a3488d5f00
Calling setenv appears to be globally scoped which is breaking the glance path which relies on chunked uploads. The glance path is separated by using mod_proxy instead of mod_proxy_uwsgi because mod_proxy_uwsgi doesn't support chunked encoding.[1] The proxy-sendcl [2] was set on the mod_proxy_uwsgi path just in case someone tried to send a chunked request to the api server we would be able to handle it. It tells apache to locally cache the chunked request and send the content-length as a normal upload to the upstream server. However, if we can only set it globally across then small potential benefit is not worth having all glance uploads cached by apache. This commit just removes setting the flag. In the future if we can have devstack isolate this flag it might be worth adding back to the mod_proxy_uwsgi path, but for right now it's not worth the tradeoff. [1] https://github.com/unbit/uwsgi/issues/1540 [2] https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#request-bodies Depends-On: Idf6b4b891ba31cccbeb53d373b40fce5380cea64 Change-Id: Iab2e2848877fa1497008d18c05b0154892941589 Closes-Bug: #1709970
360 lines
13 KiB
Bash
360 lines
13 KiB
Bash
#!/bin/bash
|
|
#
|
|
# lib/apache
|
|
# Functions to control configuration and operation of apache web server
|
|
|
|
# Dependencies:
|
|
#
|
|
# - ``functions`` file
|
|
# - ``STACK_USER`` must be defined
|
|
#
|
|
# lib/apache exports the following functions:
|
|
#
|
|
# - install_apache_wsgi
|
|
# - apache_site_config_for
|
|
# - enable_apache_site
|
|
# - disable_apache_site
|
|
# - start_apache_server
|
|
# - stop_apache_server
|
|
# - restart_apache_server
|
|
|
|
# Save trace setting
|
|
_XTRACE_LIB_APACHE=$(set +o | grep xtrace)
|
|
set +o xtrace
|
|
|
|
# Allow overriding the default Apache user and group, default to
|
|
# current user and his default group.
|
|
APACHE_USER=${APACHE_USER:-$STACK_USER}
|
|
APACHE_GROUP=${APACHE_GROUP:-$(id -gn $APACHE_USER)}
|
|
|
|
|
|
# Set up apache name and configuration directory
|
|
# Note that APACHE_CONF_DIR is really more accurately apache's vhost
|
|
# configuration dir but we can't just change this because public interfaces.
|
|
if is_ubuntu; then
|
|
APACHE_NAME=apache2
|
|
APACHE_CONF_DIR=${APACHE_CONF_DIR:-/etc/$APACHE_NAME/sites-available}
|
|
APACHE_SETTINGS_DIR=${APACHE_SETTINGS_DIR:-/etc/$APACHE_NAME/conf-enabled}
|
|
elif is_fedora; then
|
|
APACHE_NAME=httpd
|
|
APACHE_CONF_DIR=${APACHE_CONF_DIR:-/etc/$APACHE_NAME/conf.d}
|
|
APACHE_SETTINGS_DIR=${APACHE_SETTINGS_DIR:-/etc/$APACHE_NAME/conf.d}
|
|
elif is_suse; then
|
|
APACHE_NAME=apache2
|
|
APACHE_CONF_DIR=${APACHE_CONF_DIR:-/etc/$APACHE_NAME/vhosts.d}
|
|
APACHE_SETTINGS_DIR=${APACHE_SETTINGS_DIR:-/etc/$APACHE_NAME/conf.d}
|
|
fi
|
|
APACHE_LOG_DIR="/var/log/${APACHE_NAME}"
|
|
|
|
# Functions
|
|
# ---------
|
|
|
|
# Enable apache mod and restart apache if it isn't already enabled.
|
|
function enable_apache_mod {
|
|
local mod=$1
|
|
# Apache installation, because we mark it NOPRIME
|
|
if is_ubuntu; then
|
|
# Skip mod_version as it is not a valid mod to enable
|
|
# on debuntu, instead it is built in.
|
|
if [[ "$mod" != "version" ]] && ! a2query -m $mod ; then
|
|
sudo a2enmod $mod
|
|
restart_apache_server
|
|
fi
|
|
elif is_suse; then
|
|
if ! a2enmod -q $mod ; then
|
|
sudo a2enmod $mod
|
|
restart_apache_server
|
|
fi
|
|
elif is_fedora; then
|
|
# pass
|
|
true
|
|
else
|
|
exit_distro_not_supported "apache enable mod"
