subject:"\[Openstack\] Quantum and HTTPD"

[Openstack] Quantum and HTTPD

2012-04-12 Thread Adam Young

Over the past day or so, I've made an effort  to get Quantum running in 
HTTPD.


My rationale has been to provide:

1. Native SSL support
2. IPv6
3. Certificate based Authentication

My goal has been to do this all on Essex without changing the projects' 
python code base. I'm attempting to do this for all of the Openstack 
components,  and since Quantum has no dependencies,  it seemed a good 
next step after Keystone.



The obvious way to set it up should be to use a wsgi file with just


from paste.deploy.loadwsgi  import loadapp
application = loadapp('config:/etc/quantum/quantum.conf', 'quantum')

But it fails due to issues finding the plugins (error log at the end of 
the message). It deploys cleanly once I made the following changes to 
quantum.


--- a/quantum/extensions/extensions.py
+++ b/quantum/extensions/extensions.py
@@ -538,8 +538,9 @@ class ResourceExtension(object):
 # Returns the extention paths from a config entry and the __path__
 # of quantum.extensions
 def get_extensions_path(config=None):
-paths = ':'.join(quantum.extensions.__path__)
-if config:
-paths = ':'.join([config.get('api_extensions_path', ''), paths])
+#paths = ':'.join(quantum.extensions.__path__)
+paths = /etc/quantum/plugins/
+#if config:
+#paths = ':'.join([config.get('api_extensions_path', ''), paths])

 return paths

Without this, there is a spurious error message due to the leading ':'  
which puts a blank first element to the path.  It also fails to find the 
extensions path regardless of values put into config files etc.  It is 
this last issue which leads me to highly suggest we push Quantum to get 
on the openstack-common bandwagon,  as its Config file processing is 
confusing and,  I think, broken for the general case.



The other issue which leads me to suspect this approach won't work is 
the fact that the quantum command line client accepts a hostname and a 
port,  but not an URL.  So,  while we could deploy quantum behind HTTPD 
and port 443,  it would basically be the root of the HTTP directory,  
and we wouldn't be able to share the HTTPD instance.  We couldn't do


https://hostname/quantum

and put it next to

https://hostname/keystone


Again, not without a code change.

Finally,  there seems to be some support for SSL in Quantum.  I note 
that the quantum client has   the option


-s, --ssl use ssl

which leads me to believe that it has been at least attempted.  It may 
be that the quantum server would not be severely impacted by the 
overhead of SSL in Python.




Here's the HTTP error log if I don't make the above change:


[Thu Apr 12 11:21:13 2012] [info] Initial (No.1) HTTPS request received 
for chil

d 7 (server ayoungstack.bos.redhat.com:443)
[Thu Apr 12 11:21:13 2012] [info] [client 10.16.187.36] mod_wsgi 
(pid=8747, proc
ess='', application='ayoungstack.bos.redhat.com|/quantum/api'): Loading 
WSGI scr

ipt '/var/www/cgi-bin/quantum/api'.
[Thu Apr 12 11:21:13 2012] [error] 
ERROR:quantum.extensions.extensions:Extension

 path /etc/quantum/extension doesn't exist!
[Thu Apr 12 11:21:13 2012] [error] 
WARNING:quantum.extensions.extensions:extensi

on file portstats.py wasnt loaded due to cannot import name extensions
[Thu Apr 12 11:21:13 2012] [error] 
WARNING:quantum.extensions.extensions:extensi
on Cisco Nova Tenant not supported by plugin 
quantum.plugins.openvswitch.ovs_qu

antum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450
[Thu Apr 12 11:21:13 2012] [error] 
WARNING:quantum.extensions.extensions:extensi
on Cisco Port Profile not supported by plugin 
quantum.plugins.openvswitch.ovs_q

uantum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450
[Thu Apr 12 11:21:13 2012] [error] 
WARNING:quantum.extensions.extensions:extensi
on Cisco Multiport not supported by plugin 
quantum.plugins.openvswitch.ovs_quan

tum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450
[Thu Apr 12 11:21:13 2012] [error] 
WARNING:quantum.extensions.extensions:Did not
 find expected name Extensions in 
/opt/stack/quantum/quantum/extensions/extens

ions.py

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

Re: [Openstack] Quantum and HTTPD

2012-04-12 Thread Adam Young


On 04/12/2012 01:05 PM, Dan Wendlandt wrote:

Hi Adam, cool stuff!

Thanks for reporting the issues.  I'm in favor of both changes your 
suggest.  Any interest on working on the openstack common stuff?  More 
details inline.


I'll probably help out with common stuff across the board, especially 
WRT to running in HTTPD and PKI/Cert issues come up.  My sorter term 
goal is to harden an Essex deploy so that it can be used in places where 
the policies dictate SSL for all communications.


