39 Commits

Author SHA1 Message Date
Sai Sindhur Malleni
8f5301d20d Fix performance regression due to reduced number of keystone workers
The puppet-keystone project consolidated keystone applications:

  ace7aeb3b7 (diff-e5968f40345cf5d3be0539fbba87f787)

This effectively reduces the number of available workers to process
keystone requests since only half the processes are deployed now that
the applications are consolidated [0]. As a result, we see a performance
regression [1] when interacting with keystone.

For example, in earlier versions, an 8 core machine would spawn four
processes to serve the keystone-main application. Another four processes
would be spawned to serve the keystone-admin application. Now, we only
have 4 processes total to serve the entire keystone application. Due to
the difference in the number of workers deployed by default, users will
experience reduced performance out-of-the-box.

This patch not only brings performance back to the previous levels, it
is also safe to implement as we are not changing the number of workers
when compared to previous releases and only bringing parity.

[0] https://github.com/openstack/puppet-openstacklib/blob/master/lib/facter/os_workers.rb#L33
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1789495

Co-Authored-By: Takashi Kajinami <tkajinam@redhat.com>
Depends-on: https://review.opendev.org/#/c/705041/
Change-Id: Icf9acaa106af705fa249a2ef2abca9f9a91fba59
2020-02-01 22:50:20 +09:00
Tobias Urdin
fa11274b2f Convert all class usage to relative names
Change-Id: Ia631adf31be1eeadb7ab0f12b75f1eaed73d5fbf
2019-12-08 23:09:22 +01:00
Tobias Urdin
5b5e713378 Don't empty out a symlink
Modifying the content of this symlink will just
cause a warning and not do anything since the
sites-available file is empty already.

Change-Id: I82e573ca66af4485303ec9c0040e2e0063d93585
2019-06-18 00:58:29 +02:00
Zuul
d0ebda3cd3 Merge "Remove deprecated keystone::wsgi::apache params"
2019-06-03 15:49:21 +00:00
Alex Schultz
3bebe58c4f Clear out keystone package config on ubuntu
See Bug 1737697. The Ubuntu packaging provides a default keystone.conf
which we want to remove because we manage the keystone vhost
configuration via puppet. This change moves the logic we had in
puppet-openstack-integration into puppet-keystone proper. Once the code
is removed from p-o-i, we can switch these to actual file resources
rather than using ensure_resource.

Change-Id: Iea8f531a8eff4c053cff01a7f75ce43024c97c7b
2019-05-20 19:50:26 +00:00
Tobias Urdin
ad4ea7b05c Remove deprecated keystone::wsgi::apache params
These parameters have no effect and were deprecated when
we removed port 35357 deployment, and can be removed in
Train.

Depends-On: https://review.opendev.org/#/c/658547/
Change-Id: I859803f1d79304de5a803753841e994357b045f8
2019-05-11 20:08:30 +02:00
Tobias Urdin
ace7aeb3b7 Remove port 35357 deployment
The legacy admin and public ports for Keystone have not been required
since the release of the v3 API, as keystone moved all actions to the
same API. [1]

This patch removes the deployment of port 35357 and remodels
puppet-keystone and more specifically the keystone::wsgi::apache
class to only deploy keystone on port 5000.

This has already been changed in the installation guides [2]
and is the recommended way to deploy keystone.

We already prepared all our modules' default values to use
port 5000 instead of 35357 a while ago, and in the Rocky
release we also informed our users with a release note that this
would be performed [3].

[1] https://github.com/openstack/keystone/blob/master/keystone/server/wsgi.py
[2] https://docs.openstack.org/keystone/rocky/install/keystone-install-obs.html
[3] https://review.openstack.org/#/c/586791/

Closes-Bug: 1804426
Depends-On: https://review.openstack.org/#/c/627793/
Change-Id: I726cd9408d20f868b2b5337ef2df4da458904e51
2019-01-07 21:37:59 +01:00
Tobias Urdin
ebd139c653 Remove deprecated keystone::wsgi::wsgi_script_ensure
This parameter was deprecated before and will now
be removed since it has no effect.

Change-Id: I867705acd525d6a2b24d93580bbe8dbcc12df472
2018-11-21 11:46:12 +01:00
Tobias Urdin
15c06a78ae Use openstacklib::wsgi::apache for keystone wsgi
This patch changes the usage of apache::vhost
to openstacklib::wsgi::apache.

Also removes the wsgi_script_source param
that was deprecated in Mitaka.

Fixes and cleans up spec testing, cleans up
documentation in the manifest to conform
with the overall standard.

Depends-On: I31096140a6f355ec99496053fb06ce6c73094180
Change-Id: Ic11a0aea68a04d370453a7e81218642e0e150a9f
Closes-Bug: 1657582
2018-04-26 15:27:58 +00:00
Juan Antonio Osorio Robles
f039a52f8f apache wsgi: Exchange defaults for workers and threads
Due to Python's GIL [1], we can't use multiple threads for running
OpenStack services without a performance penalty, since the execution
ends up serialized, which defeats the purpose.

