Templates for OpenStack Antelope version

Main changes compared to Yoga templates:

- All API services, except Keystone, handled by uwsgi instead of the
  openstack-xxx-api service (recommended configuration)
- https terminated by a Nginx proxy for all API services, including
  the WSGI apps run into Apache (Keystone, Horizon)

defaults/openstack/functions.pan

@@ -137,3 +137,35 @@ function openstack_add_if_defined = {
         null;
     };
 };
+
+
+@documentation {
+
+This function returns a filecopy/services entry to load the policy file passed as argument,
+after checking it as a valid extension
+
+Arguments:
+  - Name of the service the policy applies to (must match a directory under /etc on the target server)
+  - File path containing the policy source, relative to the current loadpath
+}
+function openstack_load_policy = {
+    if ( ARGC != 2 ) {
+        error('openstack_load_policy usage: openstack_load_policy(service, policy_file)');
+    };
+    service = ARGV[0];
+    policy_source = ARGV[1];
+    if ( is_defined(policy_source) ) {
+        if ( !match(policy_source, '.*\.yaml$') ) {
+            error('policy_source must be a file name with the extension .yaml');
+        };
+        policy_file = format('/etc/%s/policy.yaml', service);
+        SELF[escape(policy_file)] = dict(
+            'config', file_contents(policy_source),
+            'owner', 'root',
+            'perms', '0644',
+            'backup', true,
+        );
+    };
+
+    SELF;
+};

defaults/openstack/utils.pan

@@ -40,8 +40,8 @@ prefix '/software/components/filecopy/services';
     OS_GLANCE_CONTROLLER_HOST,
     OS_NOVA_CONTROLLER_HOST,
     OS_NEUTRON_CONTROLLER_HOST,
-    OS_HEAT_HOST,
-    OS_HEAT_HOST,
+    OS_HEAT_CONTROLLER_HOST,
+    OS_HEAT_CONTROLLER_HOST,
     OS_CINDER_CONTROLLER_HOST,
     OS_CINDER_CONTROLLER_HOST,
     OS_CEILOMETER_CONTROLLER_HOST,

features/barbican/config.pan

@@ -2,6 +2,11 @@ unique template features/barbican/config;
 
 variable OS_NODE_SERVICES = append('barbican');
 
+final variable OS_BARBICAN_API_PROCESSES ?= 8;
+final variable OS_BARBICAN_LOG_DIR ?= '/var/log/barbican';
+final variable OS_BARBICAN_GROUP ?= OS_BARBICAN_USERNAME;
+
+
 # Load some useful functions
 include 'defaults/openstack/functions';
 
@@ -11,11 +16,13 @@ include 'types/openstack/barbican';
 # Include general openstack variables
 include 'defaults/openstack/config';
 
+# Include policy file if OS_BARBICAN_POLICY is defined
+include 'components/filecopy/config';
+'/software/components/filecopy/services' = openstack_load_policy('barbican', OS_BARBICAN_POLICY);
+
+
 include 'features/barbican/rpms';
 
-include 'components/systemd/config';
-prefix '/software/components/systemd/unit';
-'httpd/startstop' = true;
 
 ###################################
 # Configuration file for Barbican #
@@ -26,7 +33,6 @@ prefix '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}';
 'module' = 'tiny';
 'convert/joincomma' = true;
 'convert/truefalse' = true;
-'daemons/httpd' = 'restart';
 # Restart memcached to ensure considtency with service configuration changes
 'daemons/memcached' = 'restart';
 bind '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}/contents' = openstack_barbican_config;
@@ -35,37 +41,34 @@ bind '/software/components/metaconfig/services/{/etc/barbican/barbican.conf}/con
 # [DEFAULT] section
 'contents/DEFAULT' = openstack_load_config('features/openstack/base');
 'contents/DEFAULT' = openstack_load_config('features/openstack/logging/' + OS_LOGGING_TYPE);
-'contents/DEFAULT' = openstack_load_ssl_config( OS_BARBICAN_PROTOCOL == 'https' );
 'contents/DEFAULT/my_ip' = PRIMARY_IP;
 'contents/DEFAULT/log_file' = 'barbican-api.log';
-'contents/DEFAULT/host_href' = format('%s://%s:%s', OS_BARBICAN_PROTOCOL, OS_BARBICAN_HOST, OS_BARBICAN_PORT);
+'contents/DEFAULT/host_href' = format('%s://%s:%s',
+                                      OS_BARBICAN_PROTOCOL,
+                                      OS_BARBICAN_PUBLIC_HOST,
+                                      if ( is_defined(OS_BARBICAN_PUBLIC_PORT) ) OS_BARBICAN_PUBLIC_PORT else OS_BARBICAN_CONTROLLER_PORT);
 'contents/DEFAULT/log_dir' = '/var/log/barbican';
+'contents/DEFAULT/rpc_response_timeout' = 120;
 'contents/DEFAULT/sql_connection' = format('mysql+pymysql://%s:%s@%s/barbican', OS_BARBICAN_DB_USERNAME, OS_BARBICAN_DB_PASSWORD, OS_BARBICAN_DB_HOST);
+'contents/DEFAULT/wsgi_default_pool_size' = OS_BARBICAN_WSGI_POOL_SIZE;
 
