a new package named
keystone-cronjobs, which will register a cronjob
to invoke the command "keystone-manage token_flush"
for flushing out any expired tokens.
Signed-off-by: Vu Tran <vu.tran@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Installation from package feeds shows some missing RDEPENDS for the
-setup packages.
Signed-off-by: Rob Wolley <Rob.Woolley@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
To add more complete tempest support, we require flake8, so it is
added to the dependency list.
To get the individual component test scripts onto the target, create
a $PACKAGE-tests package and add the script. When the tests are
required on target, these packages should be added to the install
list.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
After moving all database creation initialization packages, we also
remove it from the RDEPENDS of the various control node recipes.
This allows images to select database initialization or skip it.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Many OpenStack modules require a first boot action to set up users,
databases, bridges, etc. These same packages install initscripts to start
daemons and servers.
The 1st boot package post install actions immediately exit to indicate
that the action cannot be performed in the cross environment and instead
should be done on first boot. The update-rc.d post install actions are
intended to be run in the cross environment to symlink scripts into the
proper runlevels.
The early exit from the db setup routines means that the rc files are
not linked in host cross. If the rootfs doesn't contain update-rc.d,
they also will not be set up on first boot. The end result is a system
that does not start all of its required services on boot.
To fix this, we split out db and other first boot setup tasks into
dedicated (but empty) -setup packages. These run on first boot, while
update-rc.d is left to create the proper symlinks.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|
Updating the keystone OpenStack component to the havana release version.
As part of this switch, we also start building out of git versus the
release tarballs.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
|