Andrew Bogott has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/330371 )
Change subject: Keystone: Move api service to uwsgi/nginx ...................................................................... Keystone: Move api service to uwsgi/nginx Bug: T150774 Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655 --- M hieradata/common.yaml M hieradata/eqiad.yaml M hieradata/regex.yaml M modules/openstack/manifests/keystone/service.pp 4 files changed, 67 insertions(+), 15 deletions(-) Approvals: Andrew Bogott: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 93e7062..16ea298 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -357,6 +357,7 @@ ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' auth_protocol: 'http' auth_port: '35357' + public_port: '5000' db_host: 'm5-master.eqiad.wmnet' ldap_host: 'ldap-labs.eqiad.wikimedia.org' token_driver: 'normal' diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml index 4f05197..4b9c47f 100644 --- a/hieradata/eqiad.yaml +++ b/hieradata/eqiad.yaml @@ -145,6 +145,7 @@ keystoneconfig: auth_port: '35357' + public_port: '5000' auth_protocol: 'http' auth_host: 208.80.154.92 admin_project_id: 'admin' diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml index 1e59764..f18e091 100644 --- a/hieradata/regex.yaml +++ b/hieradata/regex.yaml @@ -455,6 +455,7 @@ ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org' auth_protocol: 'http' auth_port: '35357' + public_port: '5000' db_host: 'labtestcontrol2001.wikimedia.org' ldap_host: 'labtestservices2001.wikimedia.org' token_driver: 'normal' diff --git a/modules/openstack/manifests/keystone/service.pp b/modules/openstack/manifests/keystone/service.pp index 08d77e2..944c3bd 100644 --- a/modules/openstack/manifests/keystone/service.pp +++ b/modules/openstack/manifests/keystone/service.pp 
@@ -26,13 +26,28 @@ $labs_networks = $network::constants::labs_networks file { + '/var/log/keystone': + ensure => directory, + owner => 'www-data', + group => 'www-data', + mode => '0755'; + '/var/log/keystone/uwsgi': + ensure => directory, + owner => 'www-data', + group => 'www-data', + mode => '0755'; + '/etc/keystone': + ensure => directory, + owner => 'keystone', + group => 'keystone', + mode => '0755'; '/etc/keystone/keystone.conf': content => template("openstack/${openstack_version}/keystone/keystone.conf.erb"), owner => 'keystone', group => 'keystone', - notify => Service['keystone'], + notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], require => Package['keystone'], - mode => '0440'; + mode => '0444'; '/etc/keystone/policy.json': source => "puppet:///modules/openstack/${openstack_version}/keystone/policy.json", mode => '0644', 
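Review bot: The mode change on `/etc/keystone/keystone.conf` from `0440` to `0444` makes the file readable by every local account on the host. The template is not shown here, but a keystone.conf normally holds the database connection string and other service credentials, and the cron job later in this manifest already handles `${keystone_db_pass}`, so world-read is probably broader than intended. The new log directories are owned by `www-data`, which suggests the uwsgi workers run as that user and need read access. If so, keep the access group-scoped with `group => 'www-data',` and `mode => '0440';` rather than opening the file to everyone. The `file { … }` block starts and ends outside this hunk.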
@@ -44,22 +59,50 @@ owner => 'root', group => 'root', mode => '0644', - notify => Service['keystone'], + notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], recurse => true; '/usr/lib/python2.7/dist-packages/wmfkeystoneauth.egg-info': source => "puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth.egg-info", owner => 'root', group => 'root', mode => '0644', - notify => Service['keystone'], + notify => Service['uwsgi-keystone-admin', 'uwsgi-keystone-public'], recurse => true; + # Disable the keystone process itself; this will be handled + # by nginx and uwsgi + '/etc/init/keystone.conf': + ensure => 'absent'; } if $::fqdn == hiera('labs_nova_controller') { - service { 'keystone': - ensure => running, - subscribe => File['/etc/keystone/keystone.conf'], - require => Package['keystone']; + # Set up uwsgi services + + # Keystone admin API + service::uwsgi { 'keystone-admin': + port => $keystoneconfig['auth_port'], + healthcheck_url => '/', + deployment => None, + config => { + wsgi-file => '/usr/bin/keystone-wsgi-admin', + name => 'keystone', + processes => '10', + threads => '2', + logto => '/var/log/keystone/uwsgi/keystone-admin.log', + logger => 'file:/var/log/keystone/uwsgi/keystone-admin-uwsgi.log', + }, + } + service::uwsgi { 'keystone-public': + port => $keystoneconfig['public_port'], + healthcheck_url => '/', + deployment => None, + config => { + wsgi-file => '/usr/bin/keystone-wsgi-public', + name => 'keystone', + processes => '10', + threads => '2', + logto => '/var/log/keystone/uwsgi/keystone-public.log', + logger => 'file:/var/log/keystone/uwsgi/keystone-public-uwsgi.log', + }, } # Clean up expired keystone tokens, because keystone seems to leak them 
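Review bot: Both `service::uwsgi` blocks point `logto` and `logger` at `/var/log/keystone/uwsgi`, which the preceding hunk creates with `mode => '0755'`, so any local user can list and traverse the directory. uwsgi request logs record the request URI, and Keystone API paths can carry token IDs (v2 token validation puts the token in the path), so these files should be treated as sensitive. I would tighten both directories to `mode => '0750';` and confirm the mode uwsgi creates the log files with, pinning it via `logfile-chmod` in the `config` hash if needed. The enclosing `if $::fqdn == hiera('labs_nova_controller')` block continues past this hunk.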
@@ -75,10 +118,6 @@ command => "/usr/bin/mysql ${keystone_db_name} -h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 10000;'", } - nrpe::monitor_service { 'check_keystone_process': - description => 'keystone process', - nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1: --ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'", - } monitoring::service { 'keystone-http-35357': description => 'keystone http', check_command => 'check_http_on_port!35357', @@ -88,9 +127,19 @@ check_command => 'check_http_on_port!5000', } } else { - service { 'keystone': - ensure => stopped, - require => Package['keystone']; + # Don't run uwsgi services on the spare + service { 'uwsgi-keystone-admin': + ensure => stopped, } + service { 'uwsgi-keystone-public': + ensure => stopped, + } + } + + # stop the keystone process itself; this will be handled + # by nginx and uwsgi + service { 'keystone': + ensure => stopped, + require => Package['keystone']; } } -- To view, visit https://gerrit.wikimedia.org/r/330371 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655 Gerrit-PatchSet: 6 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
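Review bot: The trailing `service { 'keystone': ensure => stopped, … }` in the last hunk has no ordering against the `'/etc/init/keystone.conf': ensure => 'absent'` resource added earlier, or against the two uwsgi services. If Puppet removes the upstart job file first, the stop may no longer find the job, and a running `keystone-all` could keep holding ports 35357 and 5000 — the new services would then fail to bind, or the old listener would keep answering API requests. Assuming `service::uwsgi` declares `Service['uwsgi-keystone-admin']` and `Service['uwsgi-keystone-public']` (the `notify` lines imply it), adding `before => [File['/etc/init/keystone.conf'], Service['uwsgi-keystone-admin', 'uwsgi-keystone-public']],` to the keystone service would make the hand-over explicit. The previous hunk also drops `check_keystone_process` without adding a process-level check for the uwsgi workers; the two HTTP checks remain, so this is a coverage note rather than a defect.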