Migrate panko to use uWSGI

This patch moves panko-api from usage of apache with mod_wsgi to uWSGI, which means unification across another roles and reduced maintenance costs During migration period tasks that ensures apache won't listen on panko_service_port are present, but they are supposed to be removed after train release. Change-Id: Ic61c60e2db45ac5e51bb3a43d7928648d9ae5d19
2019-08-02 15:42:24 +03:00 · 2019-08-02 15:42:24 +03:00 · 50f1a48c6c
parent 46bb2417ea
commit 50f1a48c6c
14 changed files with 183 additions and 230 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -57,10 +57,8 @@ panko_db_address: "{{ galera_address | default('127.0.0.1') }}"
 panko_connection_string: "{{ panko_db_type }}://{{ panko_database_user }}:{{ panko_container_db_password }}@{{ panko_db_address }}/{{ panko_database_name }}?charset=utf8"


-## Apache setup
-panko_apache_log_level: info
-panko_apache_servertokens: "Prod"
-panko_apache_serversignature: "Off"
+## uWSGI setup
+panko_api_init_overrides: {}
 panko_wsgi_threads: 10
 panko_wsgi_processes_max: 16
 panko_wsgi_processes: "{{ [[ansible_processor_vcpus|default(1), 1] | max * 2, panko_wsgi_processes_max] | min }}"
@ -72,6 +70,7 @@ panko_role_name: admin
 panko_service_region: RegionOne
 panko_service_endpoint_type: internalURL
 panko_service_name: panko
+panko_service_address: 0.0.0.0
 panko_service_port: 8777
 panko_service_proto: http
 panko_service_type: event
@ -99,6 +98,15 @@ panko_event_time_to_live: -1
 #   reboot, yearly, annually, monthly, weekly, daily, hourly
 panko_expirer_job_time: daily

+panko_services:
+  panko-api:
+    group: "panko_api"
+    service_name: "panko-api"
+    service_enabled: true
+    config_overrides: "{{ panko_api_init_overrides }}"
+    execstarts: "{{ panko_bin }}/uwsgi --autoload --ini /etc/uwsgi/panko-api.ini"
+    execreloads: "{{ panko_bin }}/uwsgi --reload /var/run/panko-api/panko-api.pid"
+
 # Common pip packages
 panko_pip_packages:
  - alembic>=0.7.2
@ -108,11 +116,11 @@ panko_pip_packages:
  - osprofiler
  - panko
  - PyMySQL>=0.6.2
-  - python-ceilometerclient
  - python-memcached
  - sqlalchemy>=0.9.7
  - sqlalchemy-utils
  - systemd-python
+  - uwsgi
  - warlock


@ -133,3 +141,4 @@ panko_role_project_group: panko_all
 panko_policy_overrides: {}
 panko_panko_conf_overrides: {}
 panko_api_paste_ini_overrides: {}
+panko_uwsgi_conf_overrides: {}
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -13,6 +13,32 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Stop services
+  service:
+    name: "{{ item.value.service_name }}"
+    enabled: yes
+    state: "stopped"
+    daemon_reload: yes
+  with_dict: "{{ panko_services }}"
+  when:
+    - "item.value.group in group_names"
+    - item.value.service_enabled | bool
+  register: _stop
+  until: _stop is success
+  retries: 5
+  delay: 2
+  listen:
+    - "Restart panko services"
+    - "venv changed"
+
+# Note (odyssey4me):
+# The policy.json file is currently read continually by the services
+# and is not only read on service start. We therefore cannot template
+# directly to the file read by the service because the new policies
+# may not be valid until the service restarts. This is particularly
+# important during a major upgrade. We therefore only put the policy
+# file in place after the service has been stopped.
+#
 - name: Copy new policy file into place
  copy:
    src: "/etc/panko/policy.json-{{ panko_venv_tag }}"
@ -22,18 +48,33 @@
    mode: "0640"
    remote_src: yes
  listen:
-    - "Restart web server"
+    - "Restart panko services"
    - "venv changed"