 # [keystone_authtoken] section
 'contents/keystone_authtoken' = openstack_load_config(OS_AUTH_CLIENT_CONFIG);
 'contents/keystone_authtoken/username' = OS_BARBICAN_USERNAME;
 'contents/keystone_authtoken/password' = OS_BARBICAN_PASSWORD;
 
+#[oslo_messaging_rabbit] section
+'contents/oslo_messaging_rabbit' = openstack_load_config('features/rabbitmq/openstack/client/base');
+'contents/oslo_messaging_rabbit/heartbeat_in_pthread' = false;
+'contents/oslo_messaging_rabbit/kombu_missing_consumer_retry_timeout' = 120;
 
-# ############
-# httpd conf #
-# ############
-
-prefix '/software/components/metaconfig/services/{/etc/httpd/conf.d/wsgi-barbican.conf}';
-'module' = 'openstack/wsgi-barbican';
-'daemons/httpd' = 'restart';
-'contents/listen' = '9311';
+###################
+# Configure uSWGI #
+###################
+include 'features/barbican/uwsgi/config';
 
-'contents/vhosts/0/port' = 9311;
-'contents/vhosts/0/processgroup' = 'barbican-api';
-'contents/vhosts/0/script' = ' /usr/lib/python3.6/site-packages/barbican/api/app.wsgi';
-'contents/vhosts/0/ssl' = openstack_load_ssl_config( OS_BARBICAN_PROTOCOL == 'https' );
 
-# Load TT file to configure Barbican virtual host
-# Run metaconfig in case the TT file was modified and configuration must be regenerated
-include 'components/filecopy/config';
-'/software/components/filecopy/dependencies/post' = openstack_add_component_dependency('metaconfig');
-prefix '/software/components/filecopy/services/{/usr/share/templates/quattor/metaconfig/openstack/wsgi-barbican.tt}';
-'config' = file_contents('features/barbican/metaconfig/wsgi-barbican.tt');
-'perms' = '0644';
+#########################################
+# Configure SSL proxy if SSL is enabled #
+#########################################
+include if ( OS_BARBICAN_PROTOCOL == 'https' ) 'features/barbican/nginx/config';

features/barbican/metaconfig/wsgi-barbican.tt

@@ -7,7 +7,7 @@ Listen [% port %]
 <VirtualHost *:[% vhost.port %]>
     WSGIDaemonProcess [% vhost.processgroup %] processes=2 threads=8 user=barbican group=barbican display-name=%{GROUP}
     WSGIProcessGroup [% vhost.processgroup %]
-    WSGIScriptAlias / [% vhost.script %]
+    WSGIScriptAlias / [% vhost.script_path %]/[% vhost.script_name %]
     WSGIApplicationGroup %{GLOBAL}
     WSGIPassAuthorization On
     <IfVersion >= 2.4>
@@ -23,7 +23,7 @@ Listen [% port %]
     ErrorLog /var/log/httpd//barbican_wsgi_main_error_ssl.log
     CustomLog /var/log/httpd/barbican_wsgi_main_access_ssl.log combined
 
-    <Directory /usr/lib/python3.6/site-packages/barbican/api>
+    <Directory [% vhost.script_path %]>
         <IfVersion >