Update Glance Configuration for Liberty

This patch includes the following updates based on the updated source in
Glance's Liberty release:
 - glance-api-paste.ini
 - glance-api.conf
 - glance-registry-paste.ini
 - glance-registry.conf
 - glance-cache.conf
 - glance-manage.conf
 - glance-scrubber.conf

The following defaults have their values changed based on new defaults for the
Liberty release. Note that any user_variables.yml values that have been set to
customise these will need to be reviewed and adjusted accordingly for Liberty.
 - glance_digest_algorithm

Note also that the glance_swift_store_auth_version has been set to use '3' as
the default, meaning that it will use Keystone's v3 API as the default.

New configurable options:
 - glance_swift_store_auth_version
   This is the Keystone API auth version to use. The previous default
   was 2, but this patch changes it to 3.

 - glance_swift_store_user_domain
   This is the Domain ID for the user used to authenticate to Swift.

 - glance_swift_store_project_domain
   This is the Domain ID for the project used to authenticate to Swift.

Note that the policy.json file included is not the same as the upstream
default. Changes have been included which improve the security of image
publication and image group membership.

DocImpact
UpgradeImpact
Closes-Bug: #1479131
Implements: blueprint liberty-release
Co-Authored-By: Ian Cordasco <graffatcolmingov@gmail.com>
Change-Id: I2f58c0dbdb3ee55c0a4792df6e7b5b15aa8f0b01
Jesse Pretorius 2015-10-01 16:32:35 +01:00
parent 3f543ce600
commit 573ee602ae
8 changed files with 61 additions and 39 deletions


@ -87,7 +87,10 @@ glance_service_adminuri: "{{ glance_service_adminuri_proto }}://{{ internal_lb_v
glance_service_adminurl: "{{ glance_service_adminuri }}"
## Swift Options
glance_swift_store_auth_address: "{{ keystone_service_internalurl }}"
glance_swift_store_auth_address: "{{ keystone_service_internalurl_v3 }}"
glance_swift_store_auth_version: 3
glance_swift_store_user_domain: default
glance_swift_store_project_domain: default
glance_swift_store_user: "service:{{ glance_service_user_name }}"
glance_swift_store_key: "{{ glance_service_password }}"
glance_swift_store_region: "{{ glance_service_region }}"
@ -112,7 +115,7 @@ glance_image_cache_max_size: 10737418240
# glance_registry_workers: 16
glance_task_executor: taskflow
glance_digest_algorithm: sha1
glance_digest_algorithm: sha256
glance_http_keepalive: True
## Glance policy
@ -178,4 +181,4 @@ glance_glance_registry_paste_ini_overrides: {}
glance_glance_registry_conf_overrides: {}
glance_glance_scrubber_conf_overrides: {}
glance_glance_scheme_json_overrides: {}
glance_policy_overrides: {}
glance_policy_overrides: {}
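Review bot: `glance_swift_store_user_domain` and `glance_swift_store_project_domain` (L56-L57) are rendered into `user_domain_id` / `project_domain_id` in glance-api.conf, so they must hold Keystone domain IDs rather than domain names; the default `default` only works because Keystone's default domain has the literal ID `default` while its name is `Default`. A deployer who follows the variable names and supplies a domain name will get a Swift authentication failure that is hard to trace back to this setting. Suggest a comment above the pair: `# Keystone domain IDs (not names) for the Swift store credentials; the default domain's ID is "default"`. The `## Swift Options` group these belong to continues past the first hunk.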


@ -1,44 +1,45 @@
# Use this pipeline for no auth or image caching - DEFAULT
[pipeline:glance-api]
pipeline = versionnegotiation osprofiler unauthenticated-context rootapp
pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context rootapp
# Use this pipeline for image caching and no auth
[pipeline:glance-api-caching]
pipeline = versionnegotiation osprofiler unauthenticated-context cache rootapp
pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache rootapp
# Use this pipeline for caching w/ management interface but no auth
[pipeline:glance-api-cachemanagement]
pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
pipeline = healthcheck versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp
# Use this pipeline for keystone auth
[pipeline:glance-api-keystone]
pipeline = versionnegotiation osprofiler authtoken context rootapp
pipeline = healthcheck versionnegotiation osprofiler authtoken context rootapp
# Use this pipeline for keystone auth with image caching
[pipeline:glance-api-keystone+caching]
pipeline = versionnegotiation osprofiler authtoken context cache rootapp
pipeline = healthcheck versionnegotiation osprofiler authtoken context cache rootapp
# Use this pipeline for keystone auth with caching and cache management
[pipeline:glance-api-keystone+cachemanagement]
pipeline = versionnegotiation osprofiler authtoken context cache cachemanage rootapp
pipeline = healthcheck versionnegotiation osprofiler authtoken context cache cachemanage rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-api-trusted-auth]
pipeline = versionnegotiation osprofiler context rootapp
pipeline = healthcheck versionnegotiation osprofiler context rootapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user and uses cache management
[pipeline:glance-api-trusted-auth+cachemanagement]
pipeline = versionnegotiation osprofiler context cache cachemanage rootapp
pipeline = healthcheck versionnegotiation osprofiler context cache cachemanage rootapp
[composite:rootapp]
paste.composite_factory = glance.api:root_app_factory
/: apiversions
/v1: apiv1app
/v2: apiv2app
/v3: apiv3app
[app:apiversions]
paste.app_factory = glance.api.versions:create_resource
@ -49,6 +50,14 @@ paste.app_factory = glance.api.v1.router:API.factory
[app:apiv2app]
paste.app_factory = glance.api.v2.router:API.factory
[app:apiv3app]
paste.app_factory = glance.api.v3.router:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:versionnegotiation]
paste.filter_factory = glance.api.middleware.version_negotiation:VersionNegotiationFilter.factory
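Review bot: The `healthcheck` filter is placed ahead of `authtoken` in the keystone pipelines (L93, L97, L101), so `/healthcheck` answers without a token; that is what load-balancer probes need, but it is the one unauthenticated path in an otherwise token-protected pipeline and deserves a comment, e.g. `# healthcheck precedes authtoken: /healthcheck is unauthenticated by design (LB probes)`. Because `backends = disable_by_file` (L129-L130) turns the mere presence of `/etc/glance/healthcheck_disable` into an out-of-service signal, write access to `/etc/glance` now doubles as an availability control and should stay limited to the service owner. The same ordering and backend are introduced in glance-registry-paste.ini (L235-L251), so one comment in each file covers both. Separately, `/v3: apiv3app` (L119, L125-L126) exposes the artifacts API on every pipeline; as far as I recall Liberty ships that API as experimental, so gating the route behind a role variable would keep it off by default.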


@ -8,7 +8,6 @@ verbose = {{ verbose }}
debug = {{ debug }}
log_file = /var/log/glance/glance-api.log
fatal_deprecations = {{ glance_fatal_deprecations }}
use_syslog = False
bind_host = {{ glance_api_bind_address }}
bind_port = {{ glance_api_service_port }}
http_keepalive = {{ glance_http_keepalive }}
@ -25,22 +24,17 @@ enable_v1_registry = {{ glance_enable_v1_registry }}
enable_v2_api = {{ glance_enable_v2_api }}
enable_v2_registry = {{ glance_enable_v2_registry }}
#
# From oslo.messaging
#
{% if glance_ceilometer_enabled %}
notification_driver = {{ glance_ceilometer_notification_driver }}
{% else %}
notification_driver = {{ glance_notification_driver }}
{% endif %}
{% if glance_notification_driver == "messaging" or (glance_ceilometer_notification_driver == "messagingv2" and glance_ceilometer_enabled) %}
##### RPC MESSAGING OPTIONS #####
rpc_backend = {{ glance_rpc_backend }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
rabbit_durable_queues = False
{% endif %}
@ -87,18 +81,30 @@ policy_file = {{ glance_policy_file }}
policy_default_rule = {{ glance_policy_default_rule }}
policy_dirs = {{ glance_policy_dirs }}
[oslo_messaging_rabbit]
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
[paste_deploy]
flavor = {{ glance_flavor }}
[glance_store]
default_store = {{ glance_default_store }}
{% if glance_default_store == "file" %}
stores = glance.store.filesystem.Store,glance.store.http.Store,glance.store.cinder.Store
stores = file,http,cinder
filesystem_store_datadir = {{ glance_system_user_home }}/images/
{% elif glance_default_store == "swift" %}
stores = glance.store.swift.Store,glance.store.http.Store,glance.store.cinder.Store
swift_store_auth_version = 2
stores = swift,http,cinder
user_domain_id = {{ glance_swift_store_user_domain }}
project_domain_id = {{ glance_swift_store_project_domain }}
swift_store_auth_version = {{ glance_swift_store_auth_version }}
swift_store_auth_address = {{ glance_swift_store_auth_address }}
swift_store_auth_insecure = {{ keystone_service_internaluri_insecure | bool }}
swift_store_user = {{ glance_swift_store_user }}
swift_store_key = {{ glance_swift_store_key }}
swift_store_region = {{ glance_swift_store_region }}
@ -109,7 +115,7 @@ swift_store_large_object_chunk_size = {{ glance_swift_store_large_object_chunk_s
swift_store_retry_get_count = 5
swift_store_endpoint_type = {{ glance_swift_store_endpoint_type }}
{% elif glance_default_store == "rbd" %}
stores = glance.store.rbd.Store,glance.store.http.Store,glance.store.cinder.Store
stores = rbd,http,cinder
rbd_store_pool = {{ glance_rbd_store_pool }}
rbd_store_user = {{ glance_rbd_store_user }}
rbd_store_ceph_conf = /etc/ceph/ceph.conf
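Review bot: The `[oslo_messaging_rabbit]` section added at L170-L177 appears to be rendered unconditionally, whereas the block it replaces (L155-L166) was guarded by `{% if glance_notification_driver == "messaging" or ... %}`; if that guard has not moved elsewhere in the template (the surrounding lines are outside the hunk), `rabbit_password` is now written into glance-api.conf even on deployments whose notification driver never talks to RabbitMQ. Keeping the guard keeps the credential out of config files that do not need it, and the same applies to the `[oslo_messaging_rabbit]` block added to glance-registry.conf (L278-L285). Separately, `user_domain_id` / `project_domain_id` (L190-L191) are emitted regardless of `swift_store_auth_version` (L192); a comment such as `# domain IDs are only meaningful when swift_store_auth_version is 3` would make the dependency explicit, and it is worth confirming the Liberty glance_store swift driver reads these keys from `[glance_store]` rather than only from `swift_store_config_file`.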


@ -6,7 +6,6 @@ debug = {{ debug }}
admin_password = {{ glance_service_password }}
admin_user = {{ glance_service_user_name }}
admin_tenant_name = {{ glance_service_project_name }}
use_syslog = False
image_cache_dir = {{ glance_system_user_home }}/cache/
image_cache_stall_time = 86400
image_cache_max_size = {{ glance_image_cache_max_size }}


@ -3,7 +3,6 @@ verbose = {{ verbose }}
debug = {{ debug }}
log_file = /var/log/glance/glance-manage.log
fatal_deprecations = {{ glance_fatal_deprecations }}
use_syslog = False
[database]
connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8


@ -1,20 +1,25 @@
# Use this pipeline for no auth - DEFAULT
[pipeline:glance-registry]
pipeline = osprofiler unauthenticated-context registryapp
pipeline = healthcheck osprofiler unauthenticated-context registryapp
# Use this pipeline for keystone auth
[pipeline:glance-registry-keystone]
pipeline = osprofiler authtoken context registryapp
pipeline = healthcheck osprofiler authtoken context registryapp
# Use this pipeline for authZ only. This means that the registry will treat a
# user as authenticated without making requests to keystone to reauthenticate
# the user.
[pipeline:glance-registry-trusted-auth]
pipeline = osprofiler context registryapp
pipeline = healthcheck osprofiler context registryapp
[app:registryapp]
paste.app_factory = glance.registry.api:API.factory
[filter:healthcheck]
paste.filter_factory = oslo_middleware:Healthcheck.factory
backends = disable_by_file
disable_by_file_path = /etc/glance/healthcheck_disable
[filter:context]
paste.filter_factory = glance.api.middleware.context:ContextMiddleware.factory


@ -8,7 +8,6 @@ verbose = {{ verbose }}
debug = {{ debug }}
fatal_deprecations = {{ glance_fatal_deprecations }}
log_file = /var/log/glance/glance-registry.log
use_syslog = False
bind_host = {{ glance_registry_bind_address }}
bind_port = {{ glance_registry_service_port }}
http_keepalive = {{ glance_http_keepalive }}
@ -19,10 +18,6 @@ limit_param_default = 25
{% if glance_ceilometer_enabled %}
notification_driver = {{ glance_notification_driver }}
rpc_backend = {{ glance_rpc_backend }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
{% endif %}
[database]
@ -52,6 +47,15 @@ memcache_secret_key = {{ memcached_encryption_key }}
# if your keystone deployment uses PKI, and you value security over performance:
check_revocations_for_cached = False
[oslo_messaging_rabbit]
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
[oslo_policy]
policy_file = {{ glance_policy_file }}
policy_default_rule = {{ glance_policy_default_rule }}


@ -6,13 +6,10 @@ debug = {{ debug }}
# Log to this file. Make sure you do not set the same log file for both the API
# and registry servers!
#
# If `log_file` is omitted and `use_syslog` is false, then log messages are
# If `log_file` is omitted then log messages are
# sent to stdout as a fallback.
log_file = /var/log/glance/scrubber.log
# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
#use_syslog: False
# Should we run our own loop or rely on cron/scheduler to run us
daemon = False