From 153279105e253f337964ff38b52192ea7fd695a1 Mon Sep 17 00:00:00 2001 From: Saad Zaher Date: Mon, 4 Apr 2016 12:27:53 +0100 Subject: [PATCH] Adding storage, keystone_authtoken sections to sample config Added storage section for elk config and keystone_authtoken section for keystone related configurations Change-Id: Iba3e1c97bfd58fb39c6f9208e31014dde8658f2f Closes-Bug: #1565737 --- README.rst | 9 +- devstack/lib/freezer-api | 3 +- etc/freezer-api.conf | 60 ---------- etc/freezer-api.conf.sample | 213 +++++++++++++++++++++++++++++++++- freezer_api/common/config.py | 8 +- freezer_api/storage/driver.py | 4 + 6 files changed, 231 insertions(+), 66 deletions(-) delete mode 100644 etc/freezer-api.conf diff --git a/README.rst b/README.rst index 997e6e67..fc371049 100644 --- a/README.rst +++ b/README.rst @@ -71,6 +71,13 @@ To get information about optional additional parameters: freezer-db-init -h +Freezer index number of replicas: + +The number of replicas of the freezer index can be configured by changing +the parameter number_of_replicas in the configuration file. This should be done +before running freezer-db-init script. More information about elasticsearch +replicas can be found here https://www.elastic.co/guide/en/elasticsearch/guide/current/replica-shards.html + 1.5 run simple instance ----------------------- :: @@ -89,6 +96,7 @@ To get information about optional additional parameters: 1.7 example running freezer-api with apache2 -------------------------------- :: + # sudo vi /etc/apache2/sites-enabled/freezer-api.conf WSGIDaemonProcess freezer-api processes=2 threads=2 user=freezer @@ -110,7 +118,6 @@ To get information about optional additional parameters: - 2. Devstack Plugin ================== diff --git a/devstack/lib/freezer-api b/devstack/lib/freezer-api index c5899d09..c7ea1e05 100644 --- a/devstack/lib/freezer-api +++ b/devstack/lib/freezer-api 
@@ -87,10 +87,11 @@ function configure_freezer_api { [ ! -d $FREEZER_API_LOG_DIR ] && sudo mkdir -m 755 -p $FREEZER_API_LOG_DIR sudo chown $USER $FREEZER_API_LOG_DIR - sudo cp $FREEZER_API_DIR/etc/freezer-api.conf $FREEZER_API_CONF_DIR + sudo cp $FREEZER_API_DIR/etc/freezer-api.conf.sample $FREEZER_API_CONF_DIR/freezer-api.conf iniset $FREEZER_API_CONF 'storage' db elasticsearch iniset $FREEZER_API_CONF 'storage' index freezer + iniset $FREEZER_API_CONF 'storage' number_of_replicas 0 iniset $FREEZER_API_CONF 'storage' hosts http://$SERVICE_HOST:9200 iniset $FREEZER_API_CONF 'keystone_authtoken' auth_protocol $KEYSTONE_AUTH_PROTOCOL diff --git a/etc/freezer-api.conf b/etc/freezer-api.conf deleted file mode 100644 index 6ca7e758..00000000 --- a/etc/freezer-api.conf +++ /dev/null 
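Review bot: The copy in `configure_freezer_api` writes to `$FREEZER_API_CONF_DIR/freezer-api.conf`, but every `iniset` that follows edits `$FREEZER_API_CONF`. Nothing in the hunk ties the two paths together, so a differently defined `FREEZER_API_CONF` would leave the copied sample untouched. Copying straight to the variable, `sudo cp "$FREEZER_API_DIR/etc/freezer-api.conf.sample" "$FREEZER_API_CONF"`, removes that assumption and quotes the paths. The file also receives `keystone_authtoken` settings; if service credentials are written further down (the function continues outside the hunk), the file mode should be restricted after the copy so they are not world-readable.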
@@ -1,60 +0,0 @@
-# (c) Copyright 2014,2015 Hewlett-Packard Development Company, L.P.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-[DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = false
-
-# Show debugging output in logs (sets DEBUG log level output)
-#debug = False
-
-# Log to this file. Make sure you do not set the same log file for both the API
-# and registry servers!
-#
-# If `log_file` is omitted and `use_syslog` is false, then log messages are
-# sent to stdout as a fallback.
-log_file = freezer-api.log
-
-# ================= Syslog Options ============================
-
-# Send logs to syslog (/dev/log) instead of to file specified
-# by `log_file`
-use_syslogd = false
-
-# Facility to use. If unset defaults to LOG_USER.
-#syslog_log_facility = LOG_LOCAL0
-
-[keystone_authtoken]
-auth_protocol = http
-auth_host = keystone_host
-auth_port = 35357
-admin_user = freezer
-admin_password = freezer
-admin_tenant_name = service
-include_service_catalog = False
-delay_auth_decision = False
-
-
-[storage]
-# supported db engine. currently elasticsearch only
-db=elasticsearch
-hosts='http://elasticsearch_host:9200'
-# freezer-db-init uses the following parameter to set the number of replicas
-number_of_replicas=2
-
-#use_ssl=False
-#ca_certs=''
-#use_ssl=False
-#timeout=60
-#retries=20
diff --git a/etc/freezer-api.conf.sample b/etc/freezer-api.conf.sample
index dbb0fc7b..24b1d6e6 100644
--- a/etc/freezer-api.conf.sample
+++ b/etc/freezer-api.conf.sample @@ -7,8 +7,8 @@ # IP address to listen on. Default is 0.0.0.0 (IP address value) #bind_host = 0.0.0.0 -# Port number to listen on. Default is 9090 (integer value) -# Minimum value: 1 +# Port number to listen on. Default is 9090 (port value) +# Minimum value: 0 # Maximum value: 65535 #bind_port = 9090 
@@ -106,3 +106,212 @@ # Enables or disables fatal status of deprecations. (boolean value) #fatal_deprecations = false + + +[keystone_authtoken] + +# +# From freezer-api +# + +# Complete public Identity API endpoint. (string value) +#auth_uri = + +# API version of the admin Identity API endpoint. (string value) +#auth_version = + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout = + +# How many times are we trying to reconnect when communicating with Identity +# API Server. (integer value) +#http_request_max_retries = 3 + +# Env key for the swift cache. (string value) +#cache = + +# Required if identity server requires client certificate (string value) +#certfile = + +# Required if identity server requires client certificate (string value) +#keyfile = + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile = + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# The region in which the identity server can be found. (string value) +#region_name = + +# Directory used to cache files related to PKI tokens. (string value) +#signing_dir = + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group/name - [DEFAULT]/memcache_servers +#memcached_servers = + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set +# to -1 to disable caching completely. (integer value) +#token_cache_time = 300 + +# Determines the frequency at which the list of revoked tokens is retrieved +# from the Identity service (in seconds). 
A high number of revocation events +# combined with a low cache duration may significantly reduce performance. +# (integer value) +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) +# in the cache. If ENCRYPT, token data is encrypted and authenticated in the +# cache. If the value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +# Allowed values: None, MAC, ENCRYPT +#memcache_security_strategy = None + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key = + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every memcached +# server. (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a memcached +# server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will not +# set the X-Service-Catalog header. (boolean value) +#include_service_catalog = true + +# Used to control the use and type of token binding. 
Can be set to: "disabled" +# to not check token binding. "permissive" (default) to validate binding +# information if the bind type is of a form known to the server and ignore it +# if not. "strict" like "permissive" but if the bind type is unknown the token +# will be rejected. "required" any form of token binding is needed to be +# allowed. Finally the name of a binding method that must be present in tokens. +# (string value) +#enforce_token_bind = permissive + +# If true, the revocation list will be checked for cached tokens. This requires +# that PKI tokens are configured on the identity server. (boolean value) +#check_revocations_for_cached = false + +# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm +# or multiple. The algorithms are those supported by Python standard +# hashlib.new(). The hashes will be tried in the order given, so put the +# preferred one first for performance. The result of the first hash will be +# stored in the cache. This will typically be set to multiple values only while +# migrating from a less secure algorithm to a more secure one. Once all the old +# tokens are expired this option should be set to a single value for better +# performance. (list value) +#hash_algorithms = md5 + +# Prefix to prepend at the beginning of the path. Deprecated, use identity_uri. +# (string value) +#auth_admin_prefix = + +# Host providing the admin Identity API endpoint. Deprecated, use identity_uri. +# (string value) +#auth_host = 127.0.0.1 + +# Port of the admin Identity API endpoint. Deprecated, use identity_uri. +# (integer value) +#auth_port = 35357 + +# Protocol of the admin Identity API endpoint. Deprecated, use identity_uri. +# (string value) +# Allowed values: http, https +#auth_protocol = https + +# Complete admin Identity API endpoint. This should specify the unversioned +# root endpoint e.g. 
https://localhost:35357/ (string value) +#identity_uri = + +# This option is deprecated and may be removed in a future release. Single +# shared secret with the Keystone configuration used for bootstrapping a +# Keystone installation, or otherwise bypassing the normal authentication +# process. This option should not be used, use `admin_user` and +# `admin_password` instead. (string value) +#admin_token = + +# Service username. (string value) +#admin_user = + +# Service user password. (string value) +#admin_password = + +# Service tenant name. (string value) +#admin_tenant_name = admin + +# Authentication type to load (unknown value) +# Deprecated group/name - [DEFAULT]/auth_plugin +#auth_type = + +# Config Section from which to load plugin specific options (unknown value) +#auth_section = + + +[storage] + +# +# From freezer-api +# + +# specify the storage db to use (default: elasticsearch (string value) +#db = elasticsearch + +# specify the storage hosts (deprecated, use "hosts" (string value) +#endpoint = + +# specify the storage hosts (string value) +#hosts = http://localhost:9200 + +# specify the name of the elasticsearch index (string value) +#index = freezer + +# specify the connection timeout (integer value) +#timeout = 60 + +# number of retries to allow before raising and error (integer value) +#retries = 20 + +# explicitly turn on SSL (boolean value) +#use_ssl = false + +# turn on SSL certs verification (boolean value) +#verify_certs = false + +# path to CA certs on disk (string value) +#ca_certs = + +# Number of replicas for elk cluster. Default is 2. Use 0 for no replicas +# (integer value) +#number_of_replicas = 2 diff --git a/freezer_api/common/config.py b/freezer_api/common/config.py index 5307ca00..21f631b0 100644 --- a/freezer_api/common/config.py +++ b/freezer_api/common/config.py 
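Review bot: The new `[storage]` section documents `#verify_certs = false` next to `#use_ssl = false`, so an operator who only switches `use_ssl` on gets TLS to Elasticsearch without certificate validation, and the help text does not say so. Since the devstack change in this commit copies this sample into the live configuration, the comment should spell that out, e.g. `# verify the Elasticsearch server certificate; set to true whenever use_ssl is true (boolean value)`. The text looks generated from `storage_opts` in freezer_api/storage/driver.py, whose `verify_certs` definition is outside the visible hunks, so the wording (and ideally the default) would have to change there. The help typos `(default: elasticsearch` (unclosed parenthesis) and `raising and error` would be fixed in the same place.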
@@ -1,5 +1,5 @@ """ -(c) Copyright 2014,2015 Hewlett-Packard Development Company, L.P. +(c) Copyright 2015-2016 Hewlett-Packard Enterprise Company L.P. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -20,6 +20,8 @@ from oslo_config import cfg from oslo_log import log from freezer_api import __version__ as FREEZER_API_VERSION +from freezer_api.storage import driver +from keystonemiddleware import opts CONF = cfg.CONF @@ -69,7 +71,9 @@ def setup_logging(): def list_opts(): _OPTS = { - None: api_common_opts() + None: api_common_opts(), + 'storage': driver.storage_opts, + opts.auth_token_opts[0][0]: opts.auth_token_opts[0][1] } return _OPTS.items() diff --git a/freezer_api/storage/driver.py b/freezer_api/storage/driver.py index d8edb2f8..0767f786 100644 --- a/freezer_api/storage/driver.py +++ b/freezer_api/storage/driver.py @@ -56,6 +56,10 @@ storage_opts = [ cfg.StrOpt('ca_certs', default=None, help='path to CA certs on disk'), + cfg.IntOpt('number_of_replicas', + default=2, + help='Number of replicas for elk cluster. Default is 2. ' + 'Use 0 for no replicas') ] CONF = cfg.CONF
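Review bot: In `list_opts`, `opts.auth_token_opts[0][0]: opts.auth_token_opts[0][1]` depends on the position and tuple layout of a list inside keystonemiddleware, and it hands the library's own option list to the caller without copying it. keystonemiddleware publishes `opts.list_auth_token_opts()` for config generators; building the entry from that, e.g. `_OPTS.update(dict(opts.list_auth_token_opts()))`, avoids the hard-coded index. The new `from keystonemiddleware import opts` line in the import hunk of the same file also sits after the local `freezer_api` imports; it would normally be grouped with the `oslo_*` third-party imports above them.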
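Review bot: The new `number_of_replicas` option in `storage_opts` accepts any integer, so a negative value in the config file is not rejected when the configuration is loaded and is presumably passed on to freezer-db-init unchanged. `cfg.IntOpt` takes a lower bound; adding `min=0,` after `default=2,` makes oslo.config refuse it at load time. The help text says "elk cluster", while the README text added by this commit describes replicas of the freezer index; `help='Number of replicas of the freezer index in Elasticsearch. Default is 2. '` would match. `storage_opts` begins outside the hunk.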