From 5c975611f4120b4660edbcde7c31214ca8aba4d9 Mon Sep 17 00:00:00 2001 From: Michal Nasiadka Date: Thu, 28 Nov 2024 07:54:50 +0100 Subject: [PATCH] nova: Split out metadata to a separate container This is needed for introducing standalone uWSGI Change-Id: I7c7213eed10dc408238071a43fd89d5e66665e7b --- ansible/inventory/all-in-one | 3 ++ ansible/inventory/multinode | 3 ++ ansible/roles/nova/defaults/main.yml | 30 +++++++++++ ansible/roles/nova/handlers/main.yml | 17 +++++++ ansible/roles/nova/tasks/config.yml | 10 ++++ .../nova/templates/nova-api-wsgi.conf.j2 | 22 +------- .../nova/templates/nova-metadata-wsgi.conf.j2 | 51 +++++++++++++++++++ .../nova/templates/nova-metadata.json.j2 | 50 ++++++++++++++++++ ansible/roles/nova/templates/nova.conf.j2 | 2 + .../nova-metadata-split-d1c9ff2010390352.yaml | 5 ++ tests/templates/inventory.j2 | 3 ++ 11 files changed, 175 insertions(+), 21 deletions(-) create mode 100644 ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 create mode 100644 ansible/roles/nova/templates/nova-metadata.json.j2 create mode 100644 releasenotes/notes/nova-metadata-split-d1c9ff2010390352.yaml diff --git a/ansible/inventory/all-in-one b/ansible/inventory/all-in-one index 8d5c22344a..6e1bbe67b4 100644 --- a/ansible/inventory/all-in-one +++ b/ansible/inventory/all-in-one @@ -211,6 +211,9 @@ nova [nova-conductor:children] nova +[nova-metadata:children] +nova + [nova-super-conductor:children] nova diff --git a/ansible/inventory/multinode b/ansible/inventory/multinode index a12c51dc9a..0485a33b2c 100644 --- a/ansible/inventory/multinode +++ b/ansible/inventory/multinode @@ -229,6 +229,9 @@ nova [nova-conductor:children] nova +[nova-metadata:children] +nova + [nova-super-conductor:children] nova diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml index 038257b48e..cbe554b878 100644 --- a/ansible/roles/nova/defaults/main.yml +++ b/ansible/roles/nova/defaults/main.yml 
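Review bot: An inventory that predates this change has no `[nova-metadata]` group, so after an upgrade the new container is scheduled on no host, while the nova-api template in this same commit stops listening on `nova_metadata_listen_port`. The shipped all-in-one and multinode inventories (and the test inventory template further down) gain the group here, but operators with a customised inventory get no warning. The release note in this commit files the change under `features` only. An `upgrade` entry along the lines of `Inventories must define a nova-metadata group (child of nova) before upgrading, otherwise the metadata API is no longer served.` would cover it.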
@@ -25,6 +25,15 @@ nova_services: port: "{{ nova_api_public_port }}" listen_port: "{{ nova_api_listen_port }}" tls_backend: "{{ nova_enable_tls_backend }}" + nova-metadata: + container_name: "nova_metadata" + group: "nova-metadata" + image: "{{ nova_api_image_full }}" + enabled: True + volumes: "{{ nova_metadata_default_volumes + nova_metadata_extra_volumes }}" + dimensions: "{{ nova_metadata_dimensions }}" + healthcheck: "{{ nova_metadata_healthcheck }}" + haproxy: nova_metadata: enabled: "{{ enable_nova }}" mode: "http" @@ -118,6 +127,7 @@ nova_api_tag: "{{ nova_tag }}" nova_api_image_full: "{{ nova_api_image }}:{{ nova_api_tag }}" nova_api_dimensions: "{{ default_container_dimensions }}" +nova_metadata_dimensions: "{{ default_container_dimensions }}" nova_scheduler_dimensions: "{{ default_container_dimensions }}" nova_super_conductor_dimensions: "{{ default_container_dimensions }}" 
@@ -134,6 +144,19 @@ nova_api_healthcheck: test: "{% if nova_api_enable_healthchecks | bool %}{{ nova_api_healthcheck_test }}{% else %}NONE{% endif %}" timeout: "{{ nova_api_healthcheck_timeout }}" +nova_metadata_enable_healthchecks: "{{ enable_container_healthchecks }}" +nova_metadata_healthcheck_interval: "{{ default_container_healthcheck_interval }}" +nova_metadata_healthcheck_retries: "{{ default_container_healthcheck_retries }}" +nova_metadata_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}" +nova_metadata_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if nova_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }} "] +nova_metadata_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}" +nova_metadata_healthcheck: + interval: "{{ nova_metadata_healthcheck_interval }}" + retries: "{{ nova_metadata_healthcheck_retries }}" + start_period: "{{ nova_metadata_healthcheck_start_period }}" + test: "{% if nova_metadata_enable_healthchecks | bool %}{{ nova_metadata_healthcheck_test }}{% else %}NONE{% endif %}" + timeout: "{{ nova_metadata_healthcheck_timeout }}" + nova_scheduler_enable_healthchecks: "{{ enable_container_healthchecks }}" nova_scheduler_healthcheck_interval: "{{ default_container_healthcheck_interval }}" nova_scheduler_healthcheck_retries: "{{ default_container_healthcheck_retries }}" 
@@ -167,6 +190,12 @@ nova_api_default_volumes: - "/lib/modules:/lib/modules:ro" - "kolla_logs:/var/log/kolla/" - "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}" +nova_metadata_default_volumes: + - "{{ node_config_directory }}/nova-metadata/:{{ container_config_directory }}/:ro" + - "/etc/localtime:/etc/localtime:ro" + - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}" + - "kolla_logs:/var/log/kolla/" + - "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}" nova_scheduler_default_volumes: - "{{ node_config_directory }}/nova-scheduler/:{{ container_config_directory }}/:ro" - "/etc/localtime:/etc/localtime:ro" @@ -189,6 +218,7 @@ nova_api_bootstrap_default_volumes: nova_extra_volumes: "{{ default_extra_volumes }}" nova_api_extra_volumes: "{{ nova_extra_volumes }}" +nova_metadata_extra_volumes: "{{ nova_extra_volumes }}" nova_scheduler_extra_volumes: "{{ nova_extra_volumes }}" nova_super_conductor_extra_volumes: "{{ nova_extra_volumes }}" # Used by bootstrapping containers. diff --git a/ansible/roles/nova/handlers/main.yml b/ansible/roles/nova/handlers/main.yml index e478445094..917113c2d5 100644 --- a/ansible/roles/nova/handlers/main.yml +++ b/ansible/roles/nova/handlers/main.yml 
@@ -49,3 +49,20 @@ healthcheck: "{{ service.healthcheck | default(omit) }}" when: - kolla_action != "upgrade" or not nova_safety_upgrade | bool + +- name: Restart nova-metadata container + vars: + service_name: "nova-metadata" + service: "{{ nova_services[service_name] }}" + become: true + kolla_container: + action: "recreate_or_restart_container" + common_options: "{{ docker_common_options }}" + name: "{{ service.container_name }}" + image: "{{ service.image }}" + privileged: "{{ service.privileged | default(False) }}" + volumes: "{{ service.volumes | reject('equalto', '') | list }}" + dimensions: "{{ service.dimensions }}" + healthcheck: "{{ service.healthcheck | default(omit) }}" + when: + - kolla_action != "upgrade" or not nova_safety_upgrade | bool diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml index d7134abd2b..4904d496ca 100644 --- a/ansible/roles/nova/tasks/config.yml +++ b/ansible/roles/nova/tasks/config.yml @@ -89,6 +89,16 @@ become: true when: service | service_enabled_and_mapped_to_host +- name: Copying over nova-metadata-wsgi.conf + vars: + service: "{{ nova_services['nova-metadata'] }}" + template: + src: "nova-metadata-wsgi.conf.j2" + dest: "{{ node_config_directory }}/nova-metadata/nova-metadata-wsgi.conf" + mode: "0660" + become: true + when: service | service_enabled_and_mapped_to_host + - name: Copying over vendordata file vars: service: "{{ nova_services['nova-api'] }}" diff --git a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 index e84c194960..7acd59eb8c 100644 --- a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 +++ b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 
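Review bot: Nothing in the config.yml hunk stages `vendordata.json` into `{{ node_config_directory }}/nova-metadata/`, yet the new nova-metadata.json.j2 lists `{{ container_config_directory }}/vendordata.json` as a config file whenever `vendordata_file_path` is defined. The "Copying over vendordata file" task visible as trailing context still binds `service` to `nova_services['nova-api']`; its body continues outside the hunk, so this is inferred, but if its destination is the nova-api directory the metadata container would presumably fail at config copy or serve no vendordata. A matching task for the new service, sketched below, or a loop over both services in the existing task, would close the gap. The same template also expects nova.conf, the policy file and the TLS cert and key in that directory; the tasks that stage those are not part of this diff, so it is worth confirming they pick up `nova-metadata`.

```yaml
# … unchanged: Copying over nova-metadata-wsgi.conf …

- name: Copying over vendordata file for nova-metadata
  vars:
    service: "{{ nova_services['nova-metadata'] }}"
  copy:
    src: "{{ vendordata_file_path }}"
    dest: "{{ node_config_directory }}/nova-metadata/vendordata.json"
    mode: "0660"
  become: true
  when:
    - vendordata_file_path is defined
    - service | service_enabled_and_mapped_to_host
```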
@@ -8,7 +8,6 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so {% endif %} {% endif %} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }} -Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }} ServerSignature Off ServerTokens Prod @@ -17,7 +16,7 @@ TimeOut {{ kolla_httpd_timeout }} KeepAliveTimeout {{ kolla_httpd_keep_alive }} - + Options None Require all granted @@ -50,22 +49,3 @@ LogLevel info SSLCertificateKeyFile /etc/nova/certs/nova-key.pem {% endif %} - - - WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api - WSGIProcessGroup nova-metadata - WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi - WSGIApplicationGroup %{GLOBAL} - WSGIPassAuthorization On - = 2.4> - ErrorLogFormat "%{cu}t %M" - - ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log" - LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat - CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat -{% if nova_enable_tls_backend | bool %} - SSLEngine on - SSLCertificateFile /etc/nova/certs/nova-cert.pem - SSLCertificateKeyFile /etc/nova/certs/nova-key.pem -{% endif %} - diff --git a/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 new file mode 100644 index 0000000000..58ab62302f --- /dev/null +++ b/ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2 
@@ -0,0 +1,51 @@ +{% set nova_log_dir = '/var/log/kolla/nova' %} +{% set wsgi_directory = '/var/lib/kolla/venv/bin' %} +{% if nova_enable_tls_backend | bool %} +{% if kolla_base_distro in ['centos', 'rocky'] %} +LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so +{% else %} +LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so +{% endif %} +{% endif %} +Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }} + +ServerSignature Off +ServerTokens Prod +TraceEnable off +TimeOut {{ kolla_httpd_timeout }} +KeepAliveTimeout {{ kolla_httpd_keep_alive }} + + + + Options None + Require all granted + + + +ErrorLog "{{ nova_log_dir }}/apache-error.log" + +CustomLog "{{ nova_log_dir }}/apache-access.log" common + + +{% if nova_logging_debug | bool %} +LogLevel info +{% endif %} + + + WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api + WSGIProcessGroup nova-metadata + WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + = 2.4> + ErrorLogFormat "%{cu}t %M" + + ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log" + LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat + CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat +{% if nova_enable_tls_backend | bool %} + SSLEngine on + SSLCertificateFile /etc/nova/certs/nova-cert.pem + SSLCertificateKeyFile /etc/nova/certs/nova-key.pem +{% endif %} + diff --git a/ansible/roles/nova/templates/nova-metadata.json.j2 b/ansible/roles/nova/templates/nova-metadata.json.j2 new file mode 100644 index 0000000000..0de4d593c3 --- /dev/null +++ b/ansible/roles/nova/templates/nova-metadata.json.j2 
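Review bot: The server-level `ErrorLog` and `CustomLog` in the new template write to `apache-error.log` and `apache-access.log` under `/var/log/kolla/nova`, and both nova-api and nova-metadata mount the shared `kolla_logs` volume. If nova-api-wsgi.conf.j2 keeps the same two names (its log lines are outside the hunks shown, so this is inferred from the new file being a copy), two Apache instances append to the same files and an entry can no longer be attributed to one container. Distinct names would keep the streams separate, e.g. `ErrorLog "{{ nova_log_dir }}/nova-metadata-apache-error.log"` and `CustomLog "{{ nova_log_dir }}/nova-metadata-apache-access.log" common`. Any log shipping or rotation pattern that matches the old names would need the same update.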
@@ -0,0 +1,50 @@ +{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %} +{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %} +{ + "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND", + "config_files": [ + { + "source": "{{ container_config_directory }}/nova.conf", + "dest": "/etc/nova/nova.conf", + "owner": "nova", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/nova-metadata-wsgi.conf", + "dest": "/etc/{{ apache_conf_dir }}/nova-metadata-wsgi.conf", + "owner": "nova", + "perm": "0600" + }{% if nova_policy_file is defined %}, + { + "source": "{{ container_config_directory }}/{{ nova_policy_file }}", + "dest": "/etc/nova/{{ nova_policy_file }}", + "owner": "nova", + "perm": "0600" + }{% endif %}{% if nova_enable_tls_backend | bool %}, + { + "source": "{{ container_config_directory }}/nova-cert.pem", + "dest": "/etc/nova/certs/nova-cert.pem", + "owner": "nova", + "perm": "0600" + }, + { + "source": "{{ container_config_directory }}/nova-key.pem", + "dest": "/etc/nova/certs/nova-key.pem", + "owner": "nova", + "perm": "0600" + }{% endif %}{% if vendordata_file_path is defined %}, + { + "source": "{{ container_config_directory }}/vendordata.json", + "dest": "/etc/nova/vendordata.json", + "owner": "nova", + "perm": "0600" + }{% endif %} + ], + "permissions": [ + { + "path": "/var/log/kolla/nova", + "owner": "nova:nova", + "recurse": true + } + ] +} diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2 index f55a3e25e6..31c554fa40 100644 --- a/ansible/roles/nova/templates/nova.conf.j2 +++ b/ansible/roles/nova/templates/nova.conf.j2 
@@ -6,6 +6,8 @@ debug = {{ nova_logging_debug }} log_file = /var/log/kolla/nova/nova-super-conductor.log {% elif service_name == "nova-api" %} log_file = /var/log/kolla/nova/nova-api.log +{% elif service_name == "nova-metadata" %} +log_file = /var/log/kolla/nova/nova-metadata.log {% else %} log_dir = /var/log/kolla/nova {% endif %} diff --git a/releasenotes/notes/nova-metadata-split-d1c9ff2010390352.yaml b/releasenotes/notes/nova-metadata-split-d1c9ff2010390352.yaml new file mode 100644 index 0000000000..2cf1ffb5fd --- /dev/null +++ b/releasenotes/notes/nova-metadata-split-d1c9ff2010390352.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + ``nova-metadata`` service has been split into it's own container in + preparation for uWSGI support. diff --git a/tests/templates/inventory.j2 b/tests/templates/inventory.j2 index b5aadacd66..22ae0758a2 100644 --- a/tests/templates/inventory.j2 +++ b/tests/templates/inventory.j2 @@ -281,6 +281,9 @@ nova [nova-conductor:children] nova +[nova-metadata:children] +nova + [nova-super-conductor:children] nova