Bug 494144 - sys-auth/keystone-2013.2.r2 - token-get fails
Summary: sys-auth/keystone-2013.2.r2 - token-get fails
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo OpenStack team
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2013-12-13 13:18 UTC by Davide Rebeccani
Modified: 2013-12-13 17:32 UTC
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
keystone-2013.2-r1.ebuild (keystone-2013.2-r1.ebuild,4.40 KB, text/plain)
2013-12-13 13:23 UTC, Davide Rebeccani
keystone init.d file (keystone.initd,1.25 KB, text/plain)
2013-12-13 13:24 UTC, Davide Rebeccani

Description Davide Rebeccani 2013-12-13 13:18:55 UTC
After installing sys-auth/keystone-2013.1.2.r2 and correctly configuring the keystone service, if you issue the command:

# keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get

the service will return an HTTP(500) error like this:

ERROR keystone.common.cms [-] Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'

Reproducible: Always

Steps to Reproduce:
1. emerge =sys-auth/keystone-2013.1.2.r2
2. export OS_SERVICE_TOKEN=ADMIN_PASS && export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
3. keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://controller:35357/v2.0 token-get
Actual Results:  
HTTP(500) error

Expected Results:  
The keystone service releases the auth token

In openstack-havana the keystone token driver is set to PKI, so the build should tell the user to configure openssl and keystone PKI.
Comment 1 Davide Rebeccani 2013-12-13 13:23:01 UTC
Created attachment 365220
keystone-2013.2-r1.ebuild

Corrected build file with:

1. Creation of keystone user and group to run the daemon under
2. Added pkg_postinst() information about how to configure keystone PKI
3. Added pkg_config() to configure PKI as reported in pkg_postinst()
Comment 2 Davide Rebeccani 2013-12-13 13:24:07 UTC
Created attachment 365222
keystone init.d file

Fixed keystone init.d file to run the keystone daemon under the keystone user.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-13 14:29:51 UTC
Comment on attachment 365220
keystone-2013.2-r1.ebuild

--- keystone-2013.2-r1.ebuild   2013-11-28 18:39:30.380637752 +0100
+++ -   2013-12-13 15:29:34.891724152 +0100
@@ -79,6 +79,11 @@
        "${FILESDIR}/2013.2-CVE-2013-4477.patch"
 )
 
+pkg_setup() {
+       enewgroup keystone
+       enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
 python_prepare_all() {
        mkdir ${PN}/tests/tmp || die
        cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
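Review bot: in pkg_setup(), `enewuser keystone -1 -1 /var/lib/keystone keystone` gives the account a home of /var/lib/keystone, but nothing in the visible hunks creates that directory or hands it to the new user; the fowners call added further down lists only /var/run/keystone, /var/log/keystone and /etc/keystone. Suggest adding a keepdir and fowners for /var/lib/keystone in the install phase, or passing -1 for the home if the daemon does not need one. enewgroup and enewuser come from the user eclass, so the inherit line (not shown in this diff) has to include it.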
@@ -103,4 +108,26 @@
        doins etc/keystone.conf.sample etc/logging.conf.sample
        doins etc/default_catalog.templates etc/policy.json
        doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+
+       fowners keystone:keystone /var/run/keystone /var/log/keystone /etc/keystone
+}
+
+pkg_postinst() {
+       elog "You might want to run:"
+       elog "emerge --config =${CATEGORY}/${PF}"
+       elog "if this is a new install."
+       elog "If you have not already configured your openssl installation"
+       elog "please do it by modifying /etc/ssl/openssl.cnf"
+       elog "BEFORE issuing the configuration command."
+       elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+       if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+               einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+               read
+               "${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+       else
+               einfo "keystone PKI certificates directory already present, skipping configuration"
+       fi
 }
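Review bot: in pkg_config(), the `keystone-manage pki_setup` call has no `|| die`, and the guard only tests whether "${ROOT}"/etc/keystone/ssl exists, so if pki_setup creates the directory and then fails, every later `emerge --config` prints the "already present, skipping configuration" message while token signing still has no certificate. Suggest appending `|| die "pki_setup failed"` and testing for the generated certificate and key rather than for the directory. Separately, `fowners keystone:keystone ... /etc/keystone` in the install hunk makes the service account the owner of its own configuration directory; keeping it root-owned with group keystone read access would stop the daemon account from rewriting its own config, and only the PKI material needs to belong to keystone. The pkg_postinst text could also name the failure it prevents (token-get returning HTTP 500 until PKI is set up) so that users do not treat the step as optional.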
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-13 16:55:20 UTC
is this for 2013.1 or 2013.2? looks like you have both mentioned in the comments.
Comment 5 Davide Rebeccani 2013-12-13 16:58:00 UTC
Sorry for the typo. I meant sys-auth/keystone-2013.2-r1 :-)
Comment 6 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-13 17:32:06 UTC
fixed in 2013.2-r2 and 2013.2.9999

thanks for all the work :D