Keystone development server on Fedora 25

While unit tests are essential to development, I often want to check the complete flow of a feature against a running keystone server as well. I recently upgraded to Fedora 25, and had to reset my environment. Here is how I set up for development.

Update: turns out there is more.

The Keystone server is unusual in that it requires no other OpenStack services in order to run. Most other services require a Keystone server, but Keystone itself only requires MySQL. As such, it is not worth the effort (and Python hassle) of running devstack. You can run the Keystone server right out of the source directory in a virtual environment.

The code I need for Keystone has been committed for a while. To start clean, I rebase my local git repository to master and run tox -r to recreate the virtual environment.

I’m going to use that virtual environment along with the directions on the official Keystone development site.

First I need a database.

 sudo dnf -y install mariadb-server
 sudo systemctl enable mariadb.service
 sudo systemctl start mariadb.service

Check that the MySQL monitor works.

$ mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.19-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Now, configure the database according to the official setup docs:

I want to end up with MySQL using SQLAlchemy via the following configuration:

connection = mysql+pymysql://keystone:keystone@127.0.0.1/keystone

This is what works on F25. It is a little different from the older install guides. I am running as the non-root user `ayoung`.

mysql -u root
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
    IDENTIFIED BY 'keystone';

That is not sufficient to connect, as shown by this test:

mysql -h 127.0.0.1 keystone -u keystone --password=keystone

Ensure MySQL is listening on a network socket.

$ getent services mysql
mysql                 3306/tcp
$ telnet 127.0.0.1 3306
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Y

Turns out what I needed was:

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';

This is not a production grade solution, but should work for development.

Enable the virtual environment:

. .tox/py27/bin/activate

Update /etc/keystone.conf as per the above doc and try the db sync:

keystone-manage db_sync
...
keystone-manage db_version
109

You will need uwsgi to run as the webserver. Don’t try to use the system package. On F24, at least, the system one was out of date. Since this is a development setup, let’s match the upstream approach and use pip to install it in the venv.

pip install uwsgi

Now try to run the server:

 uwsgi --http 127.0.0.1:35357 --wsgi-file $(which keystone-wsgi-admin)

And test:

curl localhost:35357
{"versions": {"values": [{"status": "stable", "updated": "2016-10-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.7", "links": [{"href": "http://localhost:35357/v3/", "rel": "self"}]}, {"status": "deprecated", "updated": "2016-08-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://localhost:35357/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}]}}

Now I want to run the bootstrap code to initialize the database tables:

 keystone-manage bootstrap --bootstrap-password keystone

Remember to run the public port server in a separate console window (but also in the venv):

. .tox/py27/bin/activate
uwsgi --http 127.0.0.1:5000 --wsgi-file $(which keystone-wsgi-public)
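
Every credential in this setup is the literal string keystone, so it is worth confirming that the database and both uwsgi servers are reachable only over loopback. The check below is an added example, not part of the original post: it reads `ss -ltnH` output and lists any of the three ports used here (3306, 35357, 5000) that is bound to a non-loopback address. The sample lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list dev services that listen
# beyond loopback. Ports are the ones used on this page.
DEV_PORTS="3306 35357 5000"   # MariaDB, Keystone admin, Keystone public

# exposed_listeners: reads `ss -ltnH` output on stdin and prints the local
# address:port of every listener on a dev port that is not bound to loopback.
exposed_listeners() {
    awk -v ports="$DEV_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            laddr = $4                          # 4th column: Local Address:Port
            port = laddr; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # [::1] -> ::1
            sub(/%.*$/, "", addr)               # drop %interface scope
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1") next
            print laddr
        }'
}

# sample_ss: constructed `ss -ltnH` lines, not captured from a real host.
sample_ss() {
    cat <<'EOF'
LISTEN 0 80  0.0.0.0:3306    0.0.0.0:*
LISTEN 0 100 127.0.0.1:35357 0.0.0.0:*
LISTEN 0 100 127.0.0.1:5000  0.0.0.0:*
LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
LISTEN 0 80  [::]:3306       [::]:*
LISTEN 0 100 [::1]:5000      [::]:*
EOF
}

# On a live machine: ss -ltnH | exposed_listeners
sample_ss | exposed_listeners
```

If 3306 is reported, setting bind-address=127.0.0.1 in the [mysqld] section of the MariaDB configuration keeps the database on loopback.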

To run the sample data (again in another venv window):

 pip install python-openstackclient
ADMIN_PASSWORD=keystone tools/sample_data.sh

Here is my keystone.rc file for talking to this server. The OS_IDENTITY_API_VERSION bypasses discovery, which is probably not a long term solution.

unset `env | awk -F= '/^OS_/ {print $1}' | xargs`

export OS_USERNAME=admin
export OS_PASSWORD=keystone
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_DOMAIN_ID=default
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://127.0.0.1:5000/v3

Make sure token issue works:

. ~/devel/openstack/keystone.rc 
openstack token issue
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-12-06T01:09:23+0000                                        |
| id         | gAAAAABYRgGzX_ZixdkZBmS-Ut9uGphBhfSw8rdnTBBar6waqfrghdQWi3PLgjI |
|            | ah6HL9pxGvdmGm8pHCCos7yo4D28LRmROrSRf8Yy1dEE9bMQGcCrFuG4QCe_m2E |
|            | SdqNoB3LMhfCPyCbm3705_Blo_h6f5Cst-fLZuUFyItKkgo4BYZUDpGxk       |
| project_id | f84f16ef1f2f45cd80580329ab2c00b0                                |
| user_id    | bc72530345094d0e9ba53a275d2df9e8                                |
+------------+-----------------------------------------------------------------+
