Migrate gnocchi to use uWSGI

This patch moves gnocchi-api from usage of apache with mod_wsgi to uWSGI, which means unification across another roles and reduced maintenance costs During migration period tasks that ensures apache won't listen on gnocchi_service_port are present, but they are supposed to be removed after train release. Depends-On: https://review.opendev.org/671988 Change-Id: I06bbcb2f15108fc517742208ac5291719627ffe2
2019-07-25 22:47:29 +03:00 · 2019-07-25 22:47:29 +03:00 · 57b88ebc65
parent eb083ecf9f
commit 57b88ebc65
15 changed files with 98 additions and 280 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -56,9 +56,6 @@ gnocchi_fatal_deprecations: false
 gnocchi_ssl_external: true
 gnocchi_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO

-#: Set this to false to disable API service through Apache + mod_wsgi
-gnocchi_use_mod_wsgi: true
-
 #: Name of the virtual env to deploy into
 gnocchi_venv_tag: "{{ venv_tag | default('untagged') }}"
 gnocchi_bin: "/openstack/venvs/gnocchi-{{ gnocchi_venv_tag }}/bin"
@ -121,31 +118,12 @@ gnocchi_service_internalurl: "{{ gnocchi_service_internaluri }}"
 gnocchi_service_adminuri: "{{ gnocchi_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ gnocchi_service_port }}"
 gnocchi_service_adminurl: "{{ gnocchi_service_adminuri }}"

-## Apache setup
-gnocchi_apache_log_level: info
-gnocchi_apache_servertokens: "Prod"
-gnocchi_apache_serversignature: "Off"
+## uWSGI setup
 gnocchi_wsgi_threads: 1
 gnocchi_wsgi_processes_max: 16
 gnocchi_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, gnocchi_wsgi_processes_max] | min }}"

-# set gnocchi_ssl to true to enable SSL configuration on the gnocchi containers
-gnocchi_ssl: false
-gnocchi_ssl_cert: /etc/ssl/certs/gnocchi.pem
-gnocchi_ssl_key: /etc/ssl/private/gnocchi.key
-gnocchi_ssl_ca_cert: /etc/ssl/certs/gnocchi-ca.pem
-gnocchi_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
-gnocchi_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
-
-# if using a self-signed certificate, set this to true to regenerate it
-gnocchi_ssl_self_signed_regen: false
-gnocchi_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
-
-# Set these in user_variables to deploy custom certificates
-#gnocchi_user_ssl_cert: <path to cert on ansible deployment host>
-#gnocchi_user_ssl_key: <path to cert on ansible deployment host>
-#gnocchi_user_ssl_ca_cert: <path to cert on ansible deployment host>
-
+gnocchi_uwsgi_conf_overrides: {}
 gnocchi_api_init_overrides: {}
 gnocchi_metricd_init_overrides: {}

@ -154,9 +132,10 @@ gnocchi_services:
  gnocchi-api:
    group: "gnocchi_api"
    service_name: "gnocchi-api"
-    service_enabled: "{{ gnocchi_use_mod_wsgi | ternary(false, true) }}"
+    service_enabled: true
    init_config_overrides: "{{ gnocchi_api_init_overrides }}"
-    execstarts: "{{ gnocchi_bin }}/gnocchi-api"
+    execstarts: "{{ gnocchi_bin }}/uwsgi --autoload --ini /etc/uwsgi/gnocchi-api.ini"
+    execreloads: "{{ gnocchi_bin }}/uwsgi --reload /var/run/gnocchi-api/gnocchi-api.pid"
  gnocchi-metricd:
    group: "gnocchi_metricd"
    service_name: "gnocchi-metricd"
@ -174,6 +153,7 @@ gnocchi_pip_packages:
  - kazoo
  - redis
  - systemd-python
+  - uwsgi

 # This variable is used by the repo_build process to determine
 # which host group to check for members of before building the
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -69,14 +69,12 @@
    - "Restart gnocchi services"
    - "venv changed"

