..
      Copyright 2011 OpenStack, LLC
      All Rights Reserved.

      Licensed under the Apache License, Version 2.0 (the "License"); you may
      not use this file except in compliance with the License. You may obtain
      a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
      WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
      License for the specific language governing permissions and limitations
      under the License.

============================
Controlling Keystone Servers
============================

This section describes the ways to start, stop, and reload the Keystone
services.

Keystone Services
-----------------

Keystone can serve a number of REST APIs and extensions on different TCP/IP
ports.

The Service API
~~~~~~~~~~~~~~~~

The core Keystone
API is primarily a read-only API (the only write operation being POST /tokens
which authenticates a client, and returns a generated token).
This API is sufficient to use OpenStack if all users, roles, endpoints already
exist. This is often the case if Keystone is using an enterprise backend
and the backend is managed through other entperrise tools and business
processes. This core API is called the Service API and can be started
separately from the more complete Admin API. By default, Keystone runs
this API on port 5000. This is not an IANA assigned port and should not
be relied upon (instead, use the Admin API on port 35357 to look for
this endpoint - more on this later)

The Service API is started using this command in the /bin directory::

    $ ./keystone-auth

The Admin API
~~~~~~~~~~~~~

Inn order for Keystone to be a fully functional service out of the box,
API extensions that provide full CRUD operations is included with Keystone.
This full set of API calls includes the OS-KSCATALOG, OS-KSADM, and OS-KSEC2
extensions. These extensions provide a full set of create, read, update, delete
(CRUD) operations that can be used to manage Keystone objects through REST
calls. By default Keystone runs this full REST API on TCP/IP port 35357
(assigned by IANA to Keystone).

The Admin API is started using this command in the /bin directory::

    $ ./keystone-admin


Both APIs can be loaded simultaneously (on different ports) using this command::

    $ ./keystone

Starting a server
-----------------

There are two ways to start a Keystone service (either the Service API server
or the Admin API server):

- Manually calling the server program
- Using the ``keystone-control`` server daemon wrapper program

We recommend using the second way in production and the first for development
and debugging.

Manually starting the server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The first is by directly calling the server program, passing in command-line
options and a single argument for a ``paste.deploy`` configuration file to
use when configuring the server application.

.. note::

  Keystone ships with an ``etc/`` directory that contains a sample ``paste.deploy``
  configuration files that you can copy to a standard configuration directory and
  adapt for your own uses.

If you do `not` specify a configuration file on the command line, Keystone will
do its best to locate a configuration file in one of the
following directories, stopping at the first config file it finds:

- ``$CWD``
- ``~/.keystone``
- ``~/``
- ``/etc/keystone``
- ``/etc``

The filename that is searched for is ``keystone.conf`` by default.

If no configuration file is found, you will see an error, like::

    $ keystone
    ERROR: Unable to locate any configuration file. Cannot load application keystone

Here is an example showing how you can manually start the ``keystone-auth`` server and ``keystone-registry`` in a shell::

