Move nova-metadata api to httpd wsgi

Upstream will deprecate usage of eventlet of all the WSGI-run services, including nova-api and nova-metadata-api. See https://review.openstack.org/#/c/549510/ for more details. With this change we move nova-metadata to run via httpd wsgi and therefore uses its own config volume. Closes-Bug: 1781405 Change-Id: I7206925c5416814bcbf92021e606afeaedde4b1b Depends-On: Ic65736cb0e95c400a728cd699ecf06c6aecff832 Depends-On: Ic46acdbac280ac648ec5ed9d7af0139126334fe0 Depends-On: I47d79ab8e274e94cbe0d4cadd204e63cbbe3dca8 Depends-On: I069510b8dfc8e6a7c5ff6f07826f10a2038856d7 Depends-On: I3d572dda2e90b7e24f2f8912d704462b9332d807
2018-07-13 16:57:31 +02:00 · 2018-07-13 16:57:31 +02:00 · a823be0733
commit a823be0733
parent fa8b4bb955
7 changed files with 241 additions and 102 deletions
--- a/docker/services/logging/files/nova-metadata.yaml
+++ b/docker/services/logging/files/nova-metadata.yaml
@ -0,0 +1,46 @@
 heat_template_version: rocky
 description: >
  Template for nova-metadata's logging to files
 parameters:
  DockerNovaMetadataImage:
    description: image
    type: string
 outputs:
  config_settings:
    description: Extra hieradata needed to log to files in the host.
    value: null
  volumes:
    description: The volumes needed to log to files in the host.
    value: &nova_metadata_volumes
      - /var/log/containers/nova:/var/log/nova
      - /var/log/containers/httpd/nova-metadata:/var/log/httpd
  docker_config:
    description: Extra containers needed for logging to files in the host.
    value:
      step_2:
        nova_metadata_init_logs:
          image: {get_param: DockerNovaMetadataImage}
          privileged: false
          user: root
          volumes: *nova_metadata_volumes
          command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova']
  host_prep_tasks:
    description: Extra ansible tasks needed for logging to files in the host.
    value:
      - name: create persistent logs directory
        file:
          path: "{{ item }}"
          state: directory
        with_items:
          - /var/log/containers/nova
          - /var/log/containers/httpd/nova-metadata
      - name: nova logs readme
        copy:
          dest: /var/log/nova/readme.txt
          content: |
            Log files from nova containers can be found under
            /var/log/containers/nova and /var/log/containers/httpd/nova-*.
        ignore_errors: true
--- a/docker/services/logging/stdout/nova-metadata.yaml
+++ b/docker/services/logging/stdout/nova-metadata.yaml
@ -0,0 +1,60 @@
 heat_template_version: rocky
 description: >
  Template for nova-metadata's logging to stdout
 parameters:
  DockerNovaMetadataImage:
    description: image
    type: string
 outputs:
  config_settings:
    description: Extra hieradata needed to log to stdout.
    value:
      nova::wsgi::apache_metadata::access_log_file: /var/log/httpd/access.log
      nova::wsgi::apache_metadata::error_log_file: /var/log/httpd/error_log
  volumes:
    description: The volumes needed to log to stdout or a sidecar container.
    value:
      - NovaMetadataLogs:/var/log/
  docker_config:
    description: Extra containers needed for logging to stdout or a sidecar container.
    value:
      step_2:
        nova_metadata_apache_error_logs:
          start_order: 1
          image: {get_param: DockerNovaMetadataImage}
          user: root
          privileged: false
          restart: always
          healthcheck:
            test: '[ -p /var/log/httpd/error_log ]'
          command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && rm -f /var/log/httpd/error_log && mkfifo /var/log/httpd/error_log && while true; do cat /var/log/httpd/error_log; done']
          volumes:
            - NovaMetadataLogs:/var/log/
        nova_metadata_apache_access_logs:
          start_order: 1
          image: {get_param: DockerNovaMetadataImage}
          user: root
          privileged: false
          restart: always
          healthcheck:
            test: '[ -p /var/log/httpd/access.log ]'
          command: ['/bin/bash', '-c', 'mkdir -p /var/log/httpd && rm -f /var/log/httpd/access.log && mkfifo /var/log/httpd/access.log && while true; do cat /var/log/httpd/access.log; done']
          volumes:
            - NovaMetadataLogs:/var/log/
        nova_metadata_logs:
          start_order: 2
          image: {get_param: DockerNovaMetadataImage}
          user: nova
          privileged: false
          restart: always
          healthcheck:
            test: '[ -p /var/log/nova/nova-metadata-api.log ]'
          command: ['/bin/bash', '-c', 'mkdir -p /var/log/nova && rm -f /var/log/nova/nova-metadata-api.log && mkfifo /var/log/nova/nova-metadata-api.log && while true; do cat /var/log/nova/nova-metadata-api.log; done']
          volumes:
            - NovaMetadataLogs:/var/log/
  host_prep_tasks:
    description: Extra ansible tasks needed for logging to files in the host.
