Install and configure Nginx

Apply configuration to add request time to the access log. Creates virtual hosts for each Keystone service. Enables SSL termination within Nginx. The Uwsgi sockets are updated to match the Keystone developer docs to improve consistency of experience for operators. No Shibboleth integration is included. Not introducing any additional Nginx restarts based on changes in Federation configuration yet for this reason. Change-Id: Iec42810be7ff6d05fa38deb23996e66e0c34da8e Related: blueprint keystone-uwsgi
2016-08-22 10:32:23 -07:00 · 2016-08-22 10:32:23 -07:00 · 4edb378b1e
parent 812ea82d71
commit 4edb378b1e
11 changed files with 149 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -184,6 +184,15 @@ keystone_httpd_mpm_thread_child: 25
 keystone_httpd_mpm_max_requests: 150
 keystone_httpd_mpm_max_conn_child: 0

+## Nginx setup
+keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"'
+keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
+keystone_nginx_ports:
+  keystone-wsgi-public: "{{ keystone_service_port }}"
+  keystone-wsgi-admin: "{{ keystone_admin_port }}"
+keystone_nginx_extra_conf:
+  - keepalive_timeout   70;
+
 ## uWSGI setup
 keystone_wsgi_public_program_name: keystone-wsgi-public
 keystone_wsgi_admin_program_name: keystone-wsgi-admin
@ -191,8 +200,12 @@ keystone_wsgi_program_names:
  - "{{ keystone_wsgi_public_program_name }}"
  - "{{ keystone_wsgi_admin_program_name }}"
 keystone_uwsgi_ports:
-  keystone-wsgi-public: 37358
-  keystone-wsgi-admin: 37359
+  keystone-wsgi-public:
+    http: 37358
+    socket: 35358
+  keystone-wsgi-admin:
+    http: 37359
+    socket: 5001

 # set keystone_ssl to true to enable SSL configuration on the keystone containers
 keystone_ssl: false
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -24,6 +24,16 @@
  delay: 2
  when: keystone_apache_mod_wsgi_enabled | bool

+- name: Restart Nginx
+  service:
+    name: nginx
+    state: restarted
+  register: keystone_restart
+  until: keystone_restart | success
+  retries: 5
+  delay: 2
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
 - name: Restart Keystone APIs
  service:
    name: "{{ item }}"
--- a/tasks/keystone_install_apt.yml
+++ b/tasks/keystone_install_apt.yml
@ -43,6 +43,17 @@
  with_items: "{{ keystone_apache_packages }}"
  when: keystone_apache_mod_wsgi_enabled | bool

+- name: Install Nginx apt packages
+  apt:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_nginx_packages }}"
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
 - name: Install IdP apt packages
  apt:
    pkg: "{{ item }}"
--- a/tasks/keystone_install_yum.yml
+++ b/tasks/keystone_install_yum.yml
@ -57,6 +57,17 @@
  with_items: "{{ keystone_apache_packages }}"
  when: keystone_apache_mod_wsgi_enabled | bool

+- name: Install Nginx yum packages
+  yum:
+    pkg: "{{ item }}"
+    state: "{{ keystone_package_state }}"
+  register: install_packages
+  until: install_packages|success
+  retries: 5
+  delay: 2
+  with_items: "{{ keystone_nginx_packages }}"
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
 - name: Install IdP yum packages
  yum:
    pkg: "{{ item }}"
--- a/tasks/keystone_nginx.yml
+++ b/tasks/keystone_nginx.yml
@ -0,0 +1,51 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure Apache is not running
+  service:
+    name: "{{ keystone_system_service_name }}"
+    state: stopped
+    pattern: "{{ keystone_system_service_name }}"
+  failed_when: false
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
+- name: Disable default configuration
+  file:
+    path: /etc/nginx/sites-enabled/default
+    state: absent
+  notify: Restart Nginx
+
+- name: Configure custom nginx log format
+  lineinfile:
+    insertbefore: access_log
+    dest: "/etc/nginx/nginx.conf"
+    line: "log_format custom '{{ keystone_nginx_access_log_format_combined }} {{ keystone_nginx_access_log_format_extras }}';"
+  notify: Restart Nginx
+
+# Configure app
+- name: Configure virtual hosts
+  template:
+    src: keystone_nginx.conf.j2
+    dest: "/etc/nginx/sites-available/{{ item }}.conf"
+  with_items: keystone_wsgi_program_names
+  notify: Restart Nginx
+
+- name: Link to enable virtual hosts
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}.conf"
+    path: "/etc/nginx/sites-enabled/{{ item }}.conf"
+    state: link
+  with_items: keystone_wsgi_program_names
+  notify: Restart Nginx
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -101,6 +101,12 @@
    - keystone-config
  when: keystone_apache_mod_wsgi_enabled | bool

