b1197b3819
Using sudo -u to change users for a command can fail if sudo thinks it needs a controlling TTY as part of its authentication. Since this is the default config, that means that whenever the command is run in an environment that does not have a TTY (such as from init(1)), sudo will die.

su does not care or check for a controlling TTY, so it will succeed as long as it is being run by root (which should be the case for all os-refresh-config elements).

Therefore, instead of using sudo -u <username> -- <command> to run commands as other users, use su -s /bin/bash -c "<command>" <username>. This will allow things to function in the face of a misconfigured sudo as well as allow commands to run against an account that has been locked out or has a shell that otherwise restricts what commands can be run.

Change-Id: I5cc518ce42536a09e9f25c6635e191884aaaef92
cleanup.d
environment.d
install.d
os-apply-config
os-refresh-config
README.md
cleanup-keystone-tokens.sh
element-deps
keystone.crontab
pkg-map
source-repository-keystone
svc-map
README.md
Install and configure Keystone.
Upon booting the image, the service should be running on port 5000.
Configuration
The default template for the /etc/keystone/keystone.conf file contains a minimal set of configuration parameters, which are expected to be passed in with Heat Metadata. For example, the keystone.db key is required and provides the MySQL connection string:
keystone:
db: "mysql://keyuser:keypass@localhost/keystone"
All customizations to /etc/keystone/keystone.conf are expected to be made using the passthrough configuration feature.
An additional configuration file, /etc/keystone/domains/keystone.ldap.conf, is also maintained to provide domain-specific configuration for LDAP. This file is likewise populated using the passthrough configuration feature, under the "keystone_ldap" key. Here is sample content for the ExtraConfig Heat Metadata parameter:
{
  "keystone": {
    "config": [
      {
        "section": "identity",
        "values": [
          {
            "option": "domain_specific_drivers_enabled",
            "value": "True"
          },
          {
            "option": "domain_config_dir",
            "value": "/etc/keystone/domains"
          }
        ]
      }
    ]
  },
  "keystone_ldap": {
    "config": [
      {
        "section": "identity",
        "values": [
          {
            "option": "driver",
            "value": "keystone.identity.backends.ldap.Identity"
          }
        ]
      },
      {
        "section": "assignment",
        "values": [
          {
            "option": "driver",
            "value": "keystone.assignment.backends.sql.Assignment"
          }
        ]
      },
      {
        "section": "ldap",
        "values": [
          {
            "option": "url",
            "value": "ldap://ldap.example.com"
          },
          {
            "option": "suffix",
            "value": "dc=example,dc=com"
          },
          . . .
        ]
      }
    ]
  }
}
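To make the shape of this metadata concrete, the following is an added example (not the element's own os-apply-config template or any code from the tripleo project) that shows how the keystone.db key and the passthrough "config" lists above map onto INI files: the db value becomes the [database] connection option of keystone.conf, each section/values/option/value entry is applied in order, and the "keystone_ldap" list is rendered into a separate domain file. The metadata embedded below is constructed from the README's sample, the function names are assumptions, and the redaction helper is added because the connection string carries database credentials that should not be echoed into logs or console output.

```python
import configparser
import io
import json
from urllib.parse import urlsplit

# Constructed sample Heat metadata, built from the README's example shape
# (values are illustrative, not from any real deployment).
SAMPLE_METADATA = json.loads("""
{
  "keystone": {
    "db": "mysql://keyuser:keypass@localhost/keystone",
    "config": [
      {"section": "identity",
       "values": [
         {"option": "domain_specific_drivers_enabled", "value": "True"},
         {"option": "domain_config_dir", "value": "/etc/keystone/domains"}
       ]}
    ]
  },
  "keystone_ldap": {
    "config": [
      {"section": "identity",
       "values": [{"option": "driver",
                   "value": "keystone.identity.backends.ldap.Identity"}]},
      {"section": "assignment",
       "values": [{"option": "driver",
                   "value": "keystone.assignment.backends.sql.Assignment"}]},
      {"section": "ldap",
       "values": [
         {"option": "url", "value": "ldap://ldap.example.com"},
         {"option": "suffix", "value": "dc=example,dc=com"}
       ]}
    ]
  }
}
""")


def apply_passthrough(parser, config_list):
    """Apply a passthrough 'config' list (section -> values -> option/value)
    to a ConfigParser, creating sections on demand. Later entries override
    earlier ones for the same option, which is why ordering in the list matters."""
    for entry in config_list:
        section = entry["section"]
        if section != "DEFAULT" and not parser.has_section(section):
            parser.add_section(section)
        for item in entry["values"]:
            parser.set(section, item["option"], str(item["value"]))
    return parser


def render_keystone_conf(metadata):
    """Render keystone.conf: the required keystone.db key fills
    [database] connection, then the passthrough list is applied on top."""
    keystone = metadata["keystone"]
    if "db" not in keystone:
        raise KeyError("keystone.db metadata key is required (MySQL connection string)")
    # interpolation=None so '%' in passwords is written literally, not expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.add_section("database")
    parser.set("database", "connection", keystone["db"])
    apply_passthrough(parser, keystone.get("config", []))
    return _dump(parser)


def render_domain_conf(metadata, key="keystone_ldap"):
    """Render the domain-specific file (keystone.ldap.conf) from its own key;
    it is kept separate so LDAP settings never leak into keystone.conf."""
    parser = configparser.ConfigParser(interpolation=None)
    apply_passthrough(parser, metadata.get(key, {}).get("config", []))
    return _dump(parser)


def redact_connection(url):
    """Return the connection string with the password masked, for logging."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    out = f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"
    return out + (f"?{parts.query}" if parts.query else "")


def parse_ini(text):
    """Read rendered INI text back for inspection or assertions."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _dump(parser):
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(redact_connection(SAMPLE_METADATA["keystone"]["db"]))
    print(render_keystone_conf(SAMPLE_METADATA))
    print(render_domain_conf(SAMPLE_METADATA))
```

Running the module prints the masked connection string followed by the two rendered files; the assignment driver from the sample stays in keystone.ldap.conf, and nothing from the "keystone_ldap" key appears in keystone.conf.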
NOTE: Token cleanup will cause poor performance until the upstream bug (https://bugs.launchpad.net/keystone/+bug/1188378) is fixed. This problem is fixed in some distributions (Ubuntu, RHEL, CentOS) where percona-toolkit is supported and is used to clean out the table on MySQL; see http://www.percona.com/mysql-support/policies/percona-toolkit-supported-platforms-and-versions for the supported platforms.