Ceilometer-api / Gnocchi-api WSGI refactor

- now using wsgi apps for both apis
- bumped gnocchi package version due to python-openssl bugs

Change-Id: I63636ca8c08660f44433e701c55e1e0e7db5465f
Christoph Albers 2016-11-25 15:56:20 +01:00 committed by Jan Klare
parent 6477bbaf3c
commit b33c0ca574
11 changed files with 400 additions and 33 deletions


@ -18,7 +18,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Set to some text value if you want templated config files
# to contain a custom banner at the top of the written file
default['openstack']['telemetry']['custom_template_banner'] =
'# This file autogenerated by Chef, changes will be overwritten'
# Set the endpoints for the telemetry services to allow all other cookbooks to
# access and use them
%w(telemetry telemetry-metric).each do |ts|
@ -58,6 +61,28 @@ default['openstack']['telemetry']['identity-api']['auth']['version'] =
default['openstack']['telemetry-metric']['identity-api']['auth']['version'] =
node['openstack']['api']['auth']['version']
%w(telemetry telemetry-metric).each do |ts|
# specify whether to enable SSL for ceilometer API endpoint
default['openstack'][ts]['ssl']['enabled'] = false
# specify server whether to enforce client certificate requirement
default['openstack'][ts]['ssl']['cert_required'] = false
# SSL certificate, keyfile and CA certficate file locations
default['openstack'][ts]['ssl']['basedir'] = '/etc/ceilometer/ssl'
# Protocol for SSL (Apache)
default['openstack'][ts]['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
# Which ciphers to use with the SSL/TLS protocol (Apache)
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
default['openstack'][ts]['ssl']['ciphers'] = nil
# path of the cert file for SSL.
default['openstack'][ts]['ssl']['certfile'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/sslcert.pem"
# path of the keyfile for SSL.
default['openstack'][ts]['ssl']['keyfile'] = "#{node['openstack'][ts]['ssl']['basedir']}/private/sslkey.pem"
default['openstack'][ts]['ssl']['chainfile'] = nil
# path of the CA cert file for SSL.
default['openstack'][ts]['ssl']['ca_certs'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/sslca.pem"
# path of the CA cert files for SSL (Apache)
default['openstack'][ts]['ssl']['ca_certs_path'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/"
end
case platform_family
when 'rhel'
default['openstack']['telemetry']['platform'] = {
@ -82,7 +107,7 @@ when 'rhel'
when 'debian'
default['openstack']['telemetry']['platform'] = {
'common_packages' => ['ceilometer-common'],
'gnocchi_packages' => ['gnocchi-api', 'gnocchi-metricd'],
'gnocchi_packages' => ['python-gnocchi', 'gnocchi-common', 'gnocchi-api', 'gnocchi-metricd'],
'gnocchi-api_service' => 'gnocchi-api',
'gnocchi-metricd_service' => 'gnocchi-metricd',
'agent_central_packages' => ['ceilometer-agent-central'],
@ -91,6 +116,8 @@ when 'debian'
'agent_compute_service' => 'ceilometer-agent-compute',
'agent_notification_packages' => ['ceilometer-agent-notification'],
'agent_notification_service' => 'ceilometer-agent-notification',
'ceilometer-api_wsgi_file' => '/usr/lib/python2.7/dist-packages/ceilometer/api/app.wsgi',
'gnocchi-api_wsgi_file' => '/usr/share/gnocchi-common/app.wsgi',
'api_packages' => ['ceilometer-api'],
'api_service' => 'ceilometer-api',
'client_packages' => ['python-ceilometerclient', 'python-gnocchiclient'],
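Review bot: The new default `default['openstack'][ts]['ssl']['protocol'] = 'All -SSLv2 -SSLv3'` still leaves TLS 1.0 and 1.1 enabled, and with `ciphers` defaulting to `nil` the vhost falls back to whatever cipher list the Apache build ships. Consider a stricter default such as `'All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'`, or at least a comment telling operators to narrow both values before enabling SSL. The example cipher string in the comment is missing a colon in `!PSK!RC4`, so it may not parse as intended when copied. The `telemetry-metric` paths are derived from the same `/etc/ceilometer/ssl` basedir, so both APIs share one key and certificate unless overridden; a comment stating that this is intended would help.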


@ -26,3 +26,4 @@ end
depends 'openstack-common', '>= 14.0.0'
depends 'openstack-identity', '>= 14.0.0'
depends 'openstackclient'
depends 'apache2', '~> 3.2'


@ -20,7 +20,14 @@
# limitations under the License.
#
include_recipe 'openstack-telemetry::common'
require 'uri'
# load the methods defined in cookbook-openstack-common libraries
class ::Chef::Recipe
include ::Openstack
end
# include_recipe 'openstack-telemetry::common'
platform = node['openstack']['telemetry']['platform']
platform['api_packages'].each do |pkg|
@ -29,9 +36,58 @@ platform['api_packages'].each do |pkg|
action :upgrade
end
end
bind_service = node['openstack']['bind_service']['all']['telemetry']
bind_service_address = bind_address bind_service
#### Start of Apache specific work
service 'ceilometer-api' do
service_name platform['api_service']
subscribes :restart, "template[#{node['openstack']['telemetry']['conf_file']}]"
action [:enable, :start]
# configure attributes for apache2 cookbook to align with openstack settings
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
# a different address syntax. *:80 vs 0.0.0.0:80
apache_listen -= ['*:80']
apache_listen += ["#{bind_service_address}:#{bind_service.port}"]
node.normal['apache']['listen'] = apache_listen.uniq
# include the apache2 default recipe and the recipes for mod_wsgi
include_recipe 'apache2'
include_recipe 'apache2::mod_wsgi'
# include the apache2 mod_ssl recipe if ssl is enabled for identity
include_recipe 'apache2::mod_ssl' if node['openstack']['telemetry']['ssl']['enabled']
# create the ceilometer-api apache directory
ceilometer_apache_dir = "#{node['apache']['docroot_dir']}/ceilometer"
directory ceilometer_apache_dir do
owner 'root'
group 'root'
mode 00755
end
ceilometer_server_entry = "#{ceilometer_apache_dir}/app"
# Note: Using lazy here as the wsgi file is not available until after
# the ceilometer-api package is installed during execution phase.
file ceilometer_server_entry do
content lazy { IO.read(platform['ceilometer-api_wsgi_file']) }
owner 'root'
group 'root'
mode 00755
end
web_app 'ceilometer-api' do
template 'wsgi-template.conf.erb'
deamon_process 'ceilometer-api'
server_host node['openstack']['telemetry']['conf']['api']['host']
server_port node['openstack']['telemetry']['conf']['api']['port']
server_entry ceilometer_server_entry
log_dir node['apache']['log_dir']
log_debug node['openstack']['telemetry']['debug']
user node['openstack']['telemetry']['user']
group node['openstack']['telemetry']['group']
use_ssl node['openstack']['telemetry']['ssl']['enabled']
cert_file node['openstack']['telemetry']['ssl']['certfile']
chain_file node['openstack']['telemetry']['ssl']['chainfile']
key_file node['openstack']['telemetry']['ssl']['keyfile']
ca_certs_path node['openstack']['telemetry']['ssl']['ca_certs_path']
cert_required node['openstack']['telemetry']['ssl']['cert_required']
protocol node['openstack']['telemetry']['ssl']['protocol']
ciphers node['openstack']['telemetry']['ssl']['ciphers']
end
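Review bot: `ceilometer_server_entry` is written under `node['apache']['docroot_dir']`, so the WSGI script sits in a directory that a default or other vhost may serve as static content; mod_wsgi scripts are normally kept outside any DocumentRoot. A dedicated directory outside the docroot avoids that, and the file needs only `mode 00644` because Apache reads it rather than executing it. The same pattern is repeated for `gnocchi_apache_dir` in the gnocchi_configure recipe. It is not clear from this section whether the standalone `ceilometer-api` service is stopped and disabled once Apache owns the port; if it stays enabled, the two would compete for the same listener.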


@ -15,7 +15,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
class ::Chef::Recipe
include ::Openstack
end
platform = node['openstack']['telemetry']['platform']
db_user = node['openstack']['db']['telemetry-metric']['username']
db_pass = get_password 'db', 'gnocchi'
@ -95,10 +97,58 @@ execute 'gnocchi-upgrade' do
user node['openstack']['telemetry-metric']['user']
end
service 'gnocchi-api' do
service_name platform['gnocchi-api_service']
subscribes :restart, "template[#{node['openstack']['telemetry-metric']['conf_file']}]"
action [:enable, :start]
#### Start of Apache specific work
# configure attributes for apache2 cookbook to align with openstack settings
apache_listen = Array(node['apache']['listen']) # include already defined listen attributes
# Remove the default apache2 cookbook port, as that is also the default for horizon, but with
# a different address syntax. *:80 vs 0.0.0.0:80
apache_listen -= ['*:80']
apache_listen += ["#{bind_service_address}:#{bind_service.port}"]
node.normal['apache']['listen'] = apache_listen.uniq
# include the apache2 default recipe and the recipes for mod_wsgi
include_recipe 'apache2'
include_recipe 'apache2::mod_wsgi'
# include the apache2 mod_ssl recipe if ssl is enabled for identity
include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']
# create the gnocchi-api apache directory
gnocchi_apache_dir = "#{node['apache']['docroot_dir']}/gnocchi"
directory gnocchi_apache_dir do
owner 'root'
group 'root'
mode 00755
end
gnocchi_server_entry = "#{gnocchi_apache_dir}/app"
# Note: Using lazy here as the wsgi file is not available until after
# the gnocchik-api package is installed during execution phase.
file gnocchi_server_entry do
content lazy { IO.read(platform['gnocchi-api_wsgi_file']) }
owner 'root'
group 'root'
mode 00755
end
web_app 'gnocchi-api' do
template 'wsgi-template.conf.erb'
deamon_process 'gnocchi-api'
server_host node['openstack']['telemetry-metric']['conf']['api']['host']
server_port node['openstack']['telemetry-metric']['conf']['api']['port']
server_entry gnocchi_server_entry
log_dir node['apache']['log_dir']
log_debug node['openstack']['telemetry-metric']['debug']
user node['openstack']['telemetry-metric']['user']
group node['openstack']['telemetry-metric']['group']
use_ssl node['openstack']['telemetry-metric']['ssl']['enabled']
cert_file node['openstack']['telemetry-metric']['ssl']['certfile']
chain_file node['openstack']['telemetry-metric']['ssl']['chainfile']
key_file node['openstack']['telemetry-metric']['ssl']['keyfile']
ca_certs_path node['openstack']['telemetry-metric']['ssl']['ca_certs_path']
cert_required node['openstack']['telemetry-metric']['ssl']['cert_required']
protocol node['openstack']['telemetry-metric']['ssl']['protocol']
ciphers node['openstack']['telemetry-metric']['ssl']['ciphers']
end
service 'gnocchi-metricd' do
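Review bot: The mod_ssl include is gated on `node['openstack']['identity']['ssl']['enabled']`, while the `web_app 'gnocchi-api'` block below it switches SSL on from `node['openstack']['telemetry-metric']['ssl']['enabled']`. Enabling SSL for gnocchi alone would render `SSLEngine On` without loading mod_ssl. The guard should read `include_recipe 'apache2::mod_ssl' if node['openstack']['telemetry-metric']['ssl']['enabled']`, and the gnocchi_configure spec that sets the identity flag should change with it. `bind_service` and `bind_service_address` are used for the listen address but are not defined in the visible lines of this recipe (the api recipe defines them for `telemetry`), so confirm they exist here and refer to the telemetry-metric bind service.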


@ -22,6 +22,6 @@ platform = node['openstack']['telemetry']['platform']
platform['gnocchi_packages'].each do |pkg|
package pkg do
options platform['package_overrides']
action :upgrade
version '2.0.2-4'
end
end
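Review bot: `version '2.0.2-4'` is hard-coded inside the loop, so every entry of `platform['gnocchi_packages']` is pinned to one Debian-style version string, apparently regardless of platform family, and nodes stop picking up later package updates, security fixes included. Move the pin to an attribute that defaults to `nil`, e.g. `version node['openstack']['telemetry-metric']['gnocchi_version']` (the attribute name is a suggestion, not an existing one). Add a comment recording which python-openssl problem it works around, so the pin can be lifted later. The matching spec only checks `install_package` and would not notice the version changing.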


@ -9,14 +9,9 @@ describe 'openstack-telemetry::api' do
let(:chef_run) { runner.converge(described_recipe) }
include_context 'telemetry-stubs'
include_examples 'expect-runs-common-recipe'
it 'installs the api package' do
expect(chef_run).to upgrade_package('openstack-ceilometer-api')
end
it 'starts api service' do
expect(chef_run).to start_service('openstack-ceilometer-api')
expect(chef_run).to upgrade_package 'openstack-ceilometer-api'
end
end
end


@ -9,20 +9,112 @@ describe 'openstack-telemetry::api' do
let(:chef_run) { runner.converge(described_recipe) }
include_context 'telemetry-stubs'
include_examples 'expect-runs-common-recipe'
it 'installs the api package' do
expect(chef_run).to upgrade_package 'ceilometer-api'
end
it 'enables and starts the api service' do
expect(chef_run).to enable_service('ceilometer-api')
expect(chef_run).to start_service('ceilometer-api')
describe 'apache recipes' do
it 'include apache recipes' do
expect(chef_run).to include_recipe('apache2')
expect(chef_run).to include_recipe('apache2::mod_wsgi')
expect(chef_run).not_to include_recipe('apache2::mod_ssl')
end
it 'include apache recipes' do
node.set['openstack']['telemetry']['ssl']['enabled'] = true
expect(chef_run).to include_recipe('apache2::mod_ssl')
end
end
describe 'ceilometer-api' do
it 'subscribes to its config file' do
expect(chef_run.service('ceilometer-api')).to subscribe_to('template[/etc/ceilometer/ceilometer.conf]').delayed
it 'creates directory /var/www/html/ceilometer' do
expect(chef_run).to create_directory('/var/www/html/ceilometer').with(
user: 'root',
group: 'root',
mode: 00755
)
end
it 'creates wsgi file' do
expect(chef_run).to create_file('/var/www/html/ceilometer/app').with(
user: 'root',
group: 'root',
mode: 00755
)
end
describe 'apache wsgi' do
file = '/etc/apache2/sites-available/ceilometer-api.conf'
it "creates #{file}" do
expect(chef_run).to create_template(file).with(
user: 'root',
group: 'root',
mode: '0644'
)
end
it "configures #{file} common lines" do
node.set['openstack']['telemetry']['custom_template_banner'] = 'custom_template_banner_value'
[/user=ceilometer/,
/group=ceilometer/,
%r{^ ErrorLog /var/log/apache2/ceilometer-api_error.log$},
%r{^ CustomLog /var/log/apache2/ceilometer-api_access.log}].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it "does not configure #{file} triggered common lines" do
[/^ LogLevel/,
/^ SSL/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable SSL' do
before do
node.set['openstack']['telemetry']['ssl']['enabled'] = true
end
it "configures #{file} common ssl lines" do
[/^ SSLEngine On$/,
%r{^ SSLCertificateFile /etc/ceilometer/ssl/certs/sslcert.pem$},
%r{^ SSLCertificateKeyFile /etc/ceilometer/ssl/private/sslkey.pem$},
%r{^ SSLCACertificatePath /etc/ceilometer/ssl/certs/$},
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it "does not configure #{file} common ssl lines" do
[/^ SSLCertificateChainFile/,
/^ SSLCipherSuite/,
/^ SSLVerifyClient require/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
it "configures #{file} chainfile when set" do
node.set['openstack']['telemetry']['ssl']['chainfile'] = '/etc/ceilometer/ssl/certs/chainfile.pem'
expect(chef_run).to render_file(file)
.with_content(%r{^ SSLCertificateChainFile /etc/ceilometer/ssl/certs/chainfile.pem$})
end
it "configures #{file} ciphers when set" do
node.set['openstack']['telemetry']['ssl']['ciphers'] = 'ciphers_value'
expect(chef_run).to render_file(file)
.with_content(/^ SSLCipherSuite ciphers_value$/)
end
it "configures #{file} cert_required set" do
node.set['openstack']['telemetry']['ssl']['cert_required'] = true
expect(chef_run).to render_file(file)
.with_content(/^ SSLVerifyClient require$/)
end
end
describe 'ceilometer-api WSGI app' do
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:8777>$/,
/^ WSGIDaemonProcess ceilometer-api/,
/^ WSGIProcessGroup ceilometer-api$/,
%r{^ WSGIScriptAlias / /var/www/html/ceilometer/app$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/ceilometer-api.conf').with_content(line)
end
end
end
end
end
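Review bot: Both examples in `describe 'apache recipes'` are named `'include apache recipes'`, so a failure report cannot tell the default case from the SSL-enabled one; the second could be `it 'includes mod_ssl when ssl is enabled'`. The `common lines` example sets `custom_template_banner`, but none of its regexes match `custom_template_banner_value`, so the banner rendering is untested. The gnocchi_configure spec has the same two issues, and there the banner is set under `telemetry-metric` although the template reads `node["openstack"]["telemetry"]["custom_template_banner"]`.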


@ -115,12 +115,115 @@ describe 'openstack-telemetry::gnocchi_configure' do
.with(user: 'gnocchi')
end
%w(gnocchi-api gnocchi-metricd).each do |service|
it do
expect(chef_run).to enable_service(service)
it do
expect(chef_run).to enable_service('gnocchi-metricd')
end
it do
expect(chef_run).to start_service('gnocchi-metricd')
end
describe 'apache recipes' do
it 'include apache recipes' do
expect(chef_run).to include_recipe('apache2')
expect(chef_run).to include_recipe('apache2::mod_wsgi')
expect(chef_run).not_to include_recipe('apache2::mod_ssl')
end
it do
expect(chef_run).to start_service(service)
it 'include apache recipes' do
node.set['openstack']['identity']['ssl']['enabled'] = true
expect(chef_run).to include_recipe('apache2::mod_ssl')
end
end
it 'creates directory /var/www/html/gnocchi' do
expect(chef_run).to create_directory('/var/www/html/gnocchi').with(
user: 'root',
group: 'root',
mode: 00755
)
end
it 'creates wsgi file' do
expect(chef_run).to create_file('/var/www/html/gnocchi/app').with(
user: 'root',
group: 'root',
mode: 00755
)
end
describe 'apache wsgi' do
file = '/etc/apache2/sites-available/gnocchi-api.conf'
it "creates #{file}" do
expect(chef_run).to create_template(file).with(
user: 'root',
group: 'root',
mode: '0644'
)
end
it "configures #{file} common lines" do
node.set['openstack']['telemetry-metric']['custom_template_banner'] = 'custom_template_banner_value'
[/user=gnocchi/,
/group=gnocchi/,
%r{^ ErrorLog /var/log/apache2/gnocchi-api_error.log$},
%r{^ CustomLog /var/log/apache2/gnocchi-api_access.log combined$}].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it "does not configure #{file} triggered common lines" do
[/^ LogLevel/,
/^ SSL/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
context 'Enable SSL' do
before do
node.set['openstack']['telemetry-metric']['ssl']['enabled'] = true
end
it "configures #{file} common ssl lines" do
[/^ SSLEngine On$/,
%r{^ SSLCertificateFile /etc/ceilometer/ssl/certs/sslcert.pem$},
%r{^ SSLCertificateKeyFile /etc/ceilometer/ssl/private/sslkey.pem$},
%r{^ SSLCACertificatePath /etc/ceilometer/ssl/certs/$},
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
expect(chef_run).to render_file(file).with_content(line)
end
end
it "does not configure #{file} common ssl lines" do
[/^ SSLCertificateChainFile/,
/^ SSLCipherSuite/,
/^ SSLVerifyClient require/].each do |line|
expect(chef_run).not_to render_file(file).with_content(line)
end
end
it "configures #{file} chainfile when set" do
node.set['openstack']['telemetry-metric']['ssl']['chainfile'] = '/etc/ceilometer/ssl/certs/chainfile.pem'
expect(chef_run).to render_file(file)
.with_content(%r{^ SSLCertificateChainFile /etc/ceilometer/ssl/certs/chainfile.pem$})
end
it "configures #{file} ciphers when set" do
node.set['openstack']['telemetry-metric']['ssl']['ciphers'] = 'ciphers_value'
expect(chef_run).to render_file(file)
.with_content(/^ SSLCipherSuite ciphers_value$/)
end
it "configures #{file} cert_required set" do
node.set['openstack']['telemetry-metric']['ssl']['cert_required'] = true
expect(chef_run).to render_file(file)
.with_content(/^ SSLVerifyClient require$/)
end
end
describe 'gnocchi-api WSGI app' do
it 'configures required lines' do
[/^<VirtualHost 127.0.0.1:8041>$/,
/^ WSGIDaemonProcess gnocchi-api/,
/^ WSGIProcessGroup gnocchi-api$/,
%r{^ WSGIScriptAlias / /var/www/html/gnocchi/app$}].each do |line|
expect(chef_run).to render_file('/etc/apache2/sites-available/gnocchi-api.conf').with_content(line)
end
end
end
end
end


@ -11,11 +11,11 @@ describe 'openstack-telemetry::gnocchi_install' do
include_context 'telemetry-stubs'
it do
expect(chef_run).to upgrade_package 'gnocchi-api'
expect(chef_run).to install_package 'gnocchi-api'
end
it do
expect(chef_run).to upgrade_package 'gnocchi-metricd'
expect(chef_run).to install_package 'gnocchi-metricd'
end
end
end


@ -42,6 +42,12 @@ shared_context 'telemetry-stubs' do
.with('user', 'admin')
.and_return('admin-pass')
allow(Chef::Application).to receive(:fatal!)
node.set['openstack']['telemetry']['conf']['api']['host'] = '127.0.0.1'
node.set['openstack']['telemetry']['conf']['api']['port'] = '8777'
node.set['openstack']['telemetry-metric']['conf']['api']['host'] = '127.0.0.1'
node.set['openstack']['telemetry-metric']['conf']['api']['port'] = '8041'
stub_command('/usr/sbin/apache2 -t')
stub_command('/usr/sbin/httpd -t')
end
end


@ -0,0 +1,37 @@
<%= node["openstack"]["telemetry"]["custom_template_banner"] %>
Listen <%= @params[:server_host] %>:<%= @params[:server_port] %>
<VirtualHost <%= @params[:server_host] %>:<%= @params[:server_port] %>>
WSGIDaemonProcess <%= @params[:deamon_process] %> processes=2 threads=10 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP}
WSGIProcessGroup <%= @params[:deamon_process] %>
WSGIScriptAlias / <%= @params[:server_entry] %>
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog <%= @params[:log_dir] %>/<%= @params[:deamon_process] %>_error.log
CustomLog <%= @params[:log_dir] %>/<%= @params[:deamon_process] %>_access.log combined
<% if [true, 'true', 'True'].include?(@params[:log_debug]) -%>
LogLevel debug
<% end -%>
<% if @params[:use_ssl] -%>
SSLEngine On
SSLCertificateFile <%= @params[:cert_file] %>
SSLCertificateKeyFile <%= @params[:key_file] %>
SSLCACertificatePath <%= @params[:ca_certs_path] %>
<% if @params[:chain_file] %>
SSLCertificateChainFile <%= @params[:chain_file] %>
<% end -%>
SSLProtocol <%= @params[:protocol] %>
<% if @params[:ciphers] -%>
SSLCipherSuite <%= @params[:ciphers] %>
<% end -%>
<% if @params[:cert_required] -%>
SSLVerifyClient require
<% end -%>
<% end -%>
</VirtualHost>
WSGISocketPrefix /var/run/apache2
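Review bot: Client-certificate checking (`SSLVerifyClient require`) relies only on `SSLCACertificatePath`, which Apache searches by hashed file name, and the `ca_certs` file attribute defined for both services is never passed to the template. Unless the certs directory contains the hash symlinks, verification is likely to reject every client. Adding `SSLCACertificateFile <%= @params[:ca_certs] %>` guarded by `<% if @params[:ca_certs] -%>`, and passing `ca_certs` from both `web_app` calls, would make the trust anchor explicit. That directory also holds the server certificate, so the client-trust CAs are better kept in a separate location. The `Listen` line repeats an address the recipes already append to `node['apache']['listen']`; if both resolve to the same address and port Apache may refuse to start, so one of the two should be dropped.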