Merge "Ensure that selected Apache MPM is enforced"

2024-09-27 12:25:33 +00:00 · 2024-09-27 12:25:33 +00:00 · 1247611233
commit 1247611233
parent ce4c6dfe8e 870451e554
3 changed files with 30 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -232,7 +232,7 @@ keystone_apache_servertokens: "Prod"
 keystone_apache_serversignature: "Off"

 ## Apache MPM tunables
-keystone_httpd_mpm_backend: event
+keystone_httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
 keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
 keystone_httpd_mpm_start_servers: 2
 keystone_httpd_mpm_min_spare_threads: 25
--- a/tasks/keystone_apache.yml
+++ b/tasks/keystone_apache.yml
@ -33,6 +33,27 @@
    group: "{{ keystone_apache_default_log_grp }}"
    mode: "0755"

+- name: Ensure apache2 MPM for Debian/Ubuntu
+  apache2_module:
+    name: "{{ item.name }}"
+    state: "{{ item.state }}"
+    warn_mpm_absent: false
+  with_items: "{{ keystone_apache_mpms | sort(attribute='state') }}"
+  when:
+    - ansible_facts['pkg_mgr'] == 'apt'
+  notify: Restart web server
+
+- name: Ensure apache2 MPM for EL
+  copy:
+    content: |
+      LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
+
+    dest: /etc/httpd/conf.modules.d/00-mpm.conf
+    mode: "0644"
+  when:
+    - ansible_facts['pkg_mgr'] == 'dnf'
+  notify: Restart web server
+
 ## NOTE(cloudnull):
 ## Module enable/disable process is only functional on Debian
 - name: Enable apache2 modules
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -82,6 +82,14 @@ keystone_apache_configs:
  - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
  - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }

+keystone_apache_mpms:
+  - name: "mpm_event"
+    state: "{{ (keystone_httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
+  - name: "mpm_worker"
+    state: "{{ (keystone_httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
+  - name: "mpm_prefork"
+    state: "{{ (keystone_httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
+
 keystone_apache_modules:
  - name: "ssl"
    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"