    value: null
--- a/docker/services/nova-metadata.yaml
+++ b/docker/services/nova-metadata.yaml
@ -7,7 +7,7 @@ parameters:
  DockerNovaMetadataImage:
    description: image
    type: string
-  DockerNovaConfigImage:
+  DockerNovaMetadataConfigImage:
    description: The container image to use for the nova config_volume
    type: string
  NovaMetadataLoggingSource:
@ -41,12 +41,22 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
 conditions:
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
  ContainersCommon:
    type: ./containers-common.yaml
  MySQLClient:
    type: ../../puppet/services/database/mysql-client.yaml
  NovaMetadataBase:
    type: ../../puppet/services/nova-metadata.yaml
    properties:
@ -57,11 +67,8 @@ resources:
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
-  NovaLogging:
+  NovaMetadataLogging:
-    type: OS::TripleO::Services::Logging::NovaCommon
+    type: OS::TripleO::Services::Logging::NovaMetadata
    properties:
      DockerNovaImage: {get_param: DockerNovaMetadataImage}
      NovaServiceName: 'metadata'
 outputs:
  role_data:
@ -71,7 +78,8 @@ outputs:
      config_settings:
        map_merge:
          - get_attr: [NovaMetadataBase, role_data, config_settings]
-          - {get_attr: [NovaLogging, config_settings]}
+          - get_attr: [NovaMetadataLogging, config_settings]
          - apache::default_vhost: false
      logging_source: {get_attr: [NovaMetadataBase, role_data, logging_source]}
      service_config_settings:
        map_merge:
@ -83,18 +91,17 @@ outputs:
                - {get_param: NovaMetadataLoggingSource}
      # BEGIN DOCKER SETTINGS
      puppet_config:
-        config_volume: nova
+        config_volume: nova_metadata
        puppet_tags: nova_config
        step_config:
-          get_attr: [NovaMetadataBase, role_data, step_config]
+          list_join:
-        config_image: {get_param: DockerNovaConfigImage}
+            - "\n"
            - - {get_attr: [NovaMetadataBase, role_data, step_config]}
              - {get_attr: [MySQLClient, role_data, step_config]}
        config_image: {get_param: DockerNovaMetadataConfigImage}
      kolla_config:
        /var/lib/kolla/config_files/nova_metadata.json:
-          command:
+          command: /usr/sbin/httpd -DFOREGROUND
            list_join:
            - ' '
            - - /usr/bin/nova-api-metadata
              - get_attr: [NovaLogging, cmd_extra_args]
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
@ -106,65 +113,35 @@ outputs:
              recurse: true
      docker_config:
        step_2:
-          get_attr: [NovaLogging, docker_config, step_2]
+          get_attr: [NovaMetadataLogging, docker_config, step_2]
        step_4:
          nova_metadata:
            start_order: 2
-            image: &nova_metadata_image {get_param: DockerNovaMetadataImage}
+            image: {get_param: DockerNovaMetadataImage}
            net: host
-            user: nova
+            user: root
            privileged: true
            restart: always
            healthcheck:
              test: /openstack/healthcheck
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
-                - {get_attr: [NovaLogging, volumes]}
+                - {get_attr: [NovaMetadataLogging, volumes]}
                -
                  - /var/lib/kolla/config_files/nova_metadata.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
+                  - /var/lib/config-data/puppet-generated/nova_metadata/:/var/lib/kolla/config_files/src:ro
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
                      - ''
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
                      - ''
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
        get_attr: [NovaMetadataBase, role_data, metadata_settings]
-      host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
+      host_prep_tasks: {get_attr: [NovaMetadataLogging, host_prep_tasks]}
      upgrade_tasks:
        - when: step|int == 0
          tags: common
          block:
            - name: Check if nova_api_metadata is deployed
              command: systemctl is-enabled --quiet openstack-nova-api
              ignore_errors: True
              register: nova_metadata_enabled_result
            - name: Set fact nova_metadata_enabled
              set_fact:
                nova_metadata_enabled: "{{ nova_metadata_enabled_result.rc == 0 }}"
