@@ -137,7 +137,7 @@ OS\_AUTH\_URL

     ::

-        OS_AUTH_URL=http://$SERVICE_HOST:5000/v3.0

+        OS_AUTH_URL=http://$SERVICE_HOST/identity/v3.0

 KEYSTONECLIENT\_DEBUG, NOVACLIENT\_DEBUG

     Set command-line client log level to ``DEBUG``. These are commented

@@ -430,16 +430,16 @@ Python bindings added when they are enabled.

   ADDITIONAL_VENV_PACKAGES="python-foo, python-bar"

-Use python3

+Use python2

 ------------

-By default ``stack.sh`` uses python2 (the exact version set by the

-``PYTHON2_VERSION``). This can be overriden so devstack will run

-python3 (the exact version set by ``PYTHON3_VERSION``).

+By default ``stack.sh`` uses python3 (the exact version set by the

+``PYTHON3_VERSION``). This can be overriden so devstack will run

+python2 (the exact version set by ``PYTHON2_VERSION``).

 ::

-  USE_PYTHON3=True

+  USE_PYTHON3=False

 A clean install every time

 --------------------------

@@ -696,16 +696,6 @@ KEYSTONE_REGION_NAME to specify the region of Keystone service.

 KEYSTONE_REGION_NAME has a default value the same as REGION_NAME thus we omit

 it in the configuration of RegionOne.

-Disabling Identity API v2

-+++++++++++++++++++++++++

-

-The Identity API v2 is deprecated as of Mitaka and it is recommended to only

-use the v3 API. It is possible to setup keystone without v2 API, by doing:

-

-::

-

-    ENABLE_IDENTITY_V2=False

-

 .. _arch-configuration:

 Architectures

@@ -1,39 +1,9 @@

-Listen %PUBLICPORT%

-Listen %ADMINPORT%

 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D(us)" keystone_combined

 <Directory %KEYSTONE_BIN%>

     Require all granted

 </Directory>

-<VirtualHost *:%PUBLICPORT%>

-    WSGIDaemonProcess keystone-public processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%

-    WSGIProcessGroup keystone-public

-    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-public

-    WSGIApplicationGroup %{GLOBAL}

-    WSGIPassAuthorization On

-    ErrorLogFormat "%M"

-    ErrorLog /var/log/%APACHE_NAME%/keystone.log

-    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined

-    %SSLENGINE%

-    %SSLCERTFILE%

-    %SSLKEYFILE%

-</VirtualHost>

-

-<VirtualHost *:%ADMINPORT%>

-    WSGIDaemonProcess keystone-admin processes=3 threads=1 user=%USER% display-name=%{GROUP} %VIRTUALENV%

-    WSGIProcessGroup keystone-admin

-    WSGIScriptAlias / %KEYSTONE_BIN%/keystone-wsgi-admin

-    WSGIApplicationGroup %{GLOBAL}

-    WSGIPassAuthorization On

-    ErrorLogFormat "%M"

-    ErrorLog /var/log/%APACHE_NAME%/keystone.log

-    CustomLog /var/log/%APACHE_NAME%/keystone_access.log keystone_combined

-    %SSLENGINE%

-    %SSLCERTFILE%

-    %SSLKEYFILE%

-</VirtualHost>

-

 %SSLLISTEN%<VirtualHost *:443>

 %SSLLISTEN%    %SSLENGINE%

 %SSLLISTEN%    %SSLCERTFILE%

@@ -83,14 +83,10 @@ KEYSTONE_TOKEN_FORMAT=$(echo ${KEYSTONE_TOKEN_FORMAT} | tr '[:upper:]' '[:lower:

 # Set Keystone interface configuration

 KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}

-KEYSTONE_AUTH_PORT=${KEYSTONE_AUTH_PORT:-35357}

-KEYSTONE_AUTH_PORT_INT=${KEYSTONE_AUTH_PORT_INT:-35358}

 KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}

 # Public facing bits

 KEYSTONE_SERVICE_HOST=${KEYSTONE_SERVICE_HOST:-$SERVICE_HOST}

-KEYSTONE_SERVICE_PORT=${KEYSTONE_SERVICE_PORT:-5000}

-KEYSTONE_SERVICE_PORT_INT=${KEYSTONE_SERVICE_PORT_INT:-5001}

 KEYSTONE_SERVICE_PROTOCOL=${KEYSTONE_SERVICE_PROTOCOL:-$SERVICE_PROTOCOL}

 # Bind hosts

@@ -170,22 +166,14 @@ function _config_keystone_apache_wsgi {

     local keystone_ssl=""

     local keystone_certfile=""

     local keystone_keyfile=""

