From b657861a450c72dc54eb687e0b7f02fb19a65abc Mon Sep 17 00:00:00 2001 From: Steve Lewis Date: Thu, 26 Mar 2015 14:40:50 -0700 Subject: [PATCH] Update Glance service to Kilo To support a future release target deploying OpenStack Kilo release this change applies the changes required to provide an updated role for new deploys of Glance configured to run with the Kilo release. Highlights: - added template for glance-manage.conf - changed api and registry paste.ini files to be templated - added osprofiler filter to pipelines in api and registry paste files New user secrets: - glance_profiler_hmac_key added for osprofiler use New Tunables: - glance_profiler_enabled for osprofiler use, default 'False' - glance_http_keepalive for api and registry services, default 'True' - glance_digest_algorithm for digital signatures, default 'SHA1' - glance_task_executor for task execution, default 'taskflow' - glance_policy_dirs & glance_policy_file for alternate policy config sources, default 'policy.d' and 'policy.json' respectively - glance_policy_default_rule for policy enforcement, default 'default' Change-Id: I611a0ce3145861233c81c81084b1648b2b4b4423 Partially implements: blueprint master-kilofication --- etc/openstack_deploy/user_secrets.yml | 1 + playbooks/roles/os_glance/defaults/main.yml | 9 ++++++++ .../os_glance/tasks/glance_post_install.yml | 5 +++-- .../glance-api-paste.ini.j2} | 21 ++++++++++++------- .../os_glance/templates/glance-api.conf.j2 | 13 ++++++++++++ .../os_glance/templates/glance-manage.conf.j2 | 9 ++++++++ .../glance-registry-paste.ini.j2} | 11 +++++++--- .../templates/glance-registry.conf.j2 | 9 ++++++++ 8 files changed, 65 insertions(+), 13 deletions(-) rename playbooks/roles/os_glance/{files/glance-api-paste.ini => templates/glance-api-paste.ini.j2} (73%) create mode 100644 playbooks/roles/os_glance/templates/glance-manage.conf.j2 rename playbooks/roles/os_glance/{files/glance-registry-paste.ini => templates/glance-registry-paste.ini.j2} (71%) 
diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index 951b0951fa..652cfb8605 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -42,6 +42,7 @@ cinder_profiler_hmac_key: ## Glance Options glance_container_mysql_password: glance_service_password: +glance_profiler_hmac_key: ### Extra options when configuring swift as a glance back-end. glance_swift_store_auth_address: "https://some.auth.url.com" glance_swift_store_user: "OPENSTACK_TENANT_ID:OPENSTACK_USER_NAME" diff --git a/playbooks/roles/os_glance/defaults/main.yml b/playbooks/roles/os_glance/defaults/main.yml index 824c1191ee..c596825366 100644 --- a/playbooks/roles/os_glance/defaults/main.yml +++ b/playbooks/roles/os_glance/defaults/main.yml @@ -19,6 +19,7 @@ is_metal: true ## Verbosity Options debug: False verbose: True +glance_profiler_enabled: False glance_fatal_deprecations: False ## System info @@ -93,6 +94,14 @@ glance_image_cache_max_size: 10737418240 # compute the number of api workers to use. # glance_registry_workers: 16 +glance_task_executor: taskflow +glance_digest_algorithm: sha1 +glance_http_keepalive: True + +## Glance policy +glance_policy_file: policy.json +glance_policy_default_rule: default +glance_policy_dirs: policy.d ## Define nfs information for glance. When the glance_nfs_client dictionary is ## defined it will enable nfs shares as mounted directories. The diff --git a/playbooks/roles/os_glance/tasks/glance_post_install.yml b/playbooks/roles/os_glance/tasks/glance_post_install.yml index 7ab9983e73..cd1582200a 100644 --- a/playbooks/roles/os_glance/tasks/glance_post_install.yml +++ b/playbooks/roles/os_glance/tasks/glance_post_install.yml 
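Review bot: `glance_digest_algorithm: sha1` in the second defaults/main.yml hunk makes SHA-1 the out-of-the-box digest for what the commit message describes as digital signatures, and SHA-1 is no longer a sound choice for signing. I would ship `glance_digest_algorithm: sha256` and let deployers opt down for compatibility, after confirming that every consumer of the signature in this deployment accepts it. The new tunables also arrive without the explanatory comments the neighbouring defaults carry; a line such as `# Digest algorithm for digital signatures, rendered as digest_algorithm in glance-api.conf` above the variable would tell operators what they are changing.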
@@ -39,8 +39,11 @@ owner: "{{ glance_system_user_name }}" group: "{{ glance_system_group_name }}" with_items: + - { src: "glance-api-paste.ini.j2", dest: "/etc/glance/glance-api-paste.ini" } + - { src: "glance-registry-paste.ini.j2", dest: "/etc/glance/glance-registry-paste.ini" } - { src: "glance-api.conf.j2", dest: "/etc/glance/glance-api.conf" } - { src: "glance-cache.conf.j2", dest: "/etc/glance/glance-cache.conf" } + - { src: "glance-manage.conf.j2", dest: "/etc/glance/glance-manage.conf" } - { src: "glance-registry.conf.j2", dest: "/etc/glance/glance-registry.conf" } - { src: "glance-scrubber.conf.j2", dest: "/etc/glance/glance-scrubber.conf" } notify: @@ -56,8 +59,6 @@ owner: "{{ glance_system_user_name }}" group: "{{ glance_system_group_name }}" with_items: - - { src: "glance-api-paste.ini", dest: "/etc/glance/glance-api-paste.ini" } - - { src: "glance-registry-paste.ini", dest: "/etc/glance/glance-registry-paste.ini" } - { src: "policy.json", dest: "/etc/glance/policy.json" } - { src: "schema.json", dest: "/etc/glance/schema.json" } - { src: "schema.json", dest: "/etc/glance/schema-image.json" } diff --git a/playbooks/roles/os_glance/files/glance-api-paste.ini b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 similarity index 73% rename from playbooks/roles/os_glance/files/glance-api-paste.ini rename to playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 index e4baa269fa..029221ccf7 100644 --- a/playbooks/roles/os_glance/files/glance-api-paste.ini +++ b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 
@@ -1,38 +1,38 @@ # Use this pipeline for no auth or image caching - DEFAULT [pipeline:glance-api] -pipeline = versionnegotiation unauthenticated-context rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context rootapp # Use this pipeline for image caching and no auth [pipeline:glance-api-caching] -pipeline = versionnegotiation unauthenticated-context cache rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context cache rootapp # Use this pipeline for caching w/ management interface but no auth [pipeline:glance-api-cachemanagement] -pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp # Use this pipeline for keystone auth [pipeline:glance-api-keystone] -pipeline = versionnegotiation authtoken context rootapp +pipeline = versionnegotiation osprofiler authtoken context rootapp # Use this pipeline for keystone auth with image caching [pipeline:glance-api-keystone+caching] -pipeline = versionnegotiation authtoken context cache rootapp +pipeline = versionnegotiation osprofiler authtoken context cache rootapp # Use this pipeline for keystone auth with caching and cache management [pipeline:glance-api-keystone+cachemanagement] -pipeline = versionnegotiation authtoken context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler authtoken context cache cachemanage rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. [pipeline:glance-api-trusted-auth] -pipeline = versionnegotiation context rootapp +pipeline = versionnegotiation osprofiler context rootapp # Use this pipeline for authZ only. 
This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user and uses cache management [pipeline:glance-api-trusted-auth+cachemanagement] -pipeline = versionnegotiation context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler context cache cachemanage rootapp [composite:rootapp] paste.composite_factory = glance.api:root_app_factory @@ -70,3 +70,8 @@ delay_auth_decision = true [filter:gzip] paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ glance_profiler_hmac_key }} +enabled = yes diff --git a/playbooks/roles/os_glance/templates/glance-api.conf.j2 b/playbooks/roles/os_glance/templates/glance-api.conf.j2 index d5993bd81a..396335cb38 100644 --- a/playbooks/roles/os_glance/templates/glance-api.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2 @@ -11,6 +11,8 @@ fatal_deprecations = {{ glance_fatal_deprecations }} use_syslog = False bind_host = {{ glance_api_bind_address }} bind_port = {{ glance_api_service_port }} +http_keepalive = {{ glance_http_keepalive }} +digest_algorithm = {{ glance_digest_algorithm }} backlog = 4096 workers = {{ glance_api_workers | default(api_threads) }} registry_host = {{ glance_registry_host }} @@ -43,6 +45,9 @@ scrub_time = 43200 scrubber_datadir = {{ glance_system_user_home }}/scrubber/ image_cache_dir = {{ glance_system_user_home }}/cache/ +[task] +task_executor = {{ glance_task_executor }} + [database] connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8 
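Review bot: The new `[filter:osprofiler]` section hard-codes `enabled = yes`, so the `glance_profiler_enabled` tunable (default False) reaches only the `[profiler]` section of the service conf and never this filter; the identical section added to glance-registry-paste.ini.j2 has the same gap. Which of the two settings wins at runtime is not visible in this diff, so at minimum add a comment above the filter, e.g. `# NOTE: this flag is independent of glance_profiler_enabled; see [profiler] in glance-api.conf`. `hmac_keys = {{ glance_profiler_hmac_key }}` also places a secret in a file that used to be static, while user_secrets.yml ships that key empty. The play should therefore fail early when the key is unset, and the rendered paste files should not be world-readable (the template task shows owner and group, but its mode is outside the hunk).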
@@ -66,6 +71,11 @@ memcache_secret_key = {{ memcached_encryption_key }} # if your keystone deployment uses PKI, and you value security over performance: check_revocations_for_cached = False +[oslo_policy] +policy_file = {{ glance_policy_file }} +policy_default_rule = {{ glance_policy_default_rule }} +policy_dirs = {{ glance_policy_dirs }} + [paste_deploy] flavor = {{ glance_flavor }} @@ -88,3 +98,6 @@ swift_store_large_object_chunk_size = {{ glance_swift_store_large_object_chunk_s swift_store_retry_get_count = 5 swift_store_endpoint_type = {{ glance_swift_store_endpoint_type }} {% endif %} + +[profiler] +enabled = {{ glance_profiler_enabled }} diff --git a/playbooks/roles/os_glance/templates/glance-manage.conf.j2 b/playbooks/roles/os_glance/templates/glance-manage.conf.j2 new file mode 100644 index 0000000000..33c5689ee2 --- /dev/null +++ b/playbooks/roles/os_glance/templates/glance-manage.conf.j2 @@ -0,0 +1,9 @@ +[DEFAULT] +verbose = {{ verbose }} +debug = {{ debug }} +log_file = /var/log/glance/glance-manage.log +fatal_deprecations = {{ glance_fatal_deprecations }} +use_syslog = False + +[database] +connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8 diff --git a/playbooks/roles/os_glance/files/glance-registry-paste.ini b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 similarity index 71% rename from playbooks/roles/os_glance/files/glance-registry-paste.ini rename to playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 index ab8c2856df..a962043e38 100644 --- a/playbooks/roles/os_glance/files/glance-registry-paste.ini +++ b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 
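Review bot: The `connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@…` line in the new glance-manage.conf.j2 interpolates the password into a URL without escaping, so a password containing `@`, `:` or `?` would render a connection string that fails to parse or resolves to the wrong host. Unless generated secrets are guaranteed URL-safe, encode it, e.g. `{{ glance_container_mysql_password | urlencode }}`; the same unescaped pattern appears as context in glance-api.conf.j2. This file is also another on-disk copy of the database credential, so it needs the same restrictive ownership and mode as the other confs, and a header comment saying which command reads it would help operators.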
@@ -1,16 +1,16 @@ # Use this pipeline for no auth - DEFAULT [pipeline:glance-registry] -pipeline = unauthenticated-context registryapp +pipeline = osprofiler unauthenticated-context registryapp # Use this pipeline for keystone auth [pipeline:glance-registry-keystone] -pipeline = authtoken context registryapp +pipeline = osprofiler authtoken context registryapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. [pipeline:glance-registry-trusted-auth] -pipeline = context registryapp +pipeline = osprofiler context registryapp [app:registryapp] paste.app_factory = glance.registry.api:API.factory @@ -23,3 +23,8 @@ paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddl [filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ glance_profiler_hmac_key }} +enabled = yes diff --git a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 index 07c1ba1930..c9dd6a920f 100644 --- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 @@ -11,6 +11,7 @@ log_file = /var/log/glance/glance-registry.log use_syslog = False bind_host = {{ glance_registry_bind_address }} bind_port = {{ glance_registry_service_port }} +http_keepalive = {{ glance_http_keepalive }} backlog = 4096 workers = {{ glance_registry_workers | default(api_threads) }} api_limit_max = 1000 
@@ -39,5 +40,13 @@ memcache_secret_key = {{ memcached_encryption_key }} # if your keystone deployment uses PKI, and you value security over performance: check_revocations_for_cached = False +[oslo_policy] +policy_file = {{ glance_policy_file }} +policy_default_rule = {{ glance_policy_default_rule }} +policy_dirs = {{ glance_policy_dirs }} + [paste_deploy] flavor = keystone + +[profiler] +enabled = {{ glance_profiler_enabled }} \ No newline at end of file
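Review bot: The added `[profiler]` section leaves glance-registry.conf.j2 without a trailing newline, as the `\ No newline at end of file` marker after `enabled = {{ glance_profiler_enabled }}` shows. End the template with a newline so the rendered conf is a well-formed text file and a later append cannot join onto the `enabled` line.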