Andrew Bogott has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/330371 )

Change subject: Keystone:  Move api service to uwsgi/nginx
......................................................................


Keystone:  Move api service to uwsgi/nginx

Bug: T150774
Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
4 files changed, 67 insertions(+), 15 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 93e7062..16ea298 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,6 +357,7 @@
   ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
   auth_protocol: 'http'
   auth_port: '35357'
+  public_port: '5000'
   db_host: 'm5-master.eqiad.wmnet'
   ldap_host: 'ldap-labs.eqiad.wikimedia.org'
   token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4f05197..4b9c47f 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,6 +145,7 @@
 
 keystoneconfig:
   auth_port: '35357'
+  public_port: '5000'
   auth_protocol: 'http'
   auth_host: 208.80.154.92
   admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index 1e59764..f18e091 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,6 +455,7 @@
     ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
     auth_protocol: 'http'
     auth_port: '35357'
+    public_port: '5000'
     db_host: 'labtestcontrol2001.wikimedia.org'
     ldap_host: 'labtestservices2001.wikimedia.org'
     token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp 
b/modules/openstack/manifests/keystone/service.pp
index 08d77e2..944c3bd 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -26,13 +26,28 @@
     $labs_networks = $network::constants::labs_networks
 
     file {
+        '/var/log/keystone':
+            ensure  => directory,
+            owner   => 'www-data',
+            group   => 'www-data',
+            mode    => '0755';
+        '/var/log/keystone/uwsgi':
+            ensure  => directory,
+            owner   => 'www-data',
+            group   => 'www-data',
+            mode    => '0755';
+        '/etc/keystone':
+            ensure  => directory,
+            owner   => 'keystone',
+            group   => 'keystone',
+            mode    => '0755';
         '/etc/keystone/keystone.conf':
             content => 
template("openstack/${openstack_version}/keystone/keystone.conf.erb"),
             owner   => 'keystone',
             group   => 'keystone',
-            notify  => Service['keystone'],
+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
             require => Package['keystone'],
-            mode    => '0440';
+            mode    => '0444';
         '/etc/keystone/policy.json':
             source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/policy.json",
             mode    => '0644',
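Review bot: The new `mode => '0444'` on `/etc/keystone/keystone.conf` makes the file readable by every local account. The template is not shown here, but this manifest passes a `keystone_db_pass` to the token-cleanup cron job further down, so the rendered config presumably carries database (and possibly LDAP) credentials. If the aim is only to let the uwsgi workers read it (the log directories suggest they run as www-data), a tighter alternative is `group => 'www-data',` with `mode => '0440';`. The enclosing `file { … }` block continues past the end of this hunk.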
@@ -44,22 +59,50 @@
             owner   => 'root',
             group   => 'root',
             mode    => '0644',
-            notify  => Service['keystone'],
+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
             recurse => true;
         '/usr/lib/python2.7/dist-packages/wmfkeystoneauth.egg-info':
             source  => 
"puppet:///modules/openstack/${openstack_version}/keystone/wmfkeystoneauth.egg-info",
             owner   => 'root',
             group   => 'root',
             mode    => '0644',
-            notify  => Service['keystone'],
+            notify  => Service['uwsgi-keystone-admin', 
'uwsgi-keystone-public'],
             recurse => true;
+        # Disable the keystone process itself; this will be handled
+        #  by nginx and uwsgi
+        '/etc/init/keystone.conf':
+            ensure  => 'absent';
     }
 
     if $::fqdn == hiera('labs_nova_controller') {
-        service { 'keystone':
-            ensure    => running,
-            subscribe => File['/etc/keystone/keystone.conf'],
-            require   => Package['keystone'];
+        # Set up uwsgi services
+
+        # Keystone admin API
+        service::uwsgi { 'keystone-admin':
+            port            => $keystoneconfig['auth_port'],
+            healthcheck_url => '/',
+            deployment      => None,
+            config          => {
+                wsgi-file => '/usr/bin/keystone-wsgi-admin',
+                name      => 'keystone',
+                processes => '10',
+                threads   => '2',
+                logto     => '/var/log/keystone/uwsgi/keystone-admin.log',
+                logger    => 
'file:/var/log/keystone/uwsgi/keystone-admin-uwsgi.log',
+            },
+        }
+        service::uwsgi { 'keystone-public':
+            port            => $keystoneconfig['public_port'],
+            healthcheck_url => '/',
+            deployment      => None,
+            config          => {
+                wsgi-file => '/usr/bin/keystone-wsgi-public',
+                name      => 'keystone',
+                processes => '10',
+                threads   => '2',
+                logto     => '/var/log/keystone/uwsgi/keystone-public.log',
+                logger    => 
'file:/var/log/keystone/uwsgi/keystone-public-uwsgi.log',
+            },
         }
 
         # Clean up expired keystone tokens, because keystone seems to leak them
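Review bot: Both `service::uwsgi` declarations pass `deployment => None` as an unquoted, capitalised bareword. Puppet has no `None` keyword, so how this is evaluated depends on the parser in use; it may be treated as a type or class reference rather than a string. The `service::uwsgi` define is not visible here, but if it compares the parameter against string values, `deployment => 'None',` states the intent unambiguously. A short comment saying that no deploy tooling is wanted for these two services would also help. The surrounding `if` block starts inside this hunk and ends outside it.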
@@ -75,10 +118,6 @@
                 command => "/usr/bin/mysql ${keystone_db_name} 
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE 
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 10000;'",
         }
 
-        nrpe::monitor_service { 'check_keystone_process':
-            description  => 'keystone process',
-            nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1: 
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
-        }
         monitoring::service { 'keystone-http-35357':
             description   => 'keystone http',
             check_command => 'check_http_on_port!35357',
@@ -88,9 +127,19 @@
             check_command => 'check_http_on_port!5000',
         }
     } else {
-        service { 'keystone':
-            ensure  => stopped,
-            require => Package['keystone'];
+        # Don't run uwsgi services on the spare
+        service { 'uwsgi-keystone-admin':
+            ensure => stopped,
         }
+        service { 'uwsgi-keystone-public':
+            ensure => stopped,
+        }
+    }
+
+    # stop the keystone process itself; this will be handled
+    #  by nginx and uwsgi
+    service { 'keystone':
+        ensure  => stopped,
+        require => Package['keystone'];
     }
 }
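Review bot: Nothing orders the new `service { 'keystone': ensure => stopped }` against the `'/etc/init/keystone.conf': ensure => 'absent'` file resource added earlier in this manifest. If Puppet removes the upstart job file first, the service provider may no longer be able to find or stop a keystone process that is still running. That process would then keep holding the API ports that the uwsgi/nginx front end is meant to take over. Adding `before => File['/etc/init/keystone.conf'],` to the service resource would make the stop happen while the job definition still exists.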

-- 
To view, visit https://gerrit.wikimedia.org/r/330371

Gerrit-MessageType: merged
Gerrit-Change-Id: I8b82360b5080dbe0b2b6e043bec0db1c8f9c4655
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
