openstack/kolla-ansible
Code Issues Proposed changes
1a4a8c1615
kolla-ansible/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
Doug Szumski 647ff667e6 Add variable for changing Apache HTTP timeout 
In services which use the Apache HTTP server to service HTTP requests,
there exists a TimeOut directive [1] which defaults to 60 seconds. APIs
which come under heavy load, such as Cinder, can sometimes exceed this
which results in a HTTP 504 Gateway timeout, or similar. However, the
request can still be serviced without error. For example, if Nova calls
the Cinder API to detach a volume, and this operation takes longer
than the shortest of the two timeouts, Nova will emit a stack trace
with a 504 Gateway timeout. At some time later, the request to detach
the volume will succeed. The Nova and Cinder DBs then become
out-of-sync with each other, and frequently DB surgery is required.

Although strictly this category of bugs should be fixed in OpenStack
services, it is not realistic to expect this to happen in the short
term. Therefore, this change makes it easier to set the Apache HTTP
timeout via a new variable.

An example of a related bug is here:

https://bugs.launchpad.net/nova/+bug/1888665

Whilst this timeout can currently be set by overriding the WSGI
config for individual services, this change makes it much easier.

Change-Id: Ie452516655cbd40d63bdad3635fd66693e40ce34
Closes-Bug: #1917648
2021-03-04 11:25:06 +00:00

121 lines
4.5 KiB
Django/Jinja
Raw Blame History

{% set keystone_log_dir = '/var/log/kolla/keystone' %}
{% set binary_path = '/usr/bin' if keystone_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
{% if keystone_enable_tls_backend | bool %}
{% if kolla_base_distro in ['centos'] %}
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
{% else %}
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %}
{% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
ServerSignature Off
ServerTokens Prod
TraceEnable off
TimeOut {{ kolla_httpd_timeout }}
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
ErrorLog "{{ keystone_log_dir }}/apache-error.log"
<IfModule log_config_module>
CustomLog "{{ keystone_log_dir }}/apache-access.log" common
</IfModule>
{% if keystone_logging_debug | bool %}
LogLevel info
{% endif %}
<Directory "{{ binary_path }}">
<FilesMatch "^keystone-wsgi-(public|admin)$">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:{{ keystone_public_listen_port }}>
WSGIDaemonProcess keystone-public processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat
{% if keystone_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %}
{% if keystone_enable_federation_openid %}
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ";"
OIDCResponseType "id_token"
OIDCScope "{{ keystone_federation_oidc_scopes }}"
OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
{% endif %}
OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
<Location ~ "/redirect_uri">
Require valid-user
AuthType openid-connect
</Location>
{# WebSSO authentication endpoint -#}
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
{% for idp in keystone_identity_providers %}
{% if idp.protocol == 'openid' %}
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/websso>
Require valid-user
AuthType openid-connect
</LocationMatch>
{% endif %}
{% endfor %}
{# CLI / API authentication endpoint -#}
{% for idp in keystone_identity_providers %}
{% if idp.protocol == 'openid' %}
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/auth>
Require valid-user
{# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
{# additionally handle verifying bearer tokens -#}
AuthType auth-openidc
</LocationMatch>
{% endif %}
{% endfor %}
{% endif %}
</VirtualHost>
<VirtualHost *:{{ keystone_admin_listen_port }}>
WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
WSGIProcessGroup keystone-admin
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "{{ keystone_log_dir }}/keystone-apache-admin-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "{{ keystone_log_dir }}/keystone-apache-admin-access.log" logformat
{% if keystone_enable_tls_backend | bool %}
SSLEngine on
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %}
</VirtualHost>
View Git Blame Copy Permalink