path: root/meta-openstack/recipes-devtools/python/python-keystone_git.bb
Age | Commit message | Author
2014-08-22 | core: update core components to latest havana/stable releases | Vu Tran
The patch CVE-2014-0006-swift-1265665.patch is already in the latest Swift havana/stable release, so dropping it. Signed-off-by: Vu Tran <vu.tran@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-07-31 | python-keystone: Remove openrc file and bb references. | Liam R. Howlett
This patch removes the openrc file from the keystone package and references to openrc in the python-keystone_git.bb file. Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
2014-07-31 | keystone: set default backend to ldap | Amy Fong
Signed-off-by: Amy Fong <amy.fong@windriver.com>
2014-07-31 | Keystone: package service/user additions | Andy Ning
Instead of creating tenant/user/role and service/endpoint for all openstack services in keystone postinstall, now each of the services creates its own keystone identities by queueing them up in its postinstall to a file /etc/keystone/service-user-setup. service-user-setup script, when run as the last postinstall, calls identity.sh with keystone identity parameters to create necessary identities for the services. Signed-off-by: Andy Ning <andy.ning@windriver.com>
2014-07-31 | keystone: Add script to change backend to hybrid | Amy Fong
Adding /etc/keystone/hybrid-backend-setup and convert_keystone_backend.py to set the backend for keystone to hybrid, start openldap and restart keystone. Signed-off-by: Amy Fong <amy.fong@windriver.com>
2014-07-31 | keystone: enable openLDAP authentication | Amy Fong
Modify python-keystone to use openldap. keystone's identity and assignment backends are configured to utilize the hybrid backend for keystone. This backend uses the SQL backend by default and goes to the ldap database if the user doesn't exist. Signed-off-by: Amy Fong <amy.fong@windriver.com>
2014-07-25 | openstack initscript: add reset | Amy Fong
Some of the openstack data is associated with external resources (i.e. glance may have external files), we explicitly invoke the delete commands on those in addition to dropping and recreating the databases. Signed-off-by: Amy Fong <amy.fong@windriver.com>
2014-06-09 | keystone: remove git commands from tests | Keith Holman
When running the keystone tests, the tests ensure that keystone is being tested against the latest version of keystone-client available by downloading keystone-client from source using git. However, on the target system keystone-client is installed as a separate package and it is undesirable to download a newer version to test against. This fix comments out the portion of the testing code that attempts to retrieve keystone-client from source code using git. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | keystone: create test temporary directory | Keith Holman
Some Keystone tests create temporary files, usually databases for testing. These files are stored in the "tmp" directory under the "tests" directory in Keystone. The fix creates this directory so these tests don't fail on failing to create temporary files because the path doesn't exist. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | keystone: fix location of files for tests | Keith Holman
Keystone tests define the location of certificate files as the location of the files in the source tree. However, when installed on the system files are put in different locations. This change patches the configuration file for some tests to contain the full path to the tests directories. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | keystone: install example test certificates | Keith Holman
Some tests provided by Keystone test signing with an example certificate and signing key. If these certificates are not found these particular tests will hang. Thus, in order for these tests to pass we must install the example certificates to the system. This fix updates the install script for Keystone to include installing the example certificates. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | keystone: fix paths for testing | Keith Holman
Keystone tests are designed to run on the source tree. However, Keystone is installed on a system with files in various directories. This fix patches the testing source files to be able to find the files on the distribution. This fix incorporates the changes of a previous patch file into a new patch file that is generated, since the previous patch are related and close to each other in the source and it is easier to maintain less patch files. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | openstack-nose: plugin for openstack style output | Keith Holman
Openstack components provide a run_tests.sh script for running unit tests. Some of these tests expect the openstack-nose plugin to be installed. This fix provides a recipe for building that plugin in order to allow the various run_tests.sh scripts to run. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-06-09 | keystone: fix tabs in recipe according to style guide | Keith Holman
The bitbake recipe file for building Keystone is inconsistent with the use of tabs versus spaces. According to guidelines for the Yocto project (style guide), the tabs should be replaced with spaces in the case of indenting for lists. The style guide can be found at: https://wiki.yoctoproject.org/wiki/Recipe_&_Patch_Style_Guide This fix changes the Keystone recipe file to use spaces instead of tabs in list of files and package dependencies. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-05-12 | keystone: allow ability to store tokens in UUID or PKI format | Keith Holman
Since Grizzly release Keystone defaults to storing tokens in PKI format. Some software works better with keystone if tokens are in the older UUID format. This change allows a simple way to set the storage format within the bitbake recipes. The default is to use the newer PKI format. Signed-off-by: Keith Holman <Keith.Holman@windriver.com>
2014-05-09 | core: update core components to latest havana/stable releases | Bruce Ashfield
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-05-08 | CVE-2014-2828 openstack-keystone: denial of service via V3 API authentication chaining | Amy Fong
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." Signed-off-by: Amy Fong <amy.fong@windriver.com>
2014-05-08 | keystone: CVE-2012-5483 | Amy Fong
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file. Modify /etc/keystone to have permission 750 Signed-off-by: Amy Fong <amy.fong@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-04-23 | cleanup: leave source config files pristine | Mark Asselstine
Editing the files in ${WORKDIR} using sed or similar tools as part of do_install means they can only be edited once. Supplying a modified CONTROLLER_IP in local.conf and building the image again will not result in the CONTROLLER_IP being properly updated since the substitution placeholders will no longer exist. We therefore simply swap the order of things, installing the configuration files first, then editing them to swap the placeholders. This means we can run the do_install again and again and get the results we expect. Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-04-04 | glance/keystone/neutron/nova: update to latest havana/stable | Bruce Ashfield
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-03-17 | Readjust the start level of openstack components | Vu Tran
Currently all the openstack components have default start level of 20. There are other services such as glusterfs, rabbitmq, database... are also starting at the same start level. On some platform, this can cause racing condition between services which in turn causes some of openstack components not started. By adjusting the openstack components start level to higher will ensure that system services start in a deterministic way. Signed-off-by: Vu Tran <vu.tran@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-03-17 | python-*: prevent setuptools from fetching required eggs | Mark Asselstine
Several python packages require 'python-pbr' both at build and runtime, as listed in their respective setup.py files, yet this dependency is not included in their recipe. Adding python-pbr to the RDEPENDS to correct this.
