Wire-in Apache MPM module parameters and switch it

Allow configuring the Apache MPM module for the containerized API/WSGI'ish
services running Apache as a backend. Change the default from 'prefork'
to 'event', which is a low level change and should provide no sensible
upgrade impact. This alleviates the related heartbeats threading issue
arising with the monkey-patched eventlet.

Merge the missing ApacheServiceBase config settings for Octavia API,
Horizon and Ironic PXE. This is needed to apply the base Apache
service hiera settings, including MPM module switches, for those
as well.

Related-bug: #1829062

Change-Id: Ia65af7a9d6ae106a61ec52912bebba72830d5f28
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
Bogdan Dobrelya 2019-07-17 18:38:06 +02:00
parent 80d12514d5
commit 09cfcc1464
22 changed files with 206 additions and 3 deletions

@ -52,6 +52,12 @@ parameters:
e.g. { aodh-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -84,6 +90,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -47,10 +47,17 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
use_mpm_prefork: {equals: [{get_param: ApacheMPMModule}, 'prefork']}
resources:
@ -90,14 +97,22 @@ outputs:
apache::trace_enable: 'Off'
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::alias::icons_options: 'None'
- if:
- use_mpm_prefork
-
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
tripleo::profile::base::apache::mpm_module: 'prefork'
-
apache::mod::event::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::event::serverlimit: { get_param: ApacheServerLimit }
tripleo::profile::base::apache::mpm_module: 'event'
- if:
- internal_tls_enabled
-
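Review bot: in the two branches under `use_mpm_prefork`, `apache::mod::event::maxclients` and `apache::mod::event::serverlimit` take the same ApacheMaxRequestWorkers and ApacheServerLimit values as the prefork keys, but the two MPMs read them differently. Under prefork each server process handles one connection, while under event ServerLimit caps the number of processes, each running ThreadsPerChild threads, and the worker limit counts threads. Values tuned for prefork will therefore size the server differently once the default is 'event'. Consider saying so in the parameter descriptions, or setting the threads per child explicitly in the event branch, so the connection ceiling an operator configured (and the memory headroom under load that goes with it) stays predictable.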

@ -78,6 +78,12 @@ parameters:
type: string
default: 'messagingv2'
description: Driver or drivers to handle sending notifications.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -111,6 +117,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -101,6 +101,12 @@ parameters:
description: >
Cron to delete events from db - Week Day
default: '*'
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
service_debug_unset: {equals : [{get_param: PankoDebug}, '']}
@ -123,6 +129,7 @@ resources:
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
PankoApiLogging:
type: OS::TripleO::Services::Logging::PankoApi

@ -78,6 +78,12 @@ parameters:
e.g. { ec2api-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -102,6 +108,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -227,6 +227,12 @@ parameters:
ContainerGlanceApiConfigImage:
description: The container image to use for the glance_api config_volume
type: string
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -282,6 +288,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -106,6 +106,12 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
cors_allowed_origin_unset: {equals : [{get_param: GnocchiCorsAllowedOrigin}, '']}
@ -135,6 +141,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -60,6 +60,12 @@ parameters:
MonitoringSubscriptionHeatApiCnf:
default: 'overcloud-heat-api-cfn'
type: string
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -80,6 +86,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
HeatBase:

@ -74,6 +74,12 @@ parameters:
e.g. { heat-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -94,6 +100,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
HeatBase:

@ -124,6 +124,12 @@ parameters:
description: Specifies a mapping from SSO authentication choice to identity
provider and protocol. The identity provider and protocol names
must match the resources defined in keystone.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
debug_unset: {equals : [{get_param: Debug}, '']}
@ -135,6 +141,18 @@ resources:
ContainersCommon:
type: ../containers-common.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Horizon API role.
@ -143,6 +161,7 @@ outputs:
monitoring_subscription: {get_param: MonitoringSubscriptionHorizon}
config_settings:
map_merge:
- get_attr: [ApacheServiceBase, role_data, config_settings]
- horizon::allowed_hosts: {get_param: HorizonAllowedHosts}
tripleo::horizon::firewall_rules:
'126 horizon':
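Review bot: the added `- get_attr: [ApacheServiceBase, role_data, config_settings]` entry gives Horizon the whole base Apache hiera set, not only the MPM switch. Going by the base template's outputs shown earlier in this change, that includes keys such as `apache::mod::remoteip::proxy_ips` and `apache::server_tokens`. Placing the entry first in `map_merge` is right, since Horizon's own keys still win on a collision, but the upgrade note should say that Horizon, Octavia API and Ironic PXE now pick up these settings so operators can review the effect on the rendered Apache configuration.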

@ -61,6 +61,12 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@ -77,6 +83,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:

@ -36,18 +36,37 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
resources:
ContainersCommon:
type: ../containers-common.yaml
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: false
outputs:
role_data:
description: Role data for the Ironic PXE role.
value:
service_name: ironic_pxe
config_settings: {}
config_settings:
get_attr: [ApacheServiceBase, role_data, config_settings]
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
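Review bot: `EnableInternalTLS: false` is hard-coded in the new ApacheServiceBase resource, whereas every other template in this change passes `{get_param: EnableInternalTLS}`. With the literal, the base template's `internal_tls_enabled` branch can never apply to this service, even on a deployment that turns internal TLS on. If that is intended for PXE, a comment saying so would help; otherwise declare the parameter in this template and pass it through. Note also that `config_settings` goes from `{}` to the full base Apache settings, which is a larger change for this role than the MPM switch alone.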

@ -340,6 +340,12 @@ parameters:
description: >-
Attribute to be used to obtain the entity ID of the Identity Provider
from the environment.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
KeystoneOpenIdcEnableOAuth:
type: boolean
default: false
@ -368,6 +374,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
KeystoneLogging:

@ -54,6 +54,12 @@ parameters:
MonitoringSubscriptionManilaApi:
default: 'overcloud-manila-api'
type: string
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -87,6 +93,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -152,6 +152,12 @@ parameters:
removed in Ocata. Future releases will enable L3 HA by default if it is
appropriate for the deployment type. Alternate mechanisms will be
available to override.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
parameter_groups:
- label: deprecated
description: |
@ -184,6 +190,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:

@ -95,6 +95,12 @@ parameters:
e.g. { nova-context_is_admin: { key: context_is_admin, value: 'role:admin' } }
default: {}
type: json
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -129,6 +135,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
NovaBase:

@ -63,6 +63,12 @@ parameters:
MonitoringSubscriptionNovaMetadata:
default: 'overcloud-nova-metadata'
type: string
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@ -89,6 +95,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
NovaBase:

@ -80,6 +80,12 @@ parameters:
default: true
description: Configure the nova flavor for the amphora.
type: boolean
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -114,6 +120,18 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheServiceBase:
type: ../../deployment/apache/apache-baremetal-puppet.yaml
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:
role_data:
description: Role data for the Octavia API role.
@ -124,6 +142,7 @@ outputs:
map_merge:
- {get_attr: [OctaviaBase, role_data, config_settings]}
- {get_attr: [OctaviaWorker, role_data, config_settings]}
- {get_attr: [ApacheServiceBase, role_data, config_settings]}
- octavia::keystone::authtoken::www_authenticate_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] }
octavia::policy::policies: {get_param: OctaviaApiPolicies}
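Review bot: `ApacheServiceBase` is merged third in this `map_merge`, after `OctaviaBase` and `OctaviaWorker`, while the Horizon template in this change puts it first. Later maps win in `map_merge`, so in this position a base Apache key would override the same key coming from OctaviaBase or OctaviaWorker. Moving the entry to the top of the list keeps the precedence the same across templates and lets service settings always override the shared base.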

@ -68,6 +68,12 @@ parameters:
description: The password for the nova service and db account
type: string
hidden: true
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
placement_workers_zero: {equals : [{get_param: PlacementWorkers}, 0]}
@ -84,6 +90,7 @@ resources:
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:

@ -87,6 +87,12 @@ parameters:
default: ''
description: Indicate whether this resource may be shared with the domain received in the request
"origin" header.
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
@ -119,6 +125,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
outputs:

@ -79,6 +79,12 @@ parameters:
description: The password for the redis service account.
type: string
hidden: true
ApacheMPMModule:
type: string
default: 'event'
description: Specifies the used MPM module for Apache.
constraints:
- allowed_values: ['prefork', 'event']
conditions:
internal_tls_enabled: {get_param: EnableInternalTLS}
@ -97,6 +103,7 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
ApacheMPMModule: {get_param: ApacheMPMModule}
EnableInternalTLS: {get_param: EnableInternalTLS}
ContainersCommon:

@ -0,0 +1,12 @@
---
features:
- |
Add the 'ApacheMPMModule' parameter to control the used Apache MPM module
for the containerized API services executed as WSGI applications. Defaults
to 'prefork'.
upgrade:
- |
Switch 'ApacheMPMModule' to 'event' for better TCP keep alive handling for
WSGI applications executing heartbeat threads, which is the most of
OpenStack API services. This work-arounds
`bug 1829062 <https://bugs.launchpad.net/tripleo/+bug/1829062>`_.
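Review bot: the features entry ends with "Defaults to 'prefork'", but every template in this change declares `default: 'event'` and the upgrade entry says the value is switched to 'event'. The features text should state the actual default so operators reading only that section are not misled. While editing, "This work-arounds" should read "This works around" and "which is the most of" should read "which is most of".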