Andrew Bogott has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/330371 )
Change subject: Keystone: Move api service to uwsgi/nginx ...................................................................... Keystone: Move api service to uwsgi/nginx Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655 Depends-on: 330370 Bug: T150774 --- M hieradata/common.yaml M hieradata/eqiad.yaml M hieradata/regex.yaml M modules/openstack/manifests/keystone/service.pp M modules/role/manifests/labs/openstack/keystone.pp 5 files changed, 53 insertions(+), 15 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/71/330371/1 diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 93e7062..16ea298 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -357,6 +357,7 @@ ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' auth_protocol: 'http' auth_port: '35357' + public_port: '5000' db_host: 'm5-master.eqiad.wmnet' ldap_host: 'ldap-labs.eqiad.wikimedia.org' token_driver: 'normal' diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml index 4f05197..4b9c47f 100644 --- a/hieradata/eqiad.yaml +++ b/hieradata/eqiad.yaml @@ -145,6 +145,7 @@ keystoneconfig: auth_port: '35357' + public_port: '5000' auth_protocol: 'http' auth_host: 208.80.154.92 admin_project_id: 'admin' diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml index 1e59764..f18e091 100644 --- a/hieradata/regex.yaml +++ b/hieradata/regex.yaml @@ -455,6 +455,7 @@ ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' auth_protocol: 'http' auth_port: '35357' + public_port: '5000' db_host: 'labtestcontrol2001.wikimedia.org' ldap_host: 'labtestservices2001.wikimedia.org' token_driver: 'normal' diff --git a/modules/openstack/manifests/keystone/service.pp b/modules/openstack/manifests/keystone/service.pp index 08d77e2..2982a66 100644 --- a/modules/openstack/manifests/keystone/service.pp +++ b/modules/openstack/manifests/keystone/service.pp 
@@ -53,15 +53,13 @@ mode => '0644', notify => Service['keystone'], recurse => true; + # Disable the keystone process itself; this will be handled + # by nginx and uwsgi + '/etc/init/keystone.conf': + ensure => 'absent'; } if $::fqdn == hiera('labs_nova_controller') { - service { 'keystone': - ensure => running, - subscribe => File['/etc/keystone/keystone.conf'], - require => Package['keystone']; - } - # Clean up expired keystone tokens, because keystone seems to leak them $keystone_db_name = $keystoneconfig['db_name'] $keystone_db_user = $keystoneconfig['db_user'] @@ -75,10 +73,6 @@ command => "/usr/bin/mysql ${keystone_db_name} -h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 10000;'", } - nrpe::monitor_service { 'check_keystone_process': - description => 'keystone process', - nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'", - } monitoring::service { 'keystone-http-35357': description => 'keystone http', check_command => 'check_http_on_port!35357', @@ -87,10 +81,12 @@ description => 'keystone http', check_command => 'check_http_on_port!5000', } - } else { - service { 'keystone': - ensure => stopped, - require => Package['keystone']; - } + } + + # stop the keystone process itself; this will be handled + # by nginx and uwsgi + service { 'keystone': + ensure => stopped, + require => Package['keystone']; } } diff --git a/modules/role/manifests/labs/openstack/keystone.pp b/modules/role/manifests/labs/openstack/keystone.pp index c8a568c..824948b 100644 --- a/modules/role/manifests/labs/openstack/keystone.pp +++ b/modules/role/manifests/labs/openstack/keystone.pp 
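Review bot: Nothing orders the removal of `/etc/init/keystone.conf` (first hunk) against `service { 'keystone': ensure => stopped }` (last hunk), so the job definition can be deleted before the old daemon is stopped. That may leave the old process running and bound to the ports the uwsgi services need. Adding `require => Service['keystone']` to the `'/etc/init/keystone.conf'` entry would make the stop happen first. The removed service also carried `subscribe => File['/etc/keystone/keystone.conf']`, and nothing visible in this change restarts the uwsgi workers when that file changes, so configuration updates may not take effect until a manual restart. The file resource block and the enclosing class both start outside these hunks.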
@@ -30,4 +30,43 @@ description => 'Keystone admin and observer projects exist', check_command => 'check_keystone_projects', } + + file { '/var/log/uwsgi/keystone': + ensure => directory, + owner => 'www-data', + group => 'www-data', + mode => '0644', + } + + # Keystone admin API + service::uwsgi { 'keystone-admin': + port => $keystoneconfig['auth_port'], + healthcheck_url => '/', + deployment => None, + config => { + wsgi-file => '/usr/bin/keystone-wsgi-admin', + name => 'keystone', + uid => 'keystone', + gid => 'keystone', + processes => '10', + threads => '2', + logto => '/var/log/uwsgi/keystone/keystone-admin.log', + }, + require => File['/var/log/uwsgi/keystone'], + } + service::uwsgi { 'keystone-public': + port => $keystoneconfig['public_port'], + healthcheck_url => '/', + deployment => None, + config => { + wsgi-file => '/usr/bin/keystone-wsgi-public', + name => 'keystone', + uid => 'keystone', + gid => 'keystone', + processes => '10', + threads => '2', + logto => '/var/log/uwsgi/keystone/keystone-public.log', + }, + require => File['/var/log/uwsgi/keystone'], + } } -- To view, visit https://gerrit.wikimedia.org/r/330371 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
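Review bot: The log directory `/var/log/uwsgi/keystone` is declared with `owner => 'www-data'`, `group => 'www-data'` and `mode => '0644'`, while both uwsgi services run with `uid => 'keystone'` and point `logto` at files inside it. If uwsgi opens the log after dropping privileges it cannot create those files, and request logs of an identity API are better not left readable by other local accounts. Something like `owner => 'keystone', group => 'keystone', mode => '0750'` would match the workers, but confirm it against how `service::uwsgi` starts the process. Separately, `deployment => None` looks like a Python literal; Puppet writes an unset value as `undef`, so check what the define expects there. The subject mentions nginx, but this hunk declares only the uwsgi listeners, so it cannot be told from here whether TLS sits in front of the ports that carry credentials and tokens.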