Keystone on Port 80 For Tripleo

Posted on by

Many services assume that Keystone listens on ports 5000 and 35357. I’d prefer to have Keystone listen on the standard HTTP(s) ports of 80 and 443. We can’t remove the non-standard ports without a good deal of rewriting. But there is nothing preventing us from running Keystone on port 80 or 443 in addition to those ports.

I was trying to get this to work for a Tripleo deployment where I needed to ssh in and port forward through several levels. I didn’t want to have to do this for more ports than absolutetly necessary.

I did need to backport one change to make this work with the current Tripleo, but I suspect that, come Milestone 3 of Mitaka, we’ll have it via a rebase of the RDO packages.

In Tripleo, Horizon is run on port 80, and shows up under the /dashboard URI. So, I put Keystone under /keystone (yeah yeah, it should have been /identity. I’ll do that next time.)

UPDATE 1: decreased threads to 1, as oslo-config complains on multiple.
UPDATE 2: changed Location from /keystone/main/ to /keystone/main and /keystone/admin/ to /keystone/admin to match WSGIDaemonProcess

in /etc/httpd/conf.d/11-keystone_wsgi_main.conf

WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess keystone_main_11 display-name=keystone-main group=keystone processes=1 threads=1 user=keystone
WSGIProcessGroup keystone_main_11
WSGIScriptAlias /keystone/main "/var/www/cgi-bin/keystone/main"
<Location "/keystone/main">
WSGIProcessGroup keystone_main_11
</Location>

And in /etc/httpd/conf.d/11-keystone_wsgi_admin.conf

WSGIApplicationGroup %{GLOBAL}
WSGIDaemonProcess keystone_admin_11 display-name=keystone-admin group=keystone processes=1 threads=1 user=keystone
WSGIProcessGroup keystone_admin_11
WSGIScriptAlias /keystone/admin "/var/www/cgi-bin/keystone/admin"
<Location "/keystone/admin">
WSGIProcessGroup keystone_admin_11
</Location>

I have an adapted version of the overcloud rc file set of Keystone V3:

export OS_NO_CACHE=True
export OS_CLOUDNAME=overcloud
#export OS_AUTH_URL=http://192.0.2.6:5000/
export OS_AUTH_URL=http://192.0.2.6/keystone/main/
export NOVA_VERSION=1.1
export COMPUTE_API_VERSION=1.1
export OS_USERNAME=admin
export no_proxy=,192.0.2.18
export OS_PASSWORD=`uuidgen -r`
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_IDENTITY_API_VERSION=3

To Test:

$ . ./overcloudv3.rc 
[heat-admin@overcloud-controller-0 ~]$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-02-24T05:40:10.017354Z      |
| id         | 53c5ba8766034ee39a3918cc51082f2c |
| project_id | 42fddae694cb4bd29c0911b64c95440b |
| user_id    | 627727a981f149e2a9ae50422738e659 |
+------------+----------------------------------+

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.