+# NOTE(noonedeadpunk): This task is created due to migration from apache to uwsgi
+# which was introduced during train release. It can be dropped afterwards.
 - name: Restart web server
  service:
    name: "{{ gnocchi_system_service_name }}"
    enabled: yes
    state: "restarted"
    daemon_reload: yes
-  when: gnocchi_use_mod_wsgi | bool
-  register: _restart
-  until: _restart is success
-  retries: 5
-  delay: 2
+  failed_when: false
--- a/releasenotes/notes/use_uwsgi-298612ec01592808.yaml
+++ b/releasenotes/notes/use_uwsgi-298612ec01592808.yaml
@ -0,0 +1,17 @@
+---
+upgrade:
+  - |
+    Gnocchi migrated from usage of Apache mod_wsgi or native daemon to uWSGI
+    daemon. This means, that some variables are not available and has no effect
+    anymore, specifically
+    * `gnocchi_use_mod_wsgi`
+    * `gnocchi_apache_*`
+    * `gnocchi_ssl*` (except `gnocchi_ssl_external` - it's still in place)
+    * `gnocchi_user_ssl_*`
+
+    During upgrade process role will drop `gnocchi_service_port` from apache
+    listeners (ports.conf) and gnocchi virtualhost, which by default means
+    misconfigured apache service (since it won't have any listeners) unless
+    it's aio build and this apache server is in use by other role/service.
+    Apache server won't be dropped from gnocchi_api hosts, so deployers
+    are encoureged to remove it manually.
--- a/tasks/gnocchi_apache.yml
+++ b/tasks/gnocchi_apache.yml
@ -1,99 +0,0 @@
---
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTE(hwoarang) default openSUSE apache2 installation is missing
-# some required modules so enable them here. This can possibly be
-# extended to other distributions if necessary.
- name: Enable required apache2 modules (SUSE)
-  apache2_module:
-    name: "{{ item.name }}"
-    state: "{{ item.state }}"
-  with_items: "{{ gnocchi_apache_modules }}"
-  when:
-    - ansible_pkg_mgr ==  'zypper'
-    - gnocchi_apache_modules is defined
-  notify:
-    - Restart web server
-
- name: Drop apache2 virtual host and ports file
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "root"
-    group: "root"
-  with_items: "{{ gnocchi_apache_config }}"
-  notify:
-    - Restart web server
-
- name: Disable default apache site
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items: "{{ gnocchi_apache_default_sites }}"
-  notify:
-    - Restart web server
-
- name: Enabled gnocchi vhost
-  file:
-    src: "{{ gnocchi_apache_site_available }}"
-    dest: "{{ gnocchi_apache_site_enabled }}"
-    state: "link"
-  when:
-    - gnocchi_apache_site_available is defined
-    - gnocchi_apache_site_enabled is defined
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerName
-  lineinfile:
-    dest: "{{ gnocchi_apache_conf }}"
-    line: "ServerName {{ inventory_hostname }}"
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerTokens
-  lineinfile:
-    dest: "{{ gnocchi_apache_security_conf }}"
-    regexp: '^ServerTokens'
-    line: "ServerTokens {{ gnocchi_apache_servertokens }}"
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerSignature
-  lineinfile:
-    dest: "{{ gnocchi_apache_security_conf }}"
-    regexp: '^ServerSignature'
-    line: "ServerSignature {{ gnocchi_apache_serversignature }}"
-  notify:
-    - Restart web server
-
- name: remove Listen from Apache config
-  lineinfile:
-    dest: "{{ gnocchi_apache_security_conf }}"
-    regexp: '^(Listen.*)'
-    backrefs: yes
-    line: '#\1'
-  notify:
-    - Restart web server
-
- name: Enable/disable mod_ssl for apache2
-  apache2_module:
-    name: ssl
-    state: "{{ gnocchi_ssl | bool | ternary('present', 'absent') }}"
-  when:
-    - ansible_pkg_mgr == 'apt'
-  notify:
-    - Restart web server
--- a/tasks/gnocchi_post_install.yml
+++ b/tasks/gnocchi_post_install.yml
@ -49,13 +49,38 @@
    - Restart gnocchi services
    - Restart web server

