Update Glance service to Kilo

To support a future release target deploying OpenStack Kilo release this
change applies the changes required to provide an updated role for
new deploys of Glance configured to run with the Kilo release.

Highlights:
- added template for glance-manage.conf
- changed api and registry paste.ini files to be templated
- added osprofiler filter to piplines in api and registry paste files

New user secrets:
- glance_profiler_hmac_key added for osprofiler use

New Tunables:
- glance_profiler_enabled for osprofiler use, default 'False'
- glance_http_keepalive for api and registry services, default 'True'
- glance_digest_algorithm for digital signatures, default 'SHA1'
- glance_task_executor for task execution, default 'taskflow'
- glance_policy_dirs & glance_policy_file for alternate policy config
sources, default 'policy.d' and 'policy.json' respectively
- glance_policy_default_rule for policy enforcement, default 'default'

Change-Id: I611a0ce3145861233c81c81084b1648b2b4b4423
Partially implements: blueprint master-kilofication

etc/openstack_deploy/user_secrets.yml

@@ -42,6 +42,7 @@ cinder_profiler_hmac_key:
 ## Glance Options
 glance_container_mysql_password:
 glance_service_password:
+glance_profiler_hmac_key:
 ### Extra options when configuring swift as a glance back-end.
 glance_swift_store_auth_address: "https://some.auth.url.com"
 glance_swift_store_user: "OPENSTACK_TENANT_ID:OPENSTACK_USER_NAME"

playbooks/roles/os_glance/defaults/main.yml

@@ -19,6 +19,7 @@ is_metal: true
 ## Verbosity Options
 debug: False
 verbose: True
+glance_profiler_enabled: False
 glance_fatal_deprecations: False
 
 ## System info
@@ -93,6 +94,14 @@ glance_image_cache_max_size: 10737418240
 # compute the number of api workers to use.
 # glance_registry_workers: 16
 
+glance_task_executor: taskflow
+glance_digest_algorithm: sha1
+glance_http_keepalive: True
+
+## Glance policy
+glance_policy_file: policy.json
+glance_policy_default_rule: default
+glance_policy_dirs: policy.d
 
 ## Define nfs information for glance. When the glance_nfs_client dictionary is
 ## defined it will enable nfs shares as mounted directories. The

playbooks/roles/os_glance/tasks/glance_post_install.yml

@@ -39,8 +39,11 @@
     owner: "{{ glance_system_user_name }}"
     group: "{{ glance_system_group_name }}"
   with_items:
+    - { src: "glance-api-paste.ini.j2", dest: "/etc/glance/glance-api-paste.ini" }
+    - { src: "glance-registry-paste.ini.j2", dest: "/etc/glance/glance-registry-paste.ini" }
     - { src: "glance-api.conf.j2", dest: "/etc/glance/glance-api.conf" }
     - { src: "glance-cache.conf.j2", dest: "/etc/glance/glance-cache.conf" }
+    - { src: "glance-manage.conf.j2", dest: "/etc/glance/glance-manage.conf" }
     - { src: "glance-registry.conf.j2", dest: "/etc/glance/glance-registry.conf" }
     - { src: "glance-scrubber.conf.j2", dest: "/etc/glance/glance-scrubber.conf" }
   notify:
@@ -56,8 +59,6 @@
     owner: "{{ glance_system_user_name }}"
     group: "{{ glance_system_group_name }}"
   with_items:
-    - { src: "glance-api-paste.ini", dest: "/etc/glance/glance-api-paste.ini" }
-    - { src: "glance-registry-paste.ini", dest: "/etc/glance/glance-registry-paste.ini" }
     - { src: "policy.json", dest: "/etc/glance/policy.json" }
     - { src: "schema.json", dest: "/etc/glance/schema.json" }
     - { src: "schema.json", dest: "/etc/glance/schema-image.json" }

playbooks/roles/os_glance/templates/glance-api-paste.ini.j2

@@ -1,38 +1,38 @@
 # Use this pipeline for no auth or image caching - DEFAULT
 [pipeline:glance-api]
-pipeline = versionnegotiation unauthenticated-context rootapp
+pipeline = versionnegotiation osprofiler unauthenticated-context rootapp
 
 # Use this pipeline for image caching and no auth
 [pipeline:glance-api-caching]
-pipeline = versionnegotiation unauthenticated-context cache rootapp
+pipeline = versionnegotiation osprofiler unauthenticated-context cache rootapp
 
 # Use this pipeline for caching w/ management interface but no auth
 [pipeline:glance-api-cachemanagement]
-pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp
+pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-api-keystone]
-pipeline = versionnegotiation authtoken context rootapp
+pipeline = versionnegotiation osprofiler authtoken context rootapp
 
 # Use this pipeline for keystone auth with image caching
 [pipeline:glance-api-keystone+caching]
-pipeline = versionnegotiation authtoken context cache rootapp
+pipeline = versionnegotiation osprofiler authtoken context cache rootapp
 