In addition this situation is complicated by the fact that the setuptools will actually fetch python-pip and python-pbr eggs, regardless of the value of BB_NO_NETWORK, if any of these packages are built before python-pip and python-pbr are in the sysroot. Most dramatically if you were to attempt to build any of these packages with no network connectivity the do_compile() task will fail with the following:
    | DEBUG: Executing shell function do_compile
    | Download error: [Errno 110] Connection timed out -- Some packages may not be found!
    | Couldn't find index page for 'pip' (maybe misspelled?)
    | Download error: [Errno 110] Connection timed out -- Some packages may not be found!
    | No local packages or download links found for pip>=1.0
    | Traceback (most recent call last):
    | File "setup.py", line 21, in <module>
    | pbr=True)
Adding the missing DEPENDS will ensure these packages are available without the need for setuptools to fetch them, and avoid possible build issues due to network connectivity.
In order to test these modifications all of these packages have been built with a populated sstate cache and the network crippled using:
    iptables -A OUTPUT -p tcp --destination-port 80 -j DROP
to ensure no extra fetches are taking place. Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-02-10 | keystone: fix tests ETCDIR location | Vu Tran
Tests in keystone/tests fail because they look for some config files at wrong location. Currently all the keystone config files are at /etc/keystone. Signed-off-by: Vu Tran <vu.tran@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-02-03 | keystone: add cronjob for flushing expired tokens | Vu Tran
By default expired keystone tokens are not removed out of the keystone table in keystone database. This will cause the keystone database to grow in size due. So this patch adds new package named keystone-cronjobs which will register a cronjob to invoke command "keystone-manage token_flush" for flushing out any expired token. Signed-off-by: Vu Tran <vu.tran@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2014-01-20 | meta-openstack: adding missing RDEPENDS for -setup packages | Bruce Ashfield
Installation from package feeds shows some missing RDEPENDS for the -setup packages. Signed-off-by: Rob Wolley <Rob.Woolley@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2013-12-19 | keystone: update to 2013.2.2 | Bruce Ashfield
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2013-12-11 | tempest: create per-component test packages and flakes8 | Bruce Ashfield
To add more complete tempest support, we require flakes8, so it is added to the dependency list. To get the individual component test scripts onto the target, create a $PACKAGE-tests package and add the script. When the tests are required on target, these packages should be added to the install list. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2013-11-25 | init: remove remaining createdb commands to separate init packages | Bruce Ashfield
After moving all database creation initialization packages, we also remove it from the RDEPENDS of the various control node recipes. This allows images to select database initialization or skip it. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2013-11-25 | initscripts: split into -setup and init packages | Bruce Ashfield
Many OpenStack modules require a first boot action to set up users, databases, bridges, etc. These same packages install initscripts to start daemons and servers. The 1st boot package post install actions immediately exit to indicate that the action cannot be performed in the cross environment and instead should be done on first boot. The update-rc.d post install actions are intended to be run in the cross environment to symlink scripts into the proper runlevels. The early exit from the db setup routines means that the rc files are not linked in host cross. If the rootfs doesn't contain update-rc.d, they also will not be set up on first boot. The end result is a system that does not start all of its required services on boot. To fix this, we split out db and other first boot setup tasks into dedicated (but empty) -setup packages. These run on first boot, while update-rc.d is left to create the proper symlinks. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
2013-11-25 | keystone: update to havana version | Bruce Ashfield
Updating the keystone OpenStack component to the havana release version. As part of this switch, we also start building out of git versus the release tarballs. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>