-    local keystone_service_port=$KEYSTONE_SERVICE_PORT

-    local keystone_auth_port=$KEYSTONE_AUTH_PORT

     local venv_path=""

-    if is_service_enabled tls-proxy; then

-        keystone_service_port=$KEYSTONE_SERVICE_PORT_INT

-        keystone_auth_port=$KEYSTONE_AUTH_PORT_INT

-    fi

     if [[ ${USE_VENV} = True ]]; then

         venv_path="python-path=${PROJECT_VENV["keystone"]}/lib/$(python_version)/site-packages"

     fi

     sudo cp $FILES/apache-keystone.template $keystone_apache_conf

     sudo sed -e "

-        s|%PUBLICPORT%|$keystone_service_port|g;

-        s|%ADMINPORT%|$keystone_auth_port|g;

         s|%APACHE_NAME%|$APACHE_NAME|g;

         s|%SSLLISTEN%|$keystone_ssl_listen|g;

         s|%SSLENGINE%|$keystone_ssl|g;

@@ -222,21 +210,8 @@ function configure_keystone {

     iniset_rpc_backend keystone $KEYSTONE_CONF oslo_messaging_notifications

-    local service_port=$KEYSTONE_SERVICE_PORT

-    local auth_port=$KEYSTONE_AUTH_PORT

-

-    if is_service_enabled tls-proxy; then

-        # Set the service ports for a proxy to take the originals

-        service_port=$KEYSTONE_SERVICE_PORT_INT

-        auth_port=$KEYSTONE_AUTH_PORT_INT

-    fi

-

     # Override the endpoints advertised by keystone (the public_endpoint and

-    # admin_endpoint) so that clients use the correct endpoint. By default, the

-    # keystone server uses the public_port and admin_port which isn't going to

-    # work when you want to use a different port (in the case of proxy), or you

-    # don't want the port (in the case of putting keystone on a path in

-    # apache).

+    # admin_endpoint) so that clients use the correct endpoint.

     iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI

     iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI

@@ -270,12 +245,6 @@ function configure_keystone {

     iniset $KEYSTONE_CONF credential key_repository "$KEYSTONE_CONF_DIR/credential-keys/"

-    # Configure the project created by the 'keystone-manage bootstrap' as the cloud-admin project.

-    # The users from this project are globally admin as before, but it also

-    # allows policy changes in order to clarify the adminess scope.

-    #iniset $KEYSTONE_CONF resource admin_project_domain_name Default

-    #iniset $KEYSTONE_CONF resource admin_project_name admin

-

     if [[ "$KEYSTONE_SECURITY_COMPLIANCE_ENABLED" = True ]]; then

         iniset $KEYSTONE_CONF security_compliance lockout_failure_attempts $KEYSTONE_LOCKOUT_FAILURE_ATTEMPTS

         iniset $KEYSTONE_CONF security_compliance lockout_duration $KEYSTONE_LOCKOUT_DURATION

@@ -510,14 +479,6 @@ function install_keystone {

 # start_keystone() - Start running processes

 function start_keystone {

-    # Get right service port for testing

-    local service_port=$KEYSTONE_SERVICE_PORT

-    local auth_protocol=$KEYSTONE_AUTH_PROTOCOL

-    if is_service_enabled tls-proxy; then

-        service_port=$KEYSTONE_SERVICE_PORT_INT

-        auth_protocol="http"

-    fi

-

     if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then

         enable_apache_site keystone

         restart_apache_server

@@ -526,23 +487,13 @@ function start_keystone {

     fi

     echo "Waiting for keystone to start..."

-    # Check that the keystone service is running. Even if the tls tunnel

-    # should be enabled, make sure the internal port is checked using

-    # unencryted traffic at this point.

-    # If running in Apache, use the path rather than port.

