Add support for API through Apache + mod_wsgi

Also adds a delay and more retries to policy setup in order to ensure that
step completes successfully since the API takes a moment to stop returning
Status 503s.

defaults/main.yml

@@ -17,7 +17,10 @@
 is_metal: true
 
 debug: false
-gnocchi_fatal_deprecations: False
+gnocchi_fatal_deprecations: false
+
+#: Set this to false to disable API service through Apache + mod_wsgi
+gnocchi_use_mod_wsgi: true
 
 #: Set this to enable or disable installing in a venv
 gnocchi_venv_enabled: true
@@ -25,6 +28,7 @@ gnocchi_venv_enabled: true
 #: Name of the virtual env to deploy into
 gnocchi_venv_tag: untagged
 gnocchi_venv_bin: "/openstack/venvs/gnocchi-{{ gnocchi_venv_tag }}/bin"
+gnocchi_venv_pkgs: "/openstack/venvs/gnocchi-{{ gnocchi_venv_tag }}/lib/python2.7/site-packages"
 
 #: The bin path defaults to the venv path however if installation in a
 #  venv is disabled the bin path will be dynamically set based on the
@@ -76,6 +80,7 @@ gnocchi_archive_policy_rules:
 #: System info
 gnocchi_system_user_name: gnocchi
 gnocchi_system_group_name: gnocchi
+gnocchi_system_service_name: apache2
 gnocchi_system_shell: /bin/false
 gnocchi_system_comment: gnocchi system user
 gnocchi_system_user_home: "/var/lib/{{ gnocchi_system_user_name }}"
@@ -103,6 +108,30 @@ gnocchi_service_internalurl: "{{ gnocchi_service_internaluri_proto }}://{{ inter
 gnocchi_service_adminurl: "{{ gnocchi_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ gnocchi_service_port }}"
 gnocchi_healthcheck_disable_path: /etc/gnocchi/healthcheck_disable
 
+## Apache setup
+gnocchi_apache_log_level: info
+gnocchi_apache_servertokens: "Prod"
+gnocchi_apache_serversignature: "Off"
+gnocchi_wsgi_threads: 1
+gnocchi_wsgi_processes: "{{ ansible_processor_vcpus | default (1) * 2 }}"
+
+# set gnocchi_ssl to true to enable SSL configuration on the gnocchi containers
+gnocchi_ssl: false
+gnocchi_ssl_cert: /etc/ssl/certs/gnocchi.pem
+gnocchi_ssl_key: /etc/ssl/private/gnocchi.key
+gnocchi_ssl_ca_cert: /etc/ssl/certs/gnocchi-ca.pem
+gnocchi_ssl_protocol: "{{ ssl_protocol }}"
+gnocchi_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
+
+# if using a self-signed certificate, set this to true to regenerate it
+gnocchi_ssl_self_signed_regen: false
+gnocchi_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
+
+# Set these in user_variables to deploy custom certificates
+#gnocchi_user_ssl_cert: <path to cert on ansible deployment host>
+#gnocchi_user_ssl_key: <path to cert on ansible deployment host>
+#gnocchi_user_ssl_ca_cert: <path to cert on ansible deployment host>
+
 #: Gnocchi API program name
 gnocchi_api_program_name: gnocchi-api
 #: Gnocchi Metricd program name
@@ -110,6 +139,9 @@ gnocchi_metricd_program_name: gnocchi-metricd
 
 #: Necessary packages
 gnocchi_apt_packages:
+  - apache2
+  - apache2-utils
+  - libapache2-mod-wsgi
   - git
   - build-essential
   - python-dev
@@ -131,9 +163,9 @@ gnocchi_pip_packages:
   - python-memcached
 
 #: List of programs/services owned by gnocchi
-gnocchi_service_names:
-  - "{{ gnocchi_api_program_name }}"
+gnocchi_service_names: []
 # TODO(stevelle) needs configuration help
+#  - "{{ gnocchi_api_program_name }}"
 #  - "{{ gnocchi_metricd_program_name }}"
 
