Convert keystone to use uwsgi with the proxy This makes keystone use the proxy uwsgi module when running in uwsgi mode. It also introduces a new stackrc variable which is WSGI_MODE that we can use to control the conditionals in services that current work with mod_wsgi. Also update retry timeouts on proxy pass so that workers don't disable their connections during polling for initial activity. Change-Id: I46294fb24e3c23fa19fcfd7d6c9ee8a932354702

commit: 6ed53156b6198e69d59d1cf3a3497e96f5b7a870 [log] [tgz]
author: Sean Dague <sean@dague.net> Thu Apr 13 13:33:16 2017 -0400
committer: Sean Dague <sean@dague.net> Mon Apr 17 16:27:35 2017 -0400
tree: 07c09ef525734b2b3c3fa7fc1e3b8e5bd0c6869a
parent: 64ffff9b7d79b9e75616cf43f9f7b31c89026f30 [diff]
diff --git a/lib/apache b/lib/apache
index 9fed100..20700d8 100644
--- a/lib/apache
+++ b/lib/apache

@@ -260,7 +260,7 @@
     else
         local apache_conf=""
         apache_conf=$(apache_site_config_for $name)
-        echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\"" | sudo tee $apache_conf
+        echo "ProxyPass \"${url}\" \"unix:${socket}|uwsgi://uwsgi-uds-${name}/\" retry=0 " | sudo tee $apache_conf
         enable_apache_site $name
         reload_apache_server
     fi

diff --git a/lib/keystone b/lib/keystone
index 45ba2c5..a26ef8a 100644
--- a/lib/keystone
+++ b/lib/keystone

@@ -55,21 +55,13 @@
 KEYSTONE_PUBLIC_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-public
 KEYSTONE_ADMIN_UWSGI=$KEYSTONE_BIN_DIR/keystone-wsgi-admin
 
-# Toggle for deploying Keystone under HTTPD + mod_wsgi
-# Deprecated in Mitaka, use KEYSTONE_DEPLOY instead.
-KEYSTONE_USE_MOD_WSGI=${KEYSTONE_USE_MOD_WSGI:-${ENABLE_HTTPD_MOD_WSGI_SERVICES}}
-
 # KEYSTONE_DEPLOY defines how keystone is deployed, allowed values:
 # - mod_wsgi : Run keystone under Apache HTTPd mod_wsgi
 # - uwsgi : Run keystone under uwsgi
-if [ -z "$KEYSTONE_DEPLOY" ]; then
-    if [ -z "$KEYSTONE_USE_MOD_WSGI" ]; then
-        KEYSTONE_DEPLOY=mod_wsgi
-    elif [ "$KEYSTONE_USE_MOD_WSGI" == True ]; then
-        KEYSTONE_DEPLOY=mod_wsgi
-    else
-        KEYSTONE_DEPLOY=uwsgi
-    fi
+if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+    KEYSTONE_DEPLOY=uwsgi
+else
+    KEYSTONE_DEPLOY=mod_wsgi
 fi
 
 # Select the token persistence backend driver
@@ -121,15 +113,8 @@
     KEYSTONE_SERVICE_PROTOCOL="https"
 fi
 
-# complete URIs
-if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
-    # If running in Apache, use path access rather than port.
-    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
-    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
-else
-    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
-    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
-fi
+KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_admin
+KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
 
 # V3 URIs
 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
@@ -155,8 +140,15 @@
 # cleanup_keystone() - Remove residual data files, anything left over from previous
 # runs that a clean run would need to clean up
 function cleanup_keystone {
-    disable_apache_site keystone
-    sudo rm -f $(apache_site_config_for keystone)
+    if [[ "$WSGI_MODE" == "uwsgi" ]]; then
+        remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
+        remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
+        sudo rm -f $(apache_site_config_for keystone-wsgi-public)
+        sudo rm -f $(apache_site_config_for keystone-wsgi-admin)
+    else
+        disable_apache_site keystone
+        sudo rm -f $(apache_site_config_for keystone)
+    fi
 }
 