+- name: Start services
+  service:
+    name: "{{ item.value.service_name }}"
+    enabled: yes
+    state: "started"
+    daemon_reload: yes
+  with_dict: "{{ panko_services }}"
+  when:
+    - "item.value.group in group_names"
+    - item.value.service_enabled | bool
+  register: _start
+  until: _start is success
+  retries: 5
+  delay: 2
+  listen:
+    - "Restart panko services"
+    - "venv changed"
+
+# NOTE(noonedeadpunk): This task is created due to migration from apache to uwsgi
+# which was introduced during train release. It can be dropped afterwards.
 - name: Restart web server
  service:
    name: "{{ panko_system_service_name }}"
    enabled: yes
    state: "restarted"
    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
-  register: _restart
-  until: _restart is success
-  retries: 5
-  delay: 2
-  listen:
-    - "venv changed"
+  failed_when: false
--- a/releasenotes/notes/use_uwsgi-ec064b70a3b4e0c1.yaml
+++ b/releasenotes/notes/use_uwsgi-ec064b70a3b4e0c1.yaml
@ -0,0 +1,12 @@
+upgrade:
+  - |
+    Panko migrated from usage of Apache mod_wsgi or native daemon to uWSGI
+    daemon. This means, that `panko_apache_*` variables are not available and has no effect
+    anymore.
+
+    During upgrade process role will drop `panko_service_port` from apache
+    listeners (ports.conf) and panko virtualhost, which by default means
+    misconfigured apache service (since it won't have any listeners) unless
+    it's aio build and this apache server is in use by other role/service.
+    Apache server won't be dropped from panko_api hosts, so deployers
+    are encoureged to remove it manually.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -71,12 +71,43 @@
  tags:
    - panko-config

- import_tasks: panko_db_sync.yml
-  when: inventory_hostname == groups['panko_all'][0]
+- name: Run the systemd service role
+  import_role:
+    name: systemd_service
+  vars:
+    systemd_user_name: "{{ panko_system_user_name }}"
+    systemd_group_name: "{{ panko_system_group_name }}"
+    systemd_tempd_prefix: openstack
+    systemd_slice_name: panko
+    systemd_lock_path: /var/lock/panko
+    systemd_CPUAccounting: true
+    systemd_BlockIOAccounting: true
+    systemd_MemoryAccounting: true
+    systemd_TasksAccounting: true
+    systemd_services: |-
+      {% set services = [] %}
+      {% for name, service in panko_services.items() %}
+      {%   if (service['group'] in group_names) and
+           (('service_enabled' not in service) or
+           ('service_enabled' in service and service['service_enabled'])) %}
+      {%     set _ = service.update(
+           {
+             'service_key': name,
+             'enabled': 'yes',
+             'state': 'started',
+           }
+         )
+      %}
+      {%     set _ = services.append(service) %}
+      {%   endif %}
+      {% endfor %}
+      {{ services }}
  tags:
    - panko-config
+    - systemd-service

- import_tasks: panko_apache.yml
+- import_tasks: panko_db_sync.yml
+  when: inventory_hostname == groups['panko_all'][0]
  tags:
    - panko-config

--- a/tasks/panko_apache.yml
+++ b/tasks/panko_apache.yml
@ -1,90 +0,0 @@
---
-# Copyright 2016, Comcast Corporation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# NOTE(hwoarang) default openSUSE apache2 installation is missing
-# some required modules so enable them here. This can possibly be
-# extended to other distributions if necessary.
- name: Enable required apache2 modules (SUSE)
-  apache2_module:
-    name: "{{ item.name }}"
-    state: "{{ item.state }}"
-  with_items: "{{ panko_apache_modules }}"
-  when:
-    - ansible_pkg_mgr ==  'zypper'
-    - panko_apache_modules is defined
-  notify:
-    - Restart web server
-
- name: Drop apache2 virtual host and ports file
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    owner: "root"
-    group: "root"
-  with_items: "{{ panko_apache_config }}"
-  notify:
-    - Restart web server
-
- name: Disable default apache site
-  file:
-    path: "{{ item }}"
-    state: "absent"
-  with_items: "{{ panko_apache_default_sites }}"
-  notify:
-    - Restart web server
-
- name: Enabled panko vhost
-  file:
-    src: "{{ panko_apache_site_available }}"
-    dest: "{{ panko_apache_site_enabled }}"
-    state: "link"
-  when:
-    - panko_apache_site_available is defined
-    - panko_apache_site_enabled is defined
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerName
-  lineinfile:
-    dest: "{{ panko_apache_conf }}"
-    line: "ServerName {{ inventory_hostname }}"
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerTokens
-  lineinfile:
-    dest: "{{ panko_apache_security_conf }}"
-    regexp: '^ServerTokens'
-    line: "ServerTokens {{ panko_apache_servertokens }}"
-  notify:
-    - Restart web server
-
- name: Ensure Apache ServerSignature
-  lineinfile:
-    dest: "{{ panko_apache_security_conf }}"
-    regexp: '^ServerSignature'
-    line: "ServerSignature {{ panko_apache_serversignature }}"
-  notify:
-    - Restart web server
-
- name: remove Listen from Apache config
-  lineinfile:
-    dest: "{{ panko_apache_security_conf }}"
-    regexp: '^(Listen.*)'
-    backrefs: yes
-    line: '#\1'
-  notify:
-    - Restart web server
--- a/tasks/panko_post_install.yml
+++ b/tasks/panko_post_install.yml
@ -36,17 +36,43 @@
      config_overrides: "{{ panko_policy_overrides }}"
      config_type: "json"
  notify:
-    - Restart web server
+    - Restart panko services

