From 4992010231b205140b5fa1b3279d75d76e89acf7 Mon Sep 17 00:00:00 2001
From: Samuel Cassiba
Date: Fri, 15 Jun 2018 09:15:48 -0700
Subject: [PATCH] Convert Nova APIs to WSGI services

To be consistent with the install guide[1], the Nova services should be deployed as WSGI services.
[1] https://docs.openstack.org/nova/queens/install/controller-install-ubuntu.html
Change-Id: I49a767724e744f98d7f008411755c063f96a4c9d
---
 attributes/default.rb | 27 +++++++------
 attributes/nova_conf.rb | 1 +
 recipes/api-metadata.rb | 48 +++++++++++++++++++++---
 recipes/api-os-compute.rb | 48 +++++++++++++++++++++---
 recipes/nova-common.rb | 11 ------
 recipes/placement_api.rb | 16 ++++----
 spec/api-metadata-redhat_spec.rb | 8 +++-
 spec/api-metadata_spec.rb | 14 ++-----
 spec/api-os-compute-redhat_spec.rb | 8 ++--
 spec/api-os-compute_spec.rb | 15 +++-----
 spec/nova-common_spec.rb | 15 +-------
 spec/spec_helper.rb | 2 +
 templates/default/wsgi-template.conf.erb | 2 +-
 13 files changed, 134 insertions(+), 81 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 326e9092..b14b7c75 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -33,15 +33,17 @@ default['openstack']['compute']['rootwrap']['use_syslog'] = 'False'
 default['openstack']['compute']['rootwrap']['syslog_log_facility'] = 'syslog'
 default['openstack']['compute']['rootwrap']['syslog_log_level'] = 'ERROR'
-# Placement API settings
-default['openstack']['placement']['ssl']['enabled'] = false
-default['openstack']['placement']['ssl']['certfile'] = ''
-default['openstack']['placement']['ssl']['chainfile'] = ''
-default['openstack']['placement']['ssl']['keyfile'] = ''
-default['openstack']['placement']['ssl']['ca_certs_path'] = ''
-default['openstack']['placement']['ssl']['cert_required'] = false
-default['openstack']['placement']['ssl']['protocol'] = ''
-default['openstack']['placement']['ssl']['ciphers'] = ''
+# SSL settings
+%w(api placement metadata).each do |service|
+ default['openstack']['compute'][service]['ssl']['enabled'] = false
+ default['openstack']['compute'][service]['ssl']['certfile'] = ''
+ default['openstack']['compute'][service]['ssl']['chainfile'] = ''
+ default['openstack']['compute'][service]['ssl']['keyfile'] = ''
+ default['openstack']['compute'][service]['ssl']['ca_certs_path'] = ''
+ default['openstack']['compute'][service]['ssl']['cert_required'] = false
+ default['openstack']['compute'][service]['ssl']['protocol'] = ''
+ default['openstack']['compute'][service]['ssl']['ciphers'] = ''
+end
 # Platform specific settings
 case node['platform_family']
@@ -81,8 +83,8 @@ when 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
 }
 when 'debian'
 default['openstack']['compute']['platform'] = {
- 'api_os_compute_packages' => ['nova-api-os-compute'],
- 'api_os_compute_service' => 'nova-api-os-compute',
+ 'api_os_compute_packages' => ['nova-api'],
+ 'api_os_compute_service' => 'nova-api',
 'api_placement_packages' => ['nova-placement-api'],
 'api_placement_service' => 'nova-placement-api',
 'memcache_python_packages' => ['python-memcache'],
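Review bot: Moving the placement TLS attributes from `node['openstack']['placement']['ssl']` to `node['openstack']['compute']['placement']['ssl']` in the first hunk has no fallback, so a deployment that enabled TLS under the old keys would pick up the new default `enabled = false` and, as far as this patch shows, converge the placement vhost without TLS and without any error (recipes/placement_api.rb now reads only the new path). Consider seeding the new defaults from the old attribute when it is set, or failing the run with a clear message while `node['openstack']['placement']['ssl']` is still present. The new defaults also leave `protocol` and `ciphers` empty for all three services; a comment stating what the vhost template does with an empty value would help operators who switch `enabled` on.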
@@ -144,6 +146,7 @@ end
 default['openstack']['endpoints'][type]['compute-novnc']['path'] = '/vnc_auto.html'
 # The OpenStack Compute (Nova) metadata API endpoint
 default['openstack']['endpoints'][type]['compute-metadata-api']['port'] = '8775'
+ default['openstack']['endpoints'][type]['compute-metadata-api']['path'] = ''
 # The OpenStack Compute (Nova) serial proxy endpoint
 default['openstack']['endpoints'][type]['compute-serial-proxy']['scheme'] = 'ws'
 default['openstack']['endpoints'][type]['compute-serial-proxy']['port'] = '6083'
@@ -161,7 +164,9 @@ default['openstack']['bind_service']['all']['compute-xvpvnc']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-vnc']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-serial-proxy']['port'] = '6081'
 default['openstack']['bind_service']['all']['compute-novnc']['port'] = '6080'
+default['openstack']['bind_service']['all']['compute-metadata-api']['host'] = '127.0.0.1'
 default['openstack']['bind_service']['all']['compute-metadata-api']['port'] = '8775'
+default['openstack']['bind_service']['all']['compute-api']['host'] = '127.0.0.1'
 default['openstack']['bind_service']['all']['compute-api']['port'] = '8774'
 default['openstack']['bind_service']['all']['placement-api']['port'] = '8778'
 default['openstack']['bind_service']['all']['placement-api']['host'] = '127.0.0.1'
diff --git a/attributes/nova_conf.rb b/attributes/nova_conf.rb
index 76dac591..82d7a73d 100644
--- a/attributes/nova_conf.rb
+++ b/attributes/nova_conf.rb
@@ -21,6 +21,7 @@ default['openstack']['compute']['conf'].tap do |conf|
 conf['keystone_authtoken']['project_domain_name'] = 'Default'
 conf['keystone_authtoken']['project_name'] = 'service'
 conf['keystone_authtoken']['auth_version'] = 'v3'
+ conf['keystone_authtoken']['service_token_roles_required'] = true
 # [libvirt]
 conf['libvirt']['virt_type'] = 'kvm'
diff --git a/recipes/api-metadata.rb b/recipes/api-metadata.rb
index c143bcb2..08f6268e 100644
--- a/recipes/api-metadata.rb
+++ b/recipes/api-metadata.rb
@@ -5,6 +5,7 @@
 #
 # Copyright 2012, Rackspace US, Inc.
 # Copyright 2013, Craig Tracey
+# Copyright 2018, Workday, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,6 +26,13 @@ class ::Chef::Recipe
 include ::Openstack
 end
+execute 'nova-metadata: set-selinux-permissive' do
+ command '/sbin/setenforce Permissive'
+ action :run
+
+ only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
+end
+
 include_recipe 'openstack-compute::nova-common'
 platform_options = node['openstack']['compute']['platform']
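Review bot: The new `execute 'nova-metadata: set-selinux-permissive'` resource runs `/sbin/setenforce Permissive` for the whole host, and nothing visible in this patch switches it back: the later `restore-selinux-context` resource only relabels `/etc/httpd` and `/etc/pki`. On a RHEL-family node that was enforcing, the first converge therefore leaves SELinux permissive until someone re-enables it or the node reboots. The same resource is added in recipes/api-os-compute.rb as `nova-api: set-selinux-permissive`. I would either drop the switch and grant Apache only the access it needs, or pair it with a guarded resource that runs `/sbin/setenforce Enforcing` once the Apache restart has happened, and add a comment above the resource explaining why permissive mode is required during installation.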
@@ -46,9 +54,39 @@ end
 service 'nova-api-metadata' do
 service_name platform_options['compute_api_metadata_service']
 supports status: true, restart: true
- action [:enable, :start]
- subscribes :restart, [
- 'template[/etc/nova/nova.conf]',
- 'template[/etc/nova/api-paste.ini]',
- ]
+ action [:disable, :stop]
+end
+
+bind_service = node['openstack']['bind_service']['all']['compute-metadata-api']
+
+web_app 'nova-metadata' do
+ template 'wsgi-template.conf.erb'
+ daemon_process 'nova-metadata'
+ server_host bind_service['host']
+ server_port bind_service['port']
+ server_entry '/usr/bin/nova-metadata-wsgi'
+ log_dir node['apache']['log_dir']
+ run_dir node['apache']['run_dir']
+ user node['openstack']['compute']['user']
+ group node['openstack']['compute']['group']
+ use_ssl node['openstack']['compute']['metadata']['ssl']['enabled']
+ cert_file node['openstack']['compute']['metadata']['ssl']['certfile']
+ chain_file node['openstack']['compute']['metadata']['ssl']['chainfile']
+ key_file node['openstack']['compute']['metadata']['ssl']['keyfile']
+ ca_certs_path node['openstack']['compute']['metadata']['ssl']['ca_certs_path']
+ cert_required node['openstack']['compute']['metadata']['ssl']['cert_required']
+ protocol node['openstack']['compute']['metadata']['ssl']['protocol']
+ ciphers node['openstack']['compute']['metadata']['ssl']['ciphers']
+end
+
+execute 'nova-metadata apache restart' do
+ command 'uname'
+ notifies :run, 'execute[nova-metadata: restore-selinux-context]', :immediately
+ notifies :restart, 'service[apache2]', :immediately
+end
+
+execute 'nova-metadata: restore-selinux-context' do
+ command 'restorecon -Rv /etc/httpd /etc/pki || :'
+ action :nothing
+ only_if { platform_family?('rhel') }
 end
diff --git a/recipes/api-os-compute.rb b/recipes/api-os-compute.rb
index 082c6ab7..3276ec63 100644
--- a/recipes/api-os-compute.rb
+++ b/recipes/api-os-compute.rb
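Review bot: `execute 'nova-metadata apache restart'` has no guard and a no-op command (`uname`), so it runs on every converge and restarts `service[apache2]` each time, which interrupts every vhost on that Apache instance and not only nova-metadata. Restarting only on change would avoid that, for example `action :nothing` on this resource plus `subscribes :run, 'template[/etc/nova/nova.conf]'`, mirroring the subscription the removed service resource had. In `nova-metadata: restore-selinux-context`, the trailing `|| :` hides a failed `restorecon`, so a mislabelled config or certificate directory would go unnoticed; letting the command fail is preferable. Both patterns are repeated in recipes/api-os-compute.rb (`nova-api apache restart`, `nova-api: restore-selinux-context`).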
@@ -4,6 +4,7 @@
 # Recipe:: api-os-compute
 #
 # Copyright 2012, Rackspace US, Inc.
+# Copyright 2018, Workday, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,6 +23,13 @@ class ::Chef::Recipe
 include ::Openstack
 end
+execute 'nova-api: set-selinux-permissive' do
+ command '/sbin/setenforce Permissive'
+ action :run
+
+ only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
+end
+
 include_recipe 'openstack-compute::nova-common'
 platform_options = node['openstack']['compute']['platform']
@@ -54,11 +62,41 @@ end
 service 'nova-api-os-compute' do
 service_name platform_options['api_os_compute_service']
 supports status: true, restart: true
- action [:enable, :start]
- subscribes :restart, [
- 'template[/etc/nova/nova.conf]',
- 'template[/etc/nova/api-paste.ini]',
- ]
+ action [:disable, :stop]
+end
+
+bind_service = node['openstack']['bind_service']['all']['compute-api']
+
+web_app 'nova-api' do
+ template 'wsgi-template.conf.erb'
+ daemon_process 'nova-api'
+ server_host bind_service['host']
+ server_port bind_service['port']
+ server_entry '/usr/bin/nova-api-wsgi'
+ log_dir node['apache']['log_dir']
+ run_dir node['apache']['run_dir']
+ user node['openstack']['compute']['user']
+ group node['openstack']['compute']['group']
+ use_ssl node['openstack']['compute']['api']['ssl']['enabled']
+ cert_file node['openstack']['compute']['api']['ssl']['certfile']
+ chain_file node['openstack']['compute']['api']['ssl']['chainfile']
+ key_file node['openstack']['compute']['api']['ssl']['keyfile']
+ ca_certs_path node['openstack']['compute']['api']['ssl']['ca_certs_path']
+ cert_required node['openstack']['compute']['api']['ssl']['cert_required']
+ protocol node['openstack']['compute']['api']['ssl']['protocol']
+ ciphers node['openstack']['compute']['api']['ssl']['ciphers']
 end
 include_recipe 'openstack-compute::_nova_cell'
+
+execute 'nova-api apache restart' do
+ command 'uname'
+ notifies :run, 'execute[nova-api: restore-selinux-context]', :immediately
+ notifies :restart, 'service[apache2]', :immediately
+end
+
+execute 'nova-api: restore-selinux-context' do
+ command 'restorecon -Rv /etc/httpd /etc/pki || :'
+ action :nothing
+ only_if { platform_family?('rhel') }
+end
diff --git a/recipes/nova-common.rb b/recipes/nova-common.rb
index 7b453f70..a10708e0 100644
--- a/recipes/nova-common.rb
+++ b/recipes/nova-common.rb
@@ -115,8 +115,6 @@ vnc_bind = node['openstack']['bind_service']['all']['compute-vnc']
 vnc_bind_address = bind_address vnc_bind
 vnc_proxy_bind = node['openstack']['bind_service']['all']['compute-vnc-proxy']
 vnc_proxy_bind_address = bind_address vnc_proxy_bind
-compute_api_bind = node['openstack']['bind_service']['all']['compute-api']
-compute_api_bind_address = bind_address compute_api_bind
 compute_api_endpoint = internal_endpoint 'compute-api'
 compute_metadata_api_bind = node['openstack']['bind_service']['all']['compute-metadata-api']
 compute_metadata_api_bind_address = bind_address compute_metadata_api_bind
@@ -157,13 +155,6 @@ node.default['openstack']['compute']['conf'].tap do |conf|
 conf['DEFAULT']['iscsi_helper'] = platform_options['iscsi_helper']
 # conf['DEFAULT']['scheduler_default_filters'] = node['openstack']['compute']['scheduler']['default_filters'].join(',')
- if node['openstack']['compute']['conf']['DEFAULT']['enabled_apis'].include?('osapi_compute')
- conf['DEFAULT']['osapi_compute_listen'] = compute_api_bind_address
- conf['DEFAULT']['osapi_compute_listen_port'] = compute_api_bind['port']
- end
- # if node['openstack']['mq']['compute']['rabbit']['ha']
- # conf['DEFAULT']['rabbit_hosts'] = rabbit_hosts
- # end
 conf['DEFAULT']['metadata_listen'] = compute_metadata_api_bind_address
 conf['DEFAULT']['metadata_listen_port'] = compute_metadata_api_bind['port']
 conf['vnc']['novncproxy_base_url'] = novnc_endpoint.to_s
@@ -192,8 +183,6 @@ node.default['openstack']['compute']['conf'].tap do |conf|
 "#{image_endpoint.scheme}://#{image_endpoint.host}:#{image_endpoint.port}"
 # [neutron] section
- conf['neutron']['url'] =
- "#{network_endpoint.scheme}://#{network_endpoint.host}:#{network_endpoint.port}"
 conf['neutron']['auth_url'] = identity_endpoint.to_s
 # [serial_console] section
diff --git a/recipes/placement_api.rb b/recipes/placement_api.rb
index 53294865..8ab4f877 100644
--- a/recipes/placement_api.rb
+++ b/recipes/placement_api.rb
@@ -61,12 +61,12 @@ web_app 'nova-placement-api' do
 run_dir node['apache']['run_dir']
 user node['openstack']['compute']['user']
 group node['openstack']['compute']['group']
- use_ssl node['openstack']['placement']['ssl']['enabled']
- cert_file node['openstack']['placement']['ssl']['certfile']
- chain_file node['openstack']['placement']['ssl']['chainfile']
- key_file node['openstack']['placement']['ssl']['keyfile']
- ca_certs_path node['openstack']['placement']['ssl']['ca_certs_path']
- cert_required node['openstack']['placement']['ssl']['cert_required']
- protocol node['openstack']['placement']['ssl']['protocol']
- ciphers node['openstack']['placement']['ssl']['ciphers']
+ use_ssl node['openstack']['compute']['placement']['ssl']['enabled']
+ cert_file node['openstack']['compute']['placement']['ssl']['certfile']
+ chain_file node['openstack']['compute']['placement']['ssl']['chainfile']
+ key_file node['openstack']['compute']['placement']['ssl']['keyfile']
+ ca_certs_path node['openstack']['compute']['placement']['ssl']['ca_certs_path']
+ cert_required node['openstack']['compute']['placement']['ssl']['cert_required']
+ protocol node['openstack']['compute']['placement']['ssl']['protocol']
+ ciphers node['openstack']['compute']['placement']['ssl']['ciphers']
 end
diff --git a/spec/api-metadata-redhat_spec.rb b/spec/api-metadata-redhat_spec.rb
index f2914a34..79dee21e 100644
--- a/spec/api-metadata-redhat_spec.rb
+++ b/spec/api-metadata-redhat_spec.rb
@@ -17,8 +17,12 @@ describe 'openstack-compute::api-metadata' do
 expect(chef_run).to upgrade_package 'openstack-nova-api'
 end
- it 'starts metadata api on boot' do
- expect(chef_run).to enable_service 'nova-api-metadata'
+ it 'disables metadata api on boot' do
+ expect(chef_run).to disable_service 'nova-api-metadata'
+ end
+
+ it 'stops metadata api now' do
+ expect(chef_run).to stop_service 'nova-api-metadata'
 end
 end
 end
diff --git a/spec/api-metadata_spec.rb b/spec/api-metadata_spec.rb
index 9c4d9090..06daa301 100644
--- a/spec/api-metadata_spec.rb
+++ b/spec/api-metadata_spec.rb
@@ -18,18 +18,12 @@ describe 'openstack-compute::api-metadata' do
 expect(chef_run).to upgrade_package 'nova-api-metadata'
 end
- it 'starts metadata api on boot' do
- expect(chef_run).to enable_service 'nova-api-metadata'
+ it 'disables metadata api on boot' do
+ expect(chef_run).to disable_service 'nova-api-metadata'
 end
- it 'starts metadata api now' do
- expect(chef_run).to start_service 'nova-api-metadata'
+ it 'stop metadata api now' do
+ expect(chef_run).to stop_service 'nova-api-metadata'
 end
- it do
- template = chef_run.template('/etc/nova/api-paste.ini')
- expect(template).to notify('service[nova-api-metadata]').to(:restart)
- end
-
- # expect_creates_api_paste 'service[nova-api-metadata]'
 end
 end
diff --git a/spec/api-os-compute-redhat_spec.rb b/spec/api-os-compute-redhat_spec.rb
index bc8d2988..ef215d5e 100644
--- a/spec/api-os-compute-redhat_spec.rb
+++ b/spec/api-os-compute-redhat_spec.rb
@@ -25,12 +25,12 @@ describe 'openstack-compute::api-os-compute' do
 expect(chef_run).to upgrade_package 'openstack-nova-api'
 end
- it 'starts openstack api on boot' do
- expect(chef_run).to enable_service 'openstack-nova-api'
+ it 'disables openstack api on boot' do
+ expect(chef_run).to disable_service 'openstack-nova-api'
 end
- it 'starts openstack api now' do
- expect(chef_run).to start_service 'openstack-nova-api'
+ it 'stops openstack api now' do
+ expect(chef_run).to stop_service 'openstack-nova-api'
 end
 end
 end
diff --git a/spec/api-os-compute_spec.rb b/spec/api-os-compute_spec.rb
index 9c19e265..5dd7e211 100644
--- a/spec/api-os-compute_spec.rb
+++ b/spec/api-os-compute_spec.rb
@@ -23,20 +23,15 @@ describe 'openstack-compute::api-os-compute' do
 end
 it 'upgrades openstack api packages' do
- expect(chef_run).to upgrade_package 'nova-api-os-compute'
+ expect(chef_run).to upgrade_package 'nova-api'
 end
- it 'starts openstack api on boot' do
- expect(chef_run).to enable_service 'nova-api-os-compute'
+ it 'disables openstack api on boot' do
+ expect(chef_run).to disable_service 'nova-api-os-compute'
 end
- it 'starts openstack api now' do
- expect(chef_run).to start_service 'nova-api-os-compute'
+ it 'stops openstack api now' do
+ expect(chef_run).to stop_service 'nova-api-os-compute'
 end
- it do
- template = chef_run.template('/etc/nova/api-paste.ini')
- expect(template).to notify('service[nova-api-os-compute]').to(:restart)
- end
- # expect_creates_api_paste 'service[nova-api-os-compute]'
 end
 end
diff --git a/spec/nova-common_spec.rb b/spec/nova-common_spec.rb
index a721a055..5553ab90 100644
--- a/spec/nova-common_spec.rb
+++ b/spec/nova-common_spec.rb
@@ -98,13 +98,6 @@ describe 'openstack-compute::nova-common' do
 end
 end
- it 'has default compute ip and port options set' do
- [/^osapi_compute_listen = 127.0.0.1$/,
- /^osapi_compute_listen_port = 8774$/].each do |line|
- expect(chef_run).to render_file(file.name).with_content(line)
- end
- end
-
 it 'has default metadata ip and port options set' do
 [/^metadata_listen = 127.0.0.1$/,
 /^metadata_listen_port = 8775$/].each do |line|
@@ -129,6 +122,7 @@ describe 'openstack-compute::nova-common' do
 'project_name = service',
 'user_domain_name = Default',
 'project_domain_name = Default',
+ 'service_token_roles_required = true',
 ].each do |line|
 expect(chef_run).to render_config_file(file.name)\
 .with_section_content('keystone_authtoken', /^#{Regexp.quote(line)}$/)
@@ -169,19 +163,12 @@ describe 'openstack-compute::nova-common' do
 /^project_name = service$/,
 /^user_domain_name = Default/,
 /^project_domain_name = Default/,
- %r{^url = http://127.0.0.1:9696$},
 ].each do |line|
 expect(chef_run).to render_config_file(file.name)\
 .with_section_content('neutron', line)
 end
 end
- it 'sets scheme for neutron' do
- node.set['openstack']['endpoints']['internal']['network']['scheme'] = 'https'
- expect(chef_run).to render_config_file(file.name)\
- .with_section_content('neutron', %r{^url = https://127.0.0.1:9696$})
- end
-
 context 'rabbit mq backend' do
 describe 'ha rabbit disabled' do
 before do
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index a0a73c87..3febe351 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -85,6 +85,7 @@ shared_context 'compute_stubs' do
 # stub_command('nova-manage network list | grep 192.168.200.0/24').and_return(false)
 # stub_command("nova-manage floating list |grep -E '.*([0-9]{1,3}[.]){3}[0-9]{1,3}*'").and_return(false)
 stub_command('/usr/sbin/apache2 -t').and_return(true)
+ stub_command('/usr/sbin/httpd -t').and_return(true)
 stub_command('virsh net-list | grep -q default').and_return(true)
 stub_command('ovs-vsctl br-exists br-int').and_return(true)
 stub_command('ovs-vsctl br-exists br-tun').and_return(true)
@@ -94,6 +95,7 @@ shared_context 'compute_stubs' do
 stub_command('nova-manage cell_v2 list_cells | grep -q cell0').and_return(false)
 stub_command('nova-manage cell_v2 list_cells | grep -q cell1').and_return(false)
 stub_command('nova-manage cell_v2 discover_hosts').and_return(true)
+ stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true)
 end
 end
diff --git a/templates/default/wsgi-template.conf.erb b/templates/default/wsgi-template.conf.erb
index 564bfc83..97e9c7b7 100644
--- a/templates/default/wsgi-template.conf.erb
+++ b/templates/default/wsgi-template.conf.erb
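Review bot: The stub added for the SELinux guard in the second spec_helper.rb hunk returns `true` inside the shared `compute_stubs` context, so the `set-selinux-permissive` executes are treated as running in every spec, including the Debian-family ones, yet no spec in this patch asserts on them. I would stub it `.and_return(false)` by default, override it in the redhat specs, and add an expectation such as `expect(chef_run).to run_execute('nova-api: set-selinux-permissive')` so the guard is covered in both directions. The specs changed in this patch also do not exercise the new `web_app` vhosts or their `ssl` attributes.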
@@ -1,4 +1,4 @@
-<%= node["openstack"]["compute"]["custom_template_banner"] %>
+<%= node['openstack']['compute']['custom_template_banner'] %>
 Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>