openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

Drop Nginx webserver support

Browse Source 
There is no reason to support multiple web servers as a proxy for
keystone. Nginx is missing modules to support federation. With it's
removal we simplify code and reduce maintaining efforts needed.

Change-Id: Ib3f90a72dfc8f78cf304b0f130883befdeb09220
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/818674
This commit is contained in:
Dmitriy Rabotyagov 2021-11-10 13:54:03 +02:00 committed by Dmitriy Rabotyagov
parent eeef3a48f4
commit eb9a0c6cea
15 changed files with 64 additions and 288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
defaults/main.yml
View File

@ -180,20 +180,13 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_
## Set this value to override the "public_endpoint" keystone.conf variable
#keystone_public_endpoint: "{{ keystone_service_publicuri }}"
# This is the web server that will handle all requests and will act as a
# Apache web server will handle all requests and will act as a
# reverse proxy to uWSGI. If internal TLS/SSL certificates are configured,
# they are implemented in this web server's configuration. Using a web server
# for endpoints is far better for scale and allows the use of additional
# modules to improve performance or security, leaving uWSGI to only have
# to be used for running the service.
#
# Note:
# The default is nginx, but apache will be used if Keystone is configured
# as a Federated Service provider.
# TODO (odyssey4me): Convert the SP implementation to use nginx instead
# so that we do not have to be concerned with multiple web servers.
#
keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}"
keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}"
## security.txt
@ -216,26 +209,15 @@ keystone_apache_serversignature: "Off"
## Apache MPM tunables
keystone_httpd_mpm_backend: event
keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25
keystone_httpd_mpm_max_spare_threads: 75
keystone_httpd_mpm_thread_limit: 64
keystone_httpd_mpm_thread_child: 25
keystone_httpd_mpm_max_requests: 150
keystone_httpd_mpm_max_requests: "{{ keystone_httpd_mpm_server_limit * keystone_httpd_mpm_thread_child }}"
keystone_httpd_mpm_max_conn_child: 0
## Centos NGINX repository options
keystone_centos_nginx_mirror: "{{ centos_nginx_mirror | default('http://nginx.org/packages/centos/7/$basearch/') }}"
keystone_centos_nginx_key: "{{ centos_nginx_key | default('http://nginx.org/keys/nginx_signing.key') }}"
## Nginx setup
keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
keystone_nginx_ports:
keystone-wsgi-public: "{{ keystone_service_port }}"
keystone_nginx_extra_conf:
- keepalive_timeout 70;
## uWSGI setup
keystone_wsgi_threads: 1
## Cap the maximun number of processes when a user value is unspecified.
@ -255,7 +237,7 @@ keystone_ssl: false
keystone_ssl_cert: /etc/ssl/certs/keystone.pem
keystone_ssl_key: /etc/ssl/private/keystone.key
keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
# if using a self-signed certificate, set this to true to regenerate it

43
files/nginx.conf
View File

@ -1,43 +0,0 @@
user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error_log info;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip off;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
include /etc/nginx/sites-available/*.conf;
}

2
handlers/main.yml
View File

@ -15,7 +15,7 @@
- name: Restart web server
service:
name: "{{ (keystone_web_server == 'apache') | ternary(keystone_system_service_name, 'nginx') }}"
name: "{{ keystone_system_service_name }}"
enabled: yes
state: restarted
daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}"

16
releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml Normal file
View File

@ -0,0 +1,16 @@
---
deprecations:
- |
We removed multiple web server support for keystone and left only Apache
since nginx is missing features required for federation setup.
With this change following variables are deprecated and have no effect:
* keystone_web_server
* keystone_centos_nginx_mirror
* keystone_centos_nginx_key
* keystone_nginx_access_log_format_combined
* keystone_nginx_access_log_format_extras
* keystone_nginx_ports
* keystone_nginx_extra_conf
Nginx web server will be removed and replaced with Apache during upgrade.

