[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystone: Move api service to uwsgi/nginx"
Andrew Bogott has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/330364 )
Change subject: Revert "Keystone: Move api service to uwsgi/nginx"
..
Revert "Keystone: Move api service to uwsgi/nginx"
This reverts commit 2e2dd27d6e40886bcd048b675e5b4befc8777cee.
Change-Id: Ia28fa7a6af5a903885de49b1ddb072e594714458
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
M modules/role/manifests/labs/openstack/keystone.pp
5 files changed, 15 insertions(+), 53 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 16ea298..93e7062 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,7 +357,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
- public_port: '5000'
db_host: 'm5-master.eqiad.wmnet'
ldap_host: 'ldap-labs.eqiad.wikimedia.org'
token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4b9c47f..4f05197 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,7 +145,6 @@
keystoneconfig:
auth_port: '35357'
- public_port: '5000'
auth_protocol: 'http'
auth_host: 208.80.154.92
admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index f18e091..1e59764 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,7 +455,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
-public_port: '5000'
db_host: 'labtestcontrol2001.wikimedia.org'
ldap_host: 'labtestservices2001.wikimedia.org'
token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp
b/modules/openstack/manifests/keystone/service.pp
index 2982a66..08d77e2 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -53,13 +53,15 @@
mode=> '0644',
notify => Service['keystone'],
recurse => true;
-# Disable the keystone process itself; this will be handled
-# by nginx and uwsgi
-'/etc/init/keystone.conf':
-ensure => 'absent';
}
if $::fqdn == hiera('labs_nova_controller') {
+service { 'keystone':
+ensure=> running,
+subscribe => File['/etc/keystone/keystone.conf'],
+require => Package['keystone'];
+}
+
# Clean up expired keystone tokens, because keystone seems to leak them
$keystone_db_name = $keystoneconfig['db_name']
$keystone_db_user = $keystoneconfig['db_user']
@@ -73,6 +75,10 @@
command => "/usr/bin/mysql ${keystone_db_name}
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 1;'",
}
+nrpe::monitor_service { 'check_keystone_process':
+description => 'keystone process',
+nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1:
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
+}
monitoring::service { 'keystone-http-35357':
description => 'keystone http',
check_command => 'check_http_on_port!35357',
@@ -81,12 +87,10 @@
description => 'keystone http',
check_command => 'check_http_on_port!5000',
}
-}
-
-# stop the keystone process itself; this will be handled
-# by nginx and uwsgi
-service { 'keystone':
-ensure => stopped,
-require => Package['keystone'];
+} else {
+service { 'keystone':
+ensure => stopped,
+require => Package['keystone'];
+}
}
}
diff --git a/modules/role/manifests/labs/openstack/keystone.pp
b/modules/role/manifests/labs/openstack/keystone.pp
index 824948b..c8a568c 100644
--- a/modules/role/manifests/labs/openstack/keystone.pp
+++ b/modules/role/manifests/labs/openstack/keystone.pp
@@ -30,43 +30,4 @@
description => 'Keystone admin and observer projects exist',
check_command => 'check_keystone_projects',
}
-
-file { '/var/log/uwsgi/keystone':
-ensure => directory,
-owner => 'www-data',
-group => 'www-data',
-mode => '0644',
-}
-
-# Keystone admin API
-service::uwsgi { 'keystone-admin':
-port=> $keystoneconfig['auth_port'],
-healthcheck_url => '/',
-deployment => None,
-config => {
-wsgi-file => '/usr/bin/keystone-wsgi-admin',
-name => 'keystone',
-uid => 'keystone',
-gid => 'keystone',
-processes =>
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystone: Move api service to uwsgi/nginx"
Hello jenkins-bot,
I'd like you to do a code review. Please visit
https://gerrit.wikimedia.org/r/330364
to review the following change.
Change subject: Revert "Keystone: Move api service to uwsgi/nginx"
..
Revert "Keystone: Move api service to uwsgi/nginx"
This reverts commit 2e2dd27d6e40886bcd048b675e5b4befc8777cee.