|
|
fi
|
|
}
|
|
|
|
# NOTE(sdague): Install uwsgi including apache module, we need to get
|
|
# to 2.0.6+ to get a working mod_proxy_uwsgi. We can probably build a
|
|
# check for that and do it differently for different platforms.
|
|
function install_apache_uwsgi {
|
|
local apxs="apxs2"
|
|
if is_fedora; then
|
|
apxs="apxs"
|
|
fi
|
|
|
|
# Ubuntu xenial is back level on uwsgi so the proxy doesn't
|
|
# actually work. Hence we have to build from source for now.
|
|
#
|
|
# Centos 7 actually has the module in epel, but there was a big
|
|
# push to disable epel by default. As such, compile from source
|
|
# there as well.
|
|
|
|
local dir
|
|
dir=$(mktemp -d)
|
|
pushd $dir
|
|
pip_install uwsgi
|
|
pip download uwsgi -c $REQUIREMENTS_DIR/upper-constraints.txt
|
|
local uwsgi
|
|
uwsgi=$(ls uwsgi*)
|
|
tar xvf $uwsgi
|
|
cd uwsgi*/apache2
|
|
sudo $apxs -i -c mod_proxy_uwsgi.c
|
|
popd
|
|
# delete the temp directory
|
|
sudo rm -rf $dir
|
|
|
|
if is_ubuntu || is_suse ; then
|
|
# we've got to enable proxy and proxy_uwsgi for this to work
|
|
sudo a2enmod proxy
|
|
sudo a2enmod proxy_uwsgi
|
|
elif is_fedora; then
|
|
# redhat is missing a nice way to turn on/off modules
|
|
echo "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so" \
|
|
| sudo tee /etc/httpd/conf.modules.d/02-proxy-uwsgi.conf
|
|
fi
|
|
restart_apache_server
|
|
}
|
|
|
|
# install_apache_wsgi() - Install Apache server and wsgi module
|
|
function install_apache_wsgi {
|
|
# Apache installation, because we mark it NOPRIME
|
|
if is_ubuntu; then
|
|
# Install apache2, which is NOPRIME'd
|
|
install_package apache2
|
|
if python3_enabled; then
|
|
if is_package_installed libapache2-mod-wsgi; then
|
|
uninstall_package libapache2-mod-wsgi
|
|
fi
|
|
install_package libapache2-mod-wsgi-py3
|
|
else
|
|
install_package libapache2-mod-wsgi
|
|
fi
|
|
elif is_fedora; then
|
|
sudo rm -f /etc/httpd/conf.d/000-*
|
|
install_package httpd mod_wsgi
|
|
# For consistency with Ubuntu, switch to the worker mpm, as
|
|
# the default is prefork
|
|
sudo sed -i '/mod_mpm_prefork.so/s/^/#/g' /etc/httpd/conf.modules.d/00-mpm.conf
|
|
sudo sed -i '/mod_mpm_worker.so/s/^#//g' /etc/httpd/conf.modules.d/00-mpm.conf
|
|
elif is_suse; then
|
|
install_package apache2 apache2-mod_wsgi
|
|
else
|
|
exit_distro_not_supported "apache wsgi installation"
