[Bug 2130370] Re: [SRU] keystone-wsgi-public and keystone-wsgi-admin missing from the keystone package

Sun Nov 2 10:42:44 UTC 2025

The package in resolute is failing to build with the following error, it
shouldn't be related to this change, because (re)building
keystone_28.0.0-0ubuntu1.dsc (the one in the archive) fails in the same
way.

+ PYTHON=python3.14 stestr run --parallel --subunit --exclude-regex keystone.tests.unit.tests.test_core.TestTestCase.test_deprecation_warnings_are_raised_as_exceptions_in_tests
+ subunit2pyunit

=========================
Failures during discovery
=========================
--- import errors ---
Failed to import test module: keystone.tests.unit
Traceback (most recent call last):
  File "/usr/lib/python3.14/unittest/loader.py", line 460, in _find_test_path
    package = self._get_module_from_name(name)
  File "/usr/lib/python3.14/unittest/loader.py", line 367, in _get_module_from_name
    __import__(name)
    ~~~~~~~~~~^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/tests/unit/__init__.py", line 15, in <module>
    from keystone.tests.unit.core import *  # noqa
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/tests/unit/core.py", line 53, in <module>
    from keystone.identity.backends.ldap import common as ks_ldap
  File "/build/reproducible-path/keystone-28.0.0/keystone/identity/__init__.py", line 15, in <module>
    from keystone.identity.core import *  # noqa
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/identity/core.py", line 31, in <module>
    from keystone import assignment  # TODO(lbragstad): Decouple this dependency
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/assignment/__init__.py", line 15, in <module>
    from keystone.assignment.core import *  # noqa
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/assignment/core.py", line 26, in <module>
    from keystone.common.resource_options import options as ro_opt
  File "/build/reproducible-path/keystone-28.0.0/keystone/common/resource_options/__init__.py", line 13, in <module>
    from keystone.common.resource_options.core import *  # noqa
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/build/reproducible-path/keystone-28.0.0/keystone/common/resource_options/core.py", line 15, in <module>
    from keystone.common import validation
  File "/build/reproducible-path/keystone-28.0.0/keystone/common/validation/__init__.py", line 14, in <module>
    from keystone.common.validation import validators
  File "/build/reproducible-path/keystone-28.0.0/keystone/common/validation/validators.py", line 16, in <module>
    import jsonschema
  File "/usr/lib/python3/dist-packages/jsonschema/__init__.py", line 13, in <module>
    from jsonschema._format import FormatChecker
  File "/usr/lib/python3/dist-packages/jsonschema/_format.py", line 11, in <module>
    from jsonschema.exceptions import FormatError
  File "/usr/lib/python3/dist-packages/jsonschema/exceptions.py", line 15, in <module>
    from referencing.exceptions import Unresolvable as _Unresolvable
  File "/usr/lib/python3/dist-packages/referencing/__init__.py", line 5, in <module>
    from referencing._core import Anchor, Registry, Resource, Specification
  File "/usr/lib/python3/dist-packages/referencing/_core.py", line 9, in <module>
    from rpds import HashTrieMap, HashTrieSet, List
  File "/usr/lib/python3/dist-packages/rpds/__init__.py", line 1, in <module>
    from .rpds import *
ModuleNotFoundError: No module named 'rpds.rpds'

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/2130370

Title:
  [SRU] keystone-wsgi-public and keystone-wsgi-admin missing from the
  keystone package

Status in OpenStack Keystone Charm:
  Invalid
Status in regress-stack:
  Invalid
Status in keystone package in Ubuntu:
  New
Status in keystone source package in Questing:
  New

Bug description:
  [ Impact ]

  Keystone-28.0.0 (2025.2)[0]  dropped the keystone-wsgi-admin and
  keystone-wsgi-public scripts were dropped, the provided Apache2
  configuration[2]

  The debian package provides an Apache2 configuration and it assumes
  the existence of these scripts - https://git.launchpad.net/~ubuntu-
  openstack-dev/ubuntu/+source/keystone/tree/debian/keystone.conf#n4

  The approach to fix this bug is to reintroduce the generation of the
  wsgi scripts by patchin the setup.cfg file.

  The patch also augments the autopkgtest configuring keystone and
  validating the configured service is capable of issuing tokens.

  [0] https://docs.openstack.org/releasenotes/keystone/2025.2.html
  [1] https://opendev.org/openstack/keystone/commit/0d2cc1a3af4dbd2825cef5992056bffe935eaadd
  [2] /etc/apache2/sites-available/keystone.conf

  [ Test Plan ]

  1. Install keystone, mysql and other packages to assist with the testing
  sudo apt-get install keystone mysql-server crudini python3-openstackclient

  2. Create a database for keystone
  sudo mysql -u root << EOF
  CREATE USER 'keystone'@'localhost' IDENTIFIED BY 'changeme';
  CREATE USER 'keystone'@'%' IDENTIFIED BY 'changeme';
  CREATE DATABASE keystone;
  GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost';
  GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%';
  EOF

  3. Configure keystone to use the database
  sudo crudini --set /etc/keystone/keystone.conf database connection "mysql+pymysql://keystone:changeme@localhost/keystone"

  4. Sync up the database
  sudo -u keystone keystone-manage --config-dir /etc/keystone db_sync

  5. Configure Fernet for Keystone
  sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
  sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

  6. Restart apache2
  sudo systemctl restart apache2

  7. Bootstrap keystone
  keystone-manage bootstrap \
      --bootstrap-password changeme \
      --bootstrap-admin-url http://localhost:/v3/ \
      --bootstrap-internal-url http://localhost:/v3/ \
      --bootstrap-public-url http://localhost:/v3/ \
      --bootstrap-region-id RegionOne

  8. Issue a token
  openstack --os-region-name RegionOne \
      --os-auth-url http://localhost:5000/v3 \
      --os-project-domain-name Default \
      --os-user-domain-name Default \
      --os-project-name admin \
      --os-username admin \
      --os-password changeme \
      token issue

  Example of the expected output:
  +------------+------------------------------------------+
  | Field      | Value                                    |
  +------------+------------------------------------------+
  | expires    | 2025-11-02T11:10:36+0000                 |
  | id         | gAAAAABpBy4ckoYzHMVnZFXNjwOXUg0-Us0[...] |
  | project_id | 6497c42b07464c9594ed7dd1610986cd         |
  | user_id    | 0708b8f653a14a158ed503dd1ff0eee8         |
  +------------+------------------------------------------+

  [ Where problems could occur ]

  * The wsgi scripts are generated while the deb package is being built
  and they are installed under /usr/bin , any issues with this patch
  would be at building time when python's setup phase runs.

  * This patch doesn't change existing files, it will create new files
  to be included in the package, hence no behavior change is being
  introduced.

  [ Other Info ]

  * Another possible way to fix this bug would have been to migrate the
  package to uwsgi, although keystone is in main and uwsgi is in
  universe, so a Main Inclusion Request would need to be submitted
  first, in any case this approach wouldn't be suitable for a SRU.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/2130370/+subscriptions