From 19b028e660fde34d83311025b5a4a1d4d3d59e2e Mon Sep 17 00:00:00 2001
From: James Kirsch
Date: Thu, 6 Aug 2020 13:09:01 -0700
Subject: [PATCH] Add Keep Alive Timeout for httpd

This patch introduces a global keep alive timeout value for services that leverage httpd + wsgi to handle http/https requests. The default value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
---
 ansible/group_vars/all.yml | 11 ++++++++++-
 ansible/roles/aodh/templates/wsgi-aodh.conf.j2 | 1 +
 ansible/roles/cinder/templates/cinder-wsgi.conf.j2 | 1 +
 .../cloudkitty/templates/wsgi-cloudkitty.conf.j2 | 1 +
 .../roles/freezer/templates/wsgi-freezer-api.conf.j2 | 1 +
 ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 | 1 +
 .../roles/heat/templates/wsgi-heat-api-cfn.conf.j2 | 1 +
 ansible/roles/heat/templates/wsgi-heat-api.conf.j2 | 1 +
 .../roles/keystone/templates/wsgi-keystone.conf.j2 | 1 +
 .../roles/masakari/templates/wsgi-masakari.conf.j2 | 1 +
 .../monasca/templates/monasca-api/wsgi-api.conf.j2 | 1 +
 ansible/roles/panko/templates/wsgi-panko.conf.j2 | 1 +
 .../placement/templates/placement-api-wsgi.conf.j2 | 1 +
 ansible/roles/qinling/templates/wsgi-qinling.conf.j2 | 1 +
 ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2 | 1 +
 ansible/roles/zun/templates/wsgi-zun.conf.j2 | 1 +
 etc/kolla/globals.yml | 11 ++++++++++-
 ...keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml | 6 ++++++
 18 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 507051cfc6..715cce6ebf 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -758,10 +758,19 @@ kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
 kolla_admin_openrc_cacert: ""
 kolla_copy_ca_into_containers: "no"
-kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
 haproxy_backend_cacert_dir: "/etc/ssl/certs"
+
+##################
+# Backend options
+##################
+kolla_httpd_keep_alive: "60"
+
+######################
+# Backend TLS options
+######################
 kolla_enable_tls_backend: "no"
+kolla_verify_tls_backend: "yes"
 kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
 kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
index 152f97d38b..2b790afc1f 100644
--- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
+++ b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ aodh_api_l
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ aodh_log_dir }}/apache-error.log"
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index 2d98e73a7e..58d3b700c1 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@@ -15,6 +15,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 {% if cinder_logging_debug | bool %}
 LogLevel info
diff --git a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
index 0c9e4fd8b4..39776d1528 100644
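Review bot: `kolla_httpd_keep_alive: "60"` is added with no comment giving its unit or its cost, and the commented sample in etc/kolla/globals.yml repeats the bare line. Apache's built-in KeepAliveTimeout default is 5 seconds, so this default keeps each idle client connection open twelve times longer; under the prefork or worker MPM (the MPM in use is not visible here) that is a worker held per idle connection, which makes worker-pool exhaustion by idle or slow clients cheaper. I would put a comment above the variable in both files, for example `# Seconds httpd waits for the next request on a persistent connection (Apache default: 5). Larger values cut TLS re-handshakes but hold workers longer.` If the value is meant to outlast the load balancer's idle timeout, state that relationship there as well.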
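Review bot: `KeepAliveTimeout {{ kolla_httpd_keep_alive }}` writes the operator-supplied value into the config unchecked, so an empty or non-numeric override yields a directive httpd refuses to load and the API container only fails once it starts; the same line is added in all fifteen templates of this patch (aodh here, then cinder, cloudkitty, freezer, gnocchi, both heat templates, keystone, masakari, monasca, panko, placement, qinling, vitrage and zun). A precheck that asserts `kolla_httpd_keep_alive | string is match('^[0-9]+$')` before any template is rendered would reject a bad value once, with a clear message. The directive is also set without `KeepAlive` or `MaxKeepAliveRequests`, so those remain at the image's httpd defaults, which is worth stating in the variable's documentation if intended. Each template continues outside its hunk.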
--- a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
+++ b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
@@ -6,6 +6,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cloudkitty
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ cloudkitty_log_dir }}/apache-error.log"
diff --git a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2 b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
index c5e147071a..c71b75c0ed 100644
--- a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
+++ b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
@@ -5,6 +5,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ freezer_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ freezer_log_dir }}/apache-error.log"
diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
index 672016c9f3..bb745351be 100644
--- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ gnocchi_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ gnocchi_log_dir }}/apache-error.log"
diff --git a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
index da49496894..1269803c22 100644
--- a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
+++ b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_c
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
diff --git a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
index f5423e4918..067866505f 100644
--- a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
+++ b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_l
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index ec1aa43d2f..5cd5d0c46a 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -18,6 +18,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_a
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ keystone_log_dir }}/apache-error.log"
diff --git a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
index 1c20de3c95..734d8f7579 100644
--- a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
+++ b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
@@ -11,6 +11,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ masakari_a
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ masakari_log_dir }}/apache-error.log"
diff --git a/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2 b/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
index ceb26e88d0..5362f13014 100644
--- a/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
+++ b/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
@@ -5,6 +5,7 @@
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ monasca_api_port }}
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ monasca_log_dir }}/apache-api-error.log"
diff --git a/ansible/roles/panko/templates/wsgi-panko.conf.j2 b/ansible/roles/panko/templates/wsgi-panko.conf.j2
index 89d902721e..e6d83f160d 100644
--- a/ansible/roles/panko/templates/wsgi-panko.conf.j2
+++ b/ansible/roles/panko/templates/wsgi-panko.conf.j2
@@ -6,6 +6,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ panko_api_
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ panko_log_dir }}/apache-error.log"
diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
index 26d68199cf..02e051cf32 100644
--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 {% if placement_logging_debug | bool %}
 LogLevel info
diff --git a/ansible/roles/qinling/templates/wsgi-qinling.conf.j2 b/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
index 3f9df860dc..6eceb64f8e 100644
--- a/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
+++ b/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ qinling_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ qinling_log_dir }}/apache-error.log"
diff --git a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2 b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
index f8184f1ccb..5953671af1 100644
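Review bot: The monasca-api template appears to lack the `ServerSignature Off` and `ServerTokens Prod` lines that precede `TraceEnable off` in every other template touched by this patch; its hunk context goes straight from `Listen` to `TraceEnable off`. This predates the commit, and the two directives may be set elsewhere in the file or in the image's base config, which the hunk does not show. If they are absent, adding `ServerSignature Off` and `ServerTokens Prod` above `TraceEnable off` would stop this endpoint from advertising httpd version details in response headers and error pages, matching the other services.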
--- a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
@@ -5,6 +5,7 @@ Listen {{ 'api' | kolla_address | put_address_in_context('url') }}:{{ vitrage_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ vitrage_log_dir }}/apache-error.log"
diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2
index 5fa866e168..fecbb63577 100644
--- a/ansible/roles/zun/templates/wsgi-zun.conf.j2
+++ b/ansible/roles/zun/templates/wsgi-zun.conf.j2
@@ -5,6 +5,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ zun_api_po
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 ErrorLog "{{ zun_log_dir }}/apache-error.log"
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 4d5348728e..5352dda9e7 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -191,10 +191,19 @@
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
 #kolla_admin_openrc_cacert: ""
 #kolla_copy_ca_into_containers: "no"
-#kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
 #haproxy_backend_cacert_dir: "/etc/ssl/certs"
+
+##################
+# Backend options
+##################
+#kolla_httpd_keep_alive: "60"
+
+#####################
+# Backend TLS options
+#####################
 #kolla_enable_tls_backend: "no"
+#kolla_verify_tls_backend: "yes"
 #kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
 #kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
diff --git a/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml b/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml
new file mode 100644
index 0000000000..92d9d49861
--- /dev/null
+++ b/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds configuration parameter ``kolla_httpd_keep_alive`` to configure the
+ keep-alive timeout for services that use httpd to handle HTTP requests.
+ The default value is 60 seconds.