Install and configure uWSGI

When an Apache + mod_wsgi configuration is not selected, configure
the two Keystone services with uWSGI service profiles.

Two arbitrary ports are selected for uWSGI to listen on, so that it
may be proxied for by a dedicated web server. This is in preparation
for laying down Nginx in a future patch.

Notify events are updated to restart the Keystone uWSGI services
where Keystone's configuration is modified only. Because federation
concerns will be isolated within the dedicated web server, changes
to federation configuration of Shiboleth do not trigger restarts of
uWSGI. Similarly, SSL certificate changes do not trigger restarts.

Change-Id: I99e16a999c496e68fb25fa2630d9b211c9755ea4
Related: blueprint keystone-uwsgi

defaults/main.yml

@@ -181,6 +181,16 @@ keystone_httpd_mpm_thread_child: 25
 keystone_httpd_mpm_max_requests: 150
 keystone_httpd_mpm_max_conn_child: 0
 
+## uWSGI setup
+keystone_wsgi_public_program_name: keystone-wsgi-public
+keystone_wsgi_admin_program_name: keystone-wsgi-admin
+keystone_wsgi_program_names:
+  - "{{ keystone_wsgi_public_program_name }}"
+  - "{{ keystone_wsgi_admin_program_name }}"
+keystone_uwsgi_ports:
+  keystone-wsgi-public: 37358
+  keystone-wsgi-admin: 37359
+
 # set keystone_ssl to true to enable SSL configuration on the keystone containers
 keystone_ssl: false
 keystone_ssl_cert: /etc/ssl/certs/keystone.pem
@@ -403,6 +413,7 @@ keystone_pip_packages:
   - python-memcached
   - python-openstackclient
   - repoze.lru
+  - uWSGI
 
 # This variable is used by the repo_build process to determine
 # which host group to check for members of before building the

handlers/main.yml

@@ -24,6 +24,17 @@
   delay: 2
   when: keystone_apache_mod_wsgi_enabled | bool
 
+- name: Restart Keystone APIs
+  service:
+    name: "{{ item }}"
+    state: "restarted"
+  register: keystone_restart
+  until: keystone_restart | success
+  retries: 5
+  delay: 2
+  with_items: keystone_wsgi_program_names
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
 - name: Restart Shibd
   service:
     name: "shibd"

tasks/keystone_idp_metadata.yml

@@ -21,3 +21,4 @@
   when: keystone_idp != {}
   notify:
     - Restart Apache
+    - Restart Keystone APIs

tasks/keystone_init_common.yml

@@ -0,0 +1,25 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- include: keystone_init_upstart.yml
+  when: pid1_name == "init"
+
+- include: keystone_init_systemd.yml
+  when: pid1_name == "systemd"
+
+- name: Load service
+  service:
+   name: "{{ program_name }}"
+   enabled: "yes"

tasks/keystone_init_systemd.yml

@@ -0,0 +1,48 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create Keystone TEMP dirs
+  file:
+    path: "{{ item.path }}/{{ program_name }}"
+    state: directory
+    owner: "{{ system_user }}"
+    group: "{{ system_group }}"
+    mode: "02755"
+  with_items:
+    - { path: "/var/run" }
+    - { path: "/var/lock" }
+
+- name: Create tempfile.d entry
+  template:
+    src: "keystone-systemd-tempfiles.j2"
+    dest: "/etc/tmpfiles.d/keystone.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+
+- name: Place the systemd init script
+  template:
+    src: "keystone-uwsgi_systemd-init.j2"
+    dest: "/etc/systemd/system/{{ program_name }}.service"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  register: systemd_init
+
+- name: Reload the systemd daemon
+  command: "systemctl daemon-reload"
+  when: systemd_init | changed
+  notify:
+    - Restart Keystone APIs

tasks/keystone_init_upstart.yml

@@ -0,0 +1,31 @@
+---
+# Copyright 2015, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Place the init script
+  template:
+    src: "keystone-uwsgi_upstart.conf.j2"
+    dest: "/etc/init/{{ program_name }}.conf"
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  register: upstart_init
+  notify: Restart Keystone APIs
+
+- name: Reload init scripts
+  shell: |
+    initctl reload-configuration
+  when: upstart_init | changed
+  notify:
+    - Restart Keystone APIs

tasks/keystone_install.yml

@@ -133,6 +133,7 @@
     - keystone_get_venv | changed or keystone_venv_dir | changed
   notify:
     - Restart Apache
+    - Restart Keystone APIs
 
 - name: Install pip packages
   pip:
@@ -149,6 +150,7 @@
     - keystone_get_venv | failed or keystone_developer_mode | bool
   notify:
     - Restart Apache
+    - Restart Keystone APIs
 
 - name: Update virtualenv path
   command: >

tasks/keystone_ldap_setup.yml

@@ -36,6 +36,7 @@
   with_dict: "{{ keystone_ldap }}"
   notify:
     - Restart Apache
+    - Restart Keystone APIs
 
 # Bug 1547542 - Older versions of the keystone role would deploy a blank
 # keystone.Default.conf and this will cause errors when adding LDAP-backed
@@ -47,3 +48,4 @@
   when: keystone_ldap.Default is not defined
   notify:
     - Restart Apache
+    - Restart Keystone APIs

tasks/keystone_post_install.yml

@@ -37,6 +37,7 @@
       config_type: "json"
   notify:
     - Restart Apache
+    - Restart Keystone APIs
 
