setup keystone using apache mod_wsgi
Allow keystone to be set up to use apache mod_wsgi as the server
instead of a standalone eventlet service.  There is a new keystone
class parameter: service_name.  The default is 'keystone', which will
set up the standalone eventlet service.  If 'httpd' is used, the
keystone class will skip creating the keystone service, which also means
no 'openstack-keystone' service.  The class 'keystone::wsgi::apache' is
then used to configure apache mod_wsgi to serve keystone.

Had to remove the File resource default in the keystone class.  When
using wsgi::apache, the apache class and other classes are included.
Since puppet uses dynamic scoping, this overrides the file resources
in those classes as well.  keystone now explicitly sets all of the
parameters in files/directory resources.

Closes-Bug: #1348728
(cherry picked from commit 879f872)

Conflicts:
	manifests/init.pp
	manifests/params.pp
	spec/classes/keystone_spec.rb

Change-Id: Ia228cb3c582c2890f35e1f0ee11e0fef69179523
richm committed Dec 1, 2014
1 parent 2cbe33d commit bab7304
Showing 5 changed files with 244 additions and 160 deletions.
72 changes: 51 additions & 21 deletions manifests/init.pp
Expand Up @@ -131,6 +131,22 @@
# Tested versions include 0.9 and 2.2
# Default to '0.9'
#
# [*service_name*]
# (optional) Name of the service that will be providing the
# server functionality of keystone. For example, the default
# is just 'keystone', which means keystone will be run as a
# standalone eventlet service, and will able to be managed
# separately by the operating system's service manager. For
# example, you will be able to use
# service openstack-keystone restart
# to restart the service.
# If the value is 'httpd', this means keystone will be a web
# service, and you must use another class to configure that
# web service. For example, after calling class {'keystone'...}
# use class { 'keystone::wsgi::apache'...} to make keystone be
# a web app using apache mod_wsgi.
# Defaults to 'keystone'
#
# == Dependencies
# None
#
Expand All @@ -141,6 +157,17 @@
# admin_token => 'my_special_token',
# }
#
# OR
#
# class { 'keystone':
# ...
# service_name => 'httpd',
# ...
# }
# class { 'keystone::wsgi::apache':
# ...
# }
#
# == Authors
#
# Dan Bode [email protected]
Expand Down Expand Up @@ -195,6 +222,7 @@
$notification_driver = false,
$notification_topics = false,
$control_exchange = false,
$service_name = 'keystone',
# DEPRECATED PARAMETERS
$sql_connection = undef,
$idle_timeout = undef,
Expand All @@ -218,19 +246,10 @@
$database_idle_timeout_real = $database_idle_timeout
}

File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service['keystone']
File['/etc/keystone/keystone.conf'] -> Keystone_config<||> ~> Service[$service_name]
Keystone_config<||> ~> Exec<| title == 'keystone-manage db_sync'|>
Keystone_config<||> ~> Exec<| title == 'keystone-manage pki_setup'|>

include keystone::params

File {
ensure => present,
owner => 'keystone',
group => 'keystone',
require => Package['keystone'],
notify => Service['keystone'],
}
include ::keystone::params

package { 'keystone':
ensure => $package_ensure,
Expand All @@ -253,10 +272,19 @@
file { ['/etc/keystone', '/var/log/keystone', '/var/lib/keystone']:
ensure => directory,
mode => '0750',
owner => 'keystone',
group => 'keystone',
require => Package['keystone'],
notify => Service[$service_name],
}

file { '/etc/keystone/keystone.conf':
ensure => present,
mode => '0600',
owner => 'keystone',
group => 'keystone',
require => Package['keystone'],
notify => Service[$service_name],
}

if $bind_host {
Expand Down Expand Up @@ -390,7 +418,7 @@
user => 'keystone',
refreshonly => true,
creates => '/etc/keystone/ssl/private/signing_key.pem',
notify => Service['keystone'],
notify => Service[$service_name],
subscribe => Package['keystone'],
require => User['keystone'],
}
Expand Down Expand Up @@ -439,18 +467,20 @@
$service_ensure = 'stopped'
}

service { 'keystone':
ensure => $service_ensure,
name => $::keystone::params::service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
provider => $::keystone::params::service_provider,
if $service_name == 'keystone' {
service { 'keystone':
ensure => $service_ensure,
name => $::keystone::params::service_name,
enable => $enabled,
hasstatus => true,
hasrestart => true,
provider => $::keystone::params::service_provider,
}
}

if $enabled {
include keystone::db::sync
Class['keystone::db::sync'] ~> Service['keystone']
include ::keystone::db::sync
Class['::keystone::db::sync'] ~> Service[$service_name]
}

# Syslog configuration
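Review bot: `$service_name` is used unchecked in every new `Service[$service_name]` reference, while the service resource itself is declared only when the value is exactly `'keystone'`. Any value other than the two documented ones (a typo, for instance) leaves the `notify`/`~>` targets pointing at a resource nothing declares, and `'httpd'` resolves only if the apache class ends up in the catalog, so the operator gets a dependency error rather than a clear message. If only those two values are meant to be supported, a guard near the top of the class would make that explicit, for example `validate_re($service_name, '^(keystone|httpd)$')`; stdlib already appears to be in use, given the `hash()` call in manifests/wsgi/apache.pp. The new parameter documentation also reads "will able to be managed", which should be "will be able to be managed". The class body starts and ends outside the visible hunks.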
5 changes: 4 additions & 1 deletion manifests/params.pp
Expand Up @@ -15,6 +15,9 @@
$keystone_wsgi_script_source = '/usr/share/keystone/wsgi.py'
}
default: {
# NOTE: Ubuntu does not currently provide the keystone wsgi script in the
# keystone packages. When Ubuntu does provide the script, change this
# to use the correct path (which I'm assuming will be the same as Debian).
$service_provider = 'upstart'
$keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
}
Expand All @@ -25,7 +28,7 @@
$service_name = 'openstack-keystone'
$keystone_wsgi_script_path = '/var/www/cgi-bin/keystone'
$service_provider = undef
$keystone_wsgi_script_source = 'puppet:///modules/keystone/httpd/keystone.py'
$keystone_wsgi_script_source = '/usr/share/keystone/keystone.wsgi'
}
}
}
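Review bot: The second hunk's `$keystone_wsgi_script_source` appears to change from the module-served `puppet:///` URL to the absolute path `/usr/share/keystone/keystone.wsgi`, but unlike the `default:` branch above it carries no comment saying where that file comes from. With a local path the `file` resource fails on any node whose installed package does not ship the script, and nothing here tells a maintainer which package to check. A short comment next to the assignment would cover it, for example `# shipped by the keystone package; the file resources in keystone::wsgi::apache require Package['keystone']`. The enclosing `case` blocks start outside both hunks, so I cannot confirm which OS family this branch matches.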
71 changes: 41 additions & 30 deletions manifests/wsgi/apache.pp
Expand Up @@ -93,16 +93,19 @@
$ssl_ca = undef,
$ssl_crl_path = undef,
$ssl_crl = undef,
$ssl_certs_dir = undef
$ssl_certs_dir = undef,
$threads = $::processorcount,
$priority = '10',
) {

include keystone::params
include ::keystone::params
include ::apache
include ::apache::mod::wsgi
include keystone::db::sync
if $ssl {
include ::apache::mod::ssl
}

Exec <| title == 'keystone-manage pki_setup' |> ~> Service['httpd']
Exec <| title == 'keystone-manage db_sync' |> ~> Service['httpd']
Package['keystone'] -> Package['httpd']
Package['keystone'] ~> Service['httpd']
Keystone_config <| |> ~> Service['httpd']
Service['httpd'] -> Keystone_endpoint <| |>
Expand Down Expand Up @@ -137,7 +140,8 @@
owner => 'keystone',
group => 'keystone',
mode => '0644',
require => File[$::keystone::params::keystone_wsgi_script_path],
# source file provided by keystone package
require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
}

file { 'keystone_wsgi_main':
Expand All @@ -147,14 +151,15 @@
owner => 'keystone',
group => 'keystone',
mode => '0644',
require => File[$::keystone::params::keystone_wsgi_script_path],
# source file provided by keystone package
require => [File[$::keystone::params::keystone_wsgi_script_path], Package['keystone']],
}

$wsgi_daemon_process_options = {
user => 'keystone',
group => 'keystone',
processes => $workers,
threads => '1'
threads => $threads,
}
$wsgi_script_aliases_main = hash([$public_path_real,"${::keystone::params::keystone_wsgi_script_path}/main"])
$wsgi_script_aliases_admin = hash([$admin_path_real, "${::keystone::params::keystone_wsgi_script_path}/admin"])
Expand All @@ -165,13 +170,15 @@
$wsgi_script_aliases_main_real = $wsgi_script_aliases_main
}

apache::vhost { 'keystone_wsgi_main':
::apache::vhost { 'keystone_wsgi_main':
ensure => 'present',
servername => $servername,
ip => $bind_host,
port => $public_port,
docroot => $::keystone::params::keystone_wsgi_script_path,
docroot_owner => 'keystone',
docroot_group => 'keystone',
priority => $priority,
ssl => $ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
Expand All @@ -180,32 +187,36 @@
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_daemon_process => 'keystone',
wsgi_daemon_process => 'keystone_main',
wsgi_daemon_process_options => $wsgi_daemon_process_options,
wsgi_process_group => 'keystone',
wsgi_process_group => 'keystone_main',
wsgi_script_aliases => $wsgi_script_aliases_main_real,
require => [Class['apache::mod::wsgi'], File['keystone_wsgi_main']],
require => File['keystone_wsgi_main'],
}

if $public_port != $admin_port {
apache::vhost { 'keystone_wsgi_admin':
servername => $servername,
ip => $bind_host,
port => $admin_port,
docroot => $::keystone::params::keystone_wsgi_script_path,
docroot_owner => 'keystone',
docroot_group => 'keystone',
ssl => $ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_process_group => 'keystone',
wsgi_script_aliases => $wsgi_script_aliases_admin,
require => [Class['apache::mod::wsgi'], File['keystone_wsgi_admin']],
::apache::vhost { 'keystone_wsgi_admin':
ensure => 'present',
servername => $servername,
ip => $bind_host,
port => $admin_port,
docroot => $::keystone::params::keystone_wsgi_script_path,
docroot_owner => 'keystone',
docroot_group => 'keystone',
priority => $priority,
ssl => $ssl,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_chain => $ssl_chain,
ssl_ca => $ssl_ca,
ssl_crl_path => $ssl_crl_path,
ssl_crl => $ssl_crl,
ssl_certs_dir => $ssl_certs_dir,
wsgi_daemon_process => 'keystone_admin',
wsgi_daemon_process_options => $wsgi_daemon_process_options,
wsgi_process_group => 'keystone_admin',
wsgi_script_aliases => $wsgi_script_aliases_admin,
require => File['keystone_wsgi_admin'],
}
}
}
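Review bot: The two WSGI entry scripts whose `require` is changed here (`file { 'keystone_wsgi_main' }` and the resource just before it) keep `owner => 'keystone'`, and `$wsgi_daemon_process_options` runs the mod_wsgi daemons as that same `keystone` user, so the running service can write to the code Apache loads for it. Since both resources are already being reworked, consider `owner => 'root'` while keeping `mode => '0644'`, which the daemon can still read; the same reasoning would apply to `docroot_owner` on both vhosts, provided nothing in keystone needs to write there. Separately, no visible hunk documents the new `$threads` and `$priority` parameters, and the class header is outside the hunks, so please confirm it describes them. The first file resource also starts outside its hunk.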