- name: Drop panko API WSGI Configs
-  template:
-    src: panko-api-wsgi.py.j2
-    dest: /var/www/cgi-bin/panko/panko-api
-    owner: "{{ panko_system_user_name }}"
-    group: "{{ panko_system_group_name }}"
-    mode: "0755"
+- name: Configurng uWSGI
+  block:
+    - name: Ensure uWSGI directory exists
+      file:
+        path: "/etc/uwsgi/"
+        state: directory
+        mode: "0711"
+    - name: Apply uWSGI configuration
+      config_template:
+        src: "panko-uwsgi.ini.j2"
+        dest: "/etc/uwsgi/panko-api.ini"
+        mode: "0644"
+        config_overrides: "{{ panko_uwsgi_conf_overrides }}"
+        config_type: ini
+      notify:
+        - Restart panko services
+  when: "'panko_api' in group_names"
+
+# NOTE(noonedeadpunk): This task is created due to migration from apache to uwsgi
+# which was introduced during train release. It can be dropped afterwards.
+- name: Drop Apache related configs
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items: "{{ panko_apache_config }}"
  notify:
-    - Restart web server
+   - Restart web server
+
+- name: Stop Apache listening on Panko port
+  lineinfile:
+    path: "{{ panko_apache_ports }}"
+    state: absent
+    line: "Listen {{ panko_service_port }}"
+  notify:
+   - Restart web server

 - name: Create cron job for panko event expirer
  cron:
@ -56,4 +82,4 @@
    job: "{{ panko_bin }}/panko-expirer"
  when:
    - inventory_hostname == groups['panko_all'][0]
-    - panko_event_time_to_live > 0
+    - panko_event_time_to_live > 0
--- a/tasks/panko_pre_install.yml
+++ b/tasks/panko_pre_install.yml
@ -42,14 +42,4 @@
    - { path: "{{ panko_system_user_home }}" }
    - { path: "{{ panko_system_user_home }}/.ssh", mode: "0700" }
    - { path: "/var/cache/panko", mode: "0700" }
-
- name: Create Apache mod_wsgi dirs
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    owner: "{{ item.owner|default(panko_system_user_name) }}"
-    group: "{{ item.group|default(panko_system_group_name) }}"
-    mode: "{{ item.mode|default('0755') }}"
-  with_items:
-    - { path: "/var/www/cgi-bin", owner: root, group: root }
-    - { path: "/var/www/cgi-bin/panko" }
+    - { path: "/var/run/panko-api" }
--- a/templates/panko-api-wsgi.py.j2
+++ b/templates/panko-api-wsgi.py.j2
@ -1,22 +0,0 @@
-# Copyright 2016 Comcast Corporation
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-import os
-
-activate_this = os.path.expanduser("{{ panko_bin }}/activate_this.py")
-execfile(activate_this, dict(__file__=activate_this))
-
-from panko.api import app
-
-application = app.build_wsgi_app()
--- a/templates/panko-httpd.conf.j2
+++ b/templates/panko-httpd.conf.j2
@ -1,28 +0,0 @@
-# {{ ansible_managed }}
-
-<VirtualHost *:{{ panko_service_port }}>
-    WSGIDaemonProcess panko-api lang='en_US.UTF-8' locale='en_US.UTF-8' user={{ panko_system_user_name }} group={{ panko_system_group_name }} processes={{ panko_wsgi_processes }} threads={{ panko_wsgi_threads }} display-name=%{GROUP}
-    WSGIProcessGroup panko-api
-    WSGIScriptAlias / /var/www/cgi-bin/panko/panko-api
-    WSGIApplicationGroup  %{GLOBAL}
-
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-
-    LogLevel  {{  panko_apache_log_level }}
-    ErrorLog  /var/log/panko/panko-apache-error.log
-    CustomLog /var/log/panko/panko-access.log combined
-</VirtualHost>
-
-<Directory "/var/www/cgi-bin">
-        AllowOverride None
-        Options +ExecCGI -Includes
-        <IfModule !mod_access_compat.c>
-                Require all granted
-        </IfModule>
-        <IfModule mod_access_compat.c>
-                Order allow,deny
-                Allow from all
-        </IfModule>
-</Directory>
--- a/templates/panko-ports.conf.j2
+++ b/templates/panko-ports.conf.j2
@ -1,3 +0,0 @@
-# {{ ansible_managed }}
-
-Listen {{ panko_service_port }}
--- a/templates/panko-uwsgi.ini.j2
+++ b/templates/panko-uwsgi.ini.j2
@ -0,0 +1,25 @@
+[uwsgi]
+uid = {{ panko_system_user_name }}
+gid = {{ panko_system_group_name }}
+
+virtualenv = {{ panko_bin | dirname }}
+wsgi-file = {{ panko_bin }}/panko-api
+http-socket = {{ panko_service_address }}:{{ panko_service_port }}
+
+master = true
+enable-threads = true
+processes = {{ panko_wsgi_processes }}
+threads = {{ panko_wsgi_threads }}
+exit-on-reload = true
+die-on-term = true
+lazy-apps = true
+add-header = Connection: close
+buffer-size = 65535
+thunder-lock = true
+disable-logging = true
+http-auto-chunked = true
+http-raw-body = true
+socket-timeout = 10
+
+# Avoid filling up the logs with health check requests from haproxy.
+route-user-agent = ^osa-haproxy-healthcheck$ donotlog:
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -19,9 +19,6 @@ cache_timeout: 600
 # Common apt packages
 panko_distro_packages:
  - rpcbind
-  - apache2
-  - apache2-utils
-  - libapache2-mod-wsgi
  - libffi-dev
  - libssl-dev
  - libxml2-dev
@ -31,18 +28,10 @@ panko_devel_distro_packages:
  - git
  - libsystemd-dev