Change-Id: Ia28fa7a6af5a903885de49b1ddb072e594714458
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
M modules/role/manifests/labs/openstack/keystone.pp
5 files changed, 15 insertions(+), 53 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/64/330364/1
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 16ea298..93e7062 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,7 +357,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
- public_port: '5000'
db_host: 'm5-master.eqiad.wmnet'
ldap_host: 'ldap-labs.eqiad.wikimedia.org'
token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4b9c47f..4f05197 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,7 +145,6 @@
keystoneconfig:
auth_port: '35357'
- public_port: '5000'
auth_protocol: 'http'
auth_host: 208.80.154.92
admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index f18e091..1e59764 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,7 +455,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
-public_port: '5000'
db_host: 'labtestcontrol2001.wikimedia.org'
ldap_host: 'labtestservices2001.wikimedia.org'
token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp
b/modules/openstack/manifests/keystone/service.pp
index 2982a66..08d77e2 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -53,13 +53,15 @@
mode=> '0644',
notify => Service['keystone'],
recurse => true;
-# Disable the keystone process itself; this will be handled
-# by nginx and uwsgi
-'/etc/init/keystone.conf':
-ensure => 'absent';
}
if $::fqdn == hiera('labs_nova_controller') {
+service { 'keystone':
+ensure=> running,
+subscribe => File['/etc/keystone/keystone.conf'],
+require => Package['keystone'];
+}
+
# Clean up expired keystone tokens, because keystone seems to leak them
$keystone_db_name = $keystoneconfig['db_name']
$keystone_db_user = $keystoneconfig['db_user']
@@ -73,6 +75,10 @@
command => "/usr/bin/mysql ${keystone_db_name}
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 1;'",
}
+nrpe::monitor_service { 'check_keystone_process':
+description => 'keystone process',
+nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1:
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
+}
monitoring::service { 'keystone-http-35357':
description => 'keystone http',
check_command => 'check_http_on_port!35357',
@@ -81,12 +87,10 @@
description => 'keystone http',
check_command => 'check_http_on_port!5000',
}
-}
-
-# stop the keystone process itself; this will be handled
-# by nginx and uwsgi
-service { 'keystone':
-ensure => stopped,
-require => Package['keystone'];
+} else {
+service { 'keystone':
+ensure => stopped,
+require => Package['keystone'];
+}
}
}
diff --git a/modules/role/manifests/labs/openstack/keystone.pp
b/modules/role/manifests/labs/openstack/keystone.pp
index 824948b..c8a568c 100644
--- a/modules/role/manifests/labs/openstack/keystone.pp
+++ b/modules/role/manifests/labs/openstack/keystone.pp
@@ -30,43 +30,4 @@
description => 'Keystone admin and observer projects exist',
check_command => 'check_keystone_projects',
}
-
-file { '/var/log/uwsgi/keystone':
-ensure => directory,
-owner => 'www-data',
-group => 'www-data',
-mode => '0644',
-}
-
-# Keystone admin API
-service::uwsgi { 'keystone-admin':
-port=> $keystoneconfig['auth_port'],
-healthcheck_url => '/',
-deployment => None,
-config => {
-wsgi-file => '/usr/bin/keystone-wsgi-admin',
-name => 'keystone',
-uid => 'keystone',
-gid
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystone: Move api service to uwsgi/nginx"
Andrew Bogott has submitted this change and it was merged. (
https://gerrit.wikimedia.org/r/330341 )
Change subject: Revert "Keystone: Move api service to uwsgi/nginx"
..
Revert "Keystone: Move api service to uwsgi/nginx"
This works but I can't get the old keystone process to quit and relinquish the
port
This reverts commit 7122564873c55b8cb819c49786fc70f9c10de3df.