    $ ./keystone -d
    keystone-legacy-auth: INFO     **************************************************
    keystone-legacy-auth: INFO     Configuration options gathered from config file:
    keystone-legacy-auth: INFO     /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
    keystone-legacy-auth: INFO     ================================================
    keystone-legacy-auth: INFO     admin_host           0.0.0.0
    keystone-legacy-auth: INFO     admin_port           35357
    keystone-legacy-auth: INFO     admin_ssl            False
    keystone-legacy-auth: INFO     backends             keystone.backends.sqlalchemy
    keystone-legacy-auth: INFO     ca_certs             /etc/keystone/ssl/certs/ca.pem
    keystone-legacy-auth: INFO     cert_required        True
    keystone-legacy-auth: INFO     certfile             /etc/keystone/ssl/certs/keystone.pem
    keystone-legacy-auth: INFO     debug                True
    keystone-legacy-auth: INFO     default_store        sqlite
    keystone-legacy-auth: INFO     extensions           osksadm,oskscatalog,hpidm
    keystone-legacy-auth: INFO     hash-password        True
    keystone-legacy-auth: INFO     keyfile              /etc/keystone/ssl/private/keystonekey.pem
    keystone-legacy-auth: INFO     keystone-admin-role  Admin
    keystone-legacy-auth: INFO     keystone-service-admin-role KeystoneServiceAdmin
    keystone-legacy-auth: INFO     log_dir              .
    keystone-legacy-auth: INFO     log_file             keystone.log
    keystone-legacy-auth: INFO     service-header-mappings {
    'nova' : 'X-Server-Management-Url',
    'swift' : 'X-Storage-Url',
    'cdn' : 'X-CDN-Management-Url'}
    keystone-legacy-auth: INFO     service_host         0.0.0.0
    keystone-legacy-auth: INFO     service_port         5000
    keystone-legacy-auth: INFO     service_ssl          False
    keystone-legacy-auth: INFO     verbose              False
    keystone-legacy-auth: INFO     **************************************************
    passlib.registry: INFO     registered crypt handler 'sha512_crypt': <class 'passlib.handlers.sha2_crypt.sha512_crypt'>
    Starting the RAX-KEY extension
    Starting the Legacy Authentication component
    admin       : INFO     **************************************************
    admin       : INFO     Configuration options gathered from config file:
    admin       : INFO     /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
    admin       : INFO     ================================================
    admin       : INFO     admin_host           0.0.0.0
    admin       : INFO     admin_port           35357
    admin       : INFO     admin_ssl            False
    admin       : INFO     backends             keystone.backends.sqlalchemy
    admin       : INFO     ca_certs             /etc/keystone/ssl/certs/ca.pem
    admin       : INFO     cert_required        True
    admin       : INFO     certfile             /etc/keystone/ssl/certs/keystone.pem
    admin       : INFO     debug                True
    admin       : INFO     default_store        sqlite
    admin       : INFO     extensions           osksadm,oskscatalog,hpidm
    admin       : INFO     hash-password        True
    admin       : INFO     keyfile              /etc/keystone/ssl/private/keystonekey.pem
    admin       : INFO     keystone-admin-role  Admin
    admin       : INFO     keystone-service-admin-role KeystoneServiceAdmin
    admin       : INFO     log_dir              .
    admin       : INFO     log_file             keystone.log
    admin       : INFO     service-header-mappings {
    'nova' : 'X-Server-Management-Url',
    'swift' : 'X-Storage-Url',
    'cdn' : 'X-CDN-Management-Url'}
    admin       : INFO     service_host         0.0.0.0
    admin       : INFO     service_port         5000
    admin       : INFO     service_ssl          False
    admin       : INFO     verbose              False
    admin       : INFO     **************************************************
    Using config file: /Users/ziadsawalha/Documents/Code/keystone/etc/keystone.conf
    Service API (ssl=False) listening on 0.0.0.0:5000
    Admin API (ssl=False) listening on 0.0.0.0:35357
    eventlet.wsgi.server: DEBUG    (77128) wsgi starting up on http://0.0.0.0:5000/
    eventlet.wsgi.server: DEBUG    (77128) wsgi starting up on http://0.0.0.0:35357/

