From 2f8c88e0532b6b712cc386a9c15d833d3629b19a Mon Sep 17 00:00:00 2001
From: Sean Dague
Date: Thu, 13 Apr 2017 09:08:39 -0400
Subject: [PATCH] Factor out code to write uwsgi config files

Instead of this code all existing in keystone inline, factor out into a dedicated set of functions, and make keystone use this. This drops uwsgi supporting https directly, but that's not going to be a supported model going forward once we get to proxy only anyway.

Change-Id: I1d89be1f1b36f26eaf543b99bde6fdc5701474fe
---
 lib/apache | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/keystone | 47 ++++++++--------------------------------
 2 files changed, 61 insertions(+), 39 deletions(-)

diff --git a/lib/apache b/lib/apache
index e36d0c998f..fc73b49912 100644
--- a/lib/apache
+++ b/lib/apache
@@ -181,6 +181,59 @@ function reload_apache_server {
 reload_service $APACHE_NAME
 }
+function write_uwsgi_config {
+ local file=$1
+ local wsgi=$2
+ local url=$3
+ local http=$4
+ local name=""
+ name=$(basename $wsgi)
+ local socket="/tmp/${name}.socket"
+
+ # always cleanup given that we are using iniset here
+ rm -rf $file
+ iniset "$file" uwsgi wsgi-file "$wsgi"
+ iniset "$file" uwsgi socket "$socket"
+ iniset "$file" uwsgi processes $API_WORKERS
+ # This is running standalone
+ iniset "$file" uwsgi master true
+ # Set die-on-term & exit-on-reload so that uwsgi shuts down
+ iniset "$file" uwsgi die-on-term true
+ iniset "$file" uwsgi exit-on-reload true
+ iniset "$file" uwsgi enable-threads true
+ iniset "$file" uwsgi plugins python
+ # uwsgi recommends this to prevent thundering herd on accept.
+ iniset "$file" uwsgi thunder-lock true
+ # Override the default size for headers from the 4k default.
+ iniset "$file" uwsgi buffer-size 65535
+ # Make sure the client doesn't try to re-use the connection.
+ iniset "$file" uwsgi add-header "Connection: close"
+ # This ensures that file descriptors aren't shared between processes.
+ iniset "$file" uwsgi lazy-apps true
+ iniset "$file" uwsgi chmod-socket 666
+
+ # If we said bind directly to http, then do that and don't start the apache proxy
+ if [[ -n "$http" ]]; then
+ iniset "$file" uwsgi http $http
+ else
+ local apache_conf=""
+ apache_conf=$(apache_site_config_for $name)
+ echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\"" | sudo tee $apache_conf
+ enable_apache_site $name
+ reload_apache_server
+ fi
+}
+
+function remove_uwsgi_config {
+ local file=$1
+ local wsgi=$2
+ local name=""
+ name=$(basename $wsgi)
+
+ rm -rf $file
+ disable_apache_site $name
+}
+
 # Restore xtrace
 $_XTRACE_LIB_APACHE
diff --git a/lib/keystone b/lib/keystone
index 3db3c8d4aa..936af6a5e1 100644
--- a/lib/keystone
+++ b/lib/keystone
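Review bot: The unix socket that `write_uwsgi_config` configures is placed at a predictable path under `/tmp` and made world-writable by `iniset "$file" uwsgi chmod-socket 666`, and since the `socket` line is emitted before the `if [[ -n "$http" ]]` branch it is bound even when the caller asks for a direct http bind, so any local user can reach the service over the uwsgi protocol without passing through the Apache front end. Tightening this to `iniset "$file" uwsgi chmod-socket 660` together with `chown-socket` set to the web server's user/group, and keeping the socket in a directory only the deploying user can write, leaves the proxy as the single entry point; alternatively the `socket` line could simply be skipped in the http branch. The unquoted expansions `rm -rf $file`, `basename $wsgi`, `http $http` and `sudo tee $apache_conf` take caller-supplied values and should read `rm -f -- "$file"`, `basename "$wsgi"`, `http "$http"` and `sudo tee "$apache_conf"`. `remove_uwsgi_config` disables the Apache site but neither removes the site config it wrote nor calls `reload_apache_server`, so the disabled site keeps serving until something else reloads Apache; a short header comment on each function stating its arguments (file, wsgi script, URL prefix, optional http bind) would also help, since the positional parameters are otherwise undocumented.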
@@ -50,6 +50,10 @@ fi
 KEYSTONE_CONF_DIR=${KEYSTONE_CONF_DIR:-/etc/keystone}
 KEYSTONE_CONF=$KEYSTONE_CONF_DIR/keystone.conf
 KEYSTONE_PASTE_INI=${KEYSTONE_PASTE_INI:-$KEYSTONE_CONF_DIR/keystone-paste.ini}
+KEYSTONE_PUBLIC_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
+KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
+KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
+KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
 # Toggle for deploying Keystone under HTTPD + mod_wsgi
 # Deprecated in Mitaka, use KEYSTONE_DEPLOY instead.
@@ -293,44 +297,9 @@ function configure_keystone {
 _config_keystone_apache_wsgi
 else # uwsgi
 # iniset creates these files when it's called if they don't exist.
- KEYSTONE_PUBLIC_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini
- KEYSTONE_ADMIN_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
- rm -f "$KEYSTONE_PUBLIC_UWSGI_FILE"
- rm -f "$KEYSTONE_ADMIN_UWSGI_FILE"
-
- if is_ssl_enabled_service key; then
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi https $KEYSTONE_SERVICE_HOST:$service_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi https $KEYSTONE_ADMIN_BIND_HOST:$auth_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY
- else
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi http $KEYSTONE_SERVICE_HOST:$service_port
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi http $KEYSTONE_ADMIN_BIND_HOST:$auth_port
- fi
-
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-public"
- iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi processes $(nproc)
-
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-admin"
- iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi processes $API_WORKERS
-
- # Common settings
- for file in "$KEYSTONE_PUBLIC_UWSGI_FILE" "$KEYSTONE_ADMIN_UWSGI_FILE"; do
- # This is running standalone
- iniset "$file" uwsgi master true
- # Set die-on-term & exit-on-reload so that uwsgi shuts down
- iniset "$file" uwsgi die-on-term true
- iniset "$file" uwsgi exit-on-reload true
- iniset "$file" uwsgi enable-threads true
- iniset "$file" uwsgi plugins python
- # uwsgi recommends this to prevent thundering herd on accept.
- iniset "$file" uwsgi thunder-lock true
- # Override the default size for headers from the 4k default.
- iniset "$file" uwsgi buffer-size 65535
- # Make sure the client doesn't try to re-use the connection.
- iniset "$file" uwsgi add-header "Connection: close"
- # This ensures that file descriptors aren't shared between processes.
- iniset "$file" uwsgi lazy-apps true
- done
+ write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
+ write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
 fi
 iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
@@ -604,8 +573,8 @@ function start_keystone {
 # TODO(sdague): we should really get down to a single keystone here
 enable_service key-p
 enable_service key-a
- run_process key-p "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_PUBLIC_UWSGI_FILE" ""
- run_process key-a "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_ADMIN_UWSGI_FILE" ""
+ run_process key-p "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_PUBLIC_UWSGI_CONF" ""
+ run_process key-a "$KEYSTONE_BIN_DIR/uwsgi --ini $KEYSTONE_ADMIN_UWSGI_CONF" ""
 fi
 echo "Waiting for keystone to start..."
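Review bot: Both `write_uwsgi_config` calls pass a non-empty fourth argument (`"$KEYSTONE_SERVICE_HOST:$service_port"` and `"$KEYSTONE_ADMIN_BIND_HOST:$auth_port"`), so for keystone the helper always takes its direct-http branch and the `/identity` and `/identity_admin` URL prefixes are never used; if the proxy is the intended end state, a comment here such as `# TODO: drop the http bind once keystone is served only through the apache proxy` would record that. The removed `is_ssl_enabled_service key` branch has no replacement, so when SSL is enabled for key the service now listens on plain http at the same host:port that the rest of the configuration presumably still advertises as https; failing early with `die $LINENO "uwsgi deploy of keystone does not support SSL"` when `is_ssl_enabled_service key` is true would make the dropped support explicit instead of silent. The surviving context comment `# iniset creates these files when it's called if they don't exist.` now describes behaviour that lives inside `write_uwsgi_config` (which removes and rewrites the file itself) and can go. `configure_keystone` begins outside the hunk.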