Add memcached_servers to keystone_auth section

The in-process cache for keystone tokens has been deprecated due to "incosistent results and high memory usage" with the expectation we switch to memcached_servers if we want to stay performant. Add memcache_servers [cache] section to the appropriate servers as the [DEFAULT]\memcache_servers options was deprecated. TrivialFix Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
2016-03-19 16:42:26 +00:00 · 2016-03-19 16:42:26 +00:00 · d4535b6dc3
commit d4535b6dc3
parent e9b9a84157
15 changed files with 96 additions and 6 deletions
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@ -56,6 +56,11 @@ project_name = service
 username = {{ cinder_keystone_user }}
 password = {{ cinder_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_concurrency]
 lock_path = /var/lib/cinder/tmp

--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@ -29,6 +29,11 @@ project_name = service
 username = {{ glance_keystone_user }}
 password = {{ glance_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [paste_deploy]
 flavor = keystone

--- a/ansible/roles/glance/templates/glance-registry.conf.j2
+++ b/ansible/roles/glance/templates/glance-registry.conf.j2
@ -21,6 +21,11 @@ project_name = service
 username = {{ glance_keystone_user }}
 password = {{ glance_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [paste_deploy]
 flavor = keystone

--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@ -47,6 +47,17 @@ project_name = service
 username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [trustee]
 auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@ -40,6 +40,11 @@ project_name = service
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [glance]
 glance_host = {{ kolla_internal_fqdn }}

--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@ -8,3 +8,9 @@ secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO

 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
+
+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@ -35,6 +35,11 @@ project_name = service
 username = {{ magnum_keystone_user }}
 password = {{ magnum_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_concurrency]
 lock_path = /var/lib/magnum/tmp

--- a/ansible/roles/manila/templates/manila.conf.j2
+++ b/ansible/roles/manila/templates/manila.conf.j2
@ -99,3 +99,8 @@ user_domain_id = default
 project_name = service
 username = {{ manila_keystone_user }}
 password = {{ manila_keystone_password }}
+
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
--- a/ansible/roles/mistral/templates/mistral.conf.j2
+++ b/ansible/roles/mistral/templates/mistral.conf.j2
@ -25,6 +25,11 @@ project_name = service
 username = {{ mistral_keystone_user }}
 password = {{ mistral_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [mistral]
 url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ mistral_api_port }}

--- a/ansible/roles/murano/templates/murano.conf.j2
+++ b/ansible/roles/murano/templates/murano.conf.j2
@ -21,6 +21,11 @@ project_name = service
 username = {{ murano_keystone_user }}
 password = {{ murano_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [murano]
 url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ murano_api_port }}

--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@ -69,5 +69,10 @@ project_name = service
 username = {{ neutron_keystone_user }}
 password = {{ neutron_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_messaging_notifications]
 driver = noop
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@ -21,7 +21,6 @@ metadata_listen_port = {{ nova_metadata_port }}
 ec2_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 ec2_listen_port = {{ nova_api_ec2_port }}

-
 use_neutron = True
 firewall_driver = nova.virt.firewall.NoopFirewallDriver

@ -50,9 +49,6 @@ compute_driver = fake.FakeDriver
 compute_driver = libvirt.LibvirtDriver
 {% endif %}

-memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
-
-
 # Though my_ip is not used directly, lots of other variables use $my_ip
 my_ip = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}

@ -130,6 +126,12 @@ connection = mysql+pymysql://{{ nova_database_user }}:{{ nova_database_password
 [api_database]
 connection = mysql+pymysql://{{ nova_api_database_user }}:{{ nova_api_database_password }}@{{ nova_api_database_address }}/{{ nova_api_database_name }}

+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [keystone_authtoken]
 auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
@ -140,6 +142,11 @@ project_name = service
 username = {{ nova_keystone_user }}
 password = {{ nova_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [libvirt]
 connection_uri = "qemu+tcp://{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}/system"
 {% if enable_ceph | bool %}
--- a/ansible/roles/swift/templates/proxy-server.conf.j2
+++ b/ansible/roles/swift/templates/proxy-server.conf.j2
@ -39,6 +39,11 @@ project_name = service
 username = {{ swift_keystone_user }}
 password = {{ swift_keystone_password }}

+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [filter:keystoneauth]
 use = egg:swift#keystoneauth
 operator_roles = admin,user
--- a/ansible/site.yml
+++ b/ansible/site.yml
@ -56,7 +56,9 @@
        tags: rabbitmq,
        when: enable_rabbitmq | bool }

- hosts: keystone
+- hosts:
+    - keystone
+    - memcached
  roles:
    - { role: keystone,
        tags: keystone,
@ -68,6 +70,7 @@
    - swift-object-server
    - swift-proxy-server
    - rabbitmq
+    - memcached
  roles:
    - { role: swift,
        tags: swift,
@ -78,6 +81,7 @@
    - glance-api
    - glance-registry
    - rabbitmq
+    - memcached
  roles:
    - { role: glance,
        tags: glance,
@ -93,6 +97,7 @@
    - nova-novncproxy
    - nova-scheduler
    - rabbitmq
+    - memcached
  roles:
    - { role: nova,
        tags: nova,
@ -106,6 +111,7 @@
    - neutron-metadata-agent
    - neutron-server
    - rabbitmq
+    - memcached
  roles:
    - { role: neutron,
        tags: neutron,
@ -118,6 +124,7 @@
    - cinder-scheduler
    - cinder-volume
    - rabbitmq
+    - memcached
  roles:
    - { role: cinder,
        tags: cinder,
@ -128,12 +135,15 @@
    - heat-api-cfn
    - heat-engine
    - rabbitmq
+    - memcached
  roles:
    - { role: heat,
        tags: heat,
        when: enable_heat | bool }

- hosts: horizon
+- hosts:
+    - horizon
+    - memcached
  roles:
    - { role: horizon,
        tags: horizon,
@ -143,6 +153,7 @@
    - murano-api
    - murano-engine
    - rabbitmq
+    - memcached
  roles:
    - { role: murano,
        tags: murano,
@ -154,6 +165,7 @@
    - ironic-inspector
    - ironic-pxe
    - rabbitmq
+    - memcached
  roles:
    - { role: ironic,
        tags: ironic,
@ -163,6 +175,7 @@
    - magnum-api
    - magnum-conductor
    - rabbitmq
+    - memcached
  roles:
    - { role: magnum,
        tags: magnum,
@ -173,6 +186,7 @@
    - mistral-engine
    - mistral-executor
    - rabbitmq
+    - memcached
  roles:
    - { role: mistral,
        tags: mistral,
@ -190,6 +204,7 @@
    - manila-share
    - manila-scheduler
    - rabbitmq
+    - memcached
  roles:
    - { role: manila,
        tags: manila,
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@ -67,6 +67,7 @@ horizon_secret_key: "password"
 manila_database_password: "password"
 manila_keystone_password: "password"

+memcache_secret_key: "password"

 ####################
 # Manila options