    $ sudo keystone-registry keystone-registry.conf &
    jsuh@mc-ats1:~$ 2011-04-13 14:51:16     INFO [sqlalchemy.engine.base.Engine.0x...feac] PRAGMA table_info("images")
    2011-04-13 14:51:16     INFO [sqlalchemy.engine.base.Engine.0x...feac] ()
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Col ('cid', 'name', 'type', 'notnull', 'dflt_value', 'pk')
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (0, u'created_at', u'DATETIME', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (1, u'updated_at', u'DATETIME', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (2, u'deleted_at', u'DATETIME', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (3, u'deleted', u'BOOLEAN', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (4, u'id', u'INTEGER', 1, None, 1)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (5, u'name', u'VARCHAR(255)', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (6, u'disk_format', u'VARCHAR(20)', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (7, u'container_format', u'VARCHAR(20)', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (8, u'size', u'INTEGER', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (9, u'status', u'VARCHAR(30)', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (10, u'is_public', u'BOOLEAN', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (11, u'location', u'TEXT', 0, None, 0)
    2011-04-13 14:51:16     INFO [sqlalchemy.engine.base.Engine.0x...feac] PRAGMA table_info("image_properties")
    2011-04-13 14:51:16     INFO [sqlalchemy.engine.base.Engine.0x...feac] ()
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Col ('cid', 'name', 'type', 'notnull', 'dflt_value', 'pk')
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (0, u'created_at', u'DATETIME', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (1, u'updated_at', u'DATETIME', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (2, u'deleted_at', u'DATETIME', 0, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (3, u'deleted', u'BOOLEAN', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (4, u'id', u'INTEGER', 1, None, 1)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (5, u'image_id', u'INTEGER', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (6, u'key', u'VARCHAR(255)', 1, None, 0)
    2011-04-13 14:51:16    DEBUG [sqlalchemy.engine.base.Engine.0x...feac] Row (7, u'value', u'TEXT', 0, None, 0)

    $ ps aux | grep keystone
    myuser    77148   0.0  0.0  2434892    472 s012  U+   11:50AM   0:00.01 grep keystone
    myuser    77128   0.0  0.6  2459356  25360 s011  S+   11:48AM   0:00.82 python ./keystone -d

Simply supply the configuration file as the first argument
and then any common options
you want to use (``-d`` was used above to show some of the debugging
output that the server shows when starting up. Call the server program
with ``--help`` to see all available options you can specify on the
command line.)

Using ``--trace-calls`` is useful for showing a trace of calls (errors in red)
for debugging.

For more information on configuring the server via the ``paste.deploy``
configuration files, see the section entitled
:doc:`Configuring Keystone <configuration>`

Note that the server `daemonizes` itself by using the standard
shell backgrounding indicator, ``&``, in the previous example. For most use cases, we recommend
using the ``keystone-control`` server daemon wrapper for daemonizing. See below
for more details on daemonization with ``keystone-control``.

Using ``keystone-control`` to start the server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The second way to start up a Keystone server is to use the ``keystone-control``
program. ``keystone-control`` is a wrapper script that allows the user to
start, stop, restart, and reload the other Keystone server programs in
a fashion that is more conducive to automation and scripting.

Servers started via the ``keystone-control`` program are always `daemonized`,
meaning that the server program process runs in the background.

To start a Keystone server with ``keystone-control``, simply call
``keystone-control`` with a server and the word "start", followed by
any command-line options you wish to provide. Start the server with ``keystone-control``
in the following way::

    $ sudo keystone-control <SERVER> start [CONFPATH]

.. note::

    You must use the ``sudo`` program to run ``keystone-control`` currently, as the
    pid files for the server programs are written to /var/run/keystone/

Start the ``keystone-admin`` server using ``keystone-control``::

    $ sudo keystone-control admin start
    Starting keystone-admin with /etc/keystone.conf

The same ``paste.deploy`` configuration files are used by ``keystone-control``
to start the Keystone server programs, and you can specify (as the example above
shows) a configuration file when starting the server.

Stopping a server
-----------------

If you started a Keystone server manually and did not use the ``&`` backgrounding
function, simply send a terminate signal to the server process by typing
``Ctrl-C``

If you started the Keystone server using ``keystone-control``, you can
use the ``keystone-control`` program to stop it::

    $ sudo keystone-control <SERVER> stop

For example::

    $ sudo keystone-control auth stop
    Stopping keystone-auth  pid: 77401  signal: 15

Restarting a server
-------------------

Restart the Keystone server using ``keystone-control``::

    $ sudo keystone-control admin restart /etc/keystone.conf
    Stopping keystone-admin  pid: 77401  signal: 15
    Starting keystone-admin with /etc/keystone.conf