 # Use this pipeline for keystone auth with caching and cache management
 [pipeline:glance-api-keystone+cachemanagement]
-pipeline = versionnegotiation authtoken context cache cachemanage rootapp
+pipeline = versionnegotiation osprofiler authtoken context cache cachemanage rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-api-trusted-auth]
-pipeline = versionnegotiation context rootapp
+pipeline = versionnegotiation osprofiler context rootapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user and uses cache management
 [pipeline:glance-api-trusted-auth+cachemanagement]
-pipeline = versionnegotiation context cache cachemanage rootapp
+pipeline = versionnegotiation osprofiler context cache cachemanage rootapp
 
 [composite:rootapp]
 paste.composite_factory = glance.api:root_app_factory
@@ -70,3 +70,8 @@ delay_auth_decision = true
 
 [filter:gzip]
 paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = {{ glance_profiler_hmac_key }}
+enabled = yes

playbooks/roles/os_glance/templates/glance-api.conf.j2

@@ -11,6 +11,8 @@ fatal_deprecations = {{ glance_fatal_deprecations }}
 use_syslog = False
 bind_host = {{ glance_api_bind_address }}
 bind_port = {{ glance_api_service_port }}
+http_keepalive = {{ glance_http_keepalive }}
+digest_algorithm = {{ glance_digest_algorithm }}
 backlog = 4096
 workers = {{ glance_api_workers | default(api_threads) }}
 registry_host = {{ glance_registry_host }}
@@ -43,6 +45,9 @@ scrub_time = 43200
 scrubber_datadir = {{ glance_system_user_home }}/scrubber/
 image_cache_dir = {{ glance_system_user_home }}/cache/
 
+[task]
+task_executor = {{ glance_task_executor }}
+
 [database]
 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8
 
@@ -66,6 +71,11 @@ memcache_secret_key = {{ memcached_encryption_key }}
 # if your keystone deployment uses PKI, and you value security over performance:
 check_revocations_for_cached = False
 
+[oslo_policy]
+policy_file = {{ glance_policy_file }}
+policy_default_rule = {{ glance_policy_default_rule }}
+policy_dirs = {{ glance_policy_dirs }}
+
 [paste_deploy]
 flavor = {{ glance_flavor }}
 
@@ -88,3 +98,6 @@ swift_store_large_object_chunk_size = {{ glance_swift_store_large_object_chunk_s
 swift_store_retry_get_count = 5
 swift_store_endpoint_type = {{ glance_swift_store_endpoint_type }}
 {% endif %}
+
+[profiler]
+enabled = {{ glance_profiler_enabled }}

playbooks/roles/os_glance/templates/glance-manage.conf.j2

@@ -0,0 +1,9 @@
+[DEFAULT]
+verbose = {{ verbose }}
+debug = {{ debug }}
+log_file = /var/log/glance/glance-manage.log
+fatal_deprecations = {{ glance_fatal_deprecations }}
+use_syslog = False
+
+[database]
+connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8

playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2

@@ -1,16 +1,16 @@
 # Use this pipeline for no auth - DEFAULT
 [pipeline:glance-registry]
-pipeline = unauthenticated-context registryapp
+pipeline = osprofiler unauthenticated-context registryapp
 
 # Use this pipeline for keystone auth
 [pipeline:glance-registry-keystone]
-pipeline = authtoken context registryapp
+pipeline = osprofiler authtoken context registryapp
 
 # Use this pipeline for authZ only. This means that the registry will treat a
 # user as authenticated without making requests to keystone to reauthenticate
 # the user.
 [pipeline:glance-registry-trusted-auth]
-pipeline = context registryapp
+pipeline = osprofiler context registryapp
 
 [app:registryapp]
 paste.app_factory = glance.registry.api:API.factory
@@ -23,3 +23,8 @@ paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddl
 
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+
+[filter:osprofiler]
+paste.filter_factory = osprofiler.web:WsgiMiddleware.factory
+hmac_keys = {{ glance_profiler_hmac_key }}
+enabled = yes

playbooks/roles/os_glance/templates/glance-registry.conf.j2

@@ -11,6 +11,7 @@ log_file = /var/log/glance/glance-registry.log
 use_syslog = False
 bind_host = {{ glance_registry_bind_address }}
 bind_port = {{ glance_registry_service_port }}
+http_keepalive = {{ glance_http_keepalive }}
 backlog = 4096
 workers = {{ glance_registry_workers | default(api_threads) }}
 api_limit_max = 1000
@@ -39,5 +40,13 @@ memcache_secret_key = {{ memcached_encryption_key }}
 # if your keystone deployment uses PKI, and you value security over performance:
 check_revocations_for_cached = False
 
+[oslo_policy]
+policy_file = {{ glance_policy_file }}
+policy_default_rule = {{ glance_policy_default_rule }}
+policy_dirs = {{ glance_policy_dirs }}
+
 [paste_deploy]
 flavor = keystone
+
+[profiler]
+enabled = {{ glance_profiler_enabled }}