Instead, we should use several processes, since this approach doesn't
have this limitation.

[1] https://wiki.python.org/moin/GlobalInterpreterLock

Change-Id: Ifd7ec428442da08d9aa85718b7b8553ca75c1b5c
2017-10-13 07:59:57 +03:00
Bogdan Dobrelya
a3d852f76d Add vhost access/error logs file/syslog options
Support vhosts logging to syslog.

Related-bug: #1700045

Change-Id: If60cb8e31c46e32ba6e04f53ac73a72bf989df2d
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-08-03 13:30:26 +02:00
Benedikt Trefzer
92cd897e38 add parameter to overwrite/add wsgi process options
Add two parameters to apache wsgi to allow overwrite
and/or add additional wsgi process options.

Change-Id: I1be0584befbb0ddd2503c124a05d27adcd25ae2e
2017-06-13 14:36:23 +02:00
Juan Antonio Osorio Robles
52135a9234 Remove unnecessary dependency from mod::ssl to conf directory
This is causing a dependency cycle:

File[/etc/httpd/conf.d] => File[ssl.conf] => Class[Apache::Mod::Ssl] =>
File[/etc/httpd/conf.d]

And shouldn't be needed.

Change-Id: If395724f530ae975eaee093216d1cf031395eac6
2016-12-01 12:59:19 +00:00
Rafal Szmigiel
4f15fb64b1 Ensure $keystone_wsgi_script_path has the right permissions.
Closes-Bug: 1645299

In the case of a more restrictive, system-wide umask setting, the
directory $keystone_wsgi_script_path may become inaccessible to the
web server, resulting in keystone failures.

Change-Id: I4cdc053bb88da0a7c2604ff0b431de57e24b41eb
2016-11-28 13:15:59 +01:00
Maksym Yatsenko
ed61f3f507 Change worker defaults to ::os_workers
This patch changes the default worker count from ::processorcount to the
new ::os_workers fact. ::os_workers is based on the number of processors
(currently cpu/4) but is capped at a maximum of 8 worker processors.
This is a much more reasonable default in general and prevents excessive
resource consumption on systems with a large number of CPUs.

Change-Id: I09076c05ffd42219e8662d3393b1732400d297dc
2016-10-07 00:22:10 +03:00
Carlos Camacho
3e73d33bf1 Remove unnecessary spaces in log messages.
Spaces added by mistake in some log messages.

Change-Id: Idab08cf39e2e25fcfe66f788e99b0c2e42a43600
2016-09-26 14:18:11 +02:00
Juan Antonio Osorio Robles
c55a4618bd Accept null value for servername_admin in apache resource
The servername_admin parameter uses the servername itself to get a
default value. This parameter is based on the fqdn fact, which can
be null. However, servername_admin is set with the pick function,
which doesn't take null values, so it crashes when that's the case.
This takes pick_default into use, which does accept null values, and
fixes the issue.

Change-Id: Id8f3e4467b7081802cd2e92414679c49953fcd02
Closes-Bug: #1625010
2016-09-19 09:46:05 +03:00
Carlos Camacho
08c30f7550 Fix puppet-lint before upgrading gem
Removing puppet-lint warnings
in favor of upgrading to latest gem

2016-09-13 21:10:29.621198 | manifests/federation/mellon.pp:70:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621299 | manifests/federation/openidc.pp:1:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621338 | manifests/federation/openidc_httpd_configuration.pp:2:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621371 | manifests/federation/shibboleth.pp:80:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621400 | manifests/init.pp:749:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621428 | manifests/init.pp:862:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621456 | manifests/init.pp:869:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621483 | manifests/init.pp:870:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621510 | manifests/init.pp:923:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621537 | manifests/init.pp:927:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621564 | manifests/init.pp:931:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621592 | manifests/init.pp:935:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621633 | manifests/init.pp:939:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621662 | manifests/init.pp:943:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621689 | manifests/init.pp:1062:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621717 | manifests/init.pp:1067:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621742 | manifests/ldap.pp:468:ERROR: trailing whitespace found
2016-09-13 21:10:29.621771 | manifests/ldap_backend.pp:465:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621800 | manifests/wsgi/apache.pp:282:WARNING: line has more than 140 characters
2016-09-13 21:10:29.621824 | tests/site.pp:24:WARNING: unquoted node name found
2016-09-13 21:10:29.621848 | tests/site.pp:43:WARNING: unquoted node name found

Change-Id: Ia308a08b002074d2393dc488a8ccc5429d675533
2016-09-14 12:07:22 +02:00
Juan Antonio Osorio Robles
d823e2798d Enable different servername for admin vhost
When the admin endpoint is configured in a different IP and host, the
servername needs to be changed too. Else the vhost will be routed
wrongly by apache.