            - name: "PreUpgrade step0,validation: Check service openstack-nova-api is running"
              command: systemctl is-active --quiet openstack-nova-api
              tags: validation
              when: nova_metadata_enabled|bool
        - when: step|int == 2
          block:
            - name: Stop and disable nova_api service
              when: nova_metadata_enabled|bool
              service: name=openstack-nova-api state=stopped enabled=no
      fast_forward_upgrade_tasks:
        - when:
            - step|int == 0
            - release == 'ocata'
          block:
            - name: Check if nova_api_metadata is deployed
              command: systemctl is-enabled --quiet openstack-nova-api
              tags: common
              ignore_errors: True
              register: nova_metadata_enabled_result
            - name: Set fact nova_metadata_enabled
              set_fact:
                nova_metadata_enabled: "{{ nova_metadata_enabled_result.rc == 0 }}"
        - name: Stop and disable nova_api service
          when:
            - step|int == 1
            - release == 'ocata'
            - nova_metadata_enabled|bool
          service: name=openstack-nova-api state=stopped enabled=no
--- a/environments/stdout-logging.yaml
+++ b/environments/stdout-logging.yaml
@ -13,5 +13,6 @@ resource_registry:
  OS::TripleO::Services::Logging::NovaApi: ../docker/services/logging/stdout/nova-api.yaml
  OS::TripleO::Services::Logging::NovaCommon: ../docker/services/logging/stdout/nova-common.yaml
  OS::TripleO::Services::Logging::NovaPlacement: ../docker/services/logging/stdout/nova-placement.yaml
  OS::TripleO::Services::Logging::NovaMetadata: ../docker/services/logging/stdout/nova-metadata.yaml
  OS::TripleO::Services::Logging::NovaLibvirt: ../docker/services/logging/stdout/nova-libvirt.yaml
  OS::TripleO::Services::Logging::PankoApi: ../docker/services/logging/stdout/panko-api.yaml
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -343,6 +343,7 @@ resource_registry:
  OS::TripleO::Services::Logging::NeutronApi: docker/services/logging/files/neutron-api.yaml
  OS::TripleO::Services::Logging::NeutronCommon: docker/services/logging/files/neutron-common.yaml
  OS::TripleO::Services::Logging::NovaApi: docker/services/logging/files/nova-api.yaml
  OS::TripleO::Services::Logging::NovaMetadata: docker/services/logging/files/nova-metadata.yaml
  OS::TripleO::Services::Logging::NovaCommon: docker/services/logging/files/nova-common.yaml
  OS::TripleO::Services::Logging::NovaLibvirt: OS::Heat::None
  OS::TripleO::Services::Logging::NovaPlacement: docker/services/logging/files/nova-placement.yaml
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@ -1,7 +1,7 @@
 heat_template_version: rocky
 description: >
-  OpenStack Nova API service configured with Puppet
+  OpenStack Nova Metadata API service configured with Puppet
 parameters:
  ServiceData:
@ -34,75 +34,122 @@ parameters:
    default: 0
    description: Number of workers for Nova services.
    type: number
-  EnableInternalTLS:
+  NovaPassword:
-    type: boolean
+    description: The password for the nova service and db account
-    default: false
+    type: string
    hidden: true
  KeystoneRegion:
    type: string
    default: 'regionOne'
    description: Keystone region for endpoint
  NeutronMetadataProxySharedSecret:
    description: Shared secret to prevent spoofing
    type: string
    hidden: true
  MonitoringSubscriptionNovaMetadata:
    default: 'overcloud-nova-metadata'
    type: string
  NovaMetadataLoggingSource:
    type: json
    default:
-      tag: openstack.nova.api.metadata
+      tag: openstack.nova.metadata
-      path: /var/log/nova/nova-api-metadata.log
+      path: /var/log/httpd/nova_metadata_wsgi_error_ssl.log
  EnableInternalTLS:
    type: boolean
    default: false
 conditions:
  nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
 resources:
  ApacheServiceBase:
    type: ./apache.yaml
    properties:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
      EnableInternalTLS: {get_param: EnableInternalTLS}
-  TLSProxyBase:
+  NovaBase:
-    type: OS::TripleO::Services::TLSProxyBase
+    type: ./nova-base.yaml
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
-      EnableInternalTLS: {get_param: EnableInternalTLS}
+      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
 outputs:
  role_data:
    description: Role data for the Nova Metadata service.
