Install and configure uWSGI
When an Apache + mod_wsgi configuration is not selected, configure the two Keystone services with uWSGI service profiles. Two arbitrary ports are selected for uWSGI to listen on, so that a dedicated web server can proxy to it. This is in preparation for laying down Nginx in a future patch. Notify events are updated to restart the Keystone uWSGI services only where Keystone's configuration is modified. Because federation concerns will be isolated within the dedicated web server, changes to the Shibboleth federation configuration do not trigger restarts of uWSGI. Similarly, SSL certificate changes do not trigger restarts. Change-Id: I99e16a999c496e68fb25fa2630d9b211c9755ea4 Related: blueprint keystone-uwsgi
parent
b1c2f9c00f
commit
9082c793cc
|
@ -181,6 +181,16 @@ keystone_httpd_mpm_thread_child: 25
|
|||
keystone_httpd_mpm_max_requests: 150
|
||||
keystone_httpd_mpm_max_conn_child: 0
|
||||
|
||||
## uWSGI setup
|
||||
keystone_wsgi_public_program_name: keystone-wsgi-public
|
||||
keystone_wsgi_admin_program_name: keystone-wsgi-admin
|
||||
keystone_wsgi_program_names:
|
||||
- "{{ keystone_wsgi_public_program_name }}"
|
||||
- "{{ keystone_wsgi_admin_program_name }}"
|
||||
keystone_uwsgi_ports:
|
||||
keystone-wsgi-public: 37358
|
||||
keystone-wsgi-admin: 37359
|
||||
|
||||
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
||||
keystone_ssl: false
|
||||
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
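Review bot: The keys of `keystone_uwsgi_ports` repeat the literal default program names, so overriding `keystone_wsgi_public_program_name` or `keystone_wsgi_admin_program_name` leaves the `keystone_uwsgi_ports[item]` lookup in the uWSGI template without a matching key. A comment above the mapping such as `# keys must match keystone_wsgi_public_program_name / keystone_wsgi_admin_program_name` would make that coupling visible to deployers. Both ports also sit inside the default Linux ephemeral range (32768-60999), so a bind can fail at restart if an outgoing connection already holds the port. Reserving them through `net.ipv4.ip_local_reserved_ports` or choosing ports below that range avoids it.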
|
||||
|
@ -403,6 +413,7 @@ keystone_pip_packages:
|
|||
- python-memcached
|
||||
- python-openstackclient
|
||||
- repoze.lru
|
||||
- uWSGI
|
||||
|
||||
# This variable is used by the repo_build process to determine
|
||||
# which host group to check for members of before building the
|
||||
|
|
|
@ -24,6 +24,17 @@
|
|||
delay: 2
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Restart Keystone APIs
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: "restarted"
|
||||
register: keystone_restart
|
||||
until: keystone_restart | success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: keystone_wsgi_program_names
|
||||
when: not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Restart Shibd
|
||||
service:
|
||||
name: "shibd"
|
||||
|
|
|
@ -21,3 +21,4 @@
|
|||
when: keystone_idp != {}
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- include: keystone_init_upstart.yml
|
||||
when: pid1_name == "init"
|
||||
|
||||
- include: keystone_init_systemd.yml
|
||||
when: pid1_name == "systemd"
|
||||
|
||||
- name: Load service
|
||||
service:
|
||||
name: "{{ program_name }}"
|
||||
enabled: "yes"
|
|
@ -0,0 +1,48 @@
|
|||
---
|
||||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Create Keystone TEMP dirs
|
||||
file:
|
||||
path: "{{ item.path }}/{{ program_name }}"
|
||||
state: directory
|
||||
owner: "{{ system_user }}"
|
||||
group: "{{ system_group }}"
|
||||
mode: "02755"
|
||||
with_items:
|
||||
- { path: "/var/run" }
|
||||
- { path: "/var/lock" }
|
||||
|
||||
- name: Create tempfile.d entry
|
||||
template:
|
||||
src: "keystone-systemd-tempfiles.j2"
|
||||
dest: "/etc/tmpfiles.d/keystone.conf"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
|
||||
- name: Place the systemd init script
|
||||
template:
|
||||
src: "keystone-uwsgi_systemd-init.j2"
|
||||
dest: "/etc/systemd/system/{{ program_name }}.service"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
register: systemd_init
|
||||
|
||||
- name: Reload the systemd daemon
|
||||
command: "systemctl daemon-reload"
|
||||
when: systemd_init | changed
|
||||
notify:
|
||||
- Restart Keystone APIs
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
# Copyright 2015, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Place the init script
|
||||
template:
|
||||
src: "keystone-uwsgi_upstart.conf.j2"
|
||||
dest: "/etc/init/{{ program_name }}.conf"
|
||||
mode: "0644"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
register: upstart_init
|
||||
notify: Restart Keystone APIs
|
||||
|
||||
- name: Reload init scripts
|
||||
shell: |
|
||||
initctl reload-configuration
|
||||
when: upstart_init | changed
|
||||
notify:
|
||||
- Restart Keystone APIs
|
|
@ -133,6 +133,7 @@
|
|||
- keystone_get_venv | changed or keystone_venv_dir | changed
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
||||
- name: Install pip packages
|
||||
pip:
|
||||
|
@ -149,6 +150,7 @@
|
|||
- keystone_get_venv | failed or keystone_developer_mode | bool
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
||||
- name: Update virtualenv path
|
||||
command: >
|
||||
|
|
|
@ -36,6 +36,7 @@
|
|||
with_dict: "{{ keystone_ldap }}"
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
||||
# Bug 1547542 - Older versions of the keystone role would deploy a blank
|
||||
# keystone.Default.conf and this will cause errors when adding LDAP-backed
|
||||
|
@ -47,3 +48,4 @@
|
|||
when: keystone_ldap.Default is not defined
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
|
|
@ -37,6 +37,7 @@
|
|||
config_type: "json"
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
||||
- name: Drop Keystone Configs
|
||||
copy:
|
||||
|
@ -47,4 +48,5 @@
|
|||
mode: "0644"
|
||||
notify:
|
||||
- Restart Apache
|
||||
- Restart Keystone APIs
|
||||
|
||||
|
|
|
@ -0,0 +1,56 @@
|
|||
# Copyright 2016, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# Uwsgi Configuration
|
||||
- name: Ensure uWSGI directory exists
|
||||
file:
|
||||
path: "/etc/uwsgi/"
|
||||
state: directory
|
||||
mode: "0711"
|
||||
|
||||
- name: Apply uWSGI configuration
|
||||
template:
|
||||
src: "keystone-uwsgi.ini.j2"
|
||||
dest: "/etc/uwsgi/{{ item }}.ini"
|
||||
mode: "0744"
|
||||
with_items: keystone_wsgi_program_names
|
||||
notify: Restart Keystone APIs
|
||||
|
||||
- include: keystone_init_common.yml
|
||||
vars:
|
||||
program_name: "{{ keystone_wsgi_public_program_name }}"
|
||||
service_name: "{{ keystone_wsgi_public_program_name }}"
|
||||
system_user: "{{ keystone_system_user_name }}"
|
||||
system_group: "{{ keystone_system_group_name }}"
|
||||
service_home: "{{ keystone_system_user_home }}"
|
||||
notify: Restart Keystone APIs
|
||||
|
||||
- include: keystone_init_common.yml
|
||||
vars:
|
||||
program_name: "{{ keystone_wsgi_admin_program_name }}"
|
||||
service_name: "{{ keystone_wsgi_admin_program_name }}"
|
||||
system_user: "{{ keystone_system_user_name }}"
|
||||
system_group: "{{ keystone_system_group_name }}"
|
||||
service_home: "{{ keystone_system_user_home }}"
|
||||
notify: Restart Keystone APIs
|
||||
|
||||
- name: Ensure uwsgi service started
|
||||
service:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
register: keystone_start
|
||||
until: keystone_start | success
|
||||
retries: 5
|
||||
delay: 2
|
||||
with_items: keystone_wsgi_program_names
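Review bot: The "Apply uWSGI configuration" task installs `/etc/uwsgi/{{ item }}.ini` with `mode: "0744"`, which sets the owner execute bit on a configuration file, and neither this task nor the directory task states an owner or group. The init-script tasks added in this commit use `mode: "0644"`, `owner: "root"`, `group: "root"`; the same three lines here would keep the file non-executable and its ownership independent of whichever user runs the play. This file is also the only new task file without a leading `---`.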
|
|
@ -32,6 +32,18 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Check init system
|
||||
command: cat /proc/1/comm
|
||||
register: _pid1_name
|
||||
tags:
|
||||
- always
|
||||
|
||||
- name: Set the name of pid1
|
||||
set_fact:
|
||||
pid1_name: "{{ _pid1_name.stdout }}"
|
||||
tags:
|
||||
- always
|
||||
|
||||
- include: keystone_pre_install.yml
|
||||
tags:
|
||||
- keystone-install
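Review bot: The "Check init system" task runs `command: cat /proc/1/comm`, which is read-only but will be reported as changed on every run; adding `changed_when: false` keeps the play idempotent in reports. The includes added in keystone_init_common.yml match `pid1_name` only against `"init"` and `"systemd"`, so on any other PID 1 name neither init file is placed and the later service tasks would presumably fail with an unrelated error. An explicit `fail` task with a message for the unmatched case would make that easier to diagnose. The include task at the end of this hunk continues outside it.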
|
||||
|
@ -88,6 +100,13 @@
|
|||
- keystone-config
|
||||
when: keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- include: keystone_uwsgi.yml
|
||||
tags:
|
||||
- keystone-install
|
||||
- keystone-config
|
||||
when:
|
||||
- not keystone_apache_mod_wsgi_enabled | bool
|
||||
|
||||
- name: Flush handlers
|
||||
meta: flush_handlers
|
||||
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
|
||||
D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
|
|
@ -0,0 +1,19 @@
|
|||
# {{ ansible_managed }}
|
||||
[uwsgi]
|
||||
uid = {{ keystone_system_user_name }}
|
||||
gid = {{ keystone_system_group_name }}
|
||||
|
||||
virtualenv = /openstack/venvs/keystone-{{ keystone_venv_tag }}
|
||||
wsgi-file = {{ keystone_bin }}/{{ item }}
|
||||
http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}
|
||||
|
||||
master = true
|
||||
enable-threads = true
|
||||
processes = {{ keystone_wsgi_processes }}
|
||||
threads = {{ keystone_wsgi_threads }}
|
||||
exit-on-reload = true
|
||||
die-on-term = true
|
||||
lazy-apps = true
|
||||
add-header = Connection: close
|
||||
buffer-size = 65535
|
||||
thunder-lock = true
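Review bot: The `http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}` line makes both Keystone services, including the admin API, listen in plain HTTP on every interface, although the commit message says they are meant to sit behind a dedicated web server. Any host that can reach the container address can then talk to Keystone directly and bypass whatever TLS and federation handling the front end is expected to enforce. Binding to a deployer-controlled address closes that path, for example `http-socket = {{ keystone_uwsgi_bind_address }}:{{ keystone_uwsgi_ports[item] }}`, where `keystone_uwsgi_bind_address` is a suggested new default set to `127.0.0.1` or the management address. `http-socket` also avoids starting uWSGI's own HTTP router process, which is unnecessary when a proxy fronts the service.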
|
|
@ -0,0 +1,25 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=OpenStack Keystone service
|
||||
After=syslog.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User={{ system_user }}
|
||||
Group={{ system_group }}
|
||||
|
||||
{% if program_override is defined %}
|
||||
ExecStart={{ program_override }} --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
|
||||
{% else %}
|
||||
ExecStart={{ keystone_bin }}/uwsgi --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
|
||||
{% endif %}
|
||||
|
||||
# Give a reasonable amount of time for the server to start up/shut down
|
||||
TimeoutSec=300
|
||||
Restart=on-failure
|
||||
RestartSec=150
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
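Review bot: With `Restart=on-failure` and `RestartSec=150`, a crashed Keystone uWSGI service stays down for two and a half minutes before systemd tries again, whereas the upstart job in this commit respawns immediately (`respawn limit 10 5`). For the identity service that delay blocks token issuance for the rest of the cloud, so a short value such as `RestartSec=2` looks more appropriate, with the start limit left to bound restart loops. If the long delay is deliberate, a comment above the line saying why would help the next reader.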
|
|
@ -0,0 +1,44 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# vim:set ft=upstart ts=2 et:
|
||||
|
||||
description "{{ program_name }} under uWSGI"
|
||||
author "Kevin Carter <kevin.carter@rackspace.com>"
|
||||
|
||||
start on runlevel [2345]
|
||||
stop on runlevel [016]
|
||||
|
||||
respawn
|
||||
respawn limit 10 5
|
||||
|
||||
# Set the RUNBIN environment variable
|
||||
env RUNBIN="{{ keystone_bin }}/uwsgi"
|
||||
|
||||
# Change directory to service users home
|
||||
chdir "{{ service_home }}"
|
||||
|
||||
# Pre start actions
|
||||
pre-start script
|
||||
mkdir -p "/var/run/{{ program_name }}"
|
||||
chown {{ system_user }}:{{ system_group }} "/var/run/{{ program_name }}"
|
||||
|
||||
mkdir -p "/var/lock/{{ program_name }}"
|
||||
chown {{ system_user }}:{{ system_group }} "/var/lock/{{ program_name }}"
|
||||
|
||||
. {{ keystone_bin }}/activate
|
||||
|
||||
end script
|
||||
|
||||
# Post stop actions
|
||||
post-stop script
|
||||
rm "/var/run/{{ program_name }}/{{ program_name }}.pid"
|
||||
end script
|
||||
|
||||
# Run the start up job
|
||||
exec start-stop-daemon --start \
|
||||
--make-pidfile \
|
||||
--pidfile /var/run/{{ program_name }}/{{ program_name }}.pid \
|
||||
--exec "{{ program_override|default('$RUNBIN') }}" \
|
||||
-- --ini "/etc/uwsgi/{{ program_name }}.ini" \
|
||||
--logto /var/log/keystone/{{ program_name }}.log \
|
||||
-- {{ program_config_options|default('') }}
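Review bot: The `exec start-stop-daemon --start` stanza has no `--chuid`, and the job has no `setuid`/`setgid` stanzas, so under upstart uWSGI is launched as root, while the systemd unit in this commit starts it with `User={{ system_user }}` and `Group={{ system_group }}`. The `uid`/`gid` settings in the ini file drop privileges only after uWSGI has started, so the file passed to `--logto` is likely opened as root, and a missing or edited ini would leave the service running as root. Adding `--chuid {{ system_user }}:{{ system_group }} \` after `--start` makes both init systems behave the same, provided `/var/log/keystone` is writable by that user, which is not visible in this commit.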
|