+- include: keystone_nginx.yml
+  tags:
+    - keystone-install
+    - keystone-config
+  when: not keystone_apache_mod_wsgi_enabled | bool
+
 - include: keystone_uwsgi.yml
  tags:
    - keystone-install
--- a/templates/keystone-uwsgi.ini.j2
+++ b/templates/keystone-uwsgi.ini.j2
@ -5,7 +5,8 @@ gid = {{ keystone_system_group_name }}

 virtualenv = /openstack/venvs/keystone-{{ keystone_venv_tag }}
 wsgi-file = {{ keystone_bin }}/{{ item }}
-http = 0.0.0.0:{{ keystone_uwsgi_ports[item] }}
+http = :{{ keystone_uwsgi_ports[item]['http'] }}
+socket = 127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }}

 master = true
 enable-threads = true
--- a/templates/keystone_nginx.conf.j2
+++ b/templates/keystone_nginx.conf.j2
@ -0,0 +1,34 @@
+# {{ ansible_managed }}
+server {
+
+    listen {{ keystone_nginx_ports[item] }};
+
+    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
+    ssl                     on;
+    ssl_protocols           {{ keystone_ssl_protocol }};
+    ssl_certificate         {{ keystone_ssl_cert }};
+    ssl_certificate_key     {{ keystone_ssl_key }};
+    ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
+    ssl_ciphers             {{ keystone_ssl_cipher_suite }};
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache   shared:SSL:2m;
+    ssl_session_timeout 2m;
+    {%- endif %}
+
+    {% for line in keystone_nginx_extra_conf %}
+    {{ line }}
+    {%- endfor %}
+
+    access_log  /var/log/nginx/{{ item }}-access.log custom;
+    error_log   /var/log/nginx/{{ item }}-error.log info;
+
+    location / {
+        try_files   $uri @yourapplication;
+    }
+
+    location @yourapplication {
+        include     uwsgi_params;
+        uwsgi_pass  127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
+        uwsgi_param SCRIPT_NAME {{ item }};
+    }
+}
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -42,6 +42,9 @@ keystone_apache_packages:
  - httpd
  - httpd-tools

+keystone_nginx_packages:
+  - nginx
+
 keystone_idp_packages:
  - xmlsec1

--- a/vars/ubuntu-14.04.yml
+++ b/vars/ubuntu-14.04.yml
@ -38,6 +38,9 @@ keystone_apache_packages:
  - apache2-utils
  - libapache2-mod-wsgi

+keystone_nginx_packages:
+  - nginx-full
+
 # The old name has been deprecated, remove the variables with the deprecation filers and change the package variable names.
 _keystone_idp_packages:
  - ssl-cert
--- a/vars/ubuntu-16.04.yml
+++ b/vars/ubuntu-16.04.yml
@ -35,6 +35,9 @@ keystone_apache_packages:
  - apache2-utils
  - libapache2-mod-wsgi

+keystone_nginx_packages:
+  - nginx-full
+
 keystone_idp_packages:
  - ssl-cert
  - xmlsec1