Change-Id: Ief84f524b4e221313b36e72beae291616491fa8b
2016-09-05 13:42:23 +03:00
Juan Antonio Osorio Robles
353c396520 Allow different key/cert for the admin apache vhost
The admin endpoint might be serving with a different IP and
servername, so it might need a different set of keys/certs. This
commit gives it the ability to do so, while still having backwards
compatibility, since, if no admin key/cert is given, it will use the
pair that the public endpoint uses.

Change-Id: I8725bb39f6473e4837cbd0c553295c2340f20913
2016-09-01 14:26:33 +03:00
Alex Schultz
e6c53594f3 Make admin and public scripts configurable
When we switched to using the package provided wsgi scripts for
keystone, we lost the ability to override these scripts. This change
updates the apache::wsgi::apache class to actually allow for the
overriding of the admin and public wsgi scripts.

Change-Id: I683f1ef95700d9382d480a1daca41cf9ed5ccd26
2016-07-06 12:13:37 -06:00
Alex Schultz
e812075fd9 Update keystone wsgi scripts
This change updates the wsgi configuration for keystone to use the
keystone-wsgi-public and keystone-wsgi-admin scripts provided. The
previous httpd.py implementation has been deprecated as part of the
Mitaka cycle. We are deprecating the previous single script variable
that was used for both endpoints in favor of two new variables, one for
each of the scripts.

Change-Id: I03a7a057cae0bf86331191faf47ec394487150a7
Closes-Bug: #1558290
2016-05-24 09:29:38 -06:00
Cody Herriges
96ba3fa800 Make the SSL apache module happen at the correct time
This commit will make sure that the entire Class[apache::mod::ssl]
completes before the file resource that purges the conf.d directory
runs.

This is needed because the mod_ssl package on EL is putting down an
ssl.conf file in the conf.d directory after the purge, resulting in it
only being removed on the second Puppet run. I'd probably consider
this a bug in puppetlabs-apache or upstream EL packaging, but for now
this is the workaround.

Change-Id: I96d3028aefe423ebd03b843380fb073a85f778d7
2016-04-05 17:14:01 -07:00
Matt Fischer
a5da52ec52 Keystone hooks support
This code moves all deps to an external class so that Keystone can be
installed with mechanisms besides packages (like venv or docker). This
also cleans up the dependency tree by removing false or confusing
dependencies.

Change-Id: If69cd7cba267f75faad51fdbc80a58b24d2095d8
Co-Author: Clayton O'Neill <clayton.oneill@twcable.com>
2016-03-15 20:11:25 -06:00
Martin Millnert
b8ae179f91 Make apache::vhost::headers configuration possible
This change adds the ability to configure specific
apache::vhost::headers via puppet-keystone.

In our deployment, we use this to configure:

    keystone::wsgi::apache::headers:
      - 'set Strict-Transport-Security "max-age=15552000"'
      - 'set X-Frame-Options "DENY"'

Change-Id: I0d1ca6b11d9ba5b03c92dff728e0edc3bd06cc19
Signed-off-by: Martin Millnert <martin@millnert.se>
Closes-Bug: #1551801
2016-03-01 16:25:21 +01:00
Jenkins
d9cecd44a9 Merge "Add wsgi_chunked_request option"
2016-01-29 15:16:58 +00:00
John Dewey
015cf5c487 Add wsgi_chunked_request option
This option is necessary[1] when running OpenStack's keystone on Apache.
This functionality has been merged[2] into the upstream puppetlabs-apache.

[1] https://review.openstack.org/#/c/34835/
[2] https://github.com/puppetlabs/puppetlabs-apache/pull/890

Change-Id: Icaf550e6570890535c7f43e6c77889826bfa90cb
2016-01-28 12:40:57 -08:00
Dan Prince
41d72f6d12 Add keystone::wsgi::apache::admin_bind_host param
This patch adds a new admin_bind_host setting to the
keystone::wsgi::apache class. This setting is important
for users who may use different (local) bind IPs
for the public and admin APIs.

This was previously possible when running Apache under
eventlet and is important to deployment tools like
TripleO which make use of these settings.

Change-Id: I22a348c298ff44f616b2e898f4872eddea040239
2016-01-28 11:14:43 -05:00
Sergey Kolekonov
94123494c1 Pass necessary options to Apache when using WSGI
Keystone recommends using the WSGIApplicationGroup and WSGIPassAuthorization
options when running under Apache. When WSGIApplicationGroup is not set,
import failures are observed and Keystone doesn't work as expected.

