
Convert Nova APIs to WSGI services

To be consistent with the install guide[1], the Nova services should be
deployed as WSGI services.

[1] https://docs.openstack.org/nova/queens/install/controller-install-ubuntu.html

Change-Id: I49a767724e744f98d7f008411755c063f96a4c9d
changes/85/575785/2
Samuel Cassiba 1 year ago
parent
commit
4992010231

+ 16
- 11
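--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -33,15 +33,17 @@ default['openstack']['compute']['rootwrap']['use_syslog'] = 'False'
 default['openstack']['compute']['rootwrap']['syslog_log_facility'] = 'syslog'
 default['openstack']['compute']['rootwrap']['syslog_log_level'] = 'ERROR'
 
-# Placement API settings
-default['openstack']['placement']['ssl']['enabled'] = false
-default['openstack']['placement']['ssl']['certfile'] = ''
-default['openstack']['placement']['ssl']['chainfile'] = ''
-default['openstack']['placement']['ssl']['keyfile'] = ''
-default['openstack']['placement']['ssl']['ca_certs_path'] = ''
-default['openstack']['placement']['ssl']['cert_required'] = false
-default['openstack']['placement']['ssl']['protocol'] = ''
-default['openstack']['placement']['ssl']['ciphers'] = ''
+# SSL settings
+%w(api placement metadata).each do |service|
+  default['openstack']['compute'][service]['ssl']['enabled'] = false
+  default['openstack']['compute'][service]['ssl']['certfile'] = ''
+  default['openstack']['compute'][service]['ssl']['chainfile'] = ''
+  default['openstack']['compute'][service]['ssl']['keyfile'] = ''
+  default['openstack']['compute'][service]['ssl']['ca_certs_path'] = ''
+  default['openstack']['compute'][service]['ssl']['cert_required'] = false
+  default['openstack']['compute'][service]['ssl']['protocol'] = ''
+  default['openstack']['compute'][service]['ssl']['ciphers'] = ''
+end
 
 # Platform specific settings
 case node['platform_family']
@@ -81,8 +83,8 @@ when 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
   }
 when 'debian'
   default['openstack']['compute']['platform'] = {
-    'api_os_compute_packages' => ['nova-api-os-compute'],
-    'api_os_compute_service' => 'nova-api-os-compute',
+    'api_os_compute_packages' => ['nova-api'],
+    'api_os_compute_service' => 'nova-api',
     'api_placement_packages' => ['nova-placement-api'],
     'api_placement_service' => 'nova-placement-api',
     'memcache_python_packages' => ['python-memcache'],
@@ -144,6 +146,7 @@ end
   default['openstack']['endpoints'][type]['compute-novnc']['path'] = '/vnc_auto.html'
   # The OpenStack Compute (Nova) metadata API endpoint
   default['openstack']['endpoints'][type]['compute-metadata-api']['port'] = '8775'
+  default['openstack']['endpoints'][type]['compute-metadata-api']['path'] = ''
   # The OpenStack Compute (Nova) serial proxy endpoint
   default['openstack']['endpoints'][type]['compute-serial-proxy']['scheme'] = 'ws'
   default['openstack']['endpoints'][type]['compute-serial-proxy']['port'] = '6083'
@@ -161,7 +164,9 @@ default['openstack']['bind_service']['all']['compute-xvpvnc']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-vnc']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-serial-proxy']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-novnc']['port'] = '6080'
+default['openstack']['bind_service']['all']['compute-metadata-api']['host'] = '127.0.0.1'
 default['openstack']['bind_service']['all']['compute-metadata-api']['port'] = '8775'
+default['openstack']['bind_service']['all']['compute-api']['host'] = '127.0.0.1'
 default['openstack']['bind_service']['all']['compute-api']['port'] = '8774'
 default['openstack']['bind_service']['all']['placement-api']['port'] = '8778'
 default['openstack']['bind_service']['all']['placement-api']['host'] = '127.0.0.1'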
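Review bot: The SSL defaults in the first hunk move from `node['openstack']['placement']['ssl']` to `node['openstack']['compute'][service]['ssl']` with no fallback to the old path, so a wrapper cookbook or environment that enabled TLS for placement under the old keys would converge to `enabled = false` without any error; recipes/placement_api.rb in this commit reads only the new path. Carrying the old values over for a deprecation window, or failing the run when the old keys are still set, would keep an upgrade from silently serving plain HTTP. The new `protocol` and `ciphers` defaults are empty strings, and a comment such as `# protocol/ciphers are empty by default: set both explicitly when ssl is enabled` would flag that for operators; how wsgi-template.conf.erb treats an empty value is not visible in this diff.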

+ 1
- 0
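--- a/attributes/nova_conf.rb
+++ b/attributes/nova_conf.rb
@@ -21,6 +21,7 @@ default['openstack']['compute']['conf'].tap do |conf|
   conf['keystone_authtoken']['project_domain_name'] = 'Default'
   conf['keystone_authtoken']['project_name'] = 'service'
   conf['keystone_authtoken']['auth_version'] = 'v3'
+  conf['keystone_authtoken']['service_token_roles_required'] = true
 
   # [libvirt]
   conf['libvirt']['virt_type'] = 'kvm'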
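Review bot: `service_token_roles_required = true` is added without a comment and without a matching `service_token_roles` entry, so the roles a service token must carry are left to the keystonemiddleware default. A line above it such as `# reject service tokens lacking a role from service_token_roles (keystonemiddleware default: service)` would record the intent. Deployments whose service users hold a differently named role would presumably need `conf['keystone_authtoken']['service_token_roles']` set alongside it, or service-to-service calls will be refused. The `tap` block starts and ends outside the hunk.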

+ 43
- 5
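--- a/recipes/api-metadata.rb
+++ b/recipes/api-metadata.rb
@@ -5,6 +5,7 @@
 #
 # Copyright 2012, Rackspace US, Inc.
 # Copyright 2013, Craig Tracey <craigtracey@gmail.com>
+# Copyright 2018, Workday, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,6 +26,13 @@ class ::Chef::Recipe
   include ::Openstack
 end
 
+execute 'nova-metadata: set-selinux-permissive' do
+  command '/sbin/setenforce Permissive'
+  action :run
+
+  only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
+end
+
 include_recipe 'openstack-compute::nova-common'
 
 platform_options = node['openstack']['compute']['platform']
@@ -46,9 +54,39 @@ end
 service 'nova-api-metadata' do
   service_name platform_options['compute_api_metadata_service']
   supports status: true, restart: true
-  action [:enable, :start]
-  subscribes :restart, [
-    'template[/etc/nova/nova.conf]',
-    'template[/etc/nova/api-paste.ini]',
-  ]
+  action [:disable, :stop]
+end
+
+bind_service = node['openstack']['bind_service']['all']['compute-metadata-api']
+
+web_app 'nova-metadata' do
+  template 'wsgi-template.conf.erb'
+  daemon_process 'nova-metadata'
+  server_host bind_service['host']
+  server_port bind_service['port']
+  server_entry '/usr/bin/nova-metadata-wsgi'
+  log_dir node['apache']['log_dir']
+  run_dir node['apache']['run_dir']
+  user node['openstack']['compute']['user']
+  group node['openstack']['compute']['group']
+  use_ssl node['openstack']['compute']['metadata']['ssl']['enabled']
+  cert_file node['openstack']['compute']['metadata']['ssl']['certfile']
+  chain_file node['openstack']['compute']['metadata']['ssl']['chainfile']
+  key_file node['openstack']['compute']['metadata']['ssl']['keyfile']
+  ca_certs_path node['openstack']['compute']['metadata']['ssl']['ca_certs_path']
+  cert_required node['openstack']['compute']['metadata']['ssl']['cert_required']
+  protocol node['openstack']['compute']['metadata']['ssl']['protocol']
+  ciphers node['openstack']['compute']['metadata']['ssl']['ciphers']
+end
+
+execute 'nova-metadata apache restart' do
+  command 'uname'
+  notifies :run, 'execute[nova-metadata: restore-selinux-context]', :immediately
+  notifies :restart, 'service[apache2]', :immediately
+end
+
+execute 'nova-metadata: restore-selinux-context' do
+  command 'restorecon -Rv /etc/httpd /etc/pki || :'
+  action :nothing
+  only_if { platform_family?('rhel') }
 end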
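Review bot: `execute 'nova-metadata: set-selinux-permissive'` runs `/sbin/setenforce Permissive` and nothing later in the recipe returns the host to enforcing, so a RHEL node that matches the guard stays permissive for every service on it until reboot or manual action; `restorecon` in the last resource only relabels files. recipes/api-os-compute.rb adds the same resource under the name `nova-api: set-selinux-permissive`. If the switch is only needed while Apache is first installed, the resource can notify a counterpart that restores enforcing at the end of the run, as sketched below; whether the WSGI daemon then runs cleanly under enforcing is not shown here and would need checking. `restorecon -Rv /etc/httpd /etc/pki || :` also discards a relabel failure, which is better surfaced than hidden.

```ruby
execute 'nova-metadata: set-selinux-permissive' do
  # … unchanged: command, action, only_if guard …
  # return to enforcing at the end of the run, only when this resource switched the mode
  notifies :run, 'execute[nova-metadata: set-selinux-enforcing]', :delayed
end

# … unchanged: nova-common include, packages, service, web_app, apache restart, restorecon …

execute 'nova-metadata: set-selinux-enforcing' do
  command '/sbin/setenforce Enforcing'
  action :nothing
end
```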

+ 43
- 5
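--- a/recipes/api-os-compute.rb
+++ b/recipes/api-os-compute.rb
@@ -4,6 +4,7 @@
 # Recipe:: api-os-compute
 #
 # Copyright 2012, Rackspace US, Inc.
+# Copyright 2018, Workday, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,6 +23,13 @@ class ::Chef::Recipe
   include ::Openstack
 end
 
+execute 'nova-api: set-selinux-permissive' do
+  command '/sbin/setenforce Permissive'
+  action :run
+
+  only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
+end
+
 include_recipe 'openstack-compute::nova-common'
 
 platform_options = node['openstack']['compute']['platform']
@@ -54,11 +62,41 @@ end
 service 'nova-api-os-compute' do
   service_name platform_options['api_os_compute_service']
   supports status: true, restart: true
-  action [:enable, :start]
-  subscribes :restart, [
-    'template[/etc/nova/nova.conf]',
-    'template[/etc/nova/api-paste.ini]',
-  ]
+  action [:disable, :stop]
+end
+
+bind_service = node['openstack']['bind_service']['all']['compute-api']
+
+web_app 'nova-api' do
+  template 'wsgi-template.conf.erb'
+  daemon_process 'nova-api'
+  server_host bind_service['host']
+  server_port bind_service['port']
+  server_entry '/usr/bin/nova-api-wsgi'
+  log_dir node['apache']['log_dir']
+  run_dir node['apache']['run_dir']
+  user node['openstack']['compute']['user']
+  group node['openstack']['compute']['group']
+  use_ssl node['openstack']['compute']['api']['ssl']['enabled']
+  cert_file node['openstack']['compute']['api']['ssl']['certfile']
+  chain_file node['openstack']['compute']['api']['ssl']['chainfile']
+  key_file node['openstack']['compute']['api']['ssl']['keyfile']
+  ca_certs_path node['openstack']['compute']['api']['ssl']['ca_certs_path']
+  cert_required node['openstack']['compute']['api']['ssl']['cert_required']
+  protocol node['openstack']['compute']['api']['ssl']['protocol']
+  ciphers node['openstack']['compute']['api']['ssl']['ciphers']
 end
 
 include_recipe 'openstack-compute::_nova_cell'
+
+execute 'nova-api apache restart' do
+  command 'uname'
+  notifies :run, 'execute[nova-api: restore-selinux-context]', :immediately
+  notifies :restart, 'service[apache2]', :immediately
+end
+
+execute 'nova-api: restore-selinux-context' do
+  command 'restorecon -Rv /etc/httpd /etc/pki || :'
+  action :nothing
+  only_if { platform_family?('rhel') }
+end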
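Review bot: `execute 'nova-api apache restart'` has no guard and uses `command 'uname'` as a placeholder, so it counts as updated on every converge and restarts Apache `:immediately` each run, interrupting in-flight API requests and any other vhost on the same server; `execute 'nova-metadata apache restart'` in recipes/api-metadata.rb follows the same pattern. Setting `action :nothing` on it and adding `subscribes :run, 'template[/etc/nova/nova.conf]'` (and the same for `/etc/nova/api-paste.ini`, which the removed `subscribes` used to cover) would restart only when configuration actually changes. A short comment on `service 'nova-api-os-compute'` noting that it is kept only to stop and disable the standalone daemon would also help, since on Debian the resource name no longer matches the `nova-api` service it manages.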

+ 0
- 11
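--- a/recipes/nova-common.rb
+++ b/recipes/nova-common.rb
@@ -115,8 +115,6 @@ vnc_bind = node['openstack']['bind_service']['all']['compute-vnc']
 vnc_bind_address = bind_address vnc_bind
 vnc_proxy_bind = node['openstack']['bind_service']['all']['compute-vnc-proxy']
 vnc_proxy_bind_address = bind_address vnc_proxy_bind
-compute_api_bind = node['openstack']['bind_service']['all']['compute-api']
-compute_api_bind_address = bind_address compute_api_bind
 compute_api_endpoint = internal_endpoint 'compute-api'
 compute_metadata_api_bind = node['openstack']['bind_service']['all']['compute-metadata-api']
 compute_metadata_api_bind_address = bind_address compute_metadata_api_bind
@@ -157,13 +155,6 @@ node.default['openstack']['compute']['conf'].tap do |conf|
   conf['DEFAULT']['iscsi_helper'] = platform_options['iscsi_helper']
   # conf['DEFAULT']['scheduler_default_filters'] = node['openstack']['compute']['scheduler']['default_filters'].join(',')
 
-  if node['openstack']['compute']['conf']['DEFAULT']['enabled_apis'].include?('osapi_compute')
-    conf['DEFAULT']['osapi_compute_listen'] = compute_api_bind_address
-    conf['DEFAULT']['osapi_compute_listen_port'] = compute_api_bind['port']
-  end
-  # if node['openstack']['mq']['compute']['rabbit']['ha']
-  #   conf['DEFAULT']['rabbit_hosts'] = rabbit_hosts
-  # end
   conf['DEFAULT']['metadata_listen'] = compute_metadata_api_bind_address
   conf['DEFAULT']['metadata_listen_port'] = compute_metadata_api_bind['port']
   conf['vnc']['novncproxy_base_url'] = novnc_endpoint.to_s
@@ -192,8 +183,6 @@ node.default['openstack']['compute']['conf'].tap do |conf|
     "#{image_endpoint.scheme}://#{image_endpoint.host}:#{image_endpoint.port}"
 
   # [neutron] section
-  conf['neutron']['url'] =
-    "#{network_endpoint.scheme}://#{network_endpoint.host}:#{network_endpoint.port}"
   conf['neutron']['auth_url'] = identity_endpoint.to_s
 
   # [serial_console] section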

+ 8
- 8
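--- a/recipes/placement_api.rb
+++ b/recipes/placement_api.rb
@@ -61,12 +61,12 @@ web_app 'nova-placement-api' do
   run_dir node['apache']['run_dir']
   user node['openstack']['compute']['user']
   group node['openstack']['compute']['group']
-  use_ssl node['openstack']['placement']['ssl']['enabled']
-  cert_file node['openstack']['placement']['ssl']['certfile']
-  chain_file node['openstack']['placement']['ssl']['chainfile']
-  key_file node['openstack']['placement']['ssl']['keyfile']
-  ca_certs_path node['openstack']['placement']['ssl']['ca_certs_path']
-  cert_required node['openstack']['placement']['ssl']['cert_required']
-  protocol node['openstack']['placement']['ssl']['protocol']
-  ciphers node['openstack']['placement']['ssl']['ciphers']
+  use_ssl node['openstack']['compute']['placement']['ssl']['enabled']
+  cert_file node['openstack']['compute']['placement']['ssl']['certfile']
+  chain_file node['openstack']['compute']['placement']['ssl']['chainfile']
+  key_file node['openstack']['compute']['placement']['ssl']['keyfile']
+  ca_certs_path node['openstack']['compute']['placement']['ssl']['ca_certs_path']
+  cert_required node['openstack']['compute']['placement']['ssl']['cert_required']
+  protocol node['openstack']['compute']['placement']['ssl']['protocol']
+  ciphers node['openstack']['compute']['placement']['ssl']['ciphers']
 end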

+ 6
- 2
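--- a/spec/api-metadata-redhat_spec.rb
+++ b/spec/api-metadata-redhat_spec.rb
@@ -17,8 +17,12 @@ describe 'openstack-compute::api-metadata' do
       expect(chef_run).to upgrade_package 'openstack-nova-api'
     end
 
-    it 'starts metadata api on boot' do
-      expect(chef_run).to enable_service 'nova-api-metadata'
+    it 'disables metadata api on boot' do
+      expect(chef_run).to disable_service 'nova-api-metadata'
+    end
+
+    it 'stops metadata api now' do
+      expect(chef_run).to stop_service 'nova-api-metadata'
     end
   end
 end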

+ 4
- 10
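--- a/spec/api-metadata_spec.rb
+++ b/spec/api-metadata_spec.rb
@@ -18,18 +18,12 @@ describe 'openstack-compute::api-metadata' do
       expect(chef_run).to upgrade_package 'nova-api-metadata'
     end
 
-    it 'starts metadata api on boot' do
-      expect(chef_run).to enable_service 'nova-api-metadata'
+    it 'disables metadata api on boot' do
+      expect(chef_run).to disable_service 'nova-api-metadata'
     end
 
-    it 'starts metadata api now' do
-      expect(chef_run).to start_service 'nova-api-metadata'
+    it 'stop metadata api now' do
+      expect(chef_run).to stop_service 'nova-api-metadata'
     end
-    it do
-      template = chef_run.template('/etc/nova/api-paste.ini')
-      expect(template).to notify('service[nova-api-metadata]').to(:restart)
-    end
-
-    # expect_creates_api_paste 'service[nova-api-metadata]'
   end
 end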
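Review bot: The removed notify expectation is not replaced by any check of the new resources, so nothing in this spec pins the `web_app 'nova-metadata'` vhost, its bind host and port, or the Apache restart that now runs on every converge; the other three api specs in this commit have the same gap. An example that renders the generated vhost and matches `Listen 127.0.0.1:8775` would catch an accidental change of the loopback bind address. The description `'stop metadata api now'` should read `'stops metadata api now'` to match spec/api-metadata-redhat_spec.rb.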

+ 4
- 4
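--- a/spec/api-os-compute-redhat_spec.rb
+++ b/spec/api-os-compute-redhat_spec.rb
@@ -25,12 +25,12 @@ describe 'openstack-compute::api-os-compute' do
       expect(chef_run).to upgrade_package 'openstack-nova-api'
     end
 
-    it 'starts openstack api on boot' do
-      expect(chef_run).to enable_service 'openstack-nova-api'
+    it 'disables openstack api on boot' do
+      expect(chef_run).to disable_service 'openstack-nova-api'
     end
 
-    it 'starts openstack api now' do
-      expect(chef_run).to start_service 'openstack-nova-api'
+    it 'stops openstack api now' do
+      expect(chef_run).to stop_service 'openstack-nova-api'
     end
   end
 end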

+ 5
- 10
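--- a/spec/api-os-compute_spec.rb
+++ b/spec/api-os-compute_spec.rb
@@ -23,20 +23,15 @@ describe 'openstack-compute::api-os-compute' do
     end
 
     it 'upgrades openstack api packages' do
-      expect(chef_run).to upgrade_package 'nova-api-os-compute'
+      expect(chef_run).to upgrade_package 'nova-api'
     end
 
-    it 'starts openstack api on boot' do
-      expect(chef_run).to enable_service 'nova-api-os-compute'
+    it 'disables openstack api on boot' do
+      expect(chef_run).to disable_service 'nova-api-os-compute'
     end
 
-    it 'starts openstack api now' do
-      expect(chef_run).to start_service 'nova-api-os-compute'
+    it 'stops openstack api now' do
+      expect(chef_run).to stop_service 'nova-api-os-compute'
     end
-    it do
-      template = chef_run.template('/etc/nova/api-paste.ini')
-      expect(template).to notify('service[nova-api-os-compute]').to(:restart)
-    end
-    # expect_creates_api_paste 'service[nova-api-os-compute]'
   end
 end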

+ 1
- 14
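--- a/spec/nova-common_spec.rb
+++ b/spec/nova-common_spec.rb
@@ -98,13 +98,6 @@ describe 'openstack-compute::nova-common' do
         end
       end
 
-      it 'has default compute ip and port options set' do
-        [/^osapi_compute_listen = 127.0.0.1$/,
-         /^osapi_compute_listen_port = 8774$/].each do |line|
-          expect(chef_run).to render_file(file.name).with_content(line)
-        end
-      end
-
       it 'has default metadata ip and port options set' do
         [/^metadata_listen = 127.0.0.1$/,
          /^metadata_listen_port = 8775$/].each do |line|
@@ -129,6 +122,7 @@ describe 'openstack-compute::nova-common' do
             'project_name = service',
             'user_domain_name = Default',
             'project_domain_name = Default',
+            'service_token_roles_required = true',
           ].each do |line|
             expect(chef_run).to render_config_file(file.name)\
               .with_section_content('keystone_authtoken', /^#{Regexp.quote(line)}$/)
@@ -169,19 +163,12 @@ describe 'openstack-compute::nova-common' do
           /^project_name = service$/,
           /^user_domain_name = Default/,
           /^project_domain_name = Default/,
-          %r{^url = http://127.0.0.1:9696$},
         ].each do |line|
           expect(chef_run).to render_config_file(file.name)\
             .with_section_content('neutron', line)
         end
       end
 
-      it 'sets scheme for neutron' do
-        node.set['openstack']['endpoints']['internal']['network']['scheme'] = 'https'
-        expect(chef_run).to render_config_file(file.name)\
-          .with_section_content('neutron', %r{^url = https://127.0.0.1:9696$})
-      end
-
       context 'rabbit mq backend' do
         describe 'ha rabbit disabled' do
           before do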

+ 2
- 0
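--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -85,6 +85,7 @@ shared_context 'compute_stubs' do
     # stub_command('nova-manage network list | grep 192.168.200.0/24').and_return(false)
     # stub_command("nova-manage floating list |grep -E '.*([0-9]{1,3}[.]){3}[0-9]{1,3}*'").and_return(false)
     stub_command('/usr/sbin/apache2 -t').and_return(true)
+    stub_command('/usr/sbin/httpd -t').and_return(true)
     stub_command('virsh net-list | grep -q default').and_return(true)
     stub_command('ovs-vsctl br-exists br-int').and_return(true)
     stub_command('ovs-vsctl br-exists br-tun').and_return(true)
@@ -94,6 +95,7 @@ shared_context 'compute_stubs' do
     stub_command('nova-manage cell_v2 list_cells | grep -q cell0').and_return(false)
     stub_command('nova-manage cell_v2 list_cells | grep -q cell1').and_return(false)
     stub_command('nova-manage cell_v2 discover_hosts').and_return(true)
+    stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true)
   end
 end
 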

+ 1
- 1
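--- a/templates/default/wsgi-template.conf.erb
+++ b/templates/default/wsgi-template.conf.erb
@@ -1,4 +1,4 @@
-<%= node["openstack"]["compute"]["custom_template_banner"] %>
+<%= node['openstack']['compute']['custom_template_banner'] %>
 
 Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
 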
