Fix keystone to manage the OSM users/projects

Keystone was not used by default by OSM NBI. Instead, internal
authentication is used.

When NBI is configured to use Keystone as auth backend, we found that it
didn't bootstrap properly because there was no data in the MySQL DB
used by Keystone. The initialization of the DB was supposed to be done by
the Keystone containers in keystone-deployment. However, those containers
were not able to initialize the DB because they were running as regular
users instead of root users.

Keystone is thought of as an infra solution, not as an application
solution. The community behind Keystone development agreed on that
behaviour.

Based on that, Keystone containers were adapted to run as root.

In addition, we decided to disable Keystone and MySQL as part of the
default values for OSM helm chart.

Change-Id: I0e7078b809abe858a69323d6e3e493e862d6e6ab
Signed-off-by: vegall <lvega@whitestack.com>
diff --git a/docker/Keystone/scripts/start.sh b/docker/Keystone/scripts/start.sh
index dde1b5a..7b4e008 100755
--- a/docker/Keystone/scripts/start.sh
+++ b/docker/Keystone/scripts/start.sh
@@ -18,6 +18,8 @@
 # contact: esousa@whitestack.com or glavado@whitestack.com
 ##
 
+set -e
+
 DB_EXISTS=""
 USER_DB_EXISTS=""
 DB_NOT_EMPTY=""
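Review bot: the added `set -e` carries no comment and is not paired with `set -o pipefail`, so a failure on the left side of any pipeline in this script is still masked while every other unguarded non-zero exit now terminates the container entrypoint. The `[[ ... ]]` and `((n++))` constructs in the later retry helper imply bash, so `set -eo pipefail` is available; please add it together with a one-line comment stating that the script is meant to fail fast. Quoting the variables initialised just below (for example `[ -z "$DB_EXISTS" ]` where they are tested later) would also keep those tests well-formed under the stricter mode.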
@@ -121,6 +123,8 @@
 # Setting Keystone tokens
 sed -i '/^\[token\]$/,/^\[/ s/^.*provider = .*/provider = fernet/' /etc/keystone/keystone.conf
 
+# Setting Keystone for the stderr
+sed -i '/\[DEFAULT\]/a use_stderr = true' /etc/keystone/keystone.conf
 
 # Use LDAP authentication for Identity
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
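Review bot: the address `/\[DEFAULT\]/` on the added `sed` line is unanchored, so it matches any line that merely contains `[DEFAULT]` (a comment, for instance), and the append is not idempotent: each run of the script against the same keystone.conf adds another `use_stderr = true` line. The token rule just above anchors its section header as `^\[token\]$`; please use `^\[DEFAULT\]$` here and skip the append when `use_stderr` is already set. The comment "Setting Keystone for the stderr" would read more clearly as a statement that Keystone logs are sent to stderr so they reach the container log.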
@@ -222,6 +226,7 @@
 
 # Bootstrap Keystone service
 if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
+    echo "Bootstraping keystone"
     keystone-manage bootstrap \
         --bootstrap-username "$ADMIN_USERNAME" \
         --bootstrap-password "$ADMIN_PASSWORD" \
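Review bot: the message on the added `echo` line misspells "Bootstrapping" as "Bootstraping", which will defeat log searches for the correct word; please fix the spelling. The condition on the line above still tests `$DB_EXISTS` and `$DB_NOT_EMPTY` unquoted; since this hunk touches that block, quoting them as `[ -z "$DB_EXISTS" ]` would be a cheap hardening.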
@@ -250,12 +255,33 @@
 
 source setup_env
 
+# Function to retry a command up to 5 times
+retry() {
+    local n=1
+    local max=5
+    local delay=5
+    while true; do
+        "$@" && break || {
+            if [[ $n -lt $max ]]; then
+                ((n++))
+                echo "Command failed. Attempt $n/$max:"
+                sleep $delay;
+            else
+                echo "The command has failed after $n attempts."
+                return 1
+            fi
+        }
+    done
+}
+
 # Create NBI User
-if [ -z $DB_EXISTS ] || [ -z $DB_NOT_EMPTY ]; then
-    openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME"
-    openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT"
-    openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin
+if ! openstack user show nbi --domain default; then
+    echo "NBI user does not exist. Creating nbi user"
+    retry openstack user create --domain default --password "$SERVICE_PASSWORD" "$SERVICE_USERNAME" || exit 1
+    retry openstack project create --domain default --description "Service Project" "$SERVICE_PROJECT" || exit 1
+    retry openstack role add --project "$SERVICE_PROJECT" --user "$SERVICE_USERNAME" admin || exit 1
 fi
+echo "Done creating the NBI user"
 
 if [ $LDAP_AUTHENTICATION_DOMAIN_NAME ]; then
     if !(openstack domain list | grep -q $LDAP_AUTHENTICATION_DOMAIN_NAME); then
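Review bot: the new guard `openstack user show nbi --domain default` hardcodes the user name `nbi`, while the create and role commands inside the block use `"$SERVICE_USERNAME"`. If that variable is set to anything else, the check fails on every start, `openstack user create` is attempted again against an existing user, is retried five times and then hits `|| exit 1`. Please test `"$SERVICE_USERNAME"` in the guard and redirect its output, since `user show` prints the user record into the container log. The single guard also covers the project creation and the `role add`: if a previous run created the user but failed on a later step, the next run skips the project and role entirely, so each of the three steps needs its own existence check. Two smaller points: `retry` repeats every failure, including non-transient ones such as a conflict, and "Done creating the NBI user" is printed even when nothing was created.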
@@ -270,7 +296,7 @@
 
 while ps -ef | grep -v grep | grep -q apache2
 do
-    sleep 60
+    tail -f /var/log/keystone/keystone-manage.log
 done
 
 # Only reaches this point if apache2 stops running
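Review bot: replacing `sleep 60` with `tail -f /var/log/keystone/keystone-manage.log` inside the `while` body means the loop condition is never evaluated again, because `tail -f` does not return while the file exists. The code after `done`, which the comment says is reached when apache2 stops, becomes unreachable, so the container keeps running with a dead apache2 and the orchestrator never sees it exit. In the opposite case, if the log file is missing, `tail` fails immediately and the `set -e` added at the top of the script ends the entrypoint even though apache2 is healthy. Suggest starting the tail once in the background before the loop (for example `tail -F` on the log file followed by `&`) and keeping the `sleep 60` poll in the loop body.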