 - name: Drop Keystone Configs
   copy:
@@ -47,4 +48,5 @@
     mode: "0644"
   notify:
     - Restart Apache
+    - Restart Keystone APIs
 

tasks/keystone_uwsgi.yml

@@ -0,0 +1,56 @@
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Uwsgi Configuration
+- name: Ensure uWSGI directory exists
+  file:
+    path: "/etc/uwsgi/"
+    state: directory
+    mode: "0711"
+
+- name: Apply uWSGI configuration
+  template:
+    src: "keystone-uwsgi.ini.j2"
+    dest: "/etc/uwsgi/{{ item }}.ini"
+    mode: "0744"
+  with_items: keystone_wsgi_program_names
+  notify: Restart Keystone APIs
+
+- include: keystone_init_common.yml
+  vars:
+    program_name: "{{ keystone_wsgi_public_program_name }}"
+    service_name: "{{ keystone_wsgi_public_program_name }}"
+    system_user: "{{ keystone_system_user_name }}"
+    system_group: "{{ keystone_system_group_name }}"
+    service_home: "{{ keystone_system_user_home }}"
+  notify: Restart Keystone APIs
+
+- include: keystone_init_common.yml
+  vars:
+    program_name: "{{ keystone_wsgi_admin_program_name }}"
+    service_name: "{{ keystone_wsgi_admin_program_name }}"
+    system_user: "{{ keystone_system_user_name }}"
+    system_group: "{{ keystone_system_group_name }}"
+    service_home: "{{ keystone_system_user_home }}"
+  notify: Restart Keystone APIs
+
+- name: Ensure uwsgi service started
+  service:
+    name: "{{ item }}"
+    state: started
+  register: keystone_start
+  until: keystone_start | success
+  retries: 5
+  delay: 2
+  with_items: keystone_wsgi_program_names

tasks/main.yml

@@ -32,6 +32,18 @@
   tags:
     - always
 
+- name: Check init system
+  command: cat /proc/1/comm
+  register: _pid1_name
+  tags:
+    - always
+
+- name: Set the name of pid1
+  set_fact:
+    pid1_name: "{{ _pid1_name.stdout }}"
+  tags:
+    - always
+
 - include: keystone_pre_install.yml
   tags:
     - keystone-install
@@ -88,6 +100,13 @@
     - keystone-config
   when: keystone_apache_mod_wsgi_enabled | bool
 
+- include: keystone_uwsgi.yml
+  tags:
+    - keystone-install
+    - keystone-config
+  when:
+    - not keystone_apache_mod_wsgi_enabled | bool
+
 - name: Flush handlers
   meta: flush_handlers
 

templates/keystone-systemd-tempfiles.j2

@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
+D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }}

templates/keystone-uwsgi.ini.j2

@@ -0,0 +1,19 @@
+# {{ ansible_managed }}
+[uwsgi]
+uid = {{ keystone_system_user_name }}
+gid = {{ keystone_system_group_name }}
+
+virtualenv = /openstack/venvs/keystone-{{ keystone_venv_tag }}
+wsgi-file = {{ keystone_bin }}/{{ item }}
+http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}
+
+master = true
+enable-threads = true
+processes = {{ keystone_wsgi_processes }}
+threads = {{ keystone_wsgi_threads }}
+exit-on-reload = true
+die-on-term = true
+lazy-apps = true
+add-header = Connection: close
+buffer-size = 65535
+thunder-lock = true

templates/keystone-uwsgi_systemd-init.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=OpenStack Keystone service
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User={{ system_user }}
+Group={{ system_group }}
+
+{% if program_override is defined %}
+ExecStart={{ program_override }} --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
+{% else %}
+ExecStart={{ keystone_bin }}/uwsgi --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
+{% endif %}
+
+# Give a reasonable amount of time for the server to start up/shut down
+TimeoutSec=300
+Restart=on-failure
+RestartSec=150
+
+[Install]
+WantedBy=multi-user.target

templates/keystone-uwsgi_upstart.conf.j2

@@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+# vim:set ft=upstart ts=2 et:
+
+description "{{ program_name }} under uWSGI"
+author "Kevin Carter <kevin.carter@rackspace.com>"
+
+start on runlevel [2345]
+stop on runlevel [016]
+
+respawn
+respawn limit 10 5
+
+# Set the RUNBIN environment variable
+env RUNBIN="{{ keystone_bin }}/uwsgi"
+
+# Change directory to service users home
+chdir "{{ service_home }}"
+
+# Pre start actions
+pre-start script
+  mkdir -p "/var/run/{{ program_name }}"
+  chown {{ system_user }}:{{ system_group }} "/var/run/{{ program_name }}"
+
+  mkdir -p "/var/lock/{{ program_name }}"
+  chown {{ system_user }}:{{ system_group }} "/var/lock/{{ program_name }}"
+
+  . {{ keystone_bin }}/activate
+
+end script
+
+# Post stop actions
+post-stop script
+  rm "/var/run/{{ program_name }}/{{ program_name }}.pid"
+end script
+
+# Run the start up job
+exec start-stop-daemon --start \
+                       --make-pidfile \
+                       --pidfile /var/run/{{ program_name }}/{{ program_name }}.pid \
+                       --exec "{{ program_override|default('$RUNBIN') }}" \
+                       -- --ini "/etc/uwsgi/{{ program_name }}.ini" \
+                       --logto /var/log/keystone/{{ program_name }}.log \
+                       -- {{ program_config_options|default('') }}