This makes keystone use the proxy uwsgi module when running in uwsgi
mode. It also introduces a new stackrc variable which is WSGI_MODE
that we can use to control the conditionals in services that currently
work with mod_wsgi.
Also update retry timeouts on proxy pass so that workers don't disable
their connections during polling for initial activity.
Change-Id: I46294fb24e3c23fa19fcfd7d6c9ee8a932354702
... | ... |
@@ -260,7 +260,7 @@ function write_uwsgi_config { |
260 | 260 |
else |
261 | 261 |
local apache_conf="" |
262 | 262 |
apache_conf=$(apache_site_config_for $name) |
263 |
- echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\"" | sudo tee $apache_conf |
|
263 |
+ echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee $apache_conf |
|
264 | 264 |
enable_apache_site $name |
265 | 265 |
reload_apache_server |
266 | 266 |
fi |
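Review bot: The new `retry=0` on the ProxyPass line in write_uwsgi_config has no comment explaining it, and it changes failure behaviour: Apache never holds the worker in an error state, so requests keep being forwarded to the socket even while the uwsgi backend is down. I would add a comment above the echo such as `# retry=0: never mark the uwsgi worker as failed, so requests that arrive before uwsgi is up do not take it out of service`. The emitted directive also ends in a stray space after `retry=0`. On the same changed line `$apache_conf` is passed to `sudo tee` unquoted; `sudo tee "$apache_conf"` avoids word splitting on the path. The function body starts and ends outside this hunk.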
... | ... |
@@ -55,21 +55,13 @@ KEYSTONE_ADMIN_UWSGI_CONF=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini |
55 | 55 |
KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public |
56 | 56 |
KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin |
57 | 57 |
|
58 |
-# Toggle for deploying Keystone under HTTPD + mod_wsgi |
|
59 |
-# Deprecated in Mitaka, use KEYSTONE_DEPLOY instead. |
|
60 |
-KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}} |
|
61 |
- |
|
62 | 58 |
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values: |
63 | 59 |
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi |
64 | 60 |
# - uwsgi : Run keystone under uwsgi |
65 |
-if [ -z "$KEYSTONE_DEPLOY" ]; then |
|
66 |
- if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then |
|
67 |
- KEYSTONE_DEPLOY=mod_wsgi |
|
68 |
- elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then |
|
69 |
- KEYSTONE_DEPLOY=mod_wsgi |
|
70 |
- else |
|
71 |
- KEYSTONE_DEPLOY=uwsgi |
|
72 |
- fi |
|
61 |
+if [[ "$WSGI_MODE" == "uwsgi" ]]; then |
|
62 |
+ KEYSTONE_DEPLOY=uwsgi |
|
63 |
+else |
|
64 |
+ KEYSTONE_DEPLOY=mod_wsgi |
|
73 | 65 |
fi |
74 | 66 |
|
75 | 67 |
# Select the token persistence backend driver |
... | ... |
@@ -121,15 +113,8 @@ if is_service_enabled tls-proxy; then |
121 | 121 |
KEYSTONE_SERVICE_PROTOCOL="https" |
122 | 122 |
fi |
123 | 123 |
|
124 |
-# complete URIs |
|
125 |
-if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
|
126 |
- # If running in Apache, use path access rather than port. |
|
127 |
- KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin |
|
128 |
- KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity |
|
129 |
-else |
|
130 |
- KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT} |
|
131 |
- KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT} |
|
132 |
-fi |
|
124 |
+KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin |
|
125 |
+KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity |
|
133 | 126 |
|
134 | 127 |
# V3 URIs |
135 | 128 |
KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3 |
... | ... |
@@ -155,8 +140,15 @@ function is_keystone_enabled { |
155 | 155 |
# cleanup_keystone() - Remove residual data files, anything left over from previous |
156 | 156 |
# runs that a clean run would need to clean up |
157 | 157 |
function cleanup_keystone { |
158 |
- disable_apache_site keystone |
|
159 |
- sudo rm -f $(apache_site_config_for keystone) |
|
158 |
+ if [[ "$WSGI_MODE" == "uwsgi" ]]; then |
|
159 |
+ remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" |
|
160 |
+ remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" |
|
161 |
+ sudo rm -f $(apache_site_config_for keystone-wsgi-public) |
|
162 |
+ sudo rm -f $(apache_site_config_for keystone-wsgi-admin) |
|
163 |
+ else |
|
164 |
+ disable_apache_site keystone |
|
165 |
+ sudo rm -f $(apache_site_config_for keystone) |
|
166 |
+ fi |
|
160 | 167 |
} |
161 | 168 |
|
162 | 169 |
# _config_keystone_apache_wsgi() - Set WSGI config files of Keystone |
... | ... |
@@ -256,10 +248,8 @@ function configure_keystone { |
256 | 256 |
# work when you want to use a different port (in the case of proxy), or you |
257 | 257 |
# don't want the port (in the case of putting keystone on a path in |
258 | 258 |
# apache). |
259 |
- if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
|
260 |
- iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI |
|
261 |
- iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI |
|
262 |
- fi |
|
259 |
+ iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI |
|
260 |
+ iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI |
|
263 | 261 |
|
264 | 262 |
if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then |
265 | 263 |
iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT |
... | ... |
@@ -285,9 +275,8 @@ function configure_keystone { |
285 | 285 |
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s" |
286 | 286 |
_config_keystone_apache_wsgi |
287 | 287 |
else # uwsgi |
288 |
- # iniset creates these files when it's called if they don't exist. |
|
289 |
- write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port" |
|
290 |
- write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port" |
|
288 |
+ write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" |
|
289 |
+ write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" |
|
291 | 290 |
fi |
292 | 291 |
|
293 | 292 |
iniset $KEYSTONE_CONF DEFAULT max_token_size 16384 |
... | ... |
@@ -568,10 +557,7 @@ function start_keystone { |
568 | 568 |
# unencryted traffic at this point. |
569 | 569 |
# If running in Apache, use the path rather than port. |
570 | 570 |
|
571 |
- local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/ |
|
572 |
- if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then |
|
573 |
- service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ |
|
574 |
- fi |
|
571 |
+ local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/ |
|
575 | 572 |
|
576 | 573 |
if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then |
577 | 574 |
die $LINENO "keystone did not start" |
... | ... |
@@ -595,6 +581,8 @@ function stop_keystone { |
595 | 595 |
else |
596 | 596 |
stop_process key-p |
597 | 597 |
stop_process key-a |
598 |
+ remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" |
|
599 |
+ remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" |
|
598 | 600 |
fi |
599 | 601 |
# Kill the Keystone screen window |
600 | 602 |
stop_process key |
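Review bot: In the configure_keystone hunk the uwsgi calls to write_uwsgi_config drop their fourth argument (`"$KEYSTONE_ADMIN_BIND_HOST:$auth_port"` for the admin app), so the admin API is no longer bound to an address chosen by KEYSTONE_ADMIN_BIND_HOST. It appears to be published only at /identity_admin through the Apache ProxyPass entry. If that reading is right, the admin API becomes reachable on every address Apache listens on, which is wider than a setup that pointed KEYSTONE_ADMIN_BIND_HOST at a management address would expect. Nothing in the visible lines records this, so I would add a comment above the two calls, for example `# public and admin are both served through the Apache proxy; KEYSTONE_ADMIN_BIND_HOST no longer restricts the admin API`, and state whether that variable is now unused. configure_keystone starts and ends outside these hunks.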
... | ... |
@@ -73,8 +73,6 @@ else |
73 | 73 |
fi |
74 | 74 |
|
75 | 75 |
SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http} |
76 |
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL} |
|
77 |
-KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST} |
|
78 | 76 |
|
79 | 77 |
# Identity API version |
80 | 78 |
export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3} |
... | ... |
@@ -84,7 +82,7 @@ export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3} |
84 | 84 |
# the user/project has access to - including nova, glance, keystone, swift, ... |
85 | 85 |
# We currently recommend using the version 3 *identity api*. |
86 | 86 |
# |
87 |
-export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION} |
|
87 |
+export OS_AUTH_URL=$KEYSTONE_AUTH_URI |
|
88 | 88 |
|
89 | 89 |
# Currently, in order to use openstackclient with Identity API v3, |
90 | 90 |
# we need to set the domain which the user and project belong to. |
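Review bot: `export OS_AUTH_URL=$KEYSTONE_AUTH_URI` depends on a variable that none of the visible lines of this file set, while the preceding hunk removes the KEYSTONE_AUTH_PROTOCOL and KEYSTONE_AUTH_HOST defaults that used to make this line self-contained. If KEYSTONE_AUTH_URI is not already defined when the file is sourced, OS_AUTH_URL is exported as an empty string and clients fail later with a less obvious error. A fallback keeps the file usable on its own, e.g. `export OS_AUTH_URL=${KEYSTONE_AUTH_URI:-$SERVICE_PROTOCOL://$SERVICE_HOST/identity_admin}`. The new value also drops the `/v${OS_IDENTITY_API_VERSION}` suffix of the old URL and, going by the other hunks, now points at the admin path. If both are intended, the comment block above the export should say so.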
... | ... |
@@ -225,6 +225,12 @@ DATABASE_QUERY_LOGGING=$(trueorfalse False DATABASE_QUERY_LOGGING) |
225 | 225 |
# Zero disables timeouts |
226 | 226 |
GIT_TIMEOUT=${GIT_TIMEOUT:-0} |
227 | 227 |
|
228 |
+# How should we be handling WSGI deployments. By default we're going |
|
229 |
+# to allow for 2 modes, which is "uwsgi" which runs with an apache |
|
230 |
+# proxy uwsgi in front of it, or "mod_wsgi", which runs in |
|
231 |
+# apache. mod_wsgi is deprecated, don't use it. |
|
232 |
+WSGI_MODE=${WSGI_MODE:-"uwsgi"} |
|
233 |
+ |
|
228 | 234 |
# Repositories |
229 | 235 |
# ------------ |
230 | 236 |
|
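Review bot: WSGI_MODE is taken as given: the new comment names two modes, but any other string (a misspelling, a different case) passes through unchecked. The keystone code in this change treats everything that is not exactly `uwsgi` as mod_wsgi, the mode this comment calls deprecated, so a typo silently selects it. A check directly after the assignment would surface that early, for example `[[ "$WSGI_MODE" == "uwsgi" || "$WSGI_MODE" == "mod_wsgi" ]] || die $LINENO "WSGI_MODE must be uwsgi or mod_wsgi"`, assuming the `die` helper is already defined when this file is read. Otherwise print the message to stderr and abort.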