- name: Drop Gnocchi WSGI Configs
-  template:
-    src: gnocchi-wsgi.py.j2
-    dest: /var/www/cgi-bin/gnocchi/gnocchi-api
-    owner: "{{ gnocchi_system_user_name }}"
-    group: "{{ gnocchi_system_group_name }}"
-    mode: "0755"
-  when: gnocchi_use_mod_wsgi | bool
+- name: Configurng uWSGI
+  block:
+    - name: Ensure uWSGI directory exists
+      file:
+        path: "/etc/uwsgi/"
+        state: directory
+        mode: "0711"
+    - name: Apply uWSGI configuration
+      config_template:
+        src: "gnocchi-uwsgi.ini.j2"
+        dest: "/etc/uwsgi/gnocchi-api.ini"
+        mode: "0644"
+        config_overrides: "{{ gnocchi_uwsgi_conf_overrides }}"
+        config_type: ini
+      notify:
+        - Restart gnocchi services
+  when: "'gnocchi_api' in group_names"
+
+# NOTE(noonedeadpunk): This task is created due to migration from apache to uwsgi
+# which was introduced during train release. It can be dropped afterwards.
+- name: Drop Apache related configs
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items: "{{ gnocchi_apache_config }}"
  notify:
-    - Restart web server
+   - Restart web server
+
+- name: Stop Apache listening on Gnocchi port
+  lineinfile:
+    path: "{{ gnocchi_apache_ports }}"
+    state: absent
+    line: "Listen {{ gnocchi_service_port }}"
+  notify:
+   - Restart web server
--- a/tasks/gnocchi_pre_install.yml
+++ b/tasks/gnocchi_pre_install.yml
@ -43,15 +43,3 @@
    - { path: "/var/lib/gnocchi/tmp" }
    - { path: "/var/lib/gnocchi/locks" }
    - { path: "/var/cache/gnocchi", mode: "0700" }
-
- name: Create Apache mod_wsgi dirs
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner|default(gnocchi_system_user_name) }}"
-    group: "{{ item.group|default(gnocchi_system_group_name) }}"
-    mode: "{{ item.mode|default('0755') }}"
-  with_items:
-    - { path: "/var/www/cgi-bin", owner: root, group: root }
-    - { path: "/var/www/cgi-bin/gnocchi" }
-  when: gnocchi_use_mod_wsgi | bool
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -109,10 +109,3 @@
    - not gnocchi_identity_only | bool
  tags:
    - gnocchi-config
-
- import_tasks: gnocchi_apache.yml
-  when:
-    - gnocchi_use_mod_wsgi | bool
-    - not gnocchi_identity_only | bool
-  tags:
-    - gnocchi-config
--- a/templates/gnocchi-httpd.conf.j2
+++ b/templates/gnocchi-httpd.conf.j2
@ -1,42 +0,0 @@
-# {{ ansible_managed }}
-
-<VirtualHost *:{{ gnocchi_service_port }}>
-    WSGIDaemonProcess     gnocchi lang='en_US.UTF-8' locale='en_US.UTF-8' user={{ gnocchi_system_user_name }} group={{ gnocchi_system_group_name }} processes={{ gnocchi_wsgi_processes }} threads={{ gnocchi_wsgi_threads }} display-name=%{GROUP}
-    WSGIProcessGroup      gnocchi
-    WSGIScriptAlias       / /var/www/cgi-bin/gnocchi/gnocchi-api
-    WSGIApplicationGroup  %{GLOBAL}
-
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-
-    LogLevel  {{  gnocchi_apache_log_level }}
-    ErrorLog  /var/log/gnocchi/gnocchi-apache-error.log
-    CustomLog /var/log/gnocchi/gnocchi-access.log combined
-
-{% if gnocchi_ssl | bool and gnocchi_service_internaluri_proto == "https" -%}
-    SSLEngine on
-    SSLCertificateFile    {{ gnocchi_ssl_cert }}
-    SSLCertificateKeyFile {{ gnocchi_ssl_key }}
-    {% if gnocchi_user_ssl_ca_cert is defined -%}
-    SSLCACertificateFile  {{ gnocchi_ssl_ca_cert }}
-    {% endif -%}
-    SSLCompression Off
-    SSLProtocol {{ gnocchi_ssl_protocol }}
-    SSLHonorCipherOrder On
-    SSLCipherSuite {{ gnocchi_ssl_cipher_suite }}
-    SSLOptions +StdEnvVars +ExportCertData
-{% endif %}
-</VirtualHost>
-
-<Directory "/var/www/cgi-bin">
-        AllowOverride None
-        Options +ExecCGI -Includes
-        <IfModule !mod_access_compat.c>
-                Require all granted
-        </IfModule>
-        <IfModule mod_access_compat.c>
-                Order allow,deny
-                Allow from all
-        </IfModule>
-</Directory>
--- a/templates/gnocchi-ports.conf.j2
+++ b/templates/gnocchi-ports.conf.j2
@ -1,3 +0,0 @@
-# {{ ansible_managed }}
-
-Listen {{ gnocchi_service_port }}
--- a/templates/gnocchi-uwsgi.ini.j2
+++ b/templates/gnocchi-uwsgi.ini.j2
@ -0,0 +1,25 @@
+[uwsgi]
+uid = {{ gnocchi_system_user_name }}
+gid = {{ gnocchi_system_group_name }}
+
+virtualenv = /openstack/venvs/gnocchi-{{ gnocchi_venv_tag }}
+wsgi-file = {{ gnocchi_bin }}/gnocchi-api
+http-socket = {{ gnocchi_service_address }}:{{ gnocchi_service_port }}
+
+master = true
+enable-threads = true
+processes = {{ gnocchi_wsgi_processes }}
+threads = {{ gnocchi_wsgi_threads }}
+exit-on-reload = true
+die-on-term = true
+lazy-apps = true
+add-header = Connection: close
+buffer-size = 65535
+thunder-lock = true
+disable-logging = true
+http-auto-chunked = true
+http-raw-body = true
+socket-timeout = 10
+
+# Avoid filling up the logs with health check requests from haproxy.
+route-user-agent = ^osa-haproxy-healthcheck$ donotlog:
--- a/templates/gnocchi-wsgi.py.j2
+++ b/templates/gnocchi-wsgi.py.j2
@ -1,23 +0,0 @@
-# Copyright 2013 OpenStack Foundation
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import os
-
-activate_this = os.path.expanduser("{{ gnocchi_bin }}/activate_this.py")
-execfile(activate_this, dict(__file__=activate_this))
-
-from gnocchi.rest import app
-from gnocchi import service
-
-application = app.load_app(service.prepare_service())
--- a/tests/os_gnocchi-overrides.yml
+++ b/tests/os_gnocchi-overrides.yml
@ -3,7 +3,6 @@ gnocchi_container_mysql_password: "secrete"
 gnocchi_keystone_auth: yes
 gnocchi_service_password: "secrete"
 gnocchi_galera_address: "{{ hostvars[groups['galera_all'][0]]['ansible_host'] }}"
-gnocchi_use_mod_wsgi: true
 gnocchi_ssl_external: false
 gnocchi_service_port: 8041
 gnocchi_venv_tag: untagged
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -17,28 +17,17 @@ cache_timeout: 600

