Andrew Bogott has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/330371 )

Change subject: Keystone:  Move api service to uwsgi/nginx
......................................................................

Keystone:  Move api service to uwsgi/nginx

Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655
Depends-on: 330370
Bug: T150774
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
M modules/role/manifests/labs/openstack/keystone.pp
5 files changed, 53 insertions(+), 15 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/71/330371/1

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 93e7062..16ea298 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,6 +357,7 @@
   ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
   auth_protocol: 'http'
   auth_port: '35357'
+  public_port: '5000'
   db_host: 'm5-master.eqiad.wmnet'
   ldap_host: 'ldap-labs.eqiad.wikimedia.org'
   token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4f05197..4b9c47f 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,6 +145,7 @@
 
 keystoneconfig:
   auth_port: '35357'
+  public_port: '5000'
   auth_protocol: 'http'
   auth_host: 208.80.154.92
   admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index 1e59764..f18e091 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,6 +455,7 @@
     ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
     auth_protocol: 'http'
     auth_port: '35357'
+    public_port: '5000'
     db_host: 'labtestcontrol2001.wikimedia.org'
     ldap_host: 'labtestservices2001.wikimedia.org'
     token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp 
b/modules/openstack/manifests/keystone/service.pp
index 08d77e2..2982a66 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -53,15 +53,13 @@
             mode    => '0644',
             notify  => Service['keystone'],
             recurse => true;
+        # Disable the keystone process itself; this will be handled
+        #  by nginx and uwsgi
+        '/etc/init/keystone.conf':
+            ensure  => 'absent';
     }
 
     if $::fqdn == hiera('labs_nova_controller') {
-        service { 'keystone':
-            ensure    => running,
-            subscribe => File['/etc/keystone/keystone.conf'],
-            require   => Package['keystone'];
-        }
-
         # Clean up expired keystone tokens, because keystone seems to leak them
         $keystone_db_name = $keystoneconfig['db_name']
         $keystone_db_user = $keystoneconfig['db_user']
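Review bot: Removing `/etc/init/keystone.conf` has no ordering against the `service { 'keystone': ensure => stopped }` declared later in this file, so Puppet may delete the upstart job before it tries to stop it. If that happens, the service provider presumably can no longer stop the job, and a surviving keystone-all process would keep ports 35357 and 5000 bound when the uwsgi workers start. Adding `require => Service['keystone']` to this file entry would force stop-then-remove. The enclosing file resource block and the class both start outside this hunk.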
@@ -75,10 +73,6 @@
                 command => "/usr/bin/mysql ${keystone_db_name} 
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE 
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 10000;'",
         }
 
-        nrpe::monitor_service { 'check_keystone_process':
-            description  => 'keystone process',
-            nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1: 
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
-        }
         monitoring::service { 'keystone-http-35357':
             description   => 'keystone http',
             check_command => 'check_http_on_port!35357',
@@ -87,10 +81,12 @@
             description   => 'keystone http',
             check_command => 'check_http_on_port!5000',
         }
-    } else {
-        service { 'keystone':
-            ensure  => stopped,
-            require => Package['keystone'];
-        }
+    }
+
+    # stop the keystone process itself; this will be handled
+    #  by nginx and uwsgi
+    service { 'keystone':
+        ensure  => stopped,
+        require => Package['keystone'];
     }
 }
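Review bot: With `Service['keystone']` now `ensure => stopped` on every host, the `notify => Service['keystone']` on the config files earlier in this manifest no longer restarts anything, so a changed keystone.conf will not reach the running uwsgi workers. For an identity service, that means a rotated credential or a tightened setting could stay unapplied until someone restarts uwsgi by hand. Consider having the two `service::uwsgi` resources subscribe to `File['/etc/keystone/keystone.conf']`, or pointing the notify at them. How `service::uwsgi` exposes its underlying service is not visible here, so the exact reference needs checking.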
diff --git a/modules/role/manifests/labs/openstack/keystone.pp 
b/modules/role/manifests/labs/openstack/keystone.pp
index c8a568c..824948b 100644
--- a/modules/role/manifests/labs/openstack/keystone.pp
+++ b/modules/role/manifests/labs/openstack/keystone.pp
@@ -30,4 +30,43 @@
         description   => 'Keystone admin and observer projects exist',
         check_command => 'check_keystone_projects',
     }
+
+    file { '/var/log/uwsgi/keystone':
+        ensure => directory,
+        owner  => 'www-data',
+        group  => 'www-data',
+        mode   => '0644',
+    }
+
+    # Keystone admin API
+    service::uwsgi { 'keystone-admin':
+        port            => $keystoneconfig['auth_port'],
+        healthcheck_url => '/',
+        deployment      => None,
+        config          => {
+            wsgi-file => '/usr/bin/keystone-wsgi-admin',
+            name      => 'keystone',
+            uid       => 'keystone',
+            gid       => 'keystone',
+            processes => '10',
+            threads   => '2',
+            logto     => '/var/log/uwsgi/keystone/keystone-admin.log',
+        },
+        require         => File['/var/log/uwsgi/keystone'],
+    }
+    service::uwsgi { 'keystone-public':
+        port            => $keystoneconfig['public_port'],
+        healthcheck_url => '/',
+        deployment      => None,
+        config          => {
+            wsgi-file => '/usr/bin/keystone-wsgi-public',
+            name      => 'keystone',
+            uid       => 'keystone',
+            gid       => 'keystone',
+            processes => '10',
+            threads   => '2',
+            logto     => '/var/log/uwsgi/keystone/keystone-public.log',
+        },
+        require         => File['/var/log/uwsgi/keystone'],
+    }
 }
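Review bot: The log directory `/var/log/uwsgi/keystone` is owned by `www-data` while both uwsgi services run with `uid => 'keystone'`, and mode `'0644'` on a directory ends up world-readable once Puppet adds the search bits. Keystone request logs can carry authentication details, so I would restrict the directory to the service account: `owner => 'keystone', group => 'keystone', mode => '0750'`. Whether uwsgi opens `logto` before or after dropping privileges decides if the current ownership works at all, so that is worth testing. Separately, `deployment => None` is a bare capitalised word, which Puppet does not treat as an undefined value; `undef` or a quoted string is probably what is meant, depending on what `service::uwsgi` expects.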

-- 
To view, visit https://gerrit.wikimedia.org/r/330371

Gerrit-MessageType: newchange
Gerrit-Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