Change-Id: Idb4143fb9cb57771a43aa2e3f9c85d5a4ac08bee
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
M modules/role/manifests/labs/openstack/keystone.pp
5 files changed, 15 insertions(+), 53 deletions(-)
Approvals:
Andrew Bogott: Looks good to me, approved
jenkins-bot: Verified
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 16ea298..93e7062 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,7 +357,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
- public_port: '5000'
db_host: 'm5-master.eqiad.wmnet'
ldap_host: 'ldap-labs.eqiad.wikimedia.org'
token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4b9c47f..4f05197 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,7 +145,6 @@
keystoneconfig:
auth_port: '35357'
- public_port: '5000'
auth_protocol: 'http'
auth_host: 208.80.154.92
admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index f18e091..1e59764 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,7 +455,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
-public_port: '5000'
db_host: 'labtestcontrol2001.wikimedia.org'
ldap_host: 'labtestservices2001.wikimedia.org'
token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp
b/modules/openstack/manifests/keystone/service.pp
index 2982a66..08d77e2 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -53,13 +53,15 @@
mode=> '0644',
notify => Service['keystone'],
recurse => true;
-# Disable the keystone process itself; this will be handled
-# by nginx and uwsgi
-'/etc/init/keystone.conf':
-ensure => 'absent';
}
if $::fqdn == hiera('labs_nova_controller') {
+service { 'keystone':
+ensure=> running,
+subscribe => File['/etc/keystone/keystone.conf'],
+require => Package['keystone'];
+}
+
# Clean up expired keystone tokens, because keystone seems to leak them
$keystone_db_name = $keystoneconfig['db_name']
$keystone_db_user = $keystoneconfig['db_user']
@@ -73,6 +75,10 @@
command => "/usr/bin/mysql ${keystone_db_name}
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 1;'",
}
+nrpe::monitor_service { 'check_keystone_process':
+description => 'keystone process',
+nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1:
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
+}
monitoring::service { 'keystone-http-35357':
description => 'keystone http',
check_command => 'check_http_on_port!35357',
@@ -81,12 +87,10 @@
description => 'keystone http',
check_command => 'check_http_on_port!5000',
}
-}
-
-# stop the keystone process itself; this will be handled
-# by nginx and uwsgi
-service { 'keystone':
-ensure => stopped,
-require => Package['keystone'];
+} else {
+service { 'keystone':
+ensure => stopped,
+require => Package['keystone'];
+}
}
}
diff --git a/modules/role/manifests/labs/openstack/keystone.pp
b/modules/role/manifests/labs/openstack/keystone.pp
index 824948b..c8a568c 100644
--- a/modules/role/manifests/labs/openstack/keystone.pp
+++ b/modules/role/manifests/labs/openstack/keystone.pp
@@ -30,43 +30,4 @@
description => 'Keystone admin and observer projects exist',
check_command => 'check_keystone_projects',
}
-
-file { '/var/log/uwsgi/keystone':
-ensure => directory,
-owner => 'www-data',
-group => 'www-data',
-mode => '0644',
-}
-
-# Keystone admin API
-service::uwsgi { 'keystone-admin':
-port=> $keystoneconfig['auth_port'],
-healthcheck_url => '/',
-deployment => None,
-config => {
-wsgi-file => '/usr/bin/keystone-wsgi-admin',
-name => 'keystone',
-uid
[MediaWiki-commits] [Gerrit] operations/puppet[production]: Revert "Keystone: Move api service to uwsgi/nginx"
Hello Alex Monk, BryanDavis, jenkins-bot,
I'd like you to do a code review. Please visit
https://gerrit.wikimedia.org/r/330341
to review the following change.
Change subject: Revert "Keystone: Move api service to uwsgi/nginx"
..
Revert "Keystone: Move api service to uwsgi/nginx"
This works but I can't get the old keystone process to quit and relinquish the
port
This reverts commit 7122564873c55b8cb819c49786fc70f9c10de3df.