 #: Necessary packages
 gnocchi_distro_packages:
-  - apache2
-  - apache2-utils
  - build-essential
  - git
-  - libapache2-mod-wsgi
  - libpq-dev
  - librados-dev
  - libsystemd-dev
  - python-dev

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 gnocchi_system_service_name: apache2
-
 gnocchi_apache_config:
-  - { src: "gnocchi-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
-  - { src: "gnocchi-httpd.conf.j2", dest: "/etc/apache2/sites-available/gnocchi-httpd.conf" }
-
-gnocchi_apache_default_sites:
-  - "/etc/apache2/sites-enabled/000-default.conf"
-
-gnocchi_apache_site_available: "/etc/apache2/sites-available/gnocchi-httpd.conf"
-gnocchi_apache_site_enabled: "/etc/apache2/sites-enabled/gnocchi-httpd.conf"
-
-gnocchi_apache_conf: "/etc/apache2/apache2.conf"
-gnocchi_apache_security_conf: "/etc/apache2/conf-available/security.conf"
-
+  - "/etc/apache2/sites-enabled/gnocchi-httpd.conf"
+  - "/etc/apache2/sites-available/gnocchi-httpd.conf"
+gnocchi_apache_ports: "/etc/apache2/ports.conf"
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -17,26 +17,15 @@
 gnocchi_distro_packages:
  - '@Development Tools'
  - git
-  - httpd
-  - httpd-tools
  - librados2-devel
-  - mod_wsgi
  - postgresql-devel
  - python-devel
  - systemd-devel
  - which

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 gnocchi_system_service_name: httpd
-
 gnocchi_apache_config:
-  - { src: "gnocchi-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
-  - { src: "gnocchi-httpd.conf.j2", dest: "/etc/httpd/conf.d/gnocchi-httpd.conf" }
-
-gnocchi_apache_default_sites:
-  - "/etc/httpd/conf.d/userdir.conf"
-  - "/etc/httpd/conf.d/welcome.conf"
-  - "/etc/httpd/conf.d/ssl.conf"
-
-gnocchi_apache_conf: "/etc/httpd/conf/httpd.conf"
-gnocchi_apache_security_conf: "{{ gnocchi_apache_conf }}"
-
+  - "/etc/httpd/conf.d/gnocchi-httpd.conf"
+gnocchi_apache_ports: "/etc/httpd/conf.d/ports.conf"
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -16,9 +16,6 @@

 # Necessary packages (also includes packages from devel_basis patterns)
 gnocchi_distro_packages:
-  - apache2
-  - apache2-mod_wsgi
-  - apache2-utils
  - autoconf
  - automake
  - binutils
@ -35,24 +32,9 @@ gnocchi_distro_packages:
  - systemd-devel
  - which

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 gnocchi_system_service_name: apache2
-
 gnocchi_apache_config:
-  - { src: "gnocchi-ports.conf.j2", dest: "/etc/apache2/conf.d/ports.conf" }
-  - { src: "gnocchi-httpd.conf.j2", dest: "/etc/apache2/conf.d/gnocchi-httpd.conf" }
-
-gnocchi_apache_default_sites:
-  - "/etc/apache2/conf.d/gitweb.conf"
-
-gnocchi_apache_conf: "/etc/apache2/httpd.conf"
-gnocchi_apache_security_conf: "{{ gnocchi_apache_conf }}"
-
-gnocchi_apache_modules:
-  - name: "authz_host"
-    state: "present"
-  - name: "access_compat"
-    state: "present"
-  - name: "version"
-    state: "present"
-  - name: "ssl"
-    state: "{{ (gnocchi_ssl | bool) | ternary('present', 'absent') }}"
+  - "/etc/apache2/conf.d/gnocchi-httpd.conf"
+gnocchi_apache_ports: "/etc/apache2/conf.d/ports.conf"