[Bug 2130370] Re: [SRU] keystone-wsgi-public and keystone-wsgi-admin missing from the keystone package

Felipe Reyes 2130370 at bugs.launchpad.net
Sun Nov 2 10:43:36 UTC 2025


** Patch added: "lp2130370_resolute.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/2130370/+attachment/5923222/+files/lp2130370_resolute.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/2130370

Title:
  [SRU] keystone-wsgi-public and keystone-wsgi-admin missing from the
  keystone package

Status in OpenStack Keystone Charm:
  Invalid
Status in regress-stack:
  Invalid
Status in keystone package in Ubuntu:
  New
Status in keystone source package in Questing:
  New

Bug description:
  [ Impact ]

  Keystone-28.0.0 (2025.2)[0] dropped the keystone-wsgi-admin and
  keystone-wsgi-public scripts, the provided Apache2
  configuration[2]

  The Debian package provides an Apache2 configuration and it assumes
  the existence of these scripts -
  https://git.launchpad.net/~ubuntu-openstack-dev/ubuntu/+source/keystone/tree/debian/keystone.conf#n4

  The approach to fix this bug is to reintroduce the generation of the
  wsgi scripts by patching the setup.cfg file.

  The patch also augments the autopkgtest configuring keystone and
  validating the configured service is capable of issuing tokens.

  [0] https://docs.openstack.org/releasenotes/keystone/2025.2.html
  [1] https://opendev.org/openstack/keystone/commit/0d2cc1a3af4dbd2825cef5992056bffe935eaadd
  [2] /etc/apache2/sites-available/keystone.conf

  [ Test Plan ]

  1. Install keystone, mysql and other packages to assist with the testing
  sudo apt-get install keystone mysql-server crudini python3-openstackclient

  2. Create a database for keystone
  sudo mysql -u root << EOF
  CREATE USER 'keystone'@'localhost' IDENTIFIED BY 'changeme';
  CREATE USER 'keystone'@'%' IDENTIFIED BY 'changeme';
  CREATE DATABASE keystone;
  GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost';
  GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%';
  EOF

  3. Configure keystone to use the database
  sudo crudini --set /etc/keystone/keystone.conf database connection "mysql+pymysql://keystone:changeme@localhost/keystone"

  4. Sync up the database
  sudo -u keystone keystone-manage --config-dir /etc/keystone db_sync

  5. Configure Fernet for Keystone
  sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
  sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

  6. Restart apache2
  sudo systemctl restart apache2

  7. Bootstrap keystone
  keystone-manage bootstrap \
      --bootstrap-password changeme \
      --bootstrap-admin-url http://localhost:/v3/ \
      --bootstrap-internal-url http://localhost:/v3/ \
      --bootstrap-public-url http://localhost:/v3/ \
      --bootstrap-region-id RegionOne

  8. Issue a token
  openstack --os-region-name RegionOne \
      --os-auth-url http://localhost:5000/v3 \
      --os-project-domain-name Default \
      --os-user-domain-name Default \
      --os-project-name admin \
      --os-username admin \
      --os-password changeme \
      token issue

  Example of the expected output:
  +------------+------------------------------------------+
  | Field      | Value                                    |
  +------------+------------------------------------------+
  | expires    | 2025-11-02T11:10:36+0000                 |
  | id         | gAAAAABpBy4ckoYzHMVnZFXNjwOXUg0-Us0[...] |
  | project_id | 6497c42b07464c9594ed7dd1610986cd         |
  | user_id    | 0708b8f653a14a158ed503dd1ff0eee8         |
  +------------+------------------------------------------+

  [ Where problems could occur ]

  * The wsgi scripts are generated while the deb package is being built
  and they are installed under /usr/bin; any issues with this patch
  would appear at build time, when Python's setup phase runs.

  * This patch doesn't change existing files; it will create new files
  to be included in the package, hence no behavior change is being
  introduced.

  [ Other Info ]

  * Another possible way to fix this bug would have been to migrate the
  package to uwsgi, although keystone is in main and uwsgi is in
  universe, so a Main Inclusion Request would need to be submitted
  first. In any case, this approach wouldn't be suitable for an SRU.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/2130370/+subscriptions
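
The failure described in this report is an Apache site file that points at scripts the package no longer ships. As an added example (not part of the bug report or of the keystone packaging), the shell function below lists the WSGIScriptAlias targets of a site file that are missing on disk; the function name, the sample site file contents and the temporary fake root are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not from the bug report or the keystone package.

# missing_wsgi_targets CONF [ROOT]
# Print every WSGIScriptAlias script path in CONF that is not a regular file
# under ROOT (default: the live filesystem). Exit status: 0 = all present,
# 1 = at least one missing, 2 = CONF unreadable.
# Limitation: script paths containing spaces are not handled.
missing_wsgi_targets() {
    mwt_conf=$1
    mwt_root=${2:-}
    [ -r "$mwt_conf" ] || { echo "cannot read $mwt_conf" >&2; return 2; }
    # Directive names are case-insensitive; field 3 is the script path.
    mwt_missing=$(
        awk 'tolower($1) == "wsgiscriptalias" { gsub(/"/, "", $3); print $3 }' "$mwt_conf" |
        while IFS= read -r mwt_t; do
            [ -f "$mwt_root$mwt_t" ] || printf '%s\n' "$mwt_t"
        done
    )
    [ -z "$mwt_missing" ] && return 0
    printf '%s\n' "$mwt_missing"
    return 1
}

# Constructed demo: a fake root that holds only one of the two scripts named
# in a constructed site file, so the check runs without Apache or keystone.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/usr/bin"
    : > "$d/usr/bin/keystone-wsgi-public"
    cat > "$d/keystone.conf" <<'EOF'
# constructed sample, not the packaged file
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
# WSGIScriptAlias /old /usr/bin/commented-out
wsgiscriptalias /admin "/usr/bin/keystone-wsgi-admin"
EOF
    missing_wsgi_targets "$d/keystone.conf" "$d"
    demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

demo || echo "status $?: the targets listed above are missing"
```

On an installed system the same function can be pointed at /etc/apache2/sites-available/keystone.conf with no second argument, for example before restarting apache2 in step 6.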



