Keystone is going to remove support for eventlet. Rather than only
have one way to run keystone (in Apache Httpd with mod_wsgi), we
should continue to gate on multiple wsgi containers to ensure that
keystone remains container-agnostic. The suggested alternative
container is uwsgi.
To run keystone in uwsgi rather than httpd or eventlet, set the
following env var in local.conf:
KEYSTONE_DEPLOY=uwsgi
There are a lot of options for uwsgi. Here are some protips:
http://uwsgi-docs.readthedocs.org/en/latest/ThingsToKnow.html
Change-Id: If3b49879ce5181c16f0f0ab0db12fa55fe810a41
... | ... |
@@ -1428,14 +1428,17 @@ function run_process { |
1428 | 1428 |
local service=$1 |
1429 | 1429 |
local command="$2" |
1430 | 1430 |
local group=$3 |
1431 |
+ local subservice=$4 |
|
1432 |
+ |
|
1433 |
+ local name=${subservice:-$service} |
|
1431 | 1434 |
|
1432 | 1435 |
time_start "run_process" |
1433 | 1436 |
if is_service_enabled $service; then |
1434 | 1437 |
if [[ "$USE_SCREEN" = "True" ]]; then |
1435 |
- screen_process "$service" "$command" "$group" |
|
1438 |
+ screen_process "$name" "$command" "$group" |
|
1436 | 1439 |
else |
1437 | 1440 |
# Spawn directly without screen |
1438 |
- _run_process "$service" "$command" "$group" & |
|
1441 |
+ _run_process "$name" "$command" "$group" & |
|
1439 | 1442 |
fi |
1440 | 1443 |
fi |
1441 | 1444 |
time_stop "run_process" |
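Review bot: The new fourth argument `subservice` is undocumented, and the hunk now uses two names for one process: the enabled check still tests `$service`, while screen_process and _run_process receive `$name`. A header comment such as `# run_process service "command-line" [group] [subservice]` would make this explicit, with a line noting that `subservice` only overrides the process/window name and that callers must pass an empty `group` to reach it. Any stop or pid-file helper keyed on the service name presumably needs the same subservice name, which this hunk does not show. run_process starts before the hunk and continues past it.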
... | ... |
@@ -62,6 +62,7 @@ KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES} |
62 | 62 |
# KEYSTONE_DEPLOY defines how keystone is deployed, allowed values: |
63 | 63 |
# - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi |
64 | 64 |
# - eventlet : Run keystone-all |
65 |
+# - uwsgi : Run keystone under uwsgi |
|
65 | 66 |
if [ -z "$KEYSTONE_DEPLOY" ]; then |
66 | 67 |
if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then |
67 | 68 |
KEYSTONE_DEPLOY=mod_wsgi |
... | ... |
@@ -244,16 +245,15 @@ function configure_keystone { |
244 | 244 |
# Register SSL certificates if provided |
245 | 245 |
if is_ssl_enabled_service key; then |
246 | 246 |
ensure_certificates KEYSTONE |
247 |
- |
|
248 |
- iniset $KEYSTONE_CONF eventlet_server_ssl enable True |
|
249 |
- iniset $KEYSTONE_CONF eventlet_server_ssl certfile $KEYSTONE_SSL_CERT |
|
250 |
- iniset $KEYSTONE_CONF eventlet_server_ssl keyfile $KEYSTONE_SSL_KEY |
|
251 | 247 |
fi |
252 | 248 |
|
249 |
+ local service_port=$KEYSTONE_SERVICE_PORT |
|
250 |
+ local auth_port=$KEYSTONE_AUTH_PORT |
|
251 |
+ |
|
253 | 252 |
if is_service_enabled tls-proxy; then |
254 | 253 |
# Set the service ports for a proxy to take the originals |
255 |
- iniset $KEYSTONE_CONF eventlet_server public_port $KEYSTONE_SERVICE_PORT_INT |
|
256 |
- iniset $KEYSTONE_CONF eventlet_server admin_port $KEYSTONE_AUTH_PORT_INT |
|
254 |
+ service_port=$KEYSTONE_SERVICE_PORT_INT |
|
255 |
+ auth_port=$KEYSTONE_AUTH_PORT_INT |
|
257 | 256 |
|
258 | 257 |
iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI |
259 | 258 |
iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI |
... | ... |
@@ -273,7 +273,7 @@ function configure_keystone { |
273 | 273 |
fi |
274 | 274 |
|
275 | 275 |
# Format logging |
276 |
- if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_DEPLOY" == "eventlet" ] ; then |
|
276 |
+ if [ "$LOG_COLOR" == "True" ] && [ "$SYSLOG" == "False" ] && [ "$KEYSTONE_DEPLOY" != "mod_wsgi" ] ; then |
|
277 | 277 |
setup_colorized_logging $KEYSTONE_CONF DEFAULT |
278 | 278 |
fi |
279 | 279 |
|
... | ... |
@@ -285,7 +285,58 @@ function configure_keystone { |
285 | 285 |
iniset $KEYSTONE_CONF DEFAULT logging_debug_format_suffix "%(asctime)s.%(msecs)03d %(funcName)s %(pathname)s:%(lineno)d" |
286 | 286 |
iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s" |
287 | 287 |
_config_keystone_apache_wsgi |
288 |
- else |
|
288 |
+ elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then |
|
289 |
+ # iniset creates these files when it's called if they don't exist. |
|
290 |
+ KEYSTONE_PUBLIC_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini |
|
291 |
+ KEYSTONE_ADMIN_UWSGI_FILE=$KEYSTONE_CONF_DIR/keystone-uwsgi-admin.ini |
|
292 |
+ |
|
293 |
+ rm -f "$KEYSTONE_PUBLIC_UWSGI_FILE" |
|
294 |
+ rm -f "$KEYSTONE_ADMIN_UWSGI_FILE" |
|
295 |
+ |
|
296 |
+ if is_ssl_enabled_service key; then |
|
297 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi https $KEYSTONE_SERVICE_HOST:$service_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY |
|
298 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi https $KEYSTONE_ADMIN_BIND_HOST:$auth_port,$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY |
|
299 |
+ else |
|
300 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi http $KEYSTONE_SERVICE_HOST:$service_port |
|
301 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi http $KEYSTONE_ADMIN_BIND_HOST:$auth_port |
|
302 |
+ fi |
|
303 |
+ |
|
304 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-public" |
|
305 |
+ # This is running standalone |
|
306 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi master true |
|
307 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi threads $(nproc) |
|
308 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi enable-threads true |
|
309 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi plugins python |
|
310 |
+ # uwsgi recommends this to prevent thundering herd on accept. |
|
311 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi thunder-lock true |
|
312 |
+ # Override the default size for headers from the 4k default. |
|
313 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi buffer-size 65535 |
|
314 |
+ # Make sure the client doesn't try to re-use the connection. |
|
315 |
+ iniset "$KEYSTONE_PUBLIC_UWSGI_FILE" uwsgi add-header "Connection: close" |
|
316 |
+ |
|
317 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi wsgi-file "$KEYSTONE_BIN_DIR/keystone-wsgi-admin" |
|
318 |
+ # This is running standalone |
|
319 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi master true |
|
320 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi threads $API_WORKERS |
|
321 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi enable-threads true |
|
322 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi plugins python |
|
323 |
+ # uwsgi recommends this to prevent thundering herd on accept. |
|
324 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi thunder-lock true |
|
325 |
+ # Override the default size for headers from the 4k default. |
|
326 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi buffer-size 65535 |
|
327 |
+ # Make sure the client doesn't try to re-use the connection. |
|
328 |
+ iniset "$KEYSTONE_ADMIN_UWSGI_FILE" uwsgi add-header "Connection: close" |
|
329 |
+ |
|
330 |
+ else # eventlet |
|
331 |
+ if is_ssl_enabled_service key; then |
|
332 |
+ iniset $KEYSTONE_CONF eventlet_server_ssl enable True |
|
333 |
+ iniset $KEYSTONE_CONF eventlet_server_ssl certfile $KEYSTONE_SSL_CERT |
|
334 |
+ iniset $KEYSTONE_CONF eventlet_server_ssl keyfile $KEYSTONE_SSL_KEY |
|
335 |
+ fi |
|
336 |
+ |
|
337 |
+ iniset $KEYSTONE_CONF eventlet_server public_port $service_port |
|
338 |
+ iniset $KEYSTONE_CONF eventlet_server admin_port $auth_port |
|
339 |
+ |
|
289 | 340 |
iniset $KEYSTONE_CONF eventlet_server admin_bind_host "$KEYSTONE_ADMIN_BIND_HOST" |
290 | 341 |
iniset $KEYSTONE_CONF eventlet_server admin_workers "$API_WORKERS" |
291 | 342 |
# Public workers will use the server default, typically number of CPU. |
... | ... |
@@ -530,7 +581,10 @@ function start_keystone { |
530 | 530 |
restart_apache_server |
531 | 531 |
tail_log key /var/log/$APACHE_NAME/keystone.log |
532 | 532 |
tail_log key-access /var/log/$APACHE_NAME/keystone_access.log |
533 |
- else |
|
533 |
+ elif [ "$KEYSTONE_DEPLOY" == "uwsgi" ]; then |
|
534 |
+ run_process key "uwsgi $KEYSTONE_PUBLIC_UWSGI_FILE" "" "key-p" |
|
535 |
+ run_process key "uwsgi $KEYSTONE_ADMIN_UWSGI_FILE" "" "key-a" |
|
536 |
+ else # eventlet |
|
534 | 537 |
# Start Keystone in a screen window |
535 | 538 |
run_process key "$KEYSTONE_BIN_DIR/keystone-all --config-file $KEYSTONE_CONF" |
536 | 539 |
fi |
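Review bot: `KEYSTONE_PUBLIC_UWSGI_FILE` and `KEYSTONE_ADMIN_UWSGI_FILE` are assigned only inside the uwsgi branch of configure_keystone, yet the start_keystone hunk passes them to `run_process`; if start_keystone is invoked in a shell where configure_keystone did not run, the command collapses to a bare `uwsgi` with no ini file. Defining them once at file scope beside the KEYSTONE_DEPLOY defaults, e.g. `KEYSTONE_PUBLIC_UWSGI_FILE=${KEYSTONE_PUBLIC_UWSGI_FILE:-$KEYSTONE_CONF_DIR/keystone-uwsgi-public.ini}` (and the admin equivalent), removes that ordering dependency. In the same uwsgi branch the `https` values are built from unquoted `$KEYSTONE_SSL_CERT,$KEYSTONE_SSL_KEY`, so a path containing whitespace would shift iniset's arguments; quoting the whole value as one word avoids that. When tls-proxy is enabled the `http` listeners appear to bind the internal port on `$KEYSTONE_SERVICE_HOST` in cleartext, so a comment stating which interface that is expected to be would help. Both function bodies extend beyond the hunks shown.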