Change-Id: I30483d269f6ae6edcecd376d6814c80c0166b265
Closes-bug: #1502318
2015-10-08 15:34:41 +03:00
Oleksiy Molchanov
a39ce03ac0 Add custom fragment to vhost
Add the possibility to pass custom_fragment to apache::vhost
in order to provide lines that are not supported by the module
(for example LimitRequestFieldSize for keystone).

Change-Id: Ibfa120d3bd3051f0e619bd6d245ae2cd4e12cbaf
Closes-Bug: 1475767
2015-09-01 16:15:58 +03:00
Eric Peterson
0de67952bf Adding wsgi log formatting
This change adds the ability to customize how the keystone
wsgi virtual hosts log information. This is especially useful
if you have a load balancer and the source ip is being forwarded.

Change-Id: Id27179f1ca6001a1596f103013f6ca32ed23b6b4
Closes-bug: #1483776
2015-08-14 10:52:21 -06:00
Aleksandr Didenko
351ec64f67 Custom file source for wsgi scripts
Adds possibility to:
- use custom file source for wsgi scripts
- use symlinks for wsgi scripts

Change-Id: I941bf8804982e9081812e076f7a736f413220047
Closes-bug: #1449553
2015-04-28 16:14:42 +03:00
Jenkins
2d48f32bb1 Merge "Set WSGI process display-name"
2015-04-27 16:33:38 +00:00
François Charlier
c72bd51df8 Remove utf-8 characters
As many people seem to experience issues with this

Change-Id: Ibab83e3227e0c70b66327cb2444ff2f9f3fc9cac
2015-03-20 21:51:04 +01:00
Sebastien Badia
a3bdaad473 Add missing puppetdoc and lint all parameter documentation
Un-pin the puppet-lint gem and add puppet-lint-param-docs; this commit also
adds missing puppetdoc and fixes lint issues.

Change-Id: I1eefc743c68c75eb54a65b3cc539922ef3a3b04d
2015-03-15 18:09:16 +01:00
Nathan Kinder
7108a6e64f Set WSGI process display-name
The display-name option for mod_wsgi's WSGIDaemonProcess directive
allows for a useful name to be used for the process command name.
This is generally useful, as it allows one to distinguish the
keystone wsgi processes from other httpd processes on the system in
the output of ps and similar commands.

This patch uses display names of 'keystone-main' and 'keystone-admin'
for the main and admin processes respectively.

Change-Id: Id79c3a36b3f84938070f41c7171dfee20d1745e9
Closes-bug: #1409119
2015-01-09 23:13:47 -08:00
Rich Megginson
879f87270a Set up keystone using apache mod_wsgi
Allow keystone to be set up to use apache mod_wsgi as the server
instead of a standalone eventlet service.  There is a new keystone
class parameter: service_name.  The default is 'keystone', which will
set up the standalone eventlet service.  If 'httpd' is used, the
keystone class will skip creating the keystone service, which also means
no 'openstack-keystone' service.  The class 'keystone::wsgi::apache' is
then used to configure apache mod_wsgi to serve keystone.

Had to remove the File resource default in the keystone class.  When
using wsgi::apache, the apache class and other classes are included.
Since puppet uses dynamic scoping, this overrides the file resources
in those classes as well.  keystone now explicitly sets all of the
parameters in files/directory resources.

Change-Id: Ib05ac81381e169845b44b2ef7cb810a4d5db17de
Closes-Bug: #1348728
2014-09-24 19:14:57 -07:00
François Charlier
2f3627e5e2 Allow binding apache to a specific IP address
Add a 'bind_host' parameter to keystone::wsgi::apache to allow binding
to a specific IP address.

Fixes Bug #1273697

Change-Id: I4e94336c15132900dbe42052e46d0c7f2e36f91f
2014-01-28 17:14:43 +01:00
François Charlier
e35a6dc6ee Enable serving keystone from apache mod_wsgi
Serving keystone from a wsgi container is recommended for production
setups. SSL is enabled by default.

See the following URLs for explanations:
    http://adam.younglogic.com/2012/03/keystone-should-move-to-apache-httpd/
    https://etherpad.openstack.org/havana-keystone-performance

Documentation in manifests/wsgi/apache.pp

Apache can be configured as a drop-in replacement for keystone (using
ports 5000 & 35357) or with paths using the standard SSL port. See
examples in examples/apache_*.pp

- Also change some 'real_' prefix into '_real' suffix to respect the
coding guide.
- Added the '--insecure' option to keystone client in the provider to
allow using self-signed certificates.
- Fixed parsing the ssl/enable value in the provider.

There is no integer verification done in the manifests,
and to get around a bug in rspec, which has been fixed
in https://github.com/rodjek/rspec-puppet/pull/107,
certain parameters that should be integers are treated as
strings.

files/httpd/keystone.py updated with the latest from the keystone git repo.

Change-Id: Ide8c090d105c1ea75a14939f5e8ddb7d24ca3f1c
2013-11-21 13:35:31 -05:00