From de086882129fdd0d081925416d92ce32bb726803 Mon Sep 17 00:00:00 2001 From: Corey Bryant Date: Wed, 24 May 2017 18:19:16 -0400 Subject: [PATCH] Enable override of config files Enable the ability for default config files to be overridden for each entry point type (simple, uwsgi, and nginx). Also refresh the README while documenting how default config files can be overridden. Change-Id: I2b2479df2ca93eb6b82d115efafb62081e6e28c2 --- README.md | 126 +++++++++++++++++++++++++---------- snap/snap-openstack.yaml | 20 ++++-- snap/templates/nginx.conf.j2 | 2 +- 3 files changed, 105 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 1aa8780..9256fb4 100644 --- a/README.md +++ b/README.md 
@@ -7,68 +7,122 @@ service, Keystone. The keystone snap can be installed directly from the snap store: - sudo snap install [--edge] keystone + sudo snap install --edge --classic keystone -## Configuring Keystone +The keystone snap is working towards publication across tracks for +OpenStack releases. The edge channel for each track will contain the tip +of the OpenStack project's master or stable branch, with the beta, candidate, +and stable channels being reserved for released versions. The same version +will be published progressively to beta, then candidate, and then stable once +CI validation completes for the channel. This should result in an experience +such as: -Snaps run in an AppArmor and seccomp confined profile, so don't read -configuration from `/etc/keystone` on the hosting operating system install. + sudo snap install --classic --channel=ocata/stable keystone + sudo snap install --classic --channel=pike/edge keystone -This snap supports configuration via the $SNAP\_COMMON writable area for the -snap: +## Configuring keystone - etc +The keystone snap gets its default configuration from the following $SNAP +and $SNAP_COMMON locations: + + /snap/keystone/current/etc/ + └── keystone +    ├── keystone.conf +    └── ... + + /var/snap/keystone/common/etc/ ├── keystone - │   ├── keystone.conf - └── keystone.conf.d - ├── database.conf - ├── keystone-snap.conf - └── keystone.conf + │   └── conf.d + │   └── keystone-snap.conf + ├── nginx + │   ├── snap + │   │   ├── nginx.conf + │   │   └── sites-enabled + │   │   └── keystone.conf + └── uwsgi + └── snap +   └── keystone.ini -The keystone applications can be configured in a few ways. +The keystone snap supports configuration updates via its $SNAP_COMMON writable +area. The default keystone configuration can be overridden as follows: -Firstly the WSGI daemon will detect and read `etc/keystone/keystone.conf` -if it exists so you can just place all configuration in the file for each -daemon. 
+ /var/snap/keystone/common/etc/ + ├── keystone + │   ├── conf.d + │   │   ├── keystone-snap.conf + │   │   ├── database.conf + │   │   └── rabbitmq.conf + │   └── keystone.conf + ├── nginx + │   ├── snap + │   │   ├── nginx.conf + │   │   └── sites-enabled + │   │   └── keystone.conf + │   ├── nginx.conf + │   ├── sites-enabled + │   │   └── keystone.conf + └── uwsgi +    ├── snap +   │ └── keystone.ini + └── keystone.ini -Alternatively the WSGI daemon will load all configuration files from -`etc/keystone.conf.d` - in the above example, database and keystone authtoken -configuration is shared across both daemons using configuration snippets in -separate files in `etc/keystone.conf.d`. +The keystone configuration can be overridden or augmented by writing +configuration snippets to files in the conf.d directory. -For reference, $SNAP\_COMMON is typically located under -`/var/snap/keystone/common`. +Alternatively, keystone configuration can be overridden by adding a full +keystone.conf file to the keystone/ directory. If overriding in this way, you'll +need to either point this config file at additional config files located in $SNAP, +or add those to $SNAP_COMMON as well. -## Managing Keystone +The keystone nginx configuration can be overridden by adding an nginx/nginx.conf +and new site config files to the nginx/sites-enabled directory. In this case the +nginx/nginx.conf file would include that sites-enabled directory. If +nginx/nginx.conf exists, nginx/snap/nginx.conf will no longer be used. -Currently all snap binaries must be run as root; for example, to run the -keystone-manage binary use: +The keystone uwsgi configuration can be overridden similarly by adding a +uwsgi/keystone.ini file. If uwsgi/keystone.ini exists, uwsgi/snap/keystone.ini +will no longer be used. - sudo keystone.manage +## Logging keystone -## Restarting Keystone services +The services for the keystone snap will log to its $SNAP_COMMON writable area: +/var/snap/keystone/common/log. 
+ +## Managing keystone + +The keystone snap will drop privileges to run daemons and commands under +a regular user named snap-keystone. Additionally, permissions and ownership +of files and directories in /var/snap/keystone/common/ are modified to +restrict access from other users. + +The keystone snap has alias support that enables use of the well-known +keystone-manage command. To enable the alias, run the following prior to +using the command: + + sudo snap alias keystone.manage keystone-manage + +## Restarting keystone services To restart all keystone services: sudo systemctl restart snap.keystone.* -or use the individual service: +or an individual service can be restarted by dropping the wildcard and +specifying the full service name. - sudo systemctl restart snap.keystone.api - -## Building the Keystone snap +## Building the keystone snap Simply clone this repository and then install and run snapcraft: - git clone https://github.com/openstack-snaps/snap-keystone + git clone https://github.com/openstack/snap-keystone sudo apt install snapcraft - cd keystone + cd snap-keystone snapcraft ## Support -Please report any bugs related to this snap on +Please report any bugs related to this snap at: [Launchpad](https://bugs.launchpad.net/snap-keystone/+filebug). -Alternatively you can find the OpenStack Snap team in `#openstack-snaps` -on Freenode IRC. +Alternatively you can find the OpenStack Snap team in `#openstack-snaps` on +Freenode IRC. diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml index 33ecb10..4439fa5 100644 --- a/snap/snap-openstack.yaml +++ b/snap/snap-openstack.yaml 
@@ -7,16 +7,20 @@ setup:
 - "{snap_common}/etc/keystone"
 - "{snap_common}/etc/keystone/conf.d"
 - "{snap_common}/etc/nginx"
+ - "{snap_common}/etc/nginx/sites-enabled"
+ - "{snap_common}/etc/nginx/snap"
+ - "{snap_common}/etc/nginx/snap/sites-enabled"
 - "{snap_common}/etc/uwsgi"
+ - "{snap_common}/etc/uwsgi/snap"
 - "{snap_common}/fernet-keys"
 - "{snap_common}/lib"
 - "{snap_common}/lock"
 - "{snap_common}/log"
 - "{snap_common}/run"
 templates:
- keystone-nginx.conf.j2: "{snap_common}/etc/nginx/sites-enabled/keystone.conf"
+ keystone-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/keystone.conf"
 keystone-snap.conf.j2: "{snap_common}/etc/keystone/conf.d/keystone-snap.conf"
- nginx.conf.j2: "{snap_common}/etc/nginx/nginx.conf"
+ nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
 rchown:
 "{snap_common}/fernet-keys": "snap-keystone:snap-keystone"
 "{snap_common}/lib": "snap-keystone:snap-keystone"
@@ -28,6 +32,7 @@ entry_points:
 binary: "{snap}/bin/keystone-manage"
 config-files:
 - "{snap}/etc/keystone/keystone.conf"
+ config-files-override:
 - "{snap_common}/etc/keystone/keystone.conf"
 config-dirs:
 - "{snap_common}/etc/keystone/conf.d"
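Review bot: Nothing in this hunk says who may write to the override locations (the new `etc/nginx/sites-enabled`, and the now operator-facing `etc/nginx` and `etc/uwsgi`); the visible `rchown` entries cover only `fernet-keys` and `lib`, and that list continues outside the hunk. A file placed in these directories replaces the snap-managed nginx or uwsgi configuration on the next start, so they should stay writable by root only and never be handed to `snap-keystone`. I would record that next to the directory list, for example `# override dirs: root-owned, must not be writable by snap-keystone`, and confirm the setup step applies a matching mode.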
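Review bot: Moving `{snap_common}/etc/keystone/keystone.conf` from `config-files` to `config-files-override` looks like a behaviour change for existing installs. Before, that file was listed after `{snap}/etc/keystone/keystone.conf` in the same `config-files` list; if override means "use instead of", as the README text in this commit describes, a partial keystone.conf already present in $SNAP_COMMON would now run without the packaged defaults. The handling of the new key lives outside this diff, so please confirm it and state the semantics in a comment such as `# replaces config-files when the file exists; config-dirs are still read`. The same applies to the `keystone-uwsgi` entry point in the next hunk.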
@@ -35,19 +40,22 @@ entry_points: snap-keystone: [snap-keystone] keystone-uwsgi: type: uwsgi - uwsgi-dir: "{snap_common}/etc/uwsgi" + uwsgi-dir: "{snap_common}/etc/uwsgi/snap" + uwsgi-dir-override: "{snap_common}/etc/uwsgi" uwsgi-log: "{snap_common}/log/uwsgi.log" config-files: - "{snap}/etc/keystone/keystone.conf" + config-files-override: - "{snap_common}/etc/keystone/keystone.conf" config-dirs: - "{snap_common}/etc/keystone/conf.d" log-file: "{snap_common}/log/keystone.log" templates: - admin.ini.j2: "{snap_common}/etc/uwsgi/admin.ini" - public.ini.j2: "{snap_common}/etc/uwsgi/public.ini" + admin.ini.j2: "{snap_common}/etc/uwsgi/snap/admin.ini" + public.ini.j2: "{snap_common}/etc/uwsgi/snap/public.ini" run-as: snap-keystone: [snap-keystone] keystone-nginx: type: nginx - config-file: "{snap_common}/etc/nginx/nginx.conf" + config-file: "{snap_common}/etc/nginx/snap/nginx.conf" + config-file-override: "{snap_common}/etc/nginx/nginx.conf" diff --git a/snap/templates/nginx.conf.j2 b/snap/templates/nginx.conf.j2 index 0193035..9d367ae 100644 --- a/snap/templates/nginx.conf.j2 +++ b/snap/templates/nginx.conf.j2 @@ -35,5 +35,5 @@ http { gzip_disable "msie6"; include {{ snap_common }}/etc/nginx/conf.d/*.conf; - include {{ snap_common }}/etc/nginx/sites-enabled/*; + include {{ snap_common }}/etc/nginx/snap/sites-enabled/*; }
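Review bot: `uwsgi-dir-override` points at `{snap_common}/etc/uwsgi`, which is the parent of the default `uwsgi-dir` and is always created by the `setup` list. Selection therefore cannot key on the directory existing, and must not pick up `snap/admin.ini` and `snap/public.ini` by recursion; that logic is outside this diff and worth confirming. The README in this commit documents the override as `uwsgi/keystone.ini`, while the templates here render `admin.ini` and `public.ini`, so an operator following the README may create a file that is never matched or that replaces only part of the set. If the intended rule is "any ini file present wins", a comment on the key would help: `# used only when this directory itself holds .ini files; replaces uwsgi-dir entirely`.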
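Review bot: The rewritten include still uses a bare `*`, so every file in `snap/sites-enabled` is parsed as nginx configuration, including editor backups or leftovers such as `keystone.conf~`; the `conf.d` include one line above is already limited to `*.conf`. Since the only file the snap renders into that directory is `keystone.conf`, I would narrow it to `include {{ snap_common }}/etc/nginx/snap/sites-enabled/*.conf;`. The enclosing `http` block starts outside the hunk.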