71
tasks/keystone_install.yml
View File

@ -47,48 +47,45 @@
- ansible_facts['pkg_mgr'] == 'dnf'
- keystone_sp != {}
- name: Add NGINX repository keys
rpm_key:
key: "{{ keystone_centos_nginx_key }}"
state: present
when:
- ansible_facts['pkg_mgr'] == 'dnf'
- keystone_web_server == 'nginx'
register: add_nginx_key
until: add_nginx_key is success
retries: 5
delay: 2
# TODO(noonedeadpunk): Remove nginx-related changes in Y release
- name: Remove nginx keystone vhost configuration
file:
path: "/etc/nginx/{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('sites-available', 'conf.d') }}/{{ item }}.conf"
state: absent
with_items: "{{ keystone_services.keys() | list }}"
register: nginx_vhosts
- name: Add NGINX repository
yum_repository:
name: nginx
description: 'nginx repo'
baseurl: "{{ keystone_centos_nginx_mirror }}"
when:
- ansible_facts['pkg_mgr'] == 'dnf'
- keystone_web_server == 'nginx'
register: add_nginx_repo
until: add_nginx_repo is success
retries: 5
delay: 2
- name: Remove nginx symlink for vhost configuration
file:
path: /etc/nginx/sites-enabled/{{ item }}.conf
state: absent
with_items: "{{ keystone_services.keys() | list }}"
when: ansible_facts['os_family'] == "Debian"
- name: Reload nginx if needed
service:
name: "nginx"
state: restarted
failed_when: false
when: nginx_vhosts is changed
# If the web server being removed was never installed, this task will fail when trying
# to stop/disable it. The task is therefore set to never fail.
- name: Ensure other web server is not running/enabled
service:
name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_system_service_name, 'nginx') }}"
enabled: no
state: stopped
daemon_reload: "yes"
failed_when: false
- name: Remove nginx web server
when: "('repo_all' in groups and inventory_hostname not in groups['repo_all']) or ('repo_all' not in groups)"
block:
- name: Ensure nginx web server is not running/enabled
service:
name: "nginx"
enabled: no
state: stopped
failed_when: false
- name: Remove other web server distro packages and mod_wsgi
package:
name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_apache_distro_packages, keystone_nginx_distro_packages) }}"
state: absent
autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
when: "(is_metal is undefined) or
not (is_metal | bool)"
- name: Remove nginx server distro packages
package:
name: "nginx"
state: absent
autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
- name: Install distro packages
package:

95
tasks/keystone_nginx.yml
View File

@ -1,95 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Apache is not running
service:
name: "{{ keystone_system_service_name }}"
state: stopped
failed_when: false
when: ('horizon_all' in groups and inventory_hostname not in groups['horizon_all']) or ('horizon_all' not in groups)
- name: Disable default configuration
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify:
- Manage LB
- Restart web server
- name: Remove default nginx config
file:
path: /etc/nginx/conf.d/default.conf
state: absent
notify:
- Manage LB
- Restart web server
- name: Ensure configuration directories exist
file:
path: "{{ item }}"
state: directory
with_items:
- "/etc/nginx/{{ keystone_nginx_conf_path }}"
- "/etc/nginx/conf.d"
- name: Configure custom nginx log format
copy:
# NOTE(odyssey4me):
# To cater for the situation where there are no containers, or
# nginx is shared in some way, it's better to add custom directives
# for nginx.conf into a conf.d file. That way it's never overwritten.
content: |
# Ansible managed
log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}';
dest: "/etc/nginx/conf.d/custom_log.conf"
notify:
- Manage LB
- Restart web server
# Configure app
- name: Configure virtual hosts
template:
src: keystone_nginx.conf.j2
dest: "/etc/nginx/{{ keystone_nginx_conf_path }}/{{ item }}.conf"
with_items: "{{ keystone_services.keys() | list }}"
notify:
- Manage LB
- Restart web server
- name: Link to enable virtual hosts
file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
path: "/etc/nginx/sites-enabled/{{ item }}.conf"
state: link
with_items: "{{ keystone_services.keys() | list }}"
when: ansible_facts['os_family'] == "Debian"
notify:
- Manage LB
- Restart web server
- name: Ensure nginx does not listen on 80 port
replace:
path: /etc/nginx/nginx.conf
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
validate: nginx -t -c %s
with_items:
- regexp: '(\s+listen\s+)[\[,\],:]+80'
replace: '\1 [::1]:8008'
- regexp: '(\s+listen\s+)80'
replace: '\1 127.0.0.1:8008'
notify:
- Manage LB
- Restart web server

2
tasks/main.yml
View File

@ -153,7 +153,7 @@
tags:
- keystone-config
- import_tasks: "keystone_{{ keystone_web_server }}.yml"
- import_tasks: "keystone_apache.yml"
tags:
- keystone-config

1
templates/keystone-httpd-mpm.conf.j2
View File

@ -1,4 +1,5 @@
<IfModule mpm_{{ keystone_httpd_mpm_backend }}_module>
ServerLimit {{ keystone_httpd_mpm_server_limit }}
StartServers {{ keystone_httpd_mpm_start_servers }}
MinSpareThreads {{ keystone_httpd_mpm_min_spare_threads }}
MaxSpareThreads {{ keystone_httpd_mpm_max_spare_threads }}

2
templates/keystone-httpd.conf.j2
View File

@ -1,6 +1,6 @@
# {{ ansible_managed }}
Listen {{ keystone_service_port }}
Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
<VirtualHost {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}>
<IfVersion >= 2.4>