|
|
fi
|
|
# WSGI isn't enabled by default, enable it
|
|
enable_apache_mod wsgi
|
|
}
|
|
|
|
# apache_site_config_for() - The filename of the site's configuration file.
|
|
# This function uses the global variables APACHE_NAME and APACHE_CONF_DIR.
|
|
#
|
|
# On Ubuntu 14.04+, the site configuration file must have a .conf suffix for a2ensite and a2dissite to
|
|
# recognise it. a2ensite and a2dissite ignore the .conf suffix used as parameter. The default sites'
|
|
# files are 000-default.conf and default-ssl.conf.
|
|
#
|
|
# On Fedora and openSUSE, any file in /etc/httpd/conf.d/ whose name ends with .conf is enabled.
|
|
#
|
|
# On RHEL and CentOS, things should hopefully work as in Fedora.
|
|
#
|
|
# The table below summarizes what should happen on each distribution:
|
|
# +----------------------+--------------------+--------------------------+--------------------------+
|
|
# | Distribution | File name | Site enabling command | Site disabling command |
|
|
# +----------------------+--------------------+--------------------------+--------------------------+
|
|
# | Ubuntu 14.04 | site.conf | a2ensite site | a2dissite site |
|
|
# | Fedora, RHEL, CentOS | site.conf.disabled | mv site.conf{.disabled,} | mv site.conf{,.disabled} |
|
|
# +----------------------+--------------------+--------------------------+--------------------------+
|
|
function apache_site_config_for {
|
|
local site=$@
|
|
if is_ubuntu; then
|
|
# Ubuntu 14.04 - Apache 2.4
|
|
echo $APACHE_CONF_DIR/${site}.conf
|
|
elif is_fedora || is_suse; then
|
|
# fedora conf.d is only imported if it ends with .conf so this is approx the same
|
|
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
|
|
if [ -f $enabled_site_file ]; then
|
|
echo ${enabled_site_file}
|
|
else
|
|
echo ${enabled_site_file}.disabled
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# enable_apache_site() - Enable a particular apache site
|
|
function enable_apache_site {
|
|
local site=$@
|
|
# Many of our sites use mod version. Just enable it.
|
|
enable_apache_mod version
|
|
if is_ubuntu; then
|
|
sudo a2ensite ${site}
|
|
elif is_fedora || is_suse; then
|
|
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
|
|
# Do nothing if site already enabled or no site config exists
|
|
if [[ -f ${enabled_site_file}.disabled ]] && [[ ! -f ${enabled_site_file} ]]; then
|
|
sudo mv ${enabled_site_file}.disabled ${enabled_site_file}
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# disable_apache_site() - Disable a particular apache site
|
|
function disable_apache_site {
|
|
local site=$@
|
|
if is_ubuntu; then
|
|
sudo a2dissite ${site} || true
|
|
elif is_fedora || is_suse; then
|
|
local enabled_site_file="$APACHE_CONF_DIR/${site}.conf"
|
|
# Do nothing if no site config exists
|
|
if [[ -f ${enabled_site_file} ]]; then
|
|
sudo mv ${enabled_site_file} ${enabled_site_file}.disabled
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# start_apache_server() - Start running apache server
|
|
function start_apache_server {
|
|
start_service $APACHE_NAME
|
|
}
|
|
|
|
# stop_apache_server() - Stop running apache server
|
|
function stop_apache_server {
|
|
if [ -n "$APACHE_NAME" ]; then
|
|
stop_service $APACHE_NAME
|
|
else
|
|
exit_distro_not_supported "apache configuration"
|
|
fi
|
|
}
|
|
|
|
# restart_apache_server
|
|
function restart_apache_server {
|
|
# Apache can be slow to stop, doing an explicit stop, sleep, start helps
|
|
# to mitigate issues where apache will claim a port it's listening on is
|
|
# still in use and fail to start.
|
|
restart_service $APACHE_NAME
|
|
}
|
|
|
|
function write_uwsgi_config {
|
|
local file=$1
|
|
local wsgi=$2
|
|
local url=$3
|
|
local http=$4
|
|
local name=""
|
|
name=$(basename $wsgi)
|
|
|
|
# create a home for the sockets; note don't use /tmp -- apache has
|
|
# a private view of it on some platforms.
|
|
local socket_dir='/var/run/uwsgi'
|
|
|
|
# /var/run will be empty on ubuntu after reboot, so we can use systemd-temptiles
|
|
# to automatically create $socket_dir.
|
|
sudo mkdir -p /etc/tmpfiles.d/
|
|
echo "d $socket_dir 0755 $STACK_USER root" | sudo tee /etc/tmpfiles.d/uwsgi.conf
|
|
sudo systemd-tmpfiles --create /etc/tmpfiles.d/uwsgi.conf
|
|
|
|
local socket="$socket_dir/${name}.socket"
|
|
|
|
# always cleanup given that we are using iniset here
|
|
rm -rf $file
|
|
iniset "$file" uwsgi wsgi-file "$wsgi"
