Introduce nova:metadata and nova::wsgi::apache_metadata

Classes to configure and serve Nova Metadata API with apache
mod_wsgi in place of eventlet service.
Nova metadata parameters in nova::api are deprecated so that we
can remove them later.

See https://review.openstack.org/#/c/549510/ for more details.

Change-Id: Ic65736cb0e95c400a728cd699ecf06c6aecff832
Closes-Bug: 1781405
Martin Schuppert 2018-07-13 17:11:38 +02:00
parent dc503260b0
commit e195703b86
7 changed files with 689 additions and 135 deletions


@ -70,10 +70,6 @@
# installing the package - required on upgrade.
# Defaults to false.
#
# [*neutron_metadata_proxy_shared_secret*]
# (optional) Shared secret to validate proxies Neutron metadata requests
# Defaults to undef
#
# [*ratelimits*]
# (optional) A string that is a semicolon-separated list of 5-tuples.
# See http://docs.openstack.org/trunk/config-reference/content/configuring-compute-API.html
@ -122,43 +118,6 @@
# to make nova be a web app using apache mod_wsgi.
# Defaults to '$::nova::params::api_service_name'
#
# [*metadata_cache_expiration*]
# (optional) This option is the time (in seconds) to cache metadata.
# Defaults to $::os_service_default
#
# [*vendordata_jsonfile_path*]
# (optional) Represent the path to the data file.
# Cloud providers may store custom data in vendor data file that will then be
# available to the instances via the metadata service, and to the rendering of
# config-drive. The default class for this, JsonFileVendorData, loads this
# information from a JSON file, whose path is configured by this option
# Defaults to $::os_service_default
#
# [*vendordata_providers*]
# (optional) vendordata providers are how deployers can provide metadata via
# configdrive and metadata that is specific to their deployment. There are
# currently two supported providers: StaticJSON and DynamicJSON.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_targets*]
# (optional) A list of targets for the dynamic vendordata provider. These
# targets are of the form <name>@<url>.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_connect_timeout*]
# (optional) Maximum wait time for an external REST service to connect.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_read_timeout*]
# (optional) Maximum wait time for an external REST service to return data
# once connected.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_failure_fatal*]
# (optional) Should failures to fetch dynamic vendordata be fatal to
# instance boot?
# Defaults to $::os_service_default
#
# [*max_limit*]
# (optional) This option is limit the maximum number of items in a single response.
# Defaults to $::os_service_default
@ -199,42 +158,91 @@
# (optional) Whether the cinder::client class should be used to install the cinder client.
# Defaults to true
#
# [*allow_resize_to_same_host*]
# [*allow_resize_to_same_host*]
# (optional) Allow destination machine to match source for resize. Note that this
# is also settable in the compute class. In some situations you need it set here
# and in others you need it set there.
# Defaults to false
#
# [*vendordata_dynamic_auth_auth_type*]
# DEPRECATED
#
# [*nova_metadata_wsgi_enabled*]
# Wether nova metadata api is run via wsgi. Since running metadata via eventlet is
# going to be removed in the Sein release we can deprecate this and plan to remove
# metadata handling from api class.
# Defaults to false
#
# [*neutron_metadata_proxy_shared_secret*]
# (optional) Shared secret to validate proxies Neutron metadata requests
# Defaults to undef
#
# [*metadata_cache_expiration*]
# (optional) This option is the time (in seconds) to cache metadata.
# Defaults to $::os_service_default
#
# [*vendordata_jsonfile_path*]
# (optional) Represent the path to the data file.
# Cloud providers may store custom data in vendor data file that will then be
# available to the instances via the metadata service, and to the rendering of
# config-drive. The default class for this, JsonFileVendorData, loads this
# information from a JSON file, whose path is configured by this option
# Defaults to $::os_service_default
#
# [*vendordata_providers*]
# (optional) vendordata providers are how deployers can provide metadata via
# configdrive and metadata that is specific to their deployment. There are
# currently two supported providers: StaticJSON and DynamicJSON.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_targets*]
# (optional) A list of targets for the dynamic vendordata provider. These
# targets are of the form <name>@<url>.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_connect_timeout*]
# (optional) Maximum wait time for an external REST service to connect.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_read_timeout*]
# (optional) Maximum wait time for an external REST service to return data
# once connected.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_failure_fatal*]
# (optional) Should failures to fetch dynamic vendordata be fatal to
# instance boot?
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_auth_type*]
# (optional) Authentication type to load for vendordata dynamic plugins.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_auth_url*]
# [*vendordata_dynamic_auth_auth_url*]
# (optional) URL to use for authenticating.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_os_region_name*]
# [*vendordata_dynamic_auth_os_region_name*]
# (optional) Region name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_password*]
# [*vendordata_dynamic_auth_password*]
# (optional) Password for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_project_domain_name*]
# [*vendordata_dynamic_auth_project_domain_name*]
# (optional) Project domain name for the vendordata dynamic plugin
# credentials.
# Defaults to 'Default'
#
# [*vendordata_dynamic_auth_project_name*]
# [*vendordata_dynamic_auth_project_name*]
# (optional) Project name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_user_domain_name*]
# [*vendordata_dynamic_auth_user_domain_name*]
# (optional) User domain name for the vendordata dynamic plugin credentials.
# Defaults to 'Default'
#
# [*vendordata_dynamic_auth_username*]
# [*vendordata_dynamic_auth_username*]
# (optional) User name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
@ -289,6 +297,8 @@ class nova::api(
$vendordata_dynamic_auth_project_name = $::os_service_default,
$vendordata_dynamic_auth_user_domain_name = 'Default',
$vendordata_dynamic_auth_username = $::os_service_default,
# DEPRECATED PARAMETER
$nova_metadata_wsgi_enabled = false,
) inherits nova::params {
include ::nova::deps
@ -296,6 +306,10 @@ class nova::api(
include ::nova::policy
include ::nova::keystone::authtoken
if !$nova_metadata_wsgi_enabled {
warning('Running nova metadata api via evenlet is deprecated and will be removed in Stein release.')
}
if $install_cinder_client {
include ::cinder::client
Class['cinder::client'] ~> Nova::Generic_service['api']
@ -325,8 +339,8 @@ class nova::api(
$vendordata_dynamic_targets_real = $::os_service_default
}
# metadata can't be run in wsgi so we have to enable it in eventlet anyway.
if ('metadata' in $enabled_apis and $service_name == 'httpd') {
# enable metadata in eventlet if we do not run metadata via wsgi (nova::metadata)
if ('metadata' in $enabled_apis and $service_name == 'httpd' and !$nova_metadata_wsgi_enabled) {
$enable_metadata = true
} else {
$enable_metadata = false
@ -340,6 +354,7 @@ class nova::api(
$service_enabled = $enabled
} elsif $service_name == 'httpd' {
# when running wsgi, we want to enable metadata in eventlet if part of enabled_apis
# but only if we do not run metadata via wsgi (nova::metadata)
if $enable_metadata {
$enabled_apis_real = ['metadata']
$service_enabled = $enabled
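Review bot: The `warning()` added after `include ::nova::keystone::authtoken` is guarded only by `!$nova_metadata_wsgi_enabled`, and that parameter defaults to false, so every catalog that declares nova::api logs the deprecation even when 'metadata' is not in `$enabled_apis`. Consider `if !$nova_metadata_wsgi_enabled and 'metadata' in $enabled_apis {` so the message reaches only deployments that still serve metadata from eventlet. The message spells eventlet as 'evenlet', and the parameter doc has 'Wether' and 'Sein release' where the warning says Stein. That doc should also say that setting the flag to true requires nova::metadata and nova::wsgi::apache_metadata to be declared, since nothing in the visible hunks checks this and the metadata API would otherwise not be served at all. The class body continues outside these hunks.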

166
manifests/metadata.pp Normal file

@ -0,0 +1,166 @@
# == Class: nova::metadata
#
# Setup and configure the Nova metadata API endpoint for wsgi
#
# === Parameters
#
# [*enabled_apis*]
# (optional) A list of apis to enable
# Defaults to ['metadata'] in case of wsgi
#
# [*neutron_metadata_proxy_shared_secret*]
# (optional) Shared secret to validate proxies Neutron metadata requests
# Defaults to undef
#
# [*enable_proxy_headers_parsing*]
# (optional) This determines if the HTTPProxyToWSGI
# middleware should parse the proxy headers or not.(boolean value)
# Defaults to $::os_service_default
#
# [*metadata_cache_expiration*]
# (optional) This option is the time (in seconds) to cache metadata.
# Defaults to $::os_service_default
#
# [*vendordata_jsonfile_path*]
# (optional) Represent the path to the data file.
# Cloud providers may store custom data in vendor data file that will then be
# available to the instances via the metadata service, and to the rendering of
# config-drive. The default class for this, JsonFileVendorData, loads this
# information from a JSON file, whose path is configured by this option
# Defaults to $::os_service_default
#
# [*vendordata_providers*]
# (optional) vendordata providers are how deployers can provide metadata via
# configdrive and metadata that is specific to their deployment. There are
# currently two supported providers: StaticJSON and DynamicJSON.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_targets*]
# (optional) A list of targets for the dynamic vendordata provider. These
# targets are of the form <name>@<url>.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_connect_timeout*]
# (optional) Maximum wait time for an external REST service to connect.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_read_timeout*]
# (optional) Maximum wait time for an external REST service to return data
# once connected.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_failure_fatal*]
# (optional) Should failures to fetch dynamic vendordata be fatal to
# instance boot?
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_auth_type*]
# (optional) Authentication type to load for vendordata dynamic plugins.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_auth_url*]
# (optional) URL to use for authenticating.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_os_region_name*]
# (optional) Region name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_password*]
# (optional) Password for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_project_domain_name*]
# (optional) Project domain name for the vendordata dynamic plugin
# credentials.
# Defaults to 'Default'
#
# [*vendordata_dynamic_auth_project_name*]
# (optional) Project name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# [*vendordata_dynamic_auth_user_domain_name*]
# (optional) User domain name for the vendordata dynamic plugin credentials.
# Defaults to 'Default'
#
# [*vendordata_dynamic_auth_username*]
# (optional) User name for the vendordata dynamic plugin credentials.
# Defaults to $::os_service_default
#
# DEPRECATED
#
class nova::metadata(
$enabled_apis = 'metadata',
$neutron_metadata_proxy_shared_secret = undef,
$enable_proxy_headers_parsing = $::os_service_default,
$metadata_cache_expiration = $::os_service_default,
$vendordata_jsonfile_path = $::os_service_default,
$vendordata_providers = $::os_service_default,
$vendordata_dynamic_targets = $::os_service_default,
$vendordata_dynamic_connect_timeout = $::os_service_default,
$vendordata_dynamic_read_timeout = $::os_service_default,
$vendordata_dynamic_failure_fatal = $::os_service_default,
$vendordata_dynamic_auth_auth_type = $::os_service_default,
$vendordata_dynamic_auth_auth_url = $::os_service_default,
$vendordata_dynamic_auth_os_region_name = $::os_service_default,
$vendordata_dynamic_auth_password = $::os_service_default,
$vendordata_dynamic_auth_project_domain_name = 'Default',
$vendordata_dynamic_auth_project_name = $::os_service_default,
$vendordata_dynamic_auth_user_domain_name = 'Default',
$vendordata_dynamic_auth_username = $::os_service_default,
) inherits nova::params {
include ::nova::deps
include ::nova::db
include ::nova::keystone::authtoken
if !is_service_default($vendordata_providers) and !empty($vendordata_providers){
validate_array($vendordata_providers)
$vendordata_providers_real = join($vendordata_providers, ',')
} else {
$vendordata_providers_real = $::os_service_default
}
if !is_service_default($vendordata_dynamic_targets) and !empty($vendordata_dynamic_targets){
validate_array($vendordata_dynamic_targets)
$vendordata_dynamic_targets_real = join($vendordata_dynamic_targets, ',')
} else {
$vendordata_dynamic_targets_real = $::os_service_default
}
nova_config {
'DEFAULT/enabled_apis': value => $enabled_apis;
'api/metadata_cache_expiration': value => $metadata_cache_expiration;
'api/vendordata_jsonfile_path': value => $vendordata_jsonfile_path;
'api/vendordata_providers': value => $vendordata_providers_real;
'api/vendordata_dynamic_targets': value => $vendordata_dynamic_targets_real;
'api/vendordata_dynamic_connect_timeout': value => $vendordata_dynamic_connect_timeout;
'api/vendordata_dynamic_read_timeout': value => $vendordata_dynamic_read_timeout;
'api/vendordata_dynamic_failure_fatal': value => $vendordata_dynamic_failure_fatal;
'vendordata_dynamic_auth/auth_type': value => $vendordata_dynamic_auth_auth_type;
'vendordata_dynamic_auth/auth_url': value => $vendordata_dynamic_auth_auth_url;
'vendordata_dynamic_auth/os_region_name': value => $vendordata_dynamic_auth_os_region_name;
'vendordata_dynamic_auth/password': value => $vendordata_dynamic_auth_password, secret => true;
'vendordata_dynamic_auth/project_domain_name': value => $vendordata_dynamic_auth_project_domain_name;
'vendordata_dynamic_auth/project_name': value => $vendordata_dynamic_auth_project_name;
'vendordata_dynamic_auth/user_domain_name': value => $vendordata_dynamic_auth_user_domain_name;
'vendordata_dynamic_auth/username': value => $vendordata_dynamic_auth_username;
}
oslo::middleware {'nova_config':
enable_proxy_headers_parsing => $enable_proxy_headers_parsing,
}
if ($neutron_metadata_proxy_shared_secret){
nova_config {
'neutron/service_metadata_proxy': value => true;
'neutron/metadata_proxy_shared_secret':
value => $neutron_metadata_proxy_shared_secret, secret => true;
}
} else {
nova_config {
'neutron/service_metadata_proxy': value => false;
'neutron/metadata_proxy_shared_secret': ensure => absent;
}
}
}
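Review bot: The `if ($neutron_metadata_proxy_shared_secret)` test near the end of the class treats any truthy value as a usable secret, and on Puppet 4 and later an empty string is truthy, so `neutron_metadata_proxy_shared_secret => ''` (an unset hiera lookup, for example) would write `neutron/service_metadata_proxy = true` together with an empty `metadata_proxy_shared_secret`. As far as I know Nova keys the proxy request signature on that value, so an empty secret leaves the check without real protection; guard with `if $neutron_metadata_proxy_shared_secret and !empty($neutron_metadata_proxy_shared_secret) {` or `fail()` on an empty value. The parameter doc could also state that leaving it undef sets `neutron/service_metadata_proxy` to false. Separately, the header documents `enabled_apis` as defaulting to `['metadata']` while the code uses the string `'metadata'`, and the trailing `# DEPRECATED` heading lists nothing.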


@ -13,56 +13,57 @@ class nova::params {
case $::osfamily {
'RedHat': {
# package names
$client_package = 'python-novaclient'
$api_package_name = 'openstack-nova-api'
$placement_package_name = 'openstack-nova-placement-api'
$cells_package_name = 'openstack-nova-cells'
$common_package_name = 'openstack-nova-common'
$python_package_name = 'python-nova'
$compute_package_name = 'openstack-nova-compute'
$conductor_package_name = 'openstack-nova-conductor'
$consoleauth_package_name = 'openstack-nova-console'
$doc_package_name = 'openstack-nova-doc'
$libvirt_package_name = 'libvirt'
$libvirt_guests_package_name = 'libvirt-client'
$libvirt_daemon_package_prefix = 'libvirt-daemon-'
$libvirt_nwfilter_package_name = 'libvirt-daemon-config-nwfilter'
$network_package_name = 'openstack-nova-network'
$scheduler_package_name = 'openstack-nova-scheduler'
$tgt_package_name = 'scsi-target-utils'
$vncproxy_package_name = 'openstack-nova-novncproxy'
$serialproxy_package_name = 'openstack-nova-serialproxy'
$spicehtml5proxy_package_name = 'openstack-nova-console'
$ceph_client_package_name = 'ceph-common'
$genisoimage_package_name = 'genisoimage'
$client_package = 'python-novaclient'
$api_package_name = 'openstack-nova-api'
$placement_package_name = 'openstack-nova-placement-api'
$cells_package_name = 'openstack-nova-cells'
$common_package_name = 'openstack-nova-common'
$python_package_name = 'python-nova'
$compute_package_name = 'openstack-nova-compute'
$conductor_package_name = 'openstack-nova-conductor'
$consoleauth_package_name = 'openstack-nova-console'
$doc_package_name = 'openstack-nova-doc'
$libvirt_package_name = 'libvirt'
$libvirt_guests_package_name = 'libvirt-client'
$libvirt_daemon_package_prefix = 'libvirt-daemon-'
$libvirt_nwfilter_package_name = 'libvirt-daemon-config-nwfilter'
$network_package_name = 'openstack-nova-network'
$scheduler_package_name = 'openstack-nova-scheduler'
$tgt_package_name = 'scsi-target-utils'
$vncproxy_package_name = 'openstack-nova-novncproxy'
$serialproxy_package_name = 'openstack-nova-serialproxy'
$spicehtml5proxy_package_name = 'openstack-nova-console'
$ceph_client_package_name = 'ceph-common'
$genisoimage_package_name = 'genisoimage'
# service names
$api_service_name = 'openstack-nova-api'
$cells_service_name = 'openstack-nova-cells'
$compute_service_name = 'openstack-nova-compute'
$conductor_service_name = 'openstack-nova-conductor'
$consoleauth_service_name = 'openstack-nova-consoleauth'
$placement_service_name = 'httpd'
$libvirt_service_name = 'libvirtd'
$libvirt_guests_service_name = 'libvirt-guests'
$virtlock_service_name = 'virtlockd'
$virtlog_service_name = undef
$network_service_name = 'openstack-nova-network'
$scheduler_service_name = 'openstack-nova-scheduler'
$tgt_service_name = 'tgtd'
$vncproxy_service_name = 'openstack-nova-novncproxy'
$serialproxy_service_name = 'openstack-nova-serialproxy'
$spicehtml5proxy_service_name = 'openstack-nova-spicehtml5proxy'
$api_service_name = 'openstack-nova-api'
$cells_service_name = 'openstack-nova-cells'
$compute_service_name = 'openstack-nova-compute'
$conductor_service_name = 'openstack-nova-conductor'
$consoleauth_service_name = 'openstack-nova-consoleauth'
$placement_service_name = 'httpd'
$libvirt_service_name = 'libvirtd'
$libvirt_guests_service_name = 'libvirt-guests'
$virtlock_service_name = 'virtlockd'
$virtlog_service_name = undef
$network_service_name = 'openstack-nova-network'
$scheduler_service_name = 'openstack-nova-scheduler'
$tgt_service_name = 'tgtd'
$vncproxy_service_name = 'openstack-nova-novncproxy'
$serialproxy_service_name = 'openstack-nova-serialproxy'
$spicehtml5proxy_service_name = 'openstack-nova-spicehtml5proxy'
# redhat specific config defaults
$root_helper = 'sudo nova-rootwrap'
$lock_path = '/var/lib/nova/tmp'
$nova_log_group = 'root'
$nova_wsgi_script_path = '/var/www/cgi-bin/nova'
$nova_api_wsgi_script_source = '/usr/bin/nova-api-wsgi'
$placement_public_url = 'http://127.0.0.1/placement'
$placement_internal_url = 'http://127.0.0.1/placement'
$placement_admin_url = 'http://127.0.0.1/placement'
$placement_wsgi_script_source = '/usr/bin/nova-placement-api'
$placement_httpd_config_file = '/etc/httpd/conf.d/00-nova-placement-api.conf'
$root_helper = 'sudo nova-rootwrap'
$lock_path = '/var/lib/nova/tmp'
$nova_log_group = 'root'
$nova_wsgi_script_path = '/var/www/cgi-bin/nova'
$nova_api_wsgi_script_source = '/usr/bin/nova-api-wsgi'
$nova_metadata_wsgi_script_source = '/usr/bin/nova-metadata-wsgi'
$placement_public_url = 'http://127.0.0.1/placement'
$placement_internal_url = 'http://127.0.0.1/placement'
$placement_admin_url = 'http://127.0.0.1/placement'
$placement_wsgi_script_source = '/usr/bin/nova-placement-api'
$placement_httpd_config_file = '/etc/httpd/conf.d/00-nova-placement-api.conf'
case $::operatingsystem {
'RedHat', 'CentOS', 'Scientific', 'OracleLinux': {
if (versioncmp($::operatingsystemmajrelease, '7') < 0) {
@ -88,46 +89,47 @@ class nova::params {
}
'Debian': {
# package names
$client_package = "python${pyvers}-novaclient"
$api_package_name = 'nova-api'
$placement_package_name = 'nova-placement-api'
$cells_package_name = 'nova-cells'
$common_package_name = 'nova-common'
$python_package_name = "python${pyvers}-nova"
$compute_package_name = 'nova-compute'
$conductor_package_name = 'nova-conductor'
$consoleauth_package_name = 'nova-consoleauth'
$doc_package_name = 'nova-doc'
$client_package = "python${pyvers}-novaclient"
$api_package_name = 'nova-api'
$placement_package_name = 'nova-placement-api'
$cells_package_name = 'nova-cells'
$common_package_name = 'nova-common'
$python_package_name = "python${pyvers}-nova"
$compute_package_name = 'nova-compute'
$conductor_package_name = 'nova-conductor'
$consoleauth_package_name = 'nova-consoleauth'
$doc_package_name = 'nova-doc'
if ($::operatingsystem == 'Debian') and (versioncmp($::operatingsystemmajrelease, '9') >= 0 ) {
$libvirt_package_name = 'libvirt-daemon-system'
$libvirt_package_name = 'libvirt-daemon-system'
} else {
$libvirt_package_name = 'libvirt-bin'
$libvirt_package_name = 'libvirt-bin'
}
$network_package_name = 'nova-network'
$scheduler_package_name = 'nova-scheduler'
$tgt_package_name = 'tgt'
$serialproxy_package_name = 'nova-serialproxy'
$ceph_client_package_name = 'ceph'
$genisoimage_package_name = 'genisoimage'
$network_package_name = 'nova-network'
$scheduler_package_name = 'nova-scheduler'
$tgt_package_name = 'tgt'
$serialproxy_package_name = 'nova-serialproxy'
$ceph_client_package_name = 'ceph'
$genisoimage_package_name = 'genisoimage'
# service names
$api_service_name = 'nova-api'
$cells_service_name = 'nova-cells'
$compute_service_name = 'nova-compute'
$conductor_service_name = 'nova-conductor'
$consoleauth_service_name = 'nova-consoleauth'
$network_service_name = 'nova-network'
$scheduler_service_name = 'nova-scheduler'
$vncproxy_service_name = 'nova-novncproxy'
$serialproxy_service_name = 'nova-serialproxy'
$tgt_service_name = 'tgt'
$nova_log_group = 'adm'
$nova_wsgi_script_path = '/usr/lib/cgi-bin/nova'
$nova_api_wsgi_script_source = '/usr/bin/nova-api-wsgi'
$placement_wsgi_script_source = '/usr/bin/nova-placement-api'
$placement_httpd_config_file = '/etc/apache2/sites-available/nova-placement-api.conf'
$api_service_name = 'nova-api'
$cells_service_name = 'nova-cells'
$compute_service_name = 'nova-compute'
$conductor_service_name = 'nova-conductor'
$consoleauth_service_name = 'nova-consoleauth'
$network_service_name = 'nova-network'
$scheduler_service_name = 'nova-scheduler'
$vncproxy_service_name = 'nova-novncproxy'
$serialproxy_service_name = 'nova-serialproxy'
$tgt_service_name = 'tgt'
$nova_log_group = 'adm'
$nova_wsgi_script_path = '/usr/lib/cgi-bin/nova'
$nova_api_wsgi_script_source = '/usr/bin/nova-api-wsgi'
$nova_metadata_wsgi_script_source = '/usr/bin/nova-metadata-wsgi'
$placement_wsgi_script_source = '/usr/bin/nova-placement-api'
$placement_httpd_config_file = '/etc/apache2/sites-available/nova-placement-api.conf'
# debian specific nova config
$root_helper = 'sudo nova-rootwrap'
$lock_path = '/var/lock/nova'
$root_helper = 'sudo nova-rootwrap'
$lock_path = '/var/lock/nova'
case $::os_package_type {
'debian': {
$spicehtml5proxy_package_name = 'nova-consoleproxy'


@ -0,0 +1,163 @@
# == Class: nova::wsgi::apache_metadata
#
# Class to serve Nova Metadata API with apache mod_wsgi in place of nova-metadata-api service.
#
# When using this class you should disable your nova-metadata-api_port service.
#
# == Parameters
#
# [*servername*]
# The servername for the virtualhost.
# Optional. Defaults to $::fqdn
#
# [*ensure_package*]
# (optional) Control the ensure parameter for the Nova Placement API package resource.
# Defaults to 'present'
#
# [*api_port*]
# The port for Nova API service.
# Optional. Defaults to 8774
#
# [*bind_host*]
# The host/ip address Apache will listen on.
# Optional. Defaults to undef (listen on all ip addresses).
#
# [*path*]
# The prefix for the endpoint.
# Optional. Defaults to '/'
#
# [*ssl*]
# Use ssl ? (boolean)
# Optional. Defaults to true
#
# [*workers*]
# Number of WSGI workers to spawn.
# Optional. Defaults to $::os_workers
#
# [*priority*]
# (optional) The priority for the vhost.
# Defaults to '10'
#
# [*threads*]
# (optional) The number of threads for the vhost.
# Defaults to 1
#
# [*wsgi_process_display_name*]
# (optional) Name of the WSGI process display-name.
# Defaults to undef
#
# [*ssl_cert*]
# [*ssl_key*]
# [*ssl_chain*]
# [*ssl_ca*]
# [*ssl_crl_path*]
# [*ssl_crl*]
# [*ssl_certs_dir*]
# apache::vhost ssl parameters.
# Optional. Default to apache::vhost 'ssl_*' defaults.
#
# [*access_log_file*]
# The log file name for the virtualhost.
# Optional. Defaults to false.
#
# [*access_log_format*]
# The log format for the virtualhost.
# Optional. Defaults to false.
#
# [*error_log_file*]
# The error log file name for the virtualhost.
# Optional. Defaults to undef.
#
# [*custom_wsgi_process_options*]
# (optional) gives you the oportunity to add custom process options or to
# overwrite the default options for the WSGI main process.
# eg. to use a virtual python environment for the WSGI process
# you could set it to:
# { python-path => '/my/python/virtualenv' }
# Defaults to {}
#
# == Dependencies
#
# requires Class['apache'] & Class['nova'] & Class['nova::metadata']
#
# == Examples
#
# include apache
#
# class { 'nova::wsgi::apache_metadata': }
#
class nova::wsgi::apache_metadata (
$servername = $::fqdn,
$api_port = 8775,
$bind_host = undef,
$path = '/',
$ssl = true,
$workers = $::os_workers,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_chain = undef,
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef,
$wsgi_process_display_name = undef,
$threads = 1,
$priority = '10',
$ensure_package = 'present',
$access_log_file = false,
$access_log_format = false,
$error_log_file = undef,
$custom_wsgi_process_options = {},
) {
include ::nova::params
include ::apache
include ::apache::mod::wsgi
if $ssl {
include ::apache::mod::ssl
}
nova::generic_service { 'api':
service_name => false,
package_name => $::nova::params::api_package_name,
ensure_package => $ensure_package,
}
if ! defined(Class[::nova::metadata]) {
fail('::nova::metadata class must be declared in composition layer.')
}
# notify apache on service refreshes
Anchor['nova::service::begin'] ~> Service['httpd']
::openstacklib::wsgi::apache { 'nova_metadata_wsgi':
bind_host => $bind_host,
bind_port => $api_port,
group => 'nova',
path => $path,
priority => $priority,
servername => $servername,
ssl => $ssl,
ssl_ca => $ssl_ca,
ssl_cert => $ssl_cert,
ssl_certs_dir => $ssl_certs_dir,
ssl_chain => $ssl_chain,
ssl_crl => $ssl_crl,
ssl_crl_path => $ssl_crl_path,
ssl_key => $ssl_key,
threads => $threads,
user => 'nova',
workers => $workers,
wsgi_daemon_process => 'nova-metadata',
wsgi_process_display_name => $wsgi_process_display_name,
wsgi_process_group => 'nova-metadata',
wsgi_script_dir => $::nova::params::nova_wsgi_script_path,
wsgi_script_file => 'nova-metadata-api',
wsgi_script_source => $::nova::params::nova_metadata_wsgi_script_source,
custom_wsgi_process_options => $custom_wsgi_process_options,
access_log_file => $access_log_file,
access_log_format => $access_log_format,
error_log_file => $error_log_file,
}
}
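Review bot: `nova::generic_service { 'api':` reuses the title that nova::api appears to use for its own generic service (its manifest references `Nova::Generic_service['api']`), so declaring nova::api and this class on the same node would likely fail with a duplicate declaration; a distinct title such as `nova::generic_service { 'metadata-api':` avoids that. The header also disagrees with the code: `api_port` is documented as 'The port for Nova API service' defaulting to 8774 while the default is 8775, `ensure_package` refers to the Nova Placement API package, and 'nova-metadata-api_port service' looks like a search-and-replace leftover. Since `bind_host` defaults to undef (all addresses) and nova::metadata leaves `neutron/service_metadata_proxy` false unless a secret is given, the doc should recommend binding to the internal address that the Neutron metadata agents use.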


@ -0,0 +1,18 @@
---
features:
- |
Class to serve Nova Metadata API with apache mod_wsgi in place of
nova-metadata-api service. The new classes to configure are
nova::metadata and nova::wsgi::apache_metadata.
deprecations:
- |
The following parameters gets deprecated in nova::api:
nova_metadata_wsgi_enabled, neutron_metadata_proxy_shared_secret,
metadata_cache_expiration, vendordata_jsonfile_path,
vendordata_providers, vendordata_dynamic_targets,
vendordata_dynamic_connect_timeout, vendordata_dynamic_read_timeout,
vendordata_dynamic_failure_fatal, vendordata_dynamic_auth_auth_type,
vendordata_dynamic_auth_auth_url, vendordata_dynamic_auth_os_region_name,
vendordata_dynamic_auth_password, vendordata_dynamic_auth_project_domain_name,
vendordata_dynamic_auth_project_name, vendordata_dynamic_auth_user_domain_name,
vendordata_dynamic_auth_username


@ -325,6 +325,36 @@ describe 'nova::api' do
end
end
context 'when running nova API in wsgi for compute, and metadata in wsgi' do
before do
params.merge!({
:service_name => 'httpd',
:nova_metadata_wsgi_enabled => true })
end
let :pre_condition do
"include ::apache
include ::nova
class { '::nova::keystone::authtoken':
password => 'a_big_secret',
}"
end
it 'disable metadata in evenlet configuration' do
is_expected.to contain_nova_config('DEFAULT/enabled_apis').with('value' => '')
end
it 'disable nova API service' do
is_expected.to contain_service('nova-api').with(
:ensure => 'stopped',
:name => platform_params[:nova_api_service],
:enable => false,
:tag => 'nova-service',
)
end
end
context 'when disabling cinder client installation' do
before do
params.merge!({ :install_cinder_client => false })
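Review bot: This context compiles nova::api on its own, so nothing checks that `nova_metadata_wsgi_enabled => true` can coexist with nova::metadata, the combination the flag exists for. Both classes declare `nova_config { 'DEFAULT/enabled_apis': }` (asserted here with value '' and set from `$enabled_apis` in nova::metadata), which would be a duplicate declaration if they land in one catalog; a further context whose `pre_condition` adds `include ::nova::metadata` would show whether that is the case. The example description also spells eventlet as 'evenlet'. The enclosing describe block starts and ends outside the hunk.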


@ -0,0 +1,160 @@
require 'spec_helper'
describe 'nova::metadata' do
let :pre_condition do
"include nova
class { '::nova::keystone::authtoken':
password => 'passw0rd',
}"
end
let :params do
{}
end
shared_examples 'nova-metadata' do
context 'with default parameters' do
it { is_expected.to contain_class('nova::keystone::authtoken') }
it 'configures various stuff' do
is_expected.to contain_nova_config('DEFAULT/enabled_apis').with('value' => 'metadata')
is_expected.to contain_nova_config('api/metadata_cache_expiration').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_oslo__middleware('nova_config').with(
:enable_proxy_headers_parsing => '<SERVICE DEFAULT>',
)
is_expected.to contain_nova_config('api/metadata_cache_expiration').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_providers').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default')
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => '<SERVICE DEFAULT>')
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default')
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => '<SERVICE DEFAULT>')
end
it 'unconfigures neutron_metadata proxy' do
is_expected.to contain_nova_config('neutron/service_metadata_proxy').with(:value => false)
is_expected.to contain_nova_config('neutron/metadata_proxy_shared_secret').with(:ensure => 'absent')
end
end
context 'with overridden parameters' do
before do
params.merge!({
:neutron_metadata_proxy_shared_secret => 'secrete',
:enable_proxy_headers_parsing => true,
:metadata_cache_expiration => 15,
:vendordata_jsonfile_path => '/tmp',
:vendordata_providers => ['StaticJSON', 'DynamicJSON'],
:vendordata_dynamic_targets => ['join@http://127.0.0.1:9999/v1/'],
:vendordata_dynamic_connect_timeout => 30,
:vendordata_dynamic_read_timeout => 30,
:vendordata_dynamic_failure_fatal => false,
:vendordata_dynamic_auth_auth_type => 'password',
:vendordata_dynamic_auth_auth_url => 'http://127.0.0.1:5000',
:vendordata_dynamic_auth_os_region_name => 'RegionOne',
:vendordata_dynamic_auth_password => 'secrete',
:vendordata_dynamic_auth_project_domain_name => 'Default',
:vendordata_dynamic_auth_project_name => 'project',
:vendordata_dynamic_auth_user_domain_name => 'Default',
:vendordata_dynamic_auth_username => 'user',
})
end
it 'configures various stuff' do
is_expected.to contain_nova_config('api/metadata_cache_expiration').with('value' => '15')
is_expected.to contain_nova_config('api/vendordata_jsonfile_path').with('value' => '/tmp')
is_expected.to contain_nova_config('api/vendordata_providers').with('value' => 'StaticJSON,DynamicJSON')
is_expected.to contain_nova_config('api/vendordata_dynamic_targets').with('value' => 'join@http://127.0.0.1:9999/v1/')
is_expected.to contain_nova_config('api/vendordata_dynamic_connect_timeout').with('value' => '30')
is_expected.to contain_nova_config('api/vendordata_dynamic_read_timeout').with('value' => '30')
is_expected.to contain_nova_config('api/vendordata_dynamic_failure_fatal').with('value' => false)
is_expected.to contain_nova_config('neutron/service_metadata_proxy').with('value' => true)
is_expected.to contain_nova_config('neutron/metadata_proxy_shared_secret').with('value' => 'secrete').with_secret(true)
is_expected.to contain_oslo__middleware('nova_config').with(
:enable_proxy_headers_parsing => true,
)
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_type').with('value' => 'password')
is_expected.to contain_nova_config('vendordata_dynamic_auth/auth_url').with('value' => 'http://127.0.0.1:5000')
is_expected.to contain_nova_config('vendordata_dynamic_auth/os_region_name').with('value' => 'RegionOne')
is_expected.to contain_nova_config('vendordata_dynamic_auth/password').with('value' => 'secrete').with_secret(true)
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_domain_name').with('value' => 'Default')
is_expected.to contain_nova_config('vendordata_dynamic_auth/project_name').with('value' => 'project')
is_expected.to contain_nova_config('vendordata_dynamic_auth/user_domain_name').with('value' => 'Default')
is_expected.to contain_nova_config('vendordata_dynamic_auth/username').with('value' => 'user')
end
end
context 'with default database parameters' do
let :pre_condition do
"include nova
class { '::nova::keystone::authtoken':
password => 'a_big_secret',
}"
end
it { is_expected.to_not contain_nova_config('database/connection') }
it { is_expected.to_not contain_nova_config('database/slave_connection') }
it { is_expected.to_not contain_nova_config('api_database/connection') }
it { is_expected.to_not contain_nova_config('api_database/slave_connection') }
it { is_expected.to_not contain_nova_config('database/idle_timeout').with_value('<SERVICE DEFAULT>') }
end
context 'with overridden database parameters' do
let :pre_condition do
"class { 'nova':
database_connection => 'mysql://user:pass@db/db1',
slave_connection => 'mysql://user:pass@slave/db1',
api_database_connection => 'mysql://user:pass@db/db2',
api_slave_connection => 'mysql://user:pass@slave/db2',
database_idle_timeout => '30',
}
class { '::nova::keystone::authtoken':
password => 'passw0rd',
}
"
end
it { is_expected.to contain_nova_config('api_database/connection').with_value('mysql://user:pass@db/db2').with_secret(true) }
it { is_expected.to contain_nova_config('api_database/slave_connection').with_value('mysql://user:pass@slave/db2').with_secret(true) }
it { is_expected.to contain_oslo__db('nova_config').with(
:connection => 'mysql://user:pass@db/db1',
:slave_connection => 'mysql://user:pass@slave/db1',
:idle_timeout => '30',
)}
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts({ :os_workers => 5 }))
end
let (:platform_params) do
case facts[:osfamily]
when 'Debian'
{ :nova_api_package => 'nova-api',
:nova_api_service => 'nova-api' }
when 'RedHat'
{ :nova_api_package => 'openstack-nova-api',
:nova_api_service => 'openstack-nova-api' }
end
end
it_behaves_like 'nova-metadata'
end
end
end
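Review bot: `platform_params` is built per OS family at the bottom of the file but the 'nova-metadata' shared examples never read it, and `api/metadata_cache_expiration` is asserted twice in the default-parameters example; both can go. `is_expected.to_not contain_nova_config('database/idle_timeout').with_value('<SERVICE DEFAULT>')` passes whether the resource is absent or merely has another value, so it should drop `.with_value(...)` if absence is what is meant. The commit also adds no spec for nova::wsgi::apache_metadata, so its `fail()` guard for a missing nova::metadata and its port default are untested.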