57
templates/keystone_nginx.conf.j2
View File

@ -1,57 +0,0 @@
# {{ ansible_managed }}
server {
listen {{ keystone_web_server_bind_address }}:{{ keystone_nginx_ports[item] }};
{% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
ssl on;
ssl_protocols {{ keystone_ssl_protocol }};
ssl_certificate {{ keystone_ssl_cert }};
ssl_certificate_key {{ keystone_ssl_key }};
ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
ssl_ciphers {{ keystone_ssl_cipher_suite }};
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:2m;
ssl_session_timeout 2m;
{%- endif %}
{% for line in keystone_nginx_extra_conf %}
{{ line }}
{%- endfor %}
error_log syslog:server=unix:/dev/log;
access_log syslog:server=unix:/dev/log;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self' https: wss:;";
add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};
real_ip_header X-Forwarded-For;
{% for ip in keystone_set_real_ip_from %}
set_real_ip_from {{ ip }};
{%- endfor %}
{% if keystone_security_txt_content is defined %}
location /security.txt {
alias {{ keystone_security_txt_dir }}/security.txt;
}
location /.well-known/security.txt {
alias {{ keystone_security_txt_dir }}/security.txt;
}
{%- endif %}
location / {
try_files $uri @yourapplication;
}
location @yourapplication {
include /etc/nginx/uwsgi_params;
uwsgi_pass 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
uwsgi_param SCRIPT_NAME '';
{% for header in keystone_extra_headers %}
add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
{% endfor %}
}
}

5
vars/debian.yml
View File

@ -48,9 +48,6 @@ keystone_apache_distro_packages:
- apache2-utils
- libapache2-mod-proxy-uwsgi
keystone_nginx_distro_packages:
- nginx-extras
keystone_idp_distro_packages:
- ssl-cert
- xmlsec1
@ -99,8 +96,6 @@ keystone_apache_modules:
# - name: "mod_journald"
# state: "present
keystone_nginx_conf_path: "sites-available"
keystone_system_service_name: apache2
keystone_uwsgi_bin: '/usr/bin'

11
vars/distro_install.yml
View File

@ -19,14 +19,9 @@
# enabled.
#
keystone_package_list: |-
{% set packages = keystone_distro_packages %}
{% if keystone_web_server == 'apache' %}
{% set _ = packages.extend(keystone_apache_distro_packages) %}
{% if keystone_idp != {} %}
{% set _ = packages.extend(keystone_idp_distro_packages) %}
{% endif %}
{% else %}
{% set _ = packages.extend(keystone_nginx_distro_packages) %}
{% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
{% if keystone_idp != {} %}
{% set _ = packages.extend(keystone_idp_distro_packages) %}
{% endif %}
{% if keystone_oslomsg_amqp1_enabled | bool %}
{% set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %}

5
vars/redhat.yml
View File

@ -43,9 +43,6 @@ keystone_apache_distro_packages:
- httpd-tools
- mod_ssl
keystone_nginx_distro_packages:
- nginx
keystone_idp_distro_packages:
- xmlsec1
@ -79,8 +76,6 @@ keystone_apache_configs:
- { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_nginx_conf_path: "conf.d"
keystone_system_service_name: httpd
keystone_uwsgi_bin: '/usr/sbin'

11
vars/source_install.yml
View File

@ -19,14 +19,9 @@
# enabled.
#
keystone_package_list: |-
{% set packages = keystone_distro_packages %}
{% if keystone_web_server == 'apache' %}
{% set _ = packages.extend(keystone_apache_distro_packages) %}
{% if keystone_idp != {} %}
{% set _ = packages.extend(keystone_idp_distro_packages) %}
{% endif %}
{% else %}
{% set _ = packages.extend(keystone_nginx_distro_packages) %}
{% set packages = keystone_distro_packages + keystone_apache_distro_packages %}
{% if keystone_idp != {} %}
{% set _ = packages.extend(keystone_idp_distro_packages) %}
{% endif %}
{% if keystone_oslomsg_amqp1_enabled | bool %}
{% set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %}

5
vars/ubuntu-18.04.yml
View File

@ -48,9 +48,6 @@ keystone_apache_distro_packages:
- apache2-utils
- libapache2-mod-proxy-uwsgi
keystone_nginx_distro_packages:
- nginx-extras
keystone_idp_distro_packages:
- ssl-cert
- xmlsec1
@ -99,8 +96,6 @@ keystone_apache_modules:
# - name: "mod_journald"
# state: "present
keystone_nginx_conf_path: "sites-available"
keystone_system_service_name: apache2
keystone_uwsgi_bin: '/usr/bin'