From 870451e554d480ee8974827ada13b0b1042a812d Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Date: Tue, 17 Sep 2024 20:07:35 +0200
Subject: [PATCH] Ensure that selected Apache MPM is enforced

At the moment services might have different MPM selected while all
operating the same Apache setup, ie on metal setup.
This results in failures to set selected MPMs, so eventually second run
of roles after initial deployment will end up in failure (ie upgrade).

This patch ensures that all except selected MPMs are disabled and do
role get's the desired state of deployment.

We also need to align selected MPM across all roles to avoid
future conflicts.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/930446
Change-Id: Ia3e4af7986166f0729840d2a61fb8f52ea053676
---
 defaults/main.yml         |  2 +-
 tasks/keystone_apache.yml | 21 +++++++++++++++++++++
 vars/debian.yml           |  8 ++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index eeaa224e..94c7b76e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -232,7 +232,7 @@ keystone_apache_servertokens: "Prod"
 keystone_apache_serversignature: "Off"
 
 ## Apache MPM tunables
-keystone_httpd_mpm_backend: event
+keystone_httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
 keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
 keystone_httpd_mpm_start_servers: 2
 keystone_httpd_mpm_min_spare_threads: 25
diff --git a/tasks/keystone_apache.yml b/tasks/keystone_apache.yml
index 5626fe49..79ced564 100644
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@@ -33,6 +33,27 @@
     group: "{{ keystone_apache_default_log_grp }}"
     mode: "0755"
 
+- name: Ensure apache2 MPM for Debian/Ubuntu
+  apache2_module:
+    name: "{{ item.name }}"
+    state: "{{ item.state }}"
+    warn_mpm_absent: false
+  with_items: "{{ keystone_apache_mpms | sort(attribute='state') }}"
+  when:
+    - ansible_facts['pkg_mgr'] == 'apt'
+  notify: Restart web server
+
+- name: Ensure apache2 MPM for EL
+  copy:
+    content: |
+      LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
+
+    dest: /etc/httpd/conf.modules.d/00-mpm.conf
+    mode: "0644"
+  when:
+    - ansible_facts['pkg_mgr'] == 'dnf'
+  notify: Restart web server
+
 ## NOTE(cloudnull):
 ## Module enable/disable process is only functional on Debian
 - name: Enable apache2 modules
diff --git a/vars/debian.yml b/vars/debian.yml
index 6fdd6446..62481710 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -82,6 +82,14 @@ keystone_apache_configs:
   - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
   - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
 
+keystone_apache_mpms:
+  - name: "mpm_event"
+    state: "{{ (keystone_httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
+  - name: "mpm_worker"
+    state: "{{ (keystone_httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
+  - name: "mpm_prefork"
+    state: "{{ (keystone_httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
+
 keystone_apache_modules:
   - name: "ssl"
     state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"