From d4535b6dc3f05c13e6f8e09f8b7b4dde1f587a47 Mon Sep 17 00:00:00 2001 From: SamYaple Date: Sat, 19 Mar 2016 16:42:26 +0000 Subject: [PATCH] Add memcached_servers to keystone_auth section The in-process cache for keystone tokens has been deprecated due to "incosistent results and high memory usage" with the expectation we switch to memcached_servers if we want to stay performant. Add memcache_servers [cache] section to the appropriate servers as the [DEFAULT]\memcache_servers options was deprecated. TrivialFix Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440 --- ansible/roles/cinder/templates/cinder.conf.j2 | 5 +++++ .../roles/glance/templates/glance-api.conf.j2 | 5 +++++ .../glance/templates/glance-registry.conf.j2 | 5 +++++ ansible/roles/heat/templates/heat.conf.j2 | 11 +++++++++++ ansible/roles/ironic/templates/ironic.conf.j2 | 5 +++++ .../roles/keystone/templates/keystone.conf.j2 | 6 ++++++ ansible/roles/magnum/templates/magnum.conf.j2 | 5 +++++ ansible/roles/manila/templates/manila.conf.j2 | 5 +++++ .../roles/mistral/templates/mistral.conf.j2 | 5 +++++ ansible/roles/murano/templates/murano.conf.j2 | 5 +++++ .../roles/neutron/templates/neutron.conf.j2 | 5 +++++ ansible/roles/nova/templates/nova.conf.j2 | 15 +++++++++++---- .../swift/templates/proxy-server.conf.j2 | 5 +++++ ansible/site.yml | 19 +++++++++++++++++-- etc/kolla/passwords.yml | 1 + 15 files changed, 96 insertions(+), 6 deletions(-) diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2 index 9a64347551..d4a31dfe71 100644 --- a/ansible/roles/cinder/templates/cinder.conf.j2 +++ b/ansible/roles/cinder/templates/cinder.conf.j2 
@@ -56,6 +56,11 @@ project_name = service username = {{ cinder_keystone_user }} password = {{ cinder_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [oslo_concurrency] lock_path = /var/lib/cinder/tmp diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2 index 2955137cbc..9fc2026a39 100644 --- a/ansible/roles/glance/templates/glance-api.conf.j2 +++ b/ansible/roles/glance/templates/glance-api.conf.j2 @@ -29,6 +29,11 @@ project_name = service username = {{ glance_keystone_user }} password = {{ glance_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [paste_deploy] flavor = keystone diff --git a/ansible/roles/glance/templates/glance-registry.conf.j2 b/ansible/roles/glance/templates/glance-registry.conf.j2 index 3d0d2f4e3d..a7f8f6dda9 100644 --- a/ansible/roles/glance/templates/glance-registry.conf.j2 +++ b/ansible/roles/glance/templates/glance-registry.conf.j2 @@ -21,6 +21,11 @@ project_name = service username = {{ glance_keystone_user }} password = {{ glance_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [paste_deploy] flavor = keystone 
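Review bot: The `memcache_secret_key = {{ memcache_secret_key }}` line added after `password = {{ cinder_keystone_password }}` uses one variable that the glance, heat, ironic, magnum, manila, mistral, murano, neutron, nova and swift hunks also use, so every service host holds the same key for `memcache_security_strategy = ENCRYPT`. Reading any one of these rendered configuration files therefore exposes the key that protects every other service's cached token data in the shared memcached pool. If the key is shared on purpose so that services can reuse each other's cache entries, a template comment such as `# shared across services on purpose; rotate via etc/kolla/passwords.yml` would record that. Otherwise a per-service variable would limit the exposure. The section header for these lines is outside the hunk.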
diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2 index 8fd20fdfd3..cb521b2a6e 100644 --- a/ansible/roles/heat/templates/heat.conf.j2 +++ b/ansible/roles/heat/templates/heat.conf.j2 @@ -47,6 +47,17 @@ project_name = service username = {{ heat_keystone_user }} password = {{ heat_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + +[cache] +backend = oslo_cache.memcache_pool +enabled = True +memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [trustee] auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2 index 5ae13730f5..f19769d54a 100644 --- a/ansible/roles/ironic/templates/ironic.conf.j2 +++ b/ansible/roles/ironic/templates/ironic.conf.j2 @@ -40,6 +40,11 @@ project_name = service username = {{ ironic_keystone_user }} password = {{ ironic_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [glance] glance_host = {{ kolla_internal_fqdn }} diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2 index 83e2e2a024..ac414b99e7 100644 
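Review bot: The server-list loop `{% for host in groups['memcached'] %}…{% endfor %}` is written out twice in the heat hunk, once for `memcached_servers` and once for `memcache_servers` under `[cache]`, and again in every other template this patch touches. If one copy drifts from the rest, for example in the interface or port it uses, some services would point at a different memcached endpoint than the one operators secure and monitor. Building the list once in a shared variable and writing `memcached_servers = {{ memcached_server_list }}` in each template (the variable name is only a suggestion) would keep all of them in step.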
--- a/ansible/roles/keystone/templates/keystone.conf.j2 +++ b/ansible/roles/keystone/templates/keystone.conf.j2 @@ -8,3 +8,9 @@ secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO [database] connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }} + +[cache] +backend = oslo_cache.memcache_pool +enabled = True +memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2 index 047353d55b..b147df0dc3 100644 --- a/ansible/roles/magnum/templates/magnum.conf.j2 +++ b/ansible/roles/magnum/templates/magnum.conf.j2 @@ -35,6 +35,11 @@ project_name = service username = {{ magnum_keystone_user }} password = {{ magnum_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [oslo_concurrency] lock_path = /var/lib/magnum/tmp diff --git a/ansible/roles/manila/templates/manila.conf.j2 b/ansible/roles/manila/templates/manila.conf.j2 index f1f2062161..ab4013980d 100644 --- a/ansible/roles/manila/templates/manila.conf.j2 +++ b/ansible/roles/manila/templates/manila.conf.j2 
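Review bot: The `[cache]` section added to keystone.conf.j2 sets only `backend`, `enabled` and `memcache_servers`, so unlike the lines added next to the keystone credentials in the other templates it has nothing corresponding to `memcache_security_strategy = ENCRYPT`. Whatever keystone stores through this backend is held in memcached as written, on the `api_interface` address, and memcached is commonly run without authentication. Any host that can reach `memcached_port` on that network could therefore presumably read or overwrite those entries. The same applies to the `[cache]` sections in the heat and nova hunks. I would add a comment above the section, e.g. `# [cache] entries are not encrypted; memcached_port must only be reachable from the API network`, and confirm that the memcached role binds and filters accordingly, which this patch does not show.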
@@ -99,3 +99,8 @@ user_domain_id = default project_name = service username = {{ manila_keystone_user }} password = {{ manila_keystone_password }} + +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + diff --git a/ansible/roles/mistral/templates/mistral.conf.j2 b/ansible/roles/mistral/templates/mistral.conf.j2 index 52456733c7..f5f2be5cba 100644 --- a/ansible/roles/mistral/templates/mistral.conf.j2 +++ b/ansible/roles/mistral/templates/mistral.conf.j2 @@ -25,6 +25,11 @@ project_name = service username = {{ mistral_keystone_user }} password = {{ mistral_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [mistral] url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ mistral_api_port }} diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2 index a48dea30ed..b4bf592f97 100644 --- a/ansible/roles/murano/templates/murano.conf.j2 +++ b/ansible/roles/murano/templates/murano.conf.j2 @@ -21,6 +21,11 @@ project_name = service username = {{ murano_keystone_user }} password = {{ murano_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [murano] url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ murano_api_port }} 
diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2 index ef426a32f5..202367d6bc 100644 --- a/ansible/roles/neutron/templates/neutron.conf.j2 +++ b/ansible/roles/neutron/templates/neutron.conf.j2 @@ -69,5 +69,10 @@ project_name = service username = {{ neutron_keystone_user }} password = {{ neutron_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [oslo_messaging_notifications] driver = noop diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index c623b6b6f8..1cbb4d0cfd 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 @@ -21,7 +21,6 @@ metadata_listen_port = {{ nova_metadata_port }} ec2_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} ec2_listen_port = {{ nova_api_ec2_port }} - use_neutron = True firewall_driver = nova.virt.firewall.NoopFirewallDriver @@ -50,9 +49,6 @@ compute_driver = fake.FakeDriver compute_driver = libvirt.LibvirtDriver {% endif %} -memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} - - # Though my_ip is not used directly, lots of other variables use $my_ip my_ip = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }} 
@@ -130,6 +126,12 @@ connection = mysql+pymysql://{{ nova_database_user }}:{{ nova_database_password [api_database] connection = mysql+pymysql://{{ nova_api_database_user }}:{{ nova_api_database_password }}@{{ nova_api_database_address }}/{{ nova_api_database_name }} +[cache] +backend = oslo_cache.memcache_pool +enabled = True +memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [keystone_authtoken] auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }} auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} @@ -140,6 +142,11 @@ project_name = service username = {{ nova_keystone_user }} password = {{ nova_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [libvirt] connection_uri = "qemu+tcp://{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}/system" {% if enable_ceph | bool %} diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2 index e6b9e5b89c..40fc02a97a 100644 --- a/ansible/roles/swift/templates/proxy-server.conf.j2 +++ b/ansible/roles/swift/templates/proxy-server.conf.j2 
@@ -39,6 +39,11 @@ project_name = service username = {{ swift_keystone_user }} password = {{ swift_keystone_password }} +memcache_security_strategy = ENCRYPT +memcache_secret_key = {{ memcache_secret_key }} +memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %} + + [filter:keystoneauth] use = egg:swift#keystoneauth operator_roles = admin,user diff --git a/ansible/site.yml b/ansible/site.yml index f84e40b9d5..c225c9452e 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -56,7 +56,9 @@ tags: rabbitmq, when: enable_rabbitmq | bool } -- hosts: keystone +- hosts: + - keystone + - memcached roles: - { role: keystone, tags: keystone, @@ -68,6 +70,7 @@ - swift-object-server - swift-proxy-server - rabbitmq + - memcached roles: - { role: swift, tags: swift, @@ -78,6 +81,7 @@ - glance-api - glance-registry - rabbitmq + - memcached roles: - { role: glance, tags: glance, @@ -93,6 +97,7 @@ - nova-novncproxy - nova-scheduler - rabbitmq + - memcached roles: - { role: nova, tags: nova, @@ -106,6 +111,7 @@ - neutron-metadata-agent - neutron-server - rabbitmq + - memcached roles: - { role: neutron, tags: neutron, @@ -118,6 +124,7 @@ - cinder-scheduler - cinder-volume - rabbitmq + - memcached roles: - { role: cinder, tags: cinder, @@ -128,12 +135,15 @@ - heat-api-cfn - heat-engine - rabbitmq + - memcached roles: - { role: heat, tags: heat, when: enable_heat | bool } -- hosts: horizon +- hosts: + - horizon + - memcached roles: - { role: horizon, tags: horizon, @@ -143,6 +153,7 @@ - murano-api - murano-engine - rabbitmq + - memcached roles: - { role: murano, tags: murano, @@ -154,6 +165,7 @@ - ironic-inspector - ironic-pxe - rabbitmq + - memcached roles: - { role: ironic, tags: ironic, @@ -163,6 +175,7 @@ - magnum-api - magnum-conductor - rabbitmq + - memcached roles: - { role: magnum, tags: magnum, 
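Review bot: Adding `memcached` to the `hosts:` list of the keystone play, and of every later service play in site.yml, has no comment saying why, and it makes each service role run against the memcached hosts as well. The templates in this patch read `hostvars[host]['ansible_' + hostvars[host]['api_interface']]` for each memcached host, so the addition looks like a way to gather facts for those hosts. A line such as `# memcached is listed only so its facts are available to the templates` would record that. It also relies on each role's tasks being limited to their own groups, which this patch does not show. If any task is not limited that way, configuration files containing `memcache_secret_key` and the keystone passwords would be written to the memcached hosts.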
@@ -173,6 +186,7 @@ - mistral-engine - mistral-executor - rabbitmq + - memcached roles: - { role: mistral, tags: mistral, @@ -190,6 +204,7 @@ - manila-share - manila-scheduler - rabbitmq + - memcached roles: - { role: manila, tags: manila, diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml index deed018da9..626a7ae429 100644 --- a/etc/kolla/passwords.yml +++ b/etc/kolla/passwords.yml @@ -67,6 +67,7 @@ horizon_secret_key: "password" manila_database_password: "password" manila_keystone_password: "password" +memcache_secret_key: "password" #################### # Manila options
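Review bot: `memcache_secret_key: "password"` gives the ENCRYPT strategy a key that is identical in every deployment that does not edit this file, so the encryption added in the templates protects nothing until the value is replaced. The neighbouring entries use the same placeholder, so this follows the file's convention, but this value is a key rather than a login password and should be long and random. A comment on the line, e.g. `# replace with a random value before deploying; used to encrypt cached token data`, would flag it. Whether the project has a generator that overwrites these placeholders is not visible here. The entry also sits between the manila passwords and the `# Manila options` banner, where it is easy to miss.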