Thanks for validating what I saw.  Nice to know I don't have to beat my 
head against it for too long.


Any idea how mature the SSL support is that Quantum is using right now?



Dan

On Thu, Apr 12, 2012 at 8:26 AM, Adam Young ayo...@redhat.com 
mailto:ayo...@redhat.com wrote:



from paste.deploy.loadwsgi  import loadapp
application = loadapp('config:/etc/quantum/quantum.conf', 'quantum')

But it fails due to issues finding the plugins (error log at the
end of the message). It deploys cleanly once I made the following
changes to quantum.

--- a/quantum/extensions/extensions.py
+++ b/quantum/extensions/extensions.py
@@ -538,8 +538,9 @@ class ResourceExtension(object):
 # Returns the extention paths from a config entry and the __path__
 # of quantum.extensions
 def get_extensions_path(config=None):
-paths = ':'.join(quantum.extensions.__path__)
-if config:
-paths = ':'.join([config.get('api_extensions_path', ''),
paths])
+#paths = ':'.join(quantum.extensions.__path__)
+paths = //etc/quantum/plugins//
+#if config:
+#paths = ':'.join([config.get('api_extensions_path', ''),
paths])

 return paths

Without this, there is a spurious error message due to the leading
':'  which puts a blank first element to the path.  It also fails
to find the extensions path regardless of values put into config
files etc.  It is this last issue which leads me to highly suggest
we push Quantum to get on the openstack-common bandwagon,  as its
Config file processing is confusing and,  I think, broken for the
general case.


I'm a big proponent of using openstack common as much as possible in 
Quantum.  Much of this existing code was ripped from nova/glance/etc. 
and is probably now out of date.  I created a page in the wiki 
identifying areas in quantum that are ripe for using openstack-common: 
http://wiki.openstack.org/QuantumOpenstackCommon .  Config if right at 
the top :)



The other issue which leads me to suspect this approach won't work
is the fact that the quantum command line client accepts a
hostname and a port,  but not an URL.  So,  while we could deploy
quantum behind HTTPD and port 443,  it would basically be the root
of the HTTP directory,  and we wouldn't be able to share the HTTPD
instance.  We couldn't do

https://hostname/quantum

and put it next to

https://hostname/keystone


Again, not without a code change.

Finally,  there seems to be some support for SSL in Quantum.  I
note that the quantum client has   the option

-s, --ssl use ssl

which leads me to believe that it has been at least attempted.  It
may be that the quantum server would not be severely impacted by
the overhead of SSL in Python.


The quantum client is going to get a complete re-write in Folsom, as 
this is one of our key community projects listed on the wiki: 
http://wiki.openstack.org/QuantumStarterBugs


This new client will match other openstack clients in terms of 
options, etc.  This should mean that you can specify the endpoint as a 
URL, which should take care of both the SSL and the non-root issues, 
if I'm understanding you correctly.


Jason Koelker will be leading a session in the Quantum track on 
redesigning the client, if folks are interested in helping out.






Here's the HTTP error log if I don't make the above change:


[Thu Apr 12 11:21:13 2012] [info] Initial (No.1) HTTPS request
received for chil
d 7 (server ayoungstack.bos.redhat.com:443
http://ayoungstack.bos.redhat.com:443)
[Thu Apr 12 11:21:13 2012] [info] [client 10.16.187.36] mod_wsgi
(pid=8747, proc
ess='', application='ayoungstack.bos.redhat.com
http://ayoungstack.bos.redhat.com|/quantum/api'): Loading WSGI scr
ipt '/var/www/cgi-bin/quantum/api'.
[Thu Apr 12 11:21:13 2012] [error]
ERROR:quantum.extensions.extensions:Extension
 path /etc/quantum/extension doesn't exist!
[Thu Apr 12 11:21:13 2012] [error]
WARNING:quantum.extensions.extensions:extensi
on file portstats.py wasnt loaded due to cannot import name extensions
[Thu Apr 12 11:21:13 2012] [error]
WARNING:quantum.extensions.extensions:extensi
on Cisco Nova Tenant not supported by plugin
quantum.plugins.openvswitch.ovs_qu
antum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450
[Thu Apr 12 11:21:13 2012]

Re: [Openstack] Quantum and HTTPD

2012-04-12 Thread Dan Wendlandt

On Thu, Apr 12, 2012 at 10:16 AM, Adam Young ayo...@redhat.com wrote:

  On 04/12/2012 01:05 PM, Dan Wendlandt wrote:

 Hi Adam, cool stuff!

  Thanks for reporting the issues.  I'm in favor of both changes your
 suggest.  Any interest on working on the openstack common stuff?  More
 details inline.