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 panko_system_service_name: apache2
-
 panko_apache_config:
-  - { src: "panko-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
-  - { src: "panko-httpd.conf.j2", dest: "/etc/apache2/sites-available/panko-httpd.conf" }
-
-panko_apache_default_sites:
-  - "/etc/apache2/sites-enabled/000-default.conf"
-
-panko_apache_site_available: "/etc/apache2/sites-available/panko-httpd.conf"
-panko_apache_site_enabled: "/etc/apache2/sites-enabled/panko-httpd.conf"
-
-panko_apache_conf: "/etc/apache2/apache2.conf"
-panko_apache_security_conf: "/etc/apache2/conf-available/security.conf"
-
+  - "/etc/apache2/sites-available/panko-httpd.conf"
+  - "/etc/apache2/sites-enabled/panko-httpd.conf"
+panko_apache_ports: "/etc/apache2/ports.conf"
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -16,9 +16,6 @@
 # Common packages
 panko_distro_packages:
  - rpcbind
-  - httpd
-  - httpd-tools
-  - mod_wsgi
  - libffi-devel
  - openssl-devel
  - libxml2-devel
@ -29,17 +26,9 @@ panko_devel_distro_packages:
  - git
  - systemd-devel

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 panko_system_service_name: httpd
-
 panko_apache_config:
-  - { src: "panko-ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf" }
-  - { src: "panko-httpd.conf.j2", dest: "/etc/httpd/conf.d/panko-httpd.conf" }
-
-panko_apache_default_sites:
-  - "/etc/httpd/conf.d/userdir.conf"
-  - "/etc/httpd/conf.d/welcome.conf"
-  - "/etc/httpd/conf.d/ssl.conf"
-
-panko_apache_conf: "/etc/httpd/conf/httpd.conf"
-panko_apache_security_conf: "{{ panko_apache_conf }}"
-
+  - "/etc/httpd/conf.d/panko-httpd.conf"
+panko_apache_ports: "/etc/httpd/conf.d/ports.conf"
--- a/vars/suse.yml
+++ b/vars/suse.yml
@ -17,9 +17,6 @@
 # Common packages
 panko_distro_packages:
  - rpcbind
-  - apache2
-  - apache2-utils
-  - apache2-mod_wsgi
  - libffi-devel
  - libopenssl-devel
  - libxml2-devel
@ -30,22 +27,9 @@ panko_devel_distro_packages:
  - git-core
  - systemd-devel

+# NOTE(noonedeadpunk): These variables are left for migration from apache to uwsgi
+# which was introduced during train release. They can be dropped afterwards.
 panko_system_service_name: apache2
-
 panko_apache_config:
-  - { src: "panko-ports.conf.j2", dest: "/etc/apache2/conf.d/ports.conf" }
-  - { src: "panko-httpd.conf.j2", dest: "/etc/apache2/conf.d/panko-httpd.conf" }
-
-panko_apache_default_sites:
-  - "/etc/apache2/conf.d/gitweb.conf"
-
-panko_apache_conf: "/etc/apache2/httpd.conf"
-panko_apache_security_conf: "{{ panko_apache_conf }}"
-
-panko_apache_modules:
-  - name: "authz_host"
-    state: "present"
-  - name: "access_compat"
-    state: "present"
-  - name: "version"
-    state: "present"
+  -  "/etc/apache2/conf.d/panko-httpd.conf"
+panko_apache_ports: /etc/apache2/conf.d/ports.conf