diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index 951b0951fa..652cfb8605 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -42,6 +42,7 @@ cinder_profiler_hmac_key: ## Glance Options glance_container_mysql_password: glance_service_password: +glance_profiler_hmac_key: ### Extra options when configuring swift as a glance back-end. glance_swift_store_auth_address: "https://some.auth.url.com" glance_swift_store_user: "OPENSTACK_TENANT_ID:OPENSTACK_USER_NAME" diff --git a/playbooks/roles/os_glance/defaults/main.yml b/playbooks/roles/os_glance/defaults/main.yml index 824c1191ee..c596825366 100644 --- a/playbooks/roles/os_glance/defaults/main.yml +++ b/playbooks/roles/os_glance/defaults/main.yml @@ -19,6 +19,7 @@ is_metal: true ## Verbosity Options debug: False verbose: True +glance_profiler_enabled: False glance_fatal_deprecations: False ## System info @@ -93,6 +94,14 @@ glance_image_cache_max_size: 10737418240 # compute the number of api workers to use. # glance_registry_workers: 16 +glance_task_executor: taskflow +glance_digest_algorithm: sha1 +glance_http_keepalive: True + +## Glance policy +glance_policy_file: policy.json +glance_policy_default_rule: default +glance_policy_dirs: policy.d ## Define nfs information for glance. When the glance_nfs_client dictionary is ## defined it will enable nfs shares as mounted directories. The diff --git a/playbooks/roles/os_glance/tasks/glance_post_install.yml b/playbooks/roles/os_glance/tasks/glance_post_install.yml index 7ab9983e73..cd1582200a 100644 --- a/playbooks/roles/os_glance/tasks/glance_post_install.yml +++ b/playbooks/roles/os_glance/tasks/glance_post_install.yml 
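Review bot: `glance_digest_algorithm: sha1` in the second defaults/main.yml hunk makes SHA-1 the role-wide default for the `digest_algorithm` value that glance-api.conf.j2 renders. SHA-1 is no longer collision-resistant, so if this option feeds Glance's digital-signature handling (the option name suggests it, but the page does not show it), `glance_digest_algorithm: sha256` would be the safer default, with sha1 left as an explicit override for deployments that need it during an upgrade. Whichever value stays, a comment above it would help operators, e.g. `# Digest used by Glance for digital signatures; every node's OpenSSL must support the chosen algorithm`.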
@@ -39,8 +39,11 @@ owner: "{{ glance_system_user_name }}" group: "{{ glance_system_group_name }}" with_items: + - { src: "glance-api-paste.ini.j2", dest: "/etc/glance/glance-api-paste.ini" } + - { src: "glance-registry-paste.ini.j2", dest: "/etc/glance/glance-registry-paste.ini" } - { src: "glance-api.conf.j2", dest: "/etc/glance/glance-api.conf" } - { src: "glance-cache.conf.j2", dest: "/etc/glance/glance-cache.conf" } + - { src: "glance-manage.conf.j2", dest: "/etc/glance/glance-manage.conf" } - { src: "glance-registry.conf.j2", dest: "/etc/glance/glance-registry.conf" } - { src: "glance-scrubber.conf.j2", dest: "/etc/glance/glance-scrubber.conf" } notify: @@ -56,8 +59,6 @@ owner: "{{ glance_system_user_name }}" group: "{{ glance_system_group_name }}" with_items: - - { src: "glance-api-paste.ini", dest: "/etc/glance/glance-api-paste.ini" } - - { src: "glance-registry-paste.ini", dest: "/etc/glance/glance-registry-paste.ini" } - { src: "policy.json", dest: "/etc/glance/policy.json" } - { src: "schema.json", dest: "/etc/glance/schema.json" } - { src: "schema.json", dest: "/etc/glance/schema-image.json" } diff --git a/playbooks/roles/os_glance/files/glance-api-paste.ini b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 similarity index 73% rename from playbooks/roles/os_glance/files/glance-api-paste.ini rename to playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 index e4baa269fa..029221ccf7 100644 --- a/playbooks/roles/os_glance/files/glance-api-paste.ini +++ b/playbooks/roles/os_glance/templates/glance-api-paste.ini.j2 
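Review bot: The three entries added to this `with_items` list now render files that contain secrets, and no `mode:` is visible next to `owner`/`group` in the hunk. The two paste files embed `glance_profiler_hmac_key`, and glance-manage.conf embeds the database password. The task begins above the hunk, so a mode may already be set there. If it is not, the files get umask-default permissions, which are typically world-readable. Adding `mode: "0640"` to the task would limit them to the glance user and group.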
@@ -1,38 +1,38 @@ # Use this pipeline for no auth or image caching - DEFAULT [pipeline:glance-api] -pipeline = versionnegotiation unauthenticated-context rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context rootapp # Use this pipeline for image caching and no auth [pipeline:glance-api-caching] -pipeline = versionnegotiation unauthenticated-context cache rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context cache rootapp # Use this pipeline for caching w/ management interface but no auth [pipeline:glance-api-cachemanagement] -pipeline = versionnegotiation unauthenticated-context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler unauthenticated-context cache cachemanage rootapp # Use this pipeline for keystone auth [pipeline:glance-api-keystone] -pipeline = versionnegotiation authtoken context rootapp +pipeline = versionnegotiation osprofiler authtoken context rootapp # Use this pipeline for keystone auth with image caching [pipeline:glance-api-keystone+caching] -pipeline = versionnegotiation authtoken context cache rootapp +pipeline = versionnegotiation osprofiler authtoken context cache rootapp # Use this pipeline for keystone auth with caching and cache management [pipeline:glance-api-keystone+cachemanagement] -pipeline = versionnegotiation authtoken context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler authtoken context cache cachemanage rootapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. [pipeline:glance-api-trusted-auth] -pipeline = versionnegotiation context rootapp +pipeline = versionnegotiation osprofiler context rootapp # Use this pipeline for authZ only. 
This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user and uses cache management [pipeline:glance-api-trusted-auth+cachemanagement] -pipeline = versionnegotiation context cache cachemanage rootapp +pipeline = versionnegotiation osprofiler context cache cachemanage rootapp [composite:rootapp] paste.composite_factory = glance.api:root_app_factory @@ -70,3 +70,8 @@ delay_auth_decision = true [filter:gzip] paste.filter_factory = glance.api.middleware.gzip:GzipMiddleware.factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ glance_profiler_hmac_key }} +enabled = yes diff --git a/playbooks/roles/os_glance/templates/glance-api.conf.j2 b/playbooks/roles/os_glance/templates/glance-api.conf.j2 index d5993bd81a..396335cb38 100644 --- a/playbooks/roles/os_glance/templates/glance-api.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2 @@ -11,6 +11,8 @@ fatal_deprecations = {{ glance_fatal_deprecations }} use_syslog = False bind_host = {{ glance_api_bind_address }} bind_port = {{ glance_api_service_port }} +http_keepalive = {{ glance_http_keepalive }} +digest_algorithm = {{ glance_digest_algorithm }} backlog = 4096 workers = {{ glance_api_workers | default(api_threads) }} registry_host = {{ glance_registry_host }} @@ -43,6 +45,9 @@ scrub_time = 43200 scrubber_datadir = {{ glance_system_user_home }}/scrubber/ image_cache_dir = {{ glance_system_user_home }}/cache/ +[task] +task_executor = {{ glance_task_executor }} + [database] connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8 
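Review bot: The new `[filter:osprofiler]` section renders `hmac_keys = {{ glance_profiler_hmac_key }}` with no check that the key is set, and hard-codes `enabled = yes` while the role default is `glance_profiler_enabled: False`; glance-registry-paste.ini.j2 gets the same section. user_secrets.yml ships `glance_profiler_hmac_key:` as a bare key, which is null in YAML, so unless a generator fills it in (not shown on this page) the rendered key is empty or a literal `None`, which is predictable. The filter sits ahead of `authtoken` in the keystone pipelines, so that HMAC is the only check on trace headers from unauthenticated callers. I would add a pre-flight `assert` that the key is a non-empty string, plus a template comment such as `# hmac_keys must be a non-empty secret; requests signed with it are traced before authtoken runs`. Please also confirm that `[profiler] enabled` in the .conf overrides the paste-level `enabled = yes` on the targeted osprofiler version.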
@@ -66,6 +71,11 @@ memcache_secret_key = {{ memcached_encryption_key }} # if your keystone deployment uses PKI, and you value security over performance: check_revocations_for_cached = False +[oslo_policy] +policy_file = {{ glance_policy_file }} +policy_default_rule = {{ glance_policy_default_rule }} +policy_dirs = {{ glance_policy_dirs }} + [paste_deploy] flavor = {{ glance_flavor }} @@ -88,3 +98,6 @@ swift_store_large_object_chunk_size = {{ glance_swift_store_large_object_chunk_s swift_store_retry_get_count = 5 swift_store_endpoint_type = {{ glance_swift_store_endpoint_type }} {% endif %} + +[profiler] +enabled = {{ glance_profiler_enabled }} diff --git a/playbooks/roles/os_glance/templates/glance-manage.conf.j2 b/playbooks/roles/os_glance/templates/glance-manage.conf.j2 new file mode 100644 index 0000000000..33c5689ee2 --- /dev/null +++ b/playbooks/roles/os_glance/templates/glance-manage.conf.j2 @@ -0,0 +1,9 @@ +[DEFAULT] +verbose = {{ verbose }} +debug = {{ debug }} +log_file = /var/log/glance/glance-manage.log +fatal_deprecations = {{ glance_fatal_deprecations }} +use_syslog = False + +[database] +connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ galera_address }}/{{ glance_galera_database }}?charset=utf8 diff --git a/playbooks/roles/os_glance/files/glance-registry-paste.ini b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 similarity index 71% rename from playbooks/roles/os_glance/files/glance-registry-paste.ini rename to playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 index ab8c2856df..a962043e38 100644 --- a/playbooks/roles/os_glance/files/glance-registry-paste.ini +++ b/playbooks/roles/os_glance/templates/glance-registry-paste.ini.j2 
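Review bot: The `connection` line in the new glance-manage.conf.j2 places `glance_container_mysql_password` in the URL verbatim, so a password containing `@`, `:` or `?` would yield a connection string that parses to different credentials or a different host. The line mirrors the existing one in glance-api.conf.j2, so the constraint is not new, but it is undocumented. A comment next to the variable in user_secrets.yml would make it explicit, e.g. `# must be URL-safe: inserted unescaped into the SQLAlchemy connection URL`. The template also creates one more on-disk copy of the database credential, which is worth a line in the role documentation.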
@@ -1,16 +1,16 @@ # Use this pipeline for no auth - DEFAULT [pipeline:glance-registry] -pipeline = unauthenticated-context registryapp +pipeline = osprofiler unauthenticated-context registryapp # Use this pipeline for keystone auth [pipeline:glance-registry-keystone] -pipeline = authtoken context registryapp +pipeline = osprofiler authtoken context registryapp # Use this pipeline for authZ only. This means that the registry will treat a # user as authenticated without making requests to keystone to reauthenticate # the user. [pipeline:glance-registry-trusted-auth] -pipeline = context registryapp +pipeline = osprofiler context registryapp [app:registryapp] paste.app_factory = glance.registry.api:API.factory @@ -23,3 +23,8 @@ paste.filter_factory = glance.api.middleware.context:UnauthenticatedContextMiddl [filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory + +[filter:osprofiler] +paste.filter_factory = osprofiler.web:WsgiMiddleware.factory +hmac_keys = {{ glance_profiler_hmac_key }} +enabled = yes diff --git a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 index 07c1ba1930..c9dd6a920f 100644 --- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 @@ -11,6 +11,7 @@ log_file = /var/log/glance/glance-registry.log use_syslog = False bind_host = {{ glance_registry_bind_address }} bind_port = {{ glance_registry_service_port }} +http_keepalive = {{ glance_http_keepalive }} backlog = 4096 workers = {{ glance_registry_workers | default(api_threads) }} api_limit_max = 1000 
@@ -39,5 +40,13 @@ memcache_secret_key = {{ memcached_encryption_key }} # if your keystone deployment uses PKI, and you value security over performance: check_revocations_for_cached = False +[oslo_policy] +policy_file = {{ glance_policy_file }} +policy_default_rule = {{ glance_policy_default_rule }} +policy_dirs = {{ glance_policy_dirs }} + [paste_deploy] flavor = keystone + +[profiler] +enabled = {{ glance_profiler_enabled }} \ No newline at end of file
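Review bot: The added `[profiler]` section leaves glance-registry.conf.j2 without a trailing newline, as the `\ No newline at end of file` marker shows. Ending the template with a newline after `enabled = {{ glance_profiler_enabled }}` keeps later appends and diffs clean and matches the other templates in this change.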