Implemented wsgi support for cinder-api

- Cinder's API service is a WSGI service running behind Apache, which is enabled by default on Ubuntu. Let's get with the times and manage that service. - version bump to pick up the new change Change-Id: I641fa32cac6025e44c1aeedc5f89a12b5efa4e58
2017-12-14 07:44:32 -08:00
parent 0b4ce1e9e1
commit 88e512ef18
5 changed files with 82 additions and 6 deletions
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -71,6 +71,16 @@ default['openstack']['block-storage']['volume']['block_devices'] = nil
 default['openstack']['block-storage']['user'] = 'cinder'
 default['openstack']['block-storage']['group'] = 'cinder'

+# Cinder WSGI app SSL settings
+default['openstack']['block-storage']['ssl']['enabled'] = false
+default['openstack']['block-storage']['ssl']['certfile'] = ''
+default['openstack']['block-storage']['ssl']['chainfile'] = ''
+default['openstack']['block-storage']['ssl']['keyfile'] = ''
+default['openstack']['block-storage']['ssl']['ca_certs_path'] = ''
+default['openstack']['block-storage']['ssl']['cert_required'] = false
+default['openstack']['block-storage']['ssl']['protocol'] = ''
+default['openstack']['block-storage']['ssl']['ciphers'] = ''
+
 case platform_family
 when 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
  # operating system user and group names
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'openstack-dev@lists.openstack.org'
 license          'Apache 2.0'
 description      'The OpenStack Advanced Volume Management service Cinder.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '15.0.0'
+version          '15.1.0'

 %w(ubuntu redhat centos).each do |os|
  supports os
--- a/recipes/api.rb
+++ b/recipes/api.rb
@@ -27,6 +27,7 @@ end

 include_recipe 'openstack-block-storage::cinder-common'

+bind_service = node['openstack']['bind_service']['all']['block-storage']
 platform_options = node['openstack']['block-storage']['platform']

 platform_options['cinder_api_packages'].each do |pkg|
@@ -43,10 +44,6 @@ node['openstack']['db']['python_packages'][db_type].each do |pkg|
  end
 end

-# Todo(jr): Runs via wsgi in apache2 now, need to find a nice way to
-# trigger apache2 restart. Also disable the default installed wsgi
-# service and use our template based setup
-
 execute 'cinder-manage db sync' do
  user node['openstack']['block-storage']['user']
  group node['openstack']['block-storage']['group']
@@ -60,3 +57,28 @@ if node['openstack']['block-storage']['policyfile_url']
    mode 0o0644
  end
 end
+
+# remove the cinder-wsgi.conf automatically generated from package
+apache_config 'cinder-wsgi' do
+  enable false
+end
+
+web_app 'cinder-api' do
+  template 'wsgi-template.conf.erb'
+  daemon_process 'cinder-wsgi'
+  server_host bind_service['host']
+  server_port bind_service['port']
+  server_entry '/usr/bin/cinder-wsgi'
+  log_dir node['apache']['log_dir']
+  run_dir node['apache']['run_dir']
+  user node['openstack']['block-storage']['user']
+  group node['openstack']['block-storage']['group']
+  use_ssl node['openstack']['block-storage']['ssl']['enabled']
+  cert_file node['openstack']['block-storage']['ssl']['certfile']
+  chain_file node['openstack']['block-storage']['ssl']['chainfile']
+  key_file node['openstack']['block-storage']['ssl']['keyfile']
+  ca_certs_path node['openstack']['block-storage']['ssl']['ca_certs_path']
+  cert_required node['openstack']['block-storage']['ssl']['cert_required']
+  protocol node['openstack']['block-storage']['ssl']['protocol']
+  ciphers node['openstack']['block-storage']['ssl']['ciphers']
+end
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -12,7 +12,7 @@ require 'chef/application'
 LOG_LEVEL = :fatal
 REDHAT_OPTS = {
  platform: 'redhat',
-  version: '7.1',
+  version: '7.3',
  log_level: LOG_LEVEL
 }.freeze
 UBUNTU_OPTS = {
@@ -58,6 +58,8 @@ shared_context 'block-storage-stubs' do
    allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url)
      .with('block-storage')
      .and_return('rabbit://guest:mypass@127.0.0.1:5672')
+    stub_command('/usr/sbin/httpd -t').and_return(true)
+    stub_command('/usr/sbin/apache2 -t').and_return(true)
    allow(Chef::Application).to receive(:fatal!)
  end
 end
--- a/templates/default/wsgi-template.conf.erb
+++ b/templates/default/wsgi-template.conf.erb
@@ -0,0 +1,42 @@
+<%= node["openstack"]["block-storage"]["custom_template_banner"] %>
+
+Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
+
+<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
+  WSGIDaemonProcess <%= @params[:daemon_process] %> processes=2 threads=10 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
+  WSGIProcessGroup <%= @params[:daemon_process] %>
+  WSGIScriptAlias / <%= @params[:server_entry] %>
+  WSGIApplicationGroup %{GLOBAL}
+  WSGIPassAuthorization On
+
+  <Directory /usr/bin>
+    Require all granted
+  </Directory>
+
+  ErrorLogFormat "%{cu}t %M"
+  ErrorLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_error.log
+  CustomLog <%= @params[:log_dir] %>/<%= @params[:daemon_process] %>_access.log combined
+<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
+  LogLevel debug
+<% end -%>
+
+<% if @params[:use_ssl] -%>
+  SSLEngine On
+  SSLCertificateFile <%= @params[:cert_file] %>
+  SSLCertificateKeyFile <%= @params[:key_file] %>
+  SSLCACertificatePath <%= @params[:ca_certs_path] %>
+<%   if @params[:chain_file] %>
+  SSLCertificateChainFile <%= @params[:chain_file] %>
+<%   end -%>
+  SSLProtocol <%= @params[:protocol] %>
+<%   if @params[:ciphers] -%>
+  SSLCipherSuite <%= @params[:ciphers] %>
+<%   end -%>
+<%   if @params[:cert_required] -%>
+  SSLVerifyClient require
+<%   end -%>
+<% end -%>
+</VirtualHost>
+
+WSGISocketPrefix <%= @params[:run_dir] -%>
+