 #: Tunable overrides

handlers/main.yml

@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# gnocchi_service_names should exclude the API if {{ gnocchi_use_mod_wsgi }}
 - name: Restart gnocchi services
   service:
     name: "{{ item }}"
@@ -20,3 +21,13 @@
     pattern: "{{ item }}"
   with_items: gnocchi_service_names
 
+- name: Restart Apache
+  service:
+    name: "apache2"
+    state: "restarted"
+    pattern: "apache2"
+  when: gnocchi_use_mod_wsgi | bool
+  register: apache_restart
+  until: apache_restart|success
+  retries: 5
+  delay: 2

tasks/gnocchi_apache.yml

@@ -0,0 +1,89 @@
+---
+# Copyright 2014, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Drop apache2 virtual host and ports file
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "root"
+    group: "root"
+  with_items:
+    - { src: "gnocchi-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
+    - { src: "gnocchi-httpd.conf.j2", dest: "/etc/apache2/sites-available/gnocchi-httpd.conf" }
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Disable default apache site
+  file:
+    path: "/etc/apache2/sites-enabled/000-default.conf"
+    state: "absent"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Enabled gnocchi vhost
+  file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: "{{ item.state }}"
+  with_items:
+    - { src: "/etc/apache2/sites-available/gnocchi-httpd.conf", dest: "/etc/apache2/sites-enabled/gnocchi-httpd.conf", state: "link" }
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Ensure Apache ServerName
+  lineinfile:
+    dest: "/etc/apache2/apache2.conf"
+    line: "ServerName {{ inventory_hostname }}"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Ensure Apache ServerTokens
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerTokens'
+    line: "ServerTokens {{ gnocchi_apache_servertokens }}"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Ensure Apache ServerSignature
+  lineinfile:
+    dest: "/etc/apache2/conf-available/security.conf"
+    regexp: '^ServerSignature'
+    line: "ServerSignature {{ gnocchi_apache_serversignature }}"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+
+- name: Enable/disable mod_ssl for apache2
+  apache2_module:
+    name: ssl
+    state: "{{ (gnocchi_ssl | bool) | ternary('present', 'absent') }}"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-httpd
+    - gnocchi-ssl

tasks/gnocchi_policy_setup.yml

@@ -13,13 +13,28 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Ensure gnocchi API service is started
-  service:
-    name: "{{ item }}"
-    state: "started"
-    pattern: "{{ item }}"
-  with_items:
-    - "{{ gnocchi_api_program_name }}"
+- name: Ensure Gnocchi API service is (re)started
+  meta: flush_handlers
+
+#- name: Ensure Gnocchi API service is started
+#  service:
+#    name: "{{ item }}"
+#    state: "started"
+#    pattern: "{{ item }}"
+#  when: not gnocchi_use_mod_wsgi | bool
+#  with_items:
+#    - "{{ gnocchi_api_program_name }}"
+#
+#- name: Ensure Gnocchi API is available through Apache
+#  service:
+#    name: "{{ item }}"
+#    state: "restarted"
+#    pattern: "{{ item }}"
+#  when: gnocchi_use_mod_wsgi | bool
+#  retries: 5
+#  delay: 3
+#  with_items:
+#    - apache2
 
 - name: Ensure Archive Policies
   gnocchi:

tasks/gnocchi_post_install.yml

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Drop gnocchi Config(s)
+- name: Drop Gnocchi Config(s)
   config_template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
@@ -36,22 +36,36 @@
       config_overrides: "{{ gnocchi_policy_overrides }}"
       config_type: "json"
   notify:
-    - Restart gnocchi services
+    - Restart Apache
   tags:
     - gnocchi-config
 
-- name: Get gnocchi command path
+- name: Get Gnocchi command path
   command: which gnocchi
   register: gnocchi_command_path
   when:
     - not gnocchi_venv_enabled | bool
   tags:
     - gnocchi-command-bin
+    - gnocchi-config
 
