Install and configure uWSGI

When an Apache + mod_wsgi configuration is not selected, configure
the two Keystone services with uWSGI service profiles.

Two arbitrary ports are selected for uWSGI to listen on, so that it
may be proxied for by a dedicated web server. This is in preparation
for laying down Nginx in a future patch.

Notify events are updated to restart the Keystone uWSGI services
only where Keystone's configuration is modified. Because federation
concerns will be isolated within the dedicated web server, changes
to the federation configuration of Shibboleth do not trigger restarts of
uWSGI. Similarly, SSL certificate changes do not trigger restarts.

Change-Id: I99e16a999c496e68fb25fa2630d9b211c9755ea4
Related: blueprint keystone-uwsgi
Steve Lewis 2016-08-18 16:08:58 -07:00
parent b1c2f9c00f
commit 9082c793cc
15 changed files with 300 additions and 0 deletions


@ -181,6 +181,16 @@ keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150 keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_conn_child: 0 keystone_httpd_mpm_max_conn_child: 0
## uWSGI setup
keystone_wsgi_public_program_name: keystone-wsgi-public
keystone_wsgi_admin_program_name: keystone-wsgi-admin
keystone_wsgi_program_names:
- "{{ keystone_wsgi_public_program_name }}"
- "{{ keystone_wsgi_admin_program_name }}"
keystone_uwsgi_ports:
keystone-wsgi-public: 37358
keystone-wsgi-admin: 37359
# set keystone_ssl to true to enable SSL configuration on the keystone containers # set keystone_ssl to true to enable SSL configuration on the keystone containers
keystone_ssl: false keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem keystone_ssl_cert: /etc/ssl/certs/keystone.pem
@ -403,6 +413,7 @@ keystone_pip_packages:
- python-memcached - python-memcached
- python-openstackclient - python-openstackclient
- repoze.lru - repoze.lru
- uWSGI
# This variable is used by the repo_build process to determine # This variable is used by the repo_build process to determine
# which host group to check for members of before building the # which host group to check for members of before building the
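Review bot: `keystone_uwsgi_ports` is keyed on the literal strings `keystone-wsgi-public` and `keystone-wsgi-admin`, while the names the role iterates over come from `keystone_wsgi_public_program_name` and `keystone_wsgi_admin_program_name` just above; an operator who overrides either program name gets an undefined-key failure when the ini template evaluates `keystone_uwsgi_ports[item]`. Whether templated mapping keys are expanded depends on the Ansible version, so the safest immediate fix is to state the coupling: `# Keys must match keystone_wsgi_*_program_name; keystone-uwsgi.ini.j2 looks up keystone_uwsgi_ports[item]`. The `## uWSGI setup` comment could also say these are proxy-facing ports rather than the public 5000/35357 endpoints, which the commit message explains but the defaults file does not.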


@ -24,6 +24,17 @@
delay: 2 delay: 2
when: keystone_apache_mod_wsgi_enabled | bool when: keystone_apache_mod_wsgi_enabled | bool
- name: Restart Keystone APIs
service:
name: "{{ item }}"
state: "restarted"
register: keystone_restart
until: keystone_restart | success
retries: 5
delay: 2
with_items: keystone_wsgi_program_names
when: not keystone_apache_mod_wsgi_enabled | bool
- name: Restart Shibd - name: Restart Shibd
service: service:
name: "shibd" name: "shibd"
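Review bot: `with_items: keystone_wsgi_program_names` on the Restart Keystone APIs handler relies on bare-variable expansion, which Ansible treats as deprecated and newer releases reject; the same form appears on the template and service tasks in the new tasks/keystone_uwsgi.yml. Write `with_items: "{{ keystone_wsgi_program_names }}"` in all three places. The retry loop with `until: keystone_restart | success` mirrors the Restart Apache handler above it, which keeps the two handlers consistent.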


@ -21,3 +21,4 @@
when: keystone_idp != {} when: keystone_idp != {}
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs


@ -0,0 +1,25 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- include: keystone_init_upstart.yml
when: pid1_name == "init"
- include: keystone_init_systemd.yml
when: pid1_name == "systemd"
- name: Load service
service:
name: "{{ program_name }}"
enabled: "yes"
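Review bot: `enabled: "yes"` on the Load service task passes a quoted boolean-looking string where a boolean is meant; `enabled: true` is the canonical form and avoids the yes/no truthy trap. The file also depends on `program_name`, `system_user`, `system_group` and `service_home` being supplied by the including task, which nothing in the file states; a header comment such as `# Expects program_name, system_user, system_group and service_home from the including task` would help the next reader. The `pid1_name == "init"` test selects the Upstart path for any non-systemd init named `init`, which is presumably intended for the Ubuntu targets of this role but would misfire on a sysvinit host; worth a comment if that scope is deliberate.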


@ -0,0 +1,48 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create Keystone TEMP dirs
file:
path: "{{ item.path }}/{{ program_name }}"
state: directory
owner: "{{ system_user }}"
group: "{{ system_group }}"
mode: "02755"
with_items:
- { path: "/var/run" }
- { path: "/var/lock" }
- name: Create tempfile.d entry
template:
src: "keystone-systemd-tempfiles.j2"
dest: "/etc/tmpfiles.d/keystone.conf"
mode: "0644"
owner: "root"
group: "root"
- name: Place the systemd init script
template:
src: "keystone-uwsgi_systemd-init.j2"
dest: "/etc/systemd/system/{{ program_name }}.service"
mode: "0644"
owner: "root"
group: "root"
register: systemd_init
- name: Reload the systemd daemon
command: "systemctl daemon-reload"
when: systemd_init | changed
notify:
- Restart Keystone APIs
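Review bot: `dest: "/etc/tmpfiles.d/keystone.conf"` is rendered once per included program, so the second include in tasks/keystone_uwsgi.yml (the admin service) overwrites the entry written for the public service, and after a reboot systemd-tmpfiles recreates only one `/var/run/<program_name>` directory. Putting the program name in the destination, `dest: "/etc/tmpfiles.d/{{ program_name }}.conf"`, gives each service its own entry. As a lesser point, `command: "systemctl daemon-reload"` guarded by `when: systemd_init | changed` is handler material; the inline form works but runs once per include instead of once per play.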


@ -0,0 +1,31 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Place the init script
template:
src: "keystone-uwsgi_upstart.conf.j2"
dest: "/etc/init/{{ program_name }}.conf"
mode: "0644"
owner: "root"
group: "root"
register: upstart_init
notify: Restart Keystone APIs
- name: Reload init scripts
shell: |
initctl reload-configuration
when: upstart_init | changed
notify:
- Restart Keystone APIs
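Review bot: `shell: |` wrapping the single line `initctl reload-configuration` spawns a shell for a command that needs none; `command: initctl reload-configuration` matches the `command:` used for daemon-reload in the systemd variant of this file. The `notify: Restart Keystone APIs` on Place the init script duplicates the notification the reload task already sends whenever `upstart_init | changed`, so one of the two can be dropped.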


@ -133,6 +133,7 @@
- keystone_get_venv | changed or keystone_venv_dir | changed - keystone_get_venv | changed or keystone_venv_dir | changed
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs
- name: Install pip packages - name: Install pip packages
pip: pip:
@ -149,6 +150,7 @@
- keystone_get_venv | failed or keystone_developer_mode | bool - keystone_get_venv | failed or keystone_developer_mode | bool
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs
- name: Update virtualenv path - name: Update virtualenv path
command: > command: >


@ -36,6 +36,7 @@
with_dict: "{{ keystone_ldap }}" with_dict: "{{ keystone_ldap }}"
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs
# Bug 1547542 - Older versions of the keystone role would deploy a blank # Bug 1547542 - Older versions of the keystone role would deploy a blank
# keystone.Default.conf and this will cause errors when adding LDAP-backed # keystone.Default.conf and this will cause errors when adding LDAP-backed
@ -47,3 +48,4 @@
when: keystone_ldap.Default is not defined when: keystone_ldap.Default is not defined
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs


@ -37,6 +37,7 @@
config_type: "json" config_type: "json"
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs
- name: Drop Keystone Configs - name: Drop Keystone Configs
copy: copy:
@ -47,4 +48,5 @@
mode: "0644" mode: "0644"
notify: notify:
- Restart Apache - Restart Apache
- Restart Keystone APIs

56
tasks/keystone_uwsgi.yml Normal file

@ -0,0 +1,56 @@
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Uwsgi Configuration
- name: Ensure uWSGI directory exists
file:
path: "/etc/uwsgi/"
state: directory
mode: "0711"
- name: Apply uWSGI configuration
template:
src: "keystone-uwsgi.ini.j2"
dest: "/etc/uwsgi/{{ item }}.ini"
mode: "0744"
with_items: keystone_wsgi_program_names
notify: Restart Keystone APIs
- include: keystone_init_common.yml
vars:
program_name: "{{ keystone_wsgi_public_program_name }}"
service_name: "{{ keystone_wsgi_public_program_name }}"
system_user: "{{ keystone_system_user_name }}"
system_group: "{{ keystone_system_group_name }}"
service_home: "{{ keystone_system_user_home }}"
notify: Restart Keystone APIs
- include: keystone_init_common.yml
vars:
program_name: "{{ keystone_wsgi_admin_program_name }}"
service_name: "{{ keystone_wsgi_admin_program_name }}"
system_user: "{{ keystone_system_user_name }}"
system_group: "{{ keystone_system_group_name }}"
service_home: "{{ keystone_system_user_home }}"
notify: Restart Keystone APIs
- name: Ensure uwsgi service started
service:
name: "{{ item }}"
state: started
register: keystone_start
until: keystone_start | success
retries: 5
delay: 2
with_items: keystone_wsgi_program_names
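Review bot: `mode: "0744"` on the rendered `/etc/uwsgi/{{ item }}.ini` marks a configuration file executable for no reason; `mode: "0644"` matches the other templates in this commit, or `"0640"` with `owner`/`group` set to the keystone user, since only the service reads it. The `notify: Restart Keystone APIs` on the two `include:` tasks is at best redundant, because the template task here and the included init files already notify the handler themselves, and whether `notify` on an include propagates is version-dependent. `with_items: keystone_wsgi_program_names` on the template and service tasks should be `with_items: "{{ keystone_wsgi_program_names }}"`.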


@ -32,6 +32,18 @@
tags: tags:
- always - always
- name: Check init system
command: cat /proc/1/comm
register: _pid1_name
tags:
- always
- name: Set the name of pid1
set_fact:
pid1_name: "{{ _pid1_name.stdout }}"
tags:
- always
- include: keystone_pre_install.yml - include: keystone_pre_install.yml
tags: tags:
- keystone-install - keystone-install
@ -88,6 +100,13 @@
- keystone-config - keystone-config
when: keystone_apache_mod_wsgi_enabled | bool when: keystone_apache_mod_wsgi_enabled | bool
- include: keystone_uwsgi.yml
tags:
- keystone-install
- keystone-config
when:
- not keystone_apache_mod_wsgi_enabled | bool
- name: Flush handlers - name: Flush handlers
meta: flush_handlers meta: flush_handlers
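Review bot: `command: cat /proc/1/comm` reports changed on every run, so each play shows a spurious change for the Check init system task; add `changed_when: false` to it. Ansible releases from 2.1 onward also expose the init system as the `ansible_service_mgr` fact, which would replace both the command and the set_fact task if the role's minimum version allows it.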


@ -0,0 +1,4 @@
# {{ ansible_managed }}
D /var/lock/{{ program_name }} 2755 {{ system_user }} {{ system_group }}
D /var/run/{{ program_name }} 2755 {{ system_user }} {{ system_group }}


@ -0,0 +1,19 @@
# {{ ansible_managed }}
[uwsgi]
uid = {{ keystone_system_user_name }}
gid = {{ keystone_system_group_name }}
virtualenv = /openstack/venvs/keystone-{{ keystone_venv_tag }}
wsgi-file = {{ keystone_bin }}/{{ item }}
http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}
master = true
enable-threads = true
processes = {{ keystone_wsgi_processes }}
threads = {{ keystone_wsgi_threads }}
exit-on-reload = true
die-on-term = true
lazy-apps = true
add-header = Connection: close
buffer-size = 65535
thunder-lock = true
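Review bot: `http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}` opens a plaintext HTTP listener for each service, including the admin API, on every interface of the host, even though the commit message describes these ports as an internal hop for a web server to proxy. Binding to loopback by default, `http = 127.0.0.1:{{ keystone_uwsgi_ports[item] }}`, or introducing a bind-address default that the later proxy patch can widen, keeps the unproxied port off the network until the proxy exists. A comment above the `http` line stating that the port is proxy-facing only would make the intent visible to whoever next edits the template.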


@ -0,0 +1,25 @@
# {{ ansible_managed }}
[Unit]
Description=OpenStack Keystone service
After=syslog.target
After=network.target
[Service]
Type=simple
User={{ system_user }}
Group={{ system_group }}
{% if program_override is defined %}
ExecStart={{ program_override }} --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
{% else %}
ExecStart={{ keystone_bin }}/uwsgi --ini /etc/uwsgi/{{ program_name }}.ini --logto /var/log/keystone/{{ program_name }}.log {{ program_config_options|default('') }}
{% endif %}
# Give a reasonable amount of time for the server to start up/shut down
TimeoutSec=300
Restart=on-failure
RestartSec=150
[Install]
WantedBy=multi-user.target
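Review bot: `Description=OpenStack Keystone service` is identical for both rendered units, so `systemctl status` cannot distinguish the public and admin services; `Description=OpenStack Keystone {{ program_name }} service` uses a name the template already has. `After=syslog.target` is a legacy target and can be dropped. The unit runs as `User={{ system_user }}` and writes `--logto /var/log/keystone/{{ program_name }}.log`, which presumes that directory exists and is writable by that user; nothing in this commit creates it, so either a tmpfiles entry alongside the `/var/run` one or a comment stating the assumption would help.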


@ -0,0 +1,44 @@
# {{ ansible_managed }}
# vim:set ft=upstart ts=2 et:
description "{{ program_name }} under uWSGI"
author "Kevin Carter <kevin.carter@rackspace.com>"
start on runlevel [2345]
stop on runlevel [016]
respawn
respawn limit 10 5
# Set the RUNBIN environment variable
env RUNBIN="{{ keystone_bin }}/uwsgi"
# Change directory to service users home
chdir "{{ service_home }}"
# Pre start actions
pre-start script
mkdir -p "/var/run/{{ program_name }}"
chown {{ system_user }}:{{ system_group }} "/var/run/{{ program_name }}"
mkdir -p "/var/lock/{{ program_name }}"
chown {{ system_user }}:{{ system_group }} "/var/lock/{{ program_name }}"
. {{ keystone_bin }}/activate
end script
# Post stop actions
post-stop script
rm "/var/run/{{ program_name }}/{{ program_name }}.pid"
end script
# Run the start up job
exec start-stop-daemon --start \
--make-pidfile \
--pidfile /var/run/{{ program_name }}/{{ program_name }}.pid \
--exec "{{ program_override|default('$RUNBIN') }}" \
-- --ini "/etc/uwsgi/{{ program_name }}.ini" \
--logto /var/log/keystone/{{ program_name }}.log \
-- {{ program_config_options|default('') }}