-

+    # Check that the keystone service is running.

     local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/

     if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then

         die $LINENO "keystone did not start"

     fi

-    # Start proxies if enabled

-    if is_service_enabled tls-proxy; then

-        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT

-        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT

-    fi

-

     # (re)start memcached to make sure we have a clean memcache.

     restart_service memcached

 }

@@ -561,11 +512,9 @@ function stop_keystone {

 # This function uses the following GLOBAL variables:

 # - ``KEYSTONE_BIN_DIR``

 # - ``ADMIN_PASSWORD``

-# - ``IDENTITY_API_VERSION``

+# - ``KEYSTONE_AUTH_URI``

 # - ``REGION_NAME``

-# - ``KEYSTONE_SERVICE_PROTOCOL``

-# - ``KEYSTONE_SERVICE_HOST``

-# - ``KEYSTONE_SERVICE_PORT``

+# - ``KEYSTONE_SERVICE_URI``

 function bootstrap_keystone {

     $KEYSTONE_BIN_DIR/keystone-manage bootstrap \

         --bootstrap-username admin \

@@ -86,7 +86,7 @@ export OS_AUTH_TYPE=password

 #

 # If you don't have a working .stackenv, this is the backup position

-KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST:5000

+KEYSTONE_BACKUP=$SERVICE_PROTOCOL://$SERVICE_HOST/identity

 KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_URI:-$KEYSTONE_BACKUP}

 export OS_AUTH_URL=${OS_AUTH_URL:-$KEYSTONE_SERVICE_URI}

@@ -152,7 +152,7 @@ if [ -z "$OS_USERNAME" ]; then

 fi

 if [ -z "$OS_AUTH_URL" ]; then

-    export OS_AUTH_URL=http://localhost:5000/v3/

+    export OS_AUTH_URL=http://localhost/identity/v3/

 fi

 if [ -z "$OS_USER_DOMAIN_ID" -a -z "$OS_USER_DOMAIN_NAME" ]; then

@@ -26,39 +26,6 @@ if [[ -z "$TOP_DIR" ]]; then

     FILES=$TOP_DIR/files

 fi

-# Keystone Port Reservation

-# -------------------------

-# Reserve and prevent ``KEYSTONE_AUTH_PORT`` and ``KEYSTONE_AUTH_PORT_INT`` from

-# being used as ephemeral ports by the system. The default(s) are 35357 and

-# 35358 which are in the Linux defined ephemeral port range (in disagreement

-# with the IANA ephemeral port range). This is a workaround for bug #1253482

-# where Keystone will try and bind to the port and the port will already be

-# in use as an ephemeral port by another process. This places an explicit

-# exception into the Kernel for the Keystone AUTH ports.

-function fixup_keystone {

-    keystone_ports=${KEYSTONE_AUTH_PORT:-35357},${KEYSTONE_AUTH_PORT_INT:-35358}

-

-    # Only do the reserved ports when available, on some system (like containers)

-    # where it's not exposed we are almost pretty sure these ports would be

-    # exclusive for our DevStack.

-    if sysctl net.ipv4.ip_local_reserved_ports >/dev/null 2>&1; then

-        # Get any currently reserved ports, strip off leading whitespace

-        reserved_ports=$(sysctl net.ipv4.ip_local_reserved_ports | awk -F'=' '{print $2;}' | sed 's/^ //')

-

-        if [[ -z "${reserved_ports}" ]]; then

-            # If there are no currently reserved ports, reserve the keystone ports

-            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports}

-        else

-            # If there are currently reserved ports, keep those and also reserve the

-            # Keystone specific ports. Duplicate reservations are merged into a single

-            # reservation (or range) automatically by the kernel.

-            sudo sysctl -w net.ipv4.ip_local_reserved_ports=${keystone_ports},${reserved_ports}

-        fi

-    else

-        echo_summary "WARNING: unable to reserve keystone ports"

-    fi

-}

-

 # Ubuntu Repositories

 #--------------------

 # Enable universe for bionic since it is missing when installing from ISO.

@@ -208,7 +175,6 @@ function fixup_suse {

 }

 function fixup_all {

-    fixup_keystone

     fixup_ubuntu

     fixup_fedora

     fixup_suse