-- name: Set gnocchi command path
+- name: Set Gnocchi command path
   set_fact:
     gnocchi_bin: "{{ gnocchi_command_path.stdout | dirname }}"
   when:
     - not gnocchi_venv_enabled | bool
   tags:
     - gnocchi-command-bin
+    - gnocchi-config
+
+- name: Drop Gnocchi WSGI Configs
+  template:
+    src: gnocchi-wsgi.py.j2
+    dest: /var/www/cgi-bin/gnocchi/gnocchi-api
+    owner: "{{ gnocchi_system_user_name }}"
+    group: "{{ gnocchi_system_group_name }}"
+    mode: "0755"
+  notify:
+    - Restart Apache
+  tags:
+    - gnocchi-config

tasks/gnocchi_pre_install.yml

@@ -47,6 +47,8 @@
     - { path: "/var/lib/gnocchi/tmp" }
     - { path: "/var/lib/gnocchi/locks" }
     - { path: "/var/cache/gnocchi", mode: "0700" }
+    - { path: "/var/www/cgi-bin", owner: root, group: root }
+    - { path: "/var/www/cgi-bin/gnocchi" }
   tags:
     - gnocchi-dirs
 

tasks/main.yml

@@ -25,5 +25,15 @@
 - include: gnocchi_service_setup.yml
   run_once: true
 
+- include: gnocchi_apache.yml
+
 - include: gnocchi_policy_setup.yml
-  run_once: true
+  run_once: true
+
+#- include: gnocchi_ssl_self_signed.yml
+#  when: >
+#    gnocchi_user_ssl_cert is not defined or
+#    gnocchi_user_ssl_key is not defined
+#
+#- include: gnocchi_ssl_user_provided.yml
+

templates/gnocchi-httpd.conf.j2

@@ -0,0 +1,30 @@
+# {{ ansible_managed }}
+
+<VirtualHost *:{{ gnocchi_service_port }}>
+    WSGIDaemonProcess     gnocchi lang='en_US.UTF-8' locale='en_US.UTF-8' user={{ gnocchi_system_user_name }} group={{ gnocchi_system_group_name }} processes={{ gnocchi_wsgi_processes }} threads={{ gnocchi_wsgi_threads }} display-name=%{GROUP}
+    WSGIProcessGroup      gnocchi
+    WSGIScriptAlias       / /var/www/cgi-bin/gnocchi/gnocchi-api
+    WSGIApplicationGroup  %{GLOBAL}
+
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+
+    LogLevel  {{  gnocchi_apache_log_level }}
+    ErrorLog  /var/log/gnocchi/gnocchi-apache-error.log
+    CustomLog /var/log/gnocchi/gnocchi-access.log combined
+
+    {% if gnocchi_ssl | bool and gnocchi_service_internaluri_proto == "https" -%}
+    SSLEngine on
+    SSLCertificateFile    {{ gnocchi_ssl_cert }}
+    SSLCertificateKeyFile {{ gnocchi_ssl_key }}
+    {% if gnocchi_user_ssl_ca_cert is defined -%}
+    SSLCACertificateFile  {{ gnocchi_ssl_ca_cert }}
+    {% endif -%}
+    SSLCompression Off
+    SSLProtocol {{ gnocchi_ssl_protocol }}
+    SSLHonorCipherOrder On
+    SSLCipherSuite {{ gnocchi_ssl_cipher_suite }}
+    SSLOptions +StdEnvVars +ExportCertData
+    {% endif %}
+</VirtualHost>

templates/gnocchi-ports.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+Listen {{ gnocchi_service_port }}

templates/gnocchi-wsgi.py.j2

@@ -0,0 +1,31 @@
+# Copyright 2013 OpenStack Foundation
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import os
+
+{% if gnocchi_venv_enabled | bool %}
+activate_this = os.path.expanduser("{{ gnocchi_venv_bin }}/activate_this.py")
+execfile(activate_this, dict(__file__=activate_this))
+{% endif %}
+
+from oslo_config import cfg
+
+from gnocchi import service
+from gnocchi.rest import app
+
+# Initialize the oslo configuration library and logging
+conf = service.prepare_service()
+# The pecan debugger cannot be used in wsgi mode
+conf.set_default('pecan_debug', False, group='api')
+application = app.load_app(conf)