Ensure that selected Apache MPM is enforced

At the moment services might have different MPM selected while all
operating the same Apache setup, ie on metal setup.
This results in failures to set selected MPMs, so eventually second run
of roles after initial deployment will end up in failure (ie upgrade).

This patch ensures that all MPMs except the selected one are disabled, so
the role gets the desired state of deployment.

We also need to align selected MPM across all roles to avoid
future conflicts.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-rabbitmq_server/+/930446
Change-Id: Ia3e4af7986166f0729840d2a61fb8f52ea053676
Dmitriy Rabotyagov 2024-09-17 20:07:35 +02:00 committed by Jonathan Rosser
parent 95641cbd26
commit 870451e554
3 changed files with 30 additions and 1 deletions


@ -232,7 +232,7 @@ keystone_apache_servertokens: "Prod"
keystone_apache_serversignature: "Off" keystone_apache_serversignature: "Off"
## Apache MPM tunables ## Apache MPM tunables
keystone_httpd_mpm_backend: event keystone_httpd_mpm_backend: "{{ openstack_apache_mpm_backend | default('event') }}"
keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}" keystone_httpd_mpm_server_limit: "{{ keystone_wsgi_processes }}"
keystone_httpd_mpm_start_servers: 2 keystone_httpd_mpm_start_servers: 2
keystone_httpd_mpm_min_spare_threads: 25 keystone_httpd_mpm_min_spare_threads: 25
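Review bot: The `## Apache MPM tunables` comment above `keystone_httpd_mpm_backend` should say that the default is now inherited from `openstack_apache_mpm_backend`. Overriding only the role-level variable would bring back the per-service mismatch that the commit message describes for services sharing one Apache setup. I would add `# Set openstack_apache_mpm_backend to change the MPM for every role sharing this Apache instance; avoid overriding it per role.` directly above the variable. The same comment could list the accepted values (`event`, `worker`, `prefork`), since the `keystone_apache_mpms` list in the vars section only knows those three.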


@ -33,6 +33,27 @@
group: "{{ keystone_apache_default_log_grp }}" group: "{{ keystone_apache_default_log_grp }}"
mode: "0755" mode: "0755"
- name: Ensure apache2 MPM for Debian/Ubuntu
apache2_module:
name: "{{ item.name }}"
state: "{{ item.state }}"
warn_mpm_absent: false
with_items: "{{ keystone_apache_mpms | sort(attribute='state') }}"
when:
- ansible_facts['pkg_mgr'] == 'apt'
notify: Restart web server
- name: Ensure apache2 MPM for EL
copy:
content: |
LoadModule mpm_{{ keystone_httpd_mpm_backend }}_module modules/mod_mpm_{{ keystone_httpd_mpm_backend }}.so
dest: /etc/httpd/conf.modules.d/00-mpm.conf
mode: "0644"
when:
- ansible_facts['pkg_mgr'] == 'dnf'
notify: Restart web server
## NOTE(cloudnull): ## NOTE(cloudnull):
## Module enable/disable process is only functional on Debian ## Module enable/disable process is only functional on Debian
- name: Enable apache2 modules - name: Enable apache2 modules
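Review bot: Nothing in the two new MPM tasks checks that `keystone_httpd_mpm_backend` is one of the MPMs the role knows about, and `warn_mpm_absent: false` also suppresses the module's warning for a host left with no MPM enabled. With any other value, every entry of `keystone_apache_mpms` resolves to `absent` on apt hosts. On dnf hosts the `LoadModule` line written to `00-mpm.conf` names a module that presumably does not exist, so the notified restart would take Apache down, and Keystone authentication with it. An assert placed before the two tasks stops the play before anything on disk changes. The tasks file continues outside this hunk.

```yaml
- name: Check that the selected Apache MPM is supported
  assert:
    that:
      - keystone_httpd_mpm_backend in ['event', 'worker', 'prefork']
    fail_msg: "keystone_httpd_mpm_backend must be one of: event, worker, prefork"

# … unchanged: "Ensure apache2 MPM for Debian/Ubuntu" and "Ensure apache2 MPM for EL" tasks …
```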


@ -82,6 +82,14 @@ keystone_apache_configs:
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_apache_mpms:
- name: "mpm_event"
state: "{{ (keystone_httpd_mpm_backend == 'event') | ternary('present', 'absent') }}"
- name: "mpm_worker"
state: "{{ (keystone_httpd_mpm_backend == 'worker') | ternary('present', 'absent') }}"
- name: "mpm_prefork"
state: "{{ (keystone_httpd_mpm_backend == 'prefork') | ternary('present', 'absent') }}"
keystone_apache_modules: keystone_apache_modules:
- name: "ssl" - name: "ssl"
state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}" state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
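Review bot: `keystone_apache_mpms` needs a comment stating the ordering contract with the task that consumes it. The Debian task iterates `keystone_apache_mpms | sort(attribute='state')`, which disables the other MPMs before enabling the selected one only because `absent` sorts before `present`. I would put `# Consumed sorted by state: 'absent' < 'present', so the other MPMs are disabled before the selected one is enabled.` above the list. Without it, a later change to the state values or a loop without the filter could presumably reintroduce the MPM conflict this commit removes.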