    value:
      service_name: nova_metadata
      monitoring_subscription: {get_param: MonitoringSubscriptionNovaMetadata}
      config_settings:
        map_merge:
-        - get_attr: [TLSProxyBase, role_data, config_settings]
+        - get_attr: [NovaBase, role_data, config_settings]
-        - nova::api::metadata_listen:
+        - get_attr: [ApacheServiceBase, role_data, config_settings]
-            if:
+        - tripleo.nova_placement.firewall_rules:
-            - use_tls_proxy
+            '139 nova_metadata':
-            - 'localhost'
+              dport:
-            - str_replace:
+                - 8775
-                template:
+                - 13775
-                  "%{hiera('$NETWORK')}"
+          nova::keystone::authtoken::project_name: 'service'
-                params:
+          nova::keystone::authtoken::password: {get_param: NovaPassword}
-                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+          nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
          nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
          nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
          nova::metadata::enable_proxy_headers_parsing: true
          nova_metadata_wsgi_enabled: true
          nova::wsgi::apache_metadata::api_port: '8775'
          nova::wsgi::apache_metadata::ssl: {get_param: EnableInternalTLS}
          # NOTE: bind IP is found in Heat replacing the network name with the local node IP
          # for the given network; replacement examples (eg. for internal_api):
          # internal_api -> IP
          # internal_api_uri -> [IP]
          # internal_api_subnet - > IP/CIDR
          nova::wsgi::apache_metadata::bind_host:
            str_replace:
              template:
                "%{hiera('$NETWORK')}"
              params:
                $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
          nova::wsgi::apache_metadata::servername:
            str_replace:
              template:
                "%{hiera('fqdn_$NETWORK')}"
              params:
                $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
        -
          if:
          - nova_workers_zero
          - {}
-          - nova::api::metadata_workers: {get_param: NovaWorkers}
+          - nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
-        -
+      step_config: |
-          if:
+        include tripleo::profile::base::nova::metadata
          - use_tls_proxy
          - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip:
              str_replace:
                 template:
                   "%{hiera('$NETWORK')}"
                 params:
                   $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
            tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn:
              str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
          - {}
      step_config: ""
      service_config_settings:
        fluentd:
          tripleo_fluentd_groups_nova_metadata:
            - nova
          tripleo_fluentd_sources_nova_metadata:
            - {get_param: NovaMetadataLoggingSource}
-      metadata_settings:
+        keystone:
-        get_attr: [TLSProxyBase, role_data, metadata_settings]
+          nova::keystone::auth::tenant: 'service'
          nova::keystone::auth::public_url: {get_param: [EndpointMap, NovaPublic, uri]}
          nova::keystone::auth::internal_url: {get_param: [EndpointMap, NovaInternal, uri]}
          nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]}
          nova::keystone::auth::password: {get_param: NovaPassword}
          nova::keystone::auth::region: {get_param: KeystoneRegion}
        mysql:
          map_merge:
          - {get_attr: [NovaBase, role_data, service_config_settings, mysql]}
          - nova::db::mysql_api::password: {get_param: NovaPassword}
            nova::db::mysql_api::user: nova_api
            nova::db::mysql_api::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
            nova::db::mysql_api::dbname: nova_api
            nova::db::mysql_api::allowed_hosts:
              - '%'
              - "%{hiera('mysql_bind_host')}"
--- a/releasenotes/notes/nova_metadata_wsgi-bfb240bc84194d05.yaml
+++ b/releasenotes/notes/nova_metadata_wsgi-bfb240bc84194d05.yaml
@ -0,0 +1,7 @@
 ---
 features:
  - |
    Usage of eventlet of all the WSGI-run nova services get
    deprecated, including nova-api and nova-metadata-api.
    See https://review.openstack.org/#/c/549510/ for more details.
    With this change we move nova-metadata to run via httpd wsgi.