Change-Id: Idb4143fb9cb57771a43aa2e3f9c85d5a4ac08bee
---
M hieradata/common.yaml
M hieradata/eqiad.yaml
M hieradata/regex.yaml
M modules/openstack/manifests/keystone/service.pp
M modules/role/manifests/labs/openstack/keystone.pp
5 files changed, 15 insertions(+), 53 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/41/330341/1
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 16ea298..93e7062 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -357,7 +357,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
- public_port: '5000'
db_host: 'm5-master.eqiad.wmnet'
ldap_host: 'ldap-labs.eqiad.wikimedia.org'
token_driver: 'normal'
diff --git a/hieradata/eqiad.yaml b/hieradata/eqiad.yaml
index 4b9c47f..4f05197 100644
--- a/hieradata/eqiad.yaml
+++ b/hieradata/eqiad.yaml
@@ -145,7 +145,6 @@
keystoneconfig:
auth_port: '35357'
- public_port: '5000'
auth_protocol: 'http'
auth_host: 208.80.154.92
admin_project_id: 'admin'
diff --git a/hieradata/regex.yaml b/hieradata/regex.yaml
index f18e091..1e59764 100644
--- a/hieradata/regex.yaml
+++ b/hieradata/regex.yaml
@@ -455,7 +455,6 @@
ldap_proxyagent : 'cn=proxyagent,ou=profile,dc=wikimedia,dc=org'
auth_protocol: 'http'
auth_port: '35357'
-public_port: '5000'
db_host: 'labtestcontrol2001.wikimedia.org'
ldap_host: 'labtestservices2001.wikimedia.org'
token_driver: 'normal'
diff --git a/modules/openstack/manifests/keystone/service.pp
b/modules/openstack/manifests/keystone/service.pp
index 2982a66..08d77e2 100644
--- a/modules/openstack/manifests/keystone/service.pp
+++ b/modules/openstack/manifests/keystone/service.pp
@@ -53,13 +53,15 @@
mode=> '0644',
notify => Service['keystone'],
recurse => true;
-# Disable the keystone process itself; this will be handled
-# by nginx and uwsgi
-'/etc/init/keystone.conf':
-ensure => 'absent';
}
if $::fqdn == hiera('labs_nova_controller') {
+service { 'keystone':
+ensure=> running,
+subscribe => File['/etc/keystone/keystone.conf'],
+require => Package['keystone'];
+}
+
# Clean up expired keystone tokens, because keystone seems to leak them
$keystone_db_name = $keystoneconfig['db_name']
$keystone_db_user = $keystoneconfig['db_user']
@@ -73,6 +75,10 @@
command => "/usr/bin/mysql ${keystone_db_name}
-h${keystone_db_host} -u${keystone_db_user} -p${keystone_db_pass} -e 'DELETE
FROM token WHERE NOW() - INTERVAL 2 day > expires LIMIT 1;'",
}
+nrpe::monitor_service { 'check_keystone_process':
+description => 'keystone process',
+nrpe_command => "/usr/lib/nagios/plugins/check_procs -c 1:
--ereg-argument-array '^/usr/bin/python /usr/bin/keystone-all'",
+}
monitoring::service { 'keystone-http-35357':
description => 'keystone http',
check_command => 'check_http_on_port!35357',
@@ -81,12 +87,10 @@
description => 'keystone http',
check_command => 'check_http_on_port!5000',
}
-}
-
-# stop the keystone process itself; this will be handled
-# by nginx and uwsgi
-service { 'keystone':
-ensure => stopped,
-require => Package['keystone'];
+} else {
+service { 'keystone':
+ensure => stopped,
+require => Package['keystone'];
+}
}
}
diff --git a/modules/role/manifests/labs/openstack/keystone.pp
b/modules/role/manifests/labs/openstack/keystone.pp
index 824948b..c8a568c 100644
--- a/modules/role/manifests/labs/openstack/keystone.pp
+++ b/modules/role/manifests/labs/openstack/keystone.pp
@@ -30,43 +30,4 @@
description => 'Keystone admin and observer projects exist',
check_command => 'check_keystone_projects',
}
-
-file { '/var/log/uwsgi/keystone':
-ensure => directory,
-owner => 'www-data',
-group => 'www-data',
-mode => '0644',
-}
-
-# Keystone admin API
-service::uwsgi { 'keystone-admin':
-port=> $keystoneconfig['auth_port'],
-healthcheck_url => '/',
-deployment => None,
-config => {
-wsgi-file =>
