diff --git a/defaults/main.yml b/defaults/main.yml index 3ed206e6..2239e13d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -180,20 +180,13 @@ keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_ ## Set this value to override the "public_endpoint" keystone.conf variable #keystone_public_endpoint: "{{ keystone_service_publicuri }}" -# This is the web server that will handle all requests and will act as a +# Apache web server will handle all requests and will act as a # reverse proxy to uWSGI. If internal TLS/SSL certificates are configured, # they are implemented in this web server's configuration. Using a web server # for endpoints is far better for scale and allows the use of additional # modules to improve performance or security, leaving uWSGI to only have # to be used for running the service. # -# Note: -# The default is nginx, but apache will be used if Keystone is configured -# as a Federated Service provider. -# TODO (odyssey4me): Convert the SP implementation to use nginx instead -# so that we do not have to be concerned with multiple web servers. -# -keystone_web_server: "{{ (keystone_sp != {}) | ternary('apache', 'nginx') }}" keystone_web_server_bind_address: "{{ openstack_service_bind_address | default('0.0.0.0') }}" ## security.txt 
@@ -216,26 +209,15 @@ keystone_apache_serversignature: "Off" ## Apache MPM tunables keystone_httpd_mpm_backend: event +keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}" keystone_httpd_mpm_start_servers: 2 keystone_httpd_mpm_min_spare_threads: 25 keystone_httpd_mpm_max_spare_threads: 75 keystone_httpd_mpm_thread_limit: 64 keystone_httpd_mpm_thread_child: 25 -keystone_httpd_mpm_max_requests: 150 +keystone_httpd_mpm_max_requests: "{{ keystone_httpd_mpm_server_limit * keystone_httpd_mpm_thread_child }}" keystone_httpd_mpm_max_conn_child: 0 -## Centos NGINX repository options -keystone_centos_nginx_mirror: "{{ centos_nginx_mirror | default('http://nginx.org/packages/centos/7/$basearch/') }}" -keystone_centos_nginx_key: "{{ centos_nginx_key | default('http://nginx.org/keys/nginx_signing.key') }}" - -## Nginx setup -keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"' -keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time' -keystone_nginx_ports: - keystone-wsgi-public: "{{ keystone_service_port }}" -keystone_nginx_extra_conf: - - keepalive_timeout 70; - ## uWSGI setup keystone_wsgi_threads: 1 ## Cap the maximun number of processes when a user value is unspecified. @@ -255,7 +237,7 @@ keystone_ssl: false keystone_ssl_cert: /etc/ssl/certs/keystone.pem keystone_ssl_key: /etc/ssl/private/keystone.key keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem -keystone_ssl_protocol: "{{ (keystone_web_server == 'nginx') | ternary('TLSv1.2', 'ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}" +keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1" keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" # if using a self-signed certificate, set this to true to regenerate it 
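Review bot: `keystone_httpd_mpm_max_requests` multiplies two templated values without casting them; Ansible normally coerces int-looking render results, but the expression silently depends on that, and a non-numeric override would surface only as a broken MPM directive at httpd start. Writing it as `keystone_httpd_mpm_max_requests: "{{ (keystone_httpd_mpm_server_limit | int) * (keystone_httpd_mpm_thread_child | int) }}"` states the intent and no longer relies on the coercion. Since `ServerLimit` is now derived from `keystone_wsgi_processes` while `StartServers`, `MinSpareThreads` and `MaxSpareThreads` keep fixed defaults, it is worth confirming on a small host that the derived limit does not drop below those values — as far as I recall the event MPM only logs a warning and adjusts at startup, which is easy to miss. The same variables feed the `ServerLimit` line added to `templates/keystone-httpd-mpm.conf.j2` later in this diff, so a one-line comment above `keystone_httpd_mpm_server_limit` noting that it tracks the uWSGI process count would help the next reader.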
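Review bot: `keystone_ssl_protocol` now always carries the mod_ssl form, and its `-TLSv1.0` token does not match mod_ssl's documented protocol keywords, which name TLS 1.0 as `TLSv1` (the documented set is `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`, `all`); assuming `keystone-httpd.conf.j2` renders this value into `SSLProtocol`, I would expect httpd to reject the directive as an illegal protocol once `keystone_ssl` is enabled. `keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"` is the equivalent spelling. This string was previously reached only on the Apache path, so it may never have been exercised with TLS enabled in CI — a quick `apachectl configtest` with `keystone_ssl: true` would settle it. Because the same variable used to be fed to nginx as `TLSv1.2`, the deprecation note could also tell users who overrode it with the nginx spelling that the mod_ssl syntax is now required.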
diff --git a/files/nginx.conf b/files/nginx.conf deleted file mode 100644 index ca04a5ec..00000000 --- a/files/nginx.conf +++ /dev/null @@ -1,43 +0,0 @@ -user nginx nginx; -worker_processes 1; - -error_log /var/log/nginx/error_log info; - -events { - worker_connections 1024; - use epoll; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main - '$remote_addr - $remote_user [$time_local] ' - '"$request" $status $bytes_sent ' - '"$http_referer" "$http_user_agent" ' - '"$gzip_ratio"'; - - client_header_timeout 10m; - client_body_timeout 10m; - send_timeout 10m; - - connection_pool_size 256; - client_header_buffer_size 1k; - large_client_header_buffers 4 2k; - request_pool_size 4k; - - gzip off; - - output_buffers 1 32k; - postpone_output 1460; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - - keepalive_timeout 75 20; - - ignore_invalid_headers on; - include /etc/nginx/sites-available/*.conf; -} diff --git a/handlers/main.yml b/handlers/main.yml index 44f14ac5..57a4adb0 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -15,7 +15,7 @@ - name: Restart web server service: - name: "{{ (keystone_web_server == 'apache') | ternary(keystone_system_service_name, 'nginx') }}" + name: "{{ keystone_system_service_name }}" enabled: yes state: restarted daemon_reload: "{{ (ansible_facts['service_mgr'] == 'systemd') | ternary('yes', omit) }}" diff --git a/releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml b/releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml new file mode 100644 index 00000000..e5413484 --- /dev/null +++ b/releasenotes/notes/keystone_drop_nginx-5e7791d22f0be48a.yaml 
@@ -0,0 +1,16 @@ +--- +deprecations: + - | + We removed multiple web server support for keystone and left only Apache + since nginx is missing features required for federation setup. + With this change following variables are deprecated and have no effect: + + * keystone_web_server + * keystone_centos_nginx_mirror + * keystone_centos_nginx_key + * keystone_nginx_access_log_format_combined + * keystone_nginx_access_log_format_extras + * keystone_nginx_ports + * keystone_nginx_extra_conf + + Nginx web server will be removed and replaced with Apache during upgrade. diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index 98de9608..ef9f043f 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml 
@@ -47,48 +47,45 @@ - ansible_facts['pkg_mgr'] == 'dnf' - keystone_sp != {} -- name: Add NGINX repository keys - rpm_key: - key: "{{ keystone_centos_nginx_key }}" - state: present - when: - - ansible_facts['pkg_mgr'] == 'dnf' - - keystone_web_server == 'nginx' - register: add_nginx_key - until: add_nginx_key is success - retries: 5 - delay: 2 +# TODO(noonedeadpunk): Remove nginx-related changes in Y release +- name: Remove nginx keystone vhost configuration + file: + path: "/etc/nginx/{{ (ansible_facts['os_family'] | lower == 'debian') | ternary('sites-available', 'conf.d') }}/{{ item }}.conf" + state: absent + with_items: "{{ keystone_services.keys() | list }}" + register: nginx_vhosts -- name: Add NGINX repository - yum_repository: - name: nginx - description: 'nginx repo' - baseurl: "{{ keystone_centos_nginx_mirror }}" - when: - - ansible_facts['pkg_mgr'] == 'dnf' - - keystone_web_server == 'nginx' - register: add_nginx_repo - until: add_nginx_repo is success - retries: 5 - delay: 2 +- name: Remove nginx symlink for vhost configuration + file: + path: /etc/nginx/sites-enabled/{{ item }}.conf + state: absent + with_items: "{{ keystone_services.keys() | list }}" + when: ansible_facts['os_family'] == "Debian" + +- name: Reload nginx if needed + service: + name: "nginx" + state: restarted + failed_when: false + when: nginx_vhosts is changed # If the web server being removed was never installed, this task will fail when trying # to stop/disable it. The task is therefore set to never fail. 
-- name: Ensure other web server is not running/enabled - service: - name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_system_service_name, 'nginx') }}" - enabled: no - state: stopped - daemon_reload: "yes" - failed_when: false +- name: Remove nginx web server + when: "('repo_all' in groups and inventory_hostname not in groups['repo_all']) or ('repo_all' not in groups)" + block: + - name: Ensure nginx web server is not running/enabled + service: + name: "nginx" + enabled: no + state: stopped + failed_when: false -- name: Remove other web server distro packages and mod_wsgi - package: - name: "{{ (keystone_web_server == 'nginx') | ternary(keystone_apache_distro_packages, keystone_nginx_distro_packages) }}" - state: absent - autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}" - when: "(is_metal is undefined) or - not (is_metal | bool)" + - name: Remove nginx server distro packages + package: + name: "nginx" + state: absent + autoremove: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}" - name: Install distro packages package: diff --git a/tasks/keystone_nginx.yml b/tasks/keystone_nginx.yml deleted file mode 100644 index 5d00877f..00000000 --- a/tasks/keystone_nginx.yml +++ /dev/null 
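Review bot: The new `Remove nginx web server` block drops the `is_metal` guard the replaced task carried (`(is_metal is undefined) or not (is_metal | bool)`), so on bare-metal hosts outside `repo_all` the nginx package is now stopped and purged unconditionally; if anything else on a shared metal host relies on nginx, that is a disruptive side effect that should either keep the guard or be called out in the release note. The `Reload nginx if needed` task actually performs `state: restarted`; on a `repo_all` host that keeps nginx, `state: reloaded` is enough to drop the removed vhost and avoids interrupting in-flight repo downloads, and it also matches the task's name. The two vhost-removal tasks test the OS family in different forms (`| lower == 'debian'` versus `== "Debian"`); picking one reads more consistently. The hunk ends inside the `Install distro packages` task, which continues outside it.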
@@ -1,95 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Ensure Apache is not running - service: - name: "{{ keystone_system_service_name }}" - state: stopped - failed_when: false - when: ('horizon_all' in groups and inventory_hostname not in groups['horizon_all']) or ('horizon_all' not in groups) - -- name: Disable default configuration - file: - path: /etc/nginx/sites-enabled/default - state: absent - notify: - - Manage LB - - Restart web server - -- name: Remove default nginx config - file: - path: /etc/nginx/conf.d/default.conf - state: absent - notify: - - Manage LB - - Restart web server - -- name: Ensure configuration directories exist - file: - path: "{{ item }}" - state: directory - with_items: - - "/etc/nginx/{{ keystone_nginx_conf_path }}" - - "/etc/nginx/conf.d" - -- name: Configure custom nginx log format - copy: - # NOTE(odyssey4me): - # To cater for the situation where there are no containers, or - # nginx is shared in some way, it's better to add custom directives - # for nginx.conf into a conf.d file. That way it's never overwritten. 
- content: | - # Ansible managed - log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}'; - dest: "/etc/nginx/conf.d/custom_log.conf" - notify: - - Manage LB - - Restart web server - -# Configure app -- name: Configure virtual hosts - template: - src: keystone_nginx.conf.j2 - dest: "/etc/nginx/{{ keystone_nginx_conf_path }}/{{ item }}.conf" - with_items: "{{ keystone_services.keys() | list }}" - notify: - - Manage LB - - Restart web server - -- name: Link to enable virtual hosts - file: - src: "/etc/nginx/sites-available/{{ item }}.conf" - path: "/etc/nginx/sites-enabled/{{ item }}.conf" - state: link - with_items: "{{ keystone_services.keys() | list }}" - when: ansible_facts['os_family'] == "Debian" - notify: - - Manage LB - - Restart web server - -- name: Ensure nginx does not listen on 80 port - replace: - path: /etc/nginx/nginx.conf - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - validate: nginx -t -c %s - with_items: - - regexp: '(\s+listen\s+)[\[,\],:]+80' - replace: '\1 [::1]:8008' - - regexp: '(\s+listen\s+)80' - replace: '\1 127.0.0.1:8008' - notify: - - Manage LB - - Restart web server diff --git a/tasks/main.yml b/tasks/main.yml index 04102c97..97a955b0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -153,7 +153,7 @@ tags: - keystone-config -- import_tasks: "keystone_{{ keystone_web_server }}.yml" +- import_tasks: "keystone_apache.yml" tags: - keystone-config diff --git a/templates/keystone-httpd-mpm.conf.j2 b/templates/keystone-httpd-mpm.conf.j2 index 925b1fbb..17ba32de 100644 --- a/templates/keystone-httpd-mpm.conf.j2 +++ b/templates/keystone-httpd-mpm.conf.j2 @@ -1,4 +1,5 @@ + ServerLimit {{ keystone_httpd_mpm_server_limit }} StartServers {{ keystone_httpd_mpm_start_servers }} MinSpareThreads {{ keystone_httpd_mpm_min_spare_threads }} MaxSpareThreads {{ keystone_httpd_mpm_max_spare_threads }} 
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index 75f65e29..b2efc645 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 @@ -1,6 +1,6 @@ # {{ ansible_managed }} -Listen {{ keystone_service_port }} +Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }} = 2.4> diff --git a/templates/keystone_nginx.conf.j2 b/templates/keystone_nginx.conf.j2 deleted file mode 100644 index daa12392..00000000 --- a/templates/keystone_nginx.conf.j2 +++ /dev/null 
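Review bot: The new `Listen` line joins address and port with a bare colon, which is only valid for IPv4; if `keystone_web_server_bind_address` (or the `openstack_service_bind_address` it defaults from) is ever an IPv6 address, Apache requires the bracketed form `Listen [addr]:port`. Wrapping the address, `Listen {{ keystone_web_server_bind_address | ipwrap }}:{{ keystone_service_port }}`, handles both families if the netaddr-backed filter is acceptable in this role; otherwise a short `{% if ':' in keystone_web_server_bind_address %}` branch achieves the same. Binding to a configured address instead of every interface is a worthwhile hardening step, so a comment above the directive noting that the `0.0.0.0` default preserves the previous behaviour would help operators reading the rendered config. The `= 2.4>` fragment that follows looks like an `IfVersion` block whose markup was lost in rendering, so that part of the template is not reviewable here.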
@@ -1,57 +0,0 @@ -# {{ ansible_managed }} -server { - - listen {{ keystone_web_server_bind_address }}:{{ keystone_nginx_ports[item] }}; - - {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %} - ssl on; - ssl_protocols {{ keystone_ssl_protocol }}; - ssl_certificate {{ keystone_ssl_cert }}; - ssl_certificate_key {{ keystone_ssl_key }}; - ssl_trusted_certificate {{ keystone_ssl_ca_cert }}; - ssl_ciphers {{ keystone_ssl_cipher_suite }}; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:2m; - ssl_session_timeout 2m; - {%- endif %} - - {% for line in keystone_nginx_extra_conf %} - {{ line }} - {%- endfor %} - - error_log syslog:server=unix:/dev/log; - access_log syslog:server=unix:/dev/log; - - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "default-src 'self' https: wss:;"; - add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }}; - - real_ip_header X-Forwarded-For; - {% for ip in keystone_set_real_ip_from %} - set_real_ip_from {{ ip }}; - {%- endfor %} - - {% if keystone_security_txt_content is defined %} - location /security.txt { - alias {{ keystone_security_txt_dir }}/security.txt; - } - - location /.well-known/security.txt { - alias {{ keystone_security_txt_dir }}/security.txt; - } - {%- endif %} - - location / { - try_files $uri @yourapplication; - } - - location @yourapplication { - include /etc/nginx/uwsgi_params; - uwsgi_pass 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }}; - uwsgi_param SCRIPT_NAME ''; -{% for header in keystone_extra_headers %} - add_header "{{ header['parameter'] }}" "{{ header['value'] }}"; -{% endfor %} - } -} diff --git a/vars/debian.yml b/vars/debian.yml index 7da9488f..d43e1e07 100644 --- a/vars/debian.yml +++ b/vars/debian.yml 
@@ -48,9 +48,6 @@ keystone_apache_distro_packages: - apache2-utils - libapache2-mod-proxy-uwsgi -keystone_nginx_distro_packages: - - nginx-extras - keystone_idp_distro_packages: - ssl-cert - xmlsec1 @@ -99,8 +96,6 @@ keystone_apache_modules: # - name: "mod_journald" # state: "present -keystone_nginx_conf_path: "sites-available" - keystone_system_service_name: apache2 keystone_uwsgi_bin: '/usr/bin' diff --git a/vars/distro_install.yml b/vars/distro_install.yml index 9170ee1b..11f47945 100644 --- a/vars/distro_install.yml +++ b/vars/distro_install.yml @@ -19,14 +19,9 @@ # enabled. # keystone_package_list: |- - {% set packages = keystone_distro_packages %} - {% if keystone_web_server == 'apache' %} - {% set _ = packages.extend(keystone_apache_distro_packages) %} - {% if keystone_idp != {} %} - {% set _ = packages.extend(keystone_idp_distro_packages) %} - {% endif %} - {% else %} - {% set _ = packages.extend(keystone_nginx_distro_packages) %} + {% set packages = keystone_distro_packages + keystone_apache_distro_packages %} + {% if keystone_idp != {} %} + {% set _ = packages.extend(keystone_idp_distro_packages) %} {% endif %} {% if keystone_oslomsg_amqp1_enabled | bool %} {% set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %} diff --git a/vars/redhat.yml b/vars/redhat.yml index bcda4b00..6461b95d 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -43,9 +43,6 @@ keystone_apache_distro_packages: - httpd-tools - mod_ssl -keystone_nginx_distro_packages: - - nginx - keystone_idp_distro_packages: - xmlsec1 @@ -79,8 +76,6 @@ keystone_apache_configs: - { src: "keystone-httpd.conf.j2", dest: "/etc/httpd/conf.d/keystone-httpd.conf" } - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/httpd/conf.modules.d/mpm_{{ keystone_httpd_mpm_backend }}.conf" } -keystone_nginx_conf_path: "conf.d" - keystone_system_service_name: httpd keystone_uwsgi_bin: '/usr/sbin' diff --git a/vars/source_install.yml b/vars/source_install.yml index 2bab1adf..4795e8aa 100644 
--- a/vars/source_install.yml +++ b/vars/source_install.yml @@ -19,14 +19,9 @@ # enabled. # keystone_package_list: |- - {% set packages = keystone_distro_packages %} - {% if keystone_web_server == 'apache' %} - {% set _ = packages.extend(keystone_apache_distro_packages) %} - {% if keystone_idp != {} %} - {% set _ = packages.extend(keystone_idp_distro_packages) %} - {% endif %} - {% else %} - {% set _ = packages.extend(keystone_nginx_distro_packages) %} + {% set packages = keystone_distro_packages + keystone_apache_distro_packages %} + {% if keystone_idp != {} %} + {% set _ = packages.extend(keystone_idp_distro_packages) %} {% endif %} {% if keystone_oslomsg_amqp1_enabled | bool %} {% set _ = packages.extend(keystone_oslomsg_amqp1_distro_packages) %} diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml index b8887cf8..8c0524a4 100644 --- a/vars/ubuntu-18.04.yml +++ b/vars/ubuntu-18.04.yml @@ -48,9 +48,6 @@ keystone_apache_distro_packages: - apache2-utils - libapache2-mod-proxy-uwsgi -keystone_nginx_distro_packages: - - nginx-extras - keystone_idp_distro_packages: - ssl-cert - xmlsec1 @@ -99,8 +96,6 @@ keystone_apache_modules: # - name: "mod_journald" # state: "present -keystone_nginx_conf_path: "sites-available" - keystone_system_service_name: apache2 keystone_uwsgi_bin: '/usr/bin'