Convert keystone to use uwsgi with the proxy
This makes keystone use the proxy uwsgi module when running in uwsgi mode. It also introduces a new stackrc variable, WSGI_MODE, that we can use to control the conditionals in services that currently work with mod_wsgi. Also update retry timeouts on proxy pass so that workers don't disable their connections during polling for initial activity. Change-Id: I46294fb24e3c23fa19fcfd7d6c9ee8a932354702
parent
64ffff9b7d
commit
6ed53156b6
@ -260,7 +260,7 @@ function write_uwsgi_config {
|
||||
else
|
||||
local apache_conf=""
|
||||
apache_conf=$(apache_site_config_for $name)
|
||||
echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\"" | sudo tee $apache_conf
|
||||
echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee $apache_conf
|
||||
enable_apache_site $name
|
||||
reload_apache_server
|
||||
fi
|
||||
|
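Review bot: The new `ProxyPass` line in write_uwsgi_config is piped to `sudo tee $apache_conf` with the path unquoted, and the line above it calls `apache_site_config_for $name` unquoted too, so a service name containing whitespace or glob characters would make a root-run `tee` write somewhere other than the intended site file. Quote both: `apache_conf=$(apache_site_config_for "$name")` and `... | sudo tee "$apache_conf"`. The added `retry=0 ` also carries a trailing space inside the string and has no explanation; a comment such as `# retry=0: never park the uwsgi backend in error state while it is still starting` would record why it is there. The function starts and ends outside this hunk.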
46
lib/keystone
46
lib/keystone
@ -55,21 +55,13 @@ KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini
|
||||
KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
|
||||
KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
|
||||
|
||||
# Toggle for deploying Keystone under HTTPD + mod_wsgi
|
||||
# Deprecated in Mitaka, use KEYSTONE_DEPLOY instead.
|
||||
KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}}
|
||||
|
||||
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
|
||||
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
|
||||
# - uwsgi : Run keystone under uwsgi
|
||||
if [ -z "$KEYSTONE_DEPLOY" ]; then
|
||||
if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then
|
||||
KEYSTONE_DEPLOY=mod_wsgi
|
||||
elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then
|
||||
KEYSTONE_DEPLOY=mod_wsgi
|
||||
else
|
||||
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
|
||||
KEYSTONE_DEPLOY=uwsgi
|
||||
fi
|
||||
else
|
||||
KEYSTONE_DEPLOY=mod_wsgi
|
||||
fi
|
||||
|
||||
# Select the token persistence backend driver
|
||||
@ -121,15 +113,8 @@ if is_service_enabled tls-proxy; then
|
||||
KEYSTONE_SERVICE_PROTOCOL="https"
|
||||
fi
|
||||
|
||||
# complete URIs
|
||||
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
||||
# If running in Apache, use path access rather than port.
|
||||
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
|
||||
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
|
||||
else
|
||||
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
|
||||
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
|
||||
fi
|
||||
KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
|
||||
KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
|
||||
|
||||
# V3 URIs
|
||||
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
|
||||
@ -155,8 +140,15 @@ function is_keystone_enabled {
|
||||
# cleanup_keystone() - Remove residual data files, anything left over from previous
|
||||
# runs that a clean run would need to clean up
|
||||
function cleanup_keystone {
|
||||
if [[ "$WSGI_MODE" == "uwsgi" ]]; then
|
||||
remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
|
||||
remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
|
||||
sudo rm -f $(apache_site_config_for keystone-wsgi-public)
|
||||
sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
|
||||
else
|
||||
disable_apache_site keystone
|
||||
sudo rm -f $(apache_site_config_for keystone)
|
||||
fi
|
||||
}
|
||||
|
||||
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
|
||||
@ -256,10 +248,8 @@ function configure_keystone {
|
||||
# work when you want to use a different port (in the case of proxy), or you
|
||||
# don't want the port (in the case of putting keystone on a path in
|
||||
# apache).
|
||||
if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
||||
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
|
||||
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
|
||||
fi
|
||||
|
||||
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
|
||||
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
|
||||
@ -285,9 +275,8 @@ function configure_keystone {
|
||||
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
|
||||
_config_keystone_apache_wsgi
|
||||
else # uwsgi
|
||||
# iniset creates these files when it's called if they don't exist.
|
||||
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
|
||||
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
|
||||
write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
|
||||
write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
|
||||
fi
|
||||
|
||||
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
|
||||
@ -568,10 +557,7 @@ function start_keystone {
|
||||
# unencryted traffic at this point.
|
||||
# If running in Apache, use the path rather than port.
|
||||
|
||||
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/
|
||||
if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
|
||||
service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
|
||||
fi
|
||||
local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
|
||||
|
||||
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
|
||||
die $LINENO "keystone did not start"
|
||||
@ -595,6 +581,8 @@ function stop_keystone {
|
||||
else
|
||||
stop_process key-p
|
||||
stop_process key-a
|
||||
remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
|
||||
remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
|
||||
fi
|
||||
# Kill the Keystone screen window
|
||||
stop_process key
|
||||
|
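Review bot: In configure_keystone's uwsgi branch the `/identity_admin` call to `write_uwsgi_config` appears to lose its fourth argument, `"$KEYSTONE_ADMIN_BIND_HOST:$auth_port"`, so the admin application is no longer tied to its own bind address and port and is reached through the same Apache front end as `/identity`, separated by path only. A deployment that relied on KEYSTONE_ADMIN_BIND_HOST or a port-based firewall rule to keep the admin API off a public interface loses that control without any message. The rendering has lost the +/- markers, so which pair of calls is the new one is inferred from the commit description. I would document this next to the calls, e.g. `# uwsgi mode: both apps are served via the Apache proxy; KEYSTONE_ADMIN_BIND_HOST and the admin port are not applied here`. configure_keystone begins and ends outside the hunk.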
4
openrc
4
openrc
@ -73,8 +73,6 @@ else
|
||||
fi
|
||||
|
||||
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
|
||||
KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
|
||||
KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
|
||||
|
||||
# Identity API version
|
||||
export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
|
||||
@ -84,7 +82,7 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
|
||||
# the user/project has access to - including nova, glance, keystone, swift, ...
|
||||
# We currently recommend using the version 3 *identity api*.
|
||||
#
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
|
||||
export OS_AUTH_URL=$KEYSTONE_AUTH_URI
|
||||
|
||||
# Currently, in order to use openstackclient with Identity API v3,
|
||||
# we need to set the domain which the user and project belong to.
|
||||
|
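Review bot: `export OS_AUTH_URL=$KEYSTONE_AUTH_URI` depends on a variable that none of the visible openrc lines set, so when openrc is sourced without it the client gets an empty auth URL and fails with an unhelpful error. As defined in the lib/keystone section of this commit, the value is the `/identity_admin` path with no version suffix, while the other `OS_AUTH_URL` line in this hunk (presumably the one being replaced) ended in `/v${OS_IDENTITY_API_VERSION}`; confirm that both the admin path and the missing version are intended for end-user credentials. A guard directly after the export would make the failure obvious: `[[ -n "$OS_AUTH_URL" ]] || echo "openrc: KEYSTONE_AUTH_URI is not set" >&2`. Only part of the file is visible here.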
6
stackrc
6
stackrc
@ -225,6 +225,12 @@ DATABASE_QUERY_LOGGING=$(trueorfalse False DATABASE_QUERY_LOGGING)
|
||||
# Zero disables timeouts
|
||||
GIT_TIMEOUT=${GIT_TIMEOUT:-0}
|
||||
|
||||
# How should we be handling WSGI deployments. By default we're going
|
||||
# to allow for 2 modes, which is "uwsgi" which runs with an apache
|
||||
# proxy uwsgi in front of it, or "mod_wsgi", which runs in
|
||||
# apache. mod_wsgi is deprecated, don't use it.
|
||||
WSGI_MODE=${WSGI_MODE:-"uwsgi"}
|
||||
|
||||
# Repositories
|
||||
# ------------
|
||||
|
||||
|
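Review bot: `WSGI_MODE=${WSGI_MODE:-"uwsgi"}` accepts any string, and the lib/keystone section of this commit treats every value other than `uwsgi` as mod_wsgi, which the comment here calls deprecated. A misspelt value therefore selects the deprecated path without any message. I would validate right after the assignment, for example `[[ "$WSGI_MODE" == "uwsgi" || "$WSGI_MODE" == "mod_wsgi" ]] || die $LINENO "WSGI_MODE must be uwsgi or mod_wsgi"`, assuming `die` is already available when stackrc is read (it is used in lib/keystone); otherwise print the message to stderr.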