When multiple processes are spawned with the same configuration
each process has the same backdoor_socket path configured and
only the first process able to bind to the socket can later be
accessed via the backdoor. To give each process a unique socket path
we now expose the PID of the process as a format string argument,
which can then be used like this:
backdoor_socket = /var/lib/neutron/backdoor-{pid}
Change-Id: I3f86f4867eb0cd5010abadf68620aa3450d3e64d
You can get large tokens when keystone is configured to use PKI
tokens. This doesn't have anything to do with v3 or v2.0.
Change-Id: I8a571a7f6f69c1f68a1991be09db093f91c29367
It turned out that distribution of WSGI requests between forks is not
even when eventlet is used, which can cause pool timeout issues under
load, while there are idle workers with open DB connections, which
should have served these HTTP requests.
The default number of greenthreads in pool should be decreased to allow
DB oriented services (mostly APIs) to distribute load more evenly between
workers: one worker will stop accepting new requests, when there are no
more available greenthreads in the wsgi pool, accept() will block, but
there are other forks accept()'ing on the same FD to handle connections
from the queue in kernel.
Related change to oslo.db:
I2e9c2a71d8231e0dfbefc6293ad319e1e459beec
Testing was performed using this script:
https://gist.github.com/zzzeek/c69138fd0d0b3e553a1f
With 100 greenthreads in the pool, 50 DB connections allowed overflow,
no pool timeout issues were seen with up to 500 concurrent requests
done by ab, while current default values (1000/10) could not handle
even 100 concurrent requests.
See this ML thread for details:
http://lists.openstack.org/pipermail/openstack-dev/2015-December/082717.html
Closes-Bug: #1535375
Change-Id: I65b40b9906b75146a0085bbe168f1e6bcae82f21
Local files can be made accessible to certain users vs random
ports which can be accessible to anyone on a machine so allow
using unix files as a way to start the eventlet backdoor (so that
user and group permissions common on unix are not lost).
To use this new type of file, `socat` is needed (or another way
to interact with telnet over a unix domain socket).
For example (with the path at /tmp/my_special_socket):
socat - UNIX-CONNECT:/tmp/my_special_socket
Depends-On: Ia2385879e09991102f8f305ec41dbb651a4374de
Change-Id: I7f25913168ebe5854f360db3d6310b72a56b2b4d
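The two backdoor_socket commit messages above (per-process `{pid}` paths and Unix-socket file permissions), as an added Python example that is not oslo.service code: it expands the `{pid}` template with `str.format`, binds the socket so it is never world-accessible, and audits the resulting file. The helper names, the `/tmp` working directory and the 0660 mode are assumptions made for the illustration.

```python
import os
import socket
import stat
import tempfile


def expand_socket_path(template, pid=None):
    """Fill in {pid} so every forked worker gets its own socket path."""
    return template.format(pid=os.getpid() if pid is None else pid)


def bind_private_socket(path, mode=0o660):
    """Bind a Unix socket that is never world-accessible, even briefly."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # bind() creates the file as 0600
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)  # widen to the group only after creation
    sock.listen(1)
    return sock


def audit_socket(path):
    """Return findings that would let unintended local users connect."""
    findings = []
    st = os.lstat(path)
    if st.st_mode & stat.S_IRWXO:
        findings.append("socket is accessible to other users")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable, no sticky bit")
    return findings


def demo():
    workdir = tempfile.mkdtemp(dir="/tmp")  # constructed location, mode 0700
    path = expand_socket_path(os.path.join(workdir, "backdoor-{pid}"))
    sock = bind_private_socket(path)
    try:
        good = audit_socket(path)
        os.chmod(path, 0o666)  # constructed misconfiguration
        return path, good, audit_socket(path)
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(workdir)
```

`demo()` returns the expanded path, the findings for the correctly bound socket, and the findings after the mode is loosened to 0666.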
Add ability to explicitly specify SSL/TLS protocol
version and ciphers. We add 2 string options and
do not specify any default for backward compatibility.
If the values are not specified explicitly we fall
back to the python defaults as we did before.
DocImpact
Closes-Bug: #1513581
Change-Id: I149cf569e1e5277f30e89203d20731d4482509d4
Option graceful_shutdown_timeout is responsible for interruption of
graceful shutdown if graceful_shutdown_timeout is exceeded.
DocImpact
Closes-Bug: #1446583
Change-Id: I0dfbf2d0a4943337da24c0904a1ed6f0cdccd77b
1. Deprecated SSL options were added.
2. Server class became derived from service.ServiceBase.
3. InvalidInput message was wrapped with log translator.
Change-Id: Id99b77a4f45998c158de7aa5f93f0f4afd9b5f7e
Because of copy-pasted wsgi functionality in projects (nova, cinder,
glance, etc.) it is added to oslo.service with perspective to remove
it from other projects.
DocImpact
Change-Id: If8840168f10cc3561f4f01e6d456d6b4fd1de8b5
It is not always desirable to log the full set of conf at service
start. This change adds a new option "log_options" that allows
enabling or disabling logging of the values of all registered options.
Also moved list_opts function for service submodule to service.py
as service and eventlet_backdoor opts have to be grouped together
and changed the entrypoint accordingly.
Change-Id: I2a97ebf736fd361e6f1d05796d5077bc9627ff85
Closes-Bug: #1461250