 I'll probably help out with common stuff across the board, especially WRT
 to running in HTTPD and PKI/Cert issues come up.  My sorter term goal is to
 harden an Essex deploy so that it can be used in places where the policies
 dictate SSL for all communications.

 Thanks for validating what I saw.  Nice to know I don't have to beat my
 head against it for too long.

 Any idea how mature the SSL support is that Quantum is using right now?


I do not.  I don't know of any deployments using it right now.  Its likely
that we just have whatever code came along for the ride when the web
framework was borrowed from nova/glance.  Salvatore might know, as he did a
lot of the heavy lifting on the Quantum API side.

Dan






  Dan

 On Thu, Apr 12, 2012 at 8:26 AM, Adam Young ayo...@redhat.com wrote:


 from paste.deploy.loadwsgi  import loadapp
 application = loadapp('config:/etc/quantum/quantum.conf', 'quantum')

 But it fails due to issues finding the plugins (error log at the end of
 the message). It deploys cleanly once I made the following changes to
 quantum.

 --- a/quantum/extensions/extensions.py
 +++ b/quantum/extensions/extensions.py
 @@ -538,8 +538,9 @@ class ResourceExtension(object):
  # Returns the extention paths from a config entry and the __path__
  # of quantum.extensions
  def get_extensions_path(config=None):
 -paths = ':'.join(quantum.extensions.__path__)
 -if config:
 -paths = ':'.join([config.get('api_extensions_path', ''), paths])
 +#paths = ':'.join(quantum.extensions.__path__)
 +paths = */etc/quantum/plugins/*
 +#if config:
 +#paths = ':'.join([config.get('api_extensions_path', ''),
 paths])

  return paths

 Without this, there is a spurious error message due to the leading ':'
 which puts a blank first element to the path.  It also fails to find the
 extensions path regardless of values put into config files etc.  It is this
 last issue which leads me to highly suggest we push Quantum to get on the
 openstack-common bandwagon,  as its Config file processing is confusing
 and,  I think, broken for the general case.


  I'm a big proponent of using openstack common as much as possible in
 Quantum.  Much of this existing code was ripped from nova/glance/etc. and
 is probably now out of date.  I created a page in the wiki identifying
 areas in quantum that are ripe for using openstack-common:
 http://wiki.openstack.org/QuantumOpenstackCommon .  Config if right at
 the top :)




 The other issue which leads me to suspect this approach won't work is the
 fact that the quantum command line client accepts a hostname and a port,
 but not an URL.  So,  while we could deploy quantum behind HTTPD and port
 443,  it would basically be the root of the HTTP directory,  and we
 wouldn't be able to share the HTTPD instance.  We couldn't do

 https://hostname/quantum

 and put it next to

 https://hostname/keystone


 Again, not without a code change.

 Finally,  there seems to be some support for SSL in Quantum.  I note that
 the quantum client has   the option

 -s, --ssl use ssl

 which leads me to believe that it has been at least attempted.  It may be
 that the quantum server would not be severely impacted by the overhead of
 SSL in Python.


  The quantum client is going to get a complete re-write in Folsom, as
 this is one of our key community projects listed on the wiki:
 http://wiki.openstack.org/QuantumStarterBugs

  This new client will match other openstack clients in terms of options,
 etc.  This should mean that you can specify the endpoint as a URL, which
 should take care of both the SSL and the non-root issues, if I'm
 understanding you correctly.

  Jason Koelker will be leading a session in the Quantum track on
 redesigning the client, if folks are interested in helping out.







 Here's the HTTP error log if I don't make the above change:


 [Thu Apr 12 11:21:13 2012] [info] Initial (No.1) HTTPS request received
 for chil
 d 7 (server ayoungstack.bos.redhat.com:443)
 [Thu Apr 12 11:21:13 2012] [info] [client 10.16.187.36] mod_wsgi
 (pid=8747, proc
 ess='', application='ayoungstack.bos.redhat.com|/quantum/api'): Loading
 WSGI scr
 ipt '/var/www/cgi-bin/quantum/api'.
 [Thu Apr 12 11:21:13 2012] [error]
 ERROR:quantum.extensions.extensions:Extension
  path /etc/quantum/extension doesn't exist!
 [Thu Apr 12 11:21:13 2012] [error]
 WARNING:quantum.extensions.extensions:extensi
 on file portstats.py wasnt loaded due to cannot import name extensions
 [Thu Apr 12 11:21:13 2012] [error]
 WARNING:quantum.extensions.extensions:extensi
 on Cisco Nova Tenant not supported by plugin
 quantum.plugins.openvswitch.ovs_qu

[Openstack] Quantum and HTTPD

Re: [Openstack] Quantum and HTTPD

Re: [Openstack] Quantum and HTTPD

3 matches

Site Navigation

Mail list logo

Footer information