|
|
iniset "$file" uwsgi processes $API_WORKERS
|
|
# This is running standalone
|
|
iniset "$file" uwsgi master true
|
|
# Set die-on-term & exit-on-reload so that uwsgi shuts down
|
|
iniset "$file" uwsgi die-on-term true
|
|
iniset "$file" uwsgi exit-on-reload true
|
|
iniset "$file" uwsgi enable-threads true
|
|
iniset "$file" uwsgi plugins python
|
|
# uwsgi recommends this to prevent thundering herd on accept.
|
|
iniset "$file" uwsgi thunder-lock true
|
|
# Override the default size for headers from the 4k default.
|
|
iniset "$file" uwsgi buffer-size 65535
|
|
# Make sure the client doesn't try to re-use the connection.
|
|
iniset "$file" uwsgi add-header "Connection: close"
|
|
# This ensures that file descriptors aren't shared between processes.
|
|
iniset "$file" uwsgi lazy-apps true
|
|
|
|
# If we said bind directly to http, then do that and don't start the apache proxy
|
|
if [[ -n "$http" ]]; then
|
|
iniset "$file" uwsgi http $http
|
|
else
|
|
local apache_conf=""
|
|
apache_conf=$(apache_site_config_for $name)
|
|
iniset "$file" uwsgi socket "$socket"
|
|
iniset "$file" uwsgi chmod-socket 666
|
|
echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee -a $apache_conf
|
|
enable_apache_site $name
|
|
restart_apache_server
|
|
fi
|
|
}
|
|
|
|
# For services using chunked encoding, the only services known to use this
|
|
# currently are Glance and Swift, we need to use an http proxy instead of
|
|
# mod_proxy_uwsgi because the chunked encoding gets dropped. See:
|
|
# https://github.com/unbit/uwsgi/issues/1540 You can workaround this on python2
|
|
# but that involves having apache buffer the request before sending it to
|
|
# uwsgi.
|
|
function write_local_uwsgi_http_config {
|
|
local file=$1
|
|
local wsgi=$2
|
|
local url=$3
|
|
name=$(basename $wsgi)
|
|
|
|
# create a home for the sockets; note don't use /tmp -- apache has
|
|
# a private view of it on some platforms.
|
|
|
|
# always cleanup given that we are using iniset here
|
|
rm -rf $file
|
|
iniset "$file" uwsgi wsgi-file "$wsgi"
|
|
port=$(get_random_port)
|
|
iniset "$file" uwsgi http-socket "127.0.0.1:$port"
|
|
iniset "$file" uwsgi processes $API_WORKERS
|
|
# This is running standalone
|
|
iniset "$file" uwsgi master true
|
|
# Set die-on-term & exit-on-reload so that uwsgi shuts down
|
|
iniset "$file" uwsgi die-on-term true
|
|
iniset "$file" uwsgi exit-on-reload true
|
|
iniset "$file" uwsgi enable-threads true
|
|
iniset "$file" uwsgi plugins python
|
|
# uwsgi recommends this to prevent thundering herd on accept.
|
|
iniset "$file" uwsgi thunder-lock true
|
|
# Override the default size for headers from the 4k default.
|
|
iniset "$file" uwsgi buffer-size 65535
|
|
# Make sure the client doesn't try to re-use the connection.
|
|
iniset "$file" uwsgi add-header "Connection: close"
|
|
# This ensures that file descriptors aren't shared between processes.
|
|
iniset "$file" uwsgi lazy-apps true
|
|
iniset "$file" uwsgi chmod-socket 666
|
|
iniset "$file" uwsgi http-raw-body true
|
|
iniset "$file" uwsgi http-chunked-input true
|
|
iniset "$file" uwsgi http-auto-chunked true
|
|
iniset "$file" uwsgi http-keepalive false
|
|
# Increase socket timeout for slow chunked uploads
|
|
iniset "$file" uwsgi socket-timeout 30
|
|
|
|
enable_apache_mod proxy
|
|
enable_apache_mod proxy_http
|
|
local apache_conf=""
|
|
apache_conf=$(apache_site_config_for $name)
|
|
echo "KeepAlive Off" | sudo tee $apache_conf
|
|
echo "SetEnv proxy-sendchunked 1" | sudo tee -a $apache_conf
|
|
echo "ProxyPass \"${url}\" \"http://127.0.0.1:$port\" retry=0 " | sudo tee -a $apache_conf
|
|
enable_apache_site $name
|
|
restart_apache_server
|
|
}
|
|
|
|
function remove_uwsgi_config {
|
|
local file=$1
|
|
local wsgi=$2
|
|
local name=""
|
|
name=$(basename $wsgi)
|
|
|
|
rm -rf $file
|
|
disable_apache_site $name
|
|
}
|
|
|
|
# Restore xtrace
|
|
$_XTRACE_LIB_APACHE
|
|
|
|
# Tell emacs to use shell-script-mode
|
|
## Local variables:
|
|
## mode: shell-script
|
|
## End:
|