 # _config_keystone_apache_wsgi() - Set WSGI config files of Keystone
@@ -256,10 +248,8 @@
     # work when you want to use a different port (in the case of proxy), or you
     # don't want the port (in the case of putting keystone on a path in
     # apache).
-    if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
-        iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
-        iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
-    fi
+    iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
+    iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
 
     if [[ "$KEYSTONE_TOKEN_FORMAT" != "" ]]; then
         iniset $KEYSTONE_CONF token provider $KEYSTONE_TOKEN_FORMAT
@@ -285,9 +275,8 @@
         iniset $KEYSTONE_CONF DEFAULT logging_exception_prefix "%(asctime)s.%(msecs)03d %(process)d TRACE %(name)s %(instance)s"
         _config_keystone_apache_wsgi
     else # uwsgi
-        # iniset creates these files when it's called if they don't exist.
-        write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity" "$KEYSTONE_SERVICE_HOST:$service_port"
-        write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin" "$KEYSTONE_ADMIN_BIND_HOST:$auth_port"
+        write_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI" "/identity"
+        write_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI" "/identity_admin"
     fi
 
     iniset $KEYSTONE_CONF DEFAULT max_token_size 16384
@@ -568,10 +557,7 @@
     # unencryted traffic at this point.
     # If running in Apache, use the path rather than port.
 
-    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/
-    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
-        service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
-    fi
+    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
 
     if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
         die $LINENO "keystone did not start"
@@ -595,6 +581,8 @@
     else
         stop_process key-p
         stop_process key-a
+        remove_uwsgi_config "$KEYSTONE_PUBLIC_UWSGI_CONF" "$KEYSTONE_PUBLIC_UWSGI"
+        remove_uwsgi_config "$KEYSTONE_ADMIN_UWSGI_CONF" "$KEYSTONE_ADMIN_UWSGI"
     fi
     # Kill the Keystone screen window
     stop_process key

diff --git a/openrc b/openrc
index 483b5af..4cdb50e 100644
--- a/openrc
+++ b/openrc

@@ -73,8 +73,6 @@
 fi
 
 SERVICE_PROTOCOL=${SERVICE_PROTOCOL:-http}
-KEYSTONE_AUTH_PROTOCOL=${KEYSTONE_AUTH_PROTOCOL:-$SERVICE_PROTOCOL}
-KEYSTONE_AUTH_HOST=${KEYSTONE_AUTH_HOST:-$SERVICE_HOST}
 
 # Identity API version
 export OS_IDENTITY_API_VERSION=${IDENTITY_API_VERSION:-3}
@@ -84,7 +82,7 @@
 # the user/project has access to - including nova, glance, keystone, swift, ...
 # We currently recommend using the version 3 *identity api*.
 #
-export OS_AUTH_URL=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:5000/v${OS_IDENTITY_API_VERSION}
+export OS_AUTH_URL=$KEYSTONE_AUTH_URI
 
 # Currently, in order to use openstackclient with Identity API v3,
 # we need to set the domain which the user and project belong to.

diff --git a/stackrc b/stackrc
index 3ceb78c..adcb942 100644
--- a/stackrc
+++ b/stackrc

@@ -225,6 +225,12 @@
 # Zero disables timeouts
 GIT_TIMEOUT=${GIT_TIMEOUT:-0}
 
+# How should we be handling WSGI deployments. By default we're going
+# to allow for 2 modes, which is "uwsgi" which runs with an apache
+# proxy uwsgi in front of it, or "mod_wsgi", which runs in
+# apache. mod_wsgi is deprecated, don't use it.
+WSGI_MODE=${WSGI_MODE:-"uwsgi"}
+
 # Repositories
 # ------------
commit	6ed53156b6198e69d59d1cf3a3497e96f5b7a870	[log] [tgz]
author	Sean Dague <sean@dague.net>	Thu Apr 13 13:33:16 2017 -0400
committer	Sean Dague <sean@dague.net>	Mon Apr 17 16:27:35 2017 -0400
tree	07c09ef525734b2b3c3fa7fc1e3b8e5bd0c6869a
parent	64ffff9b7d79b9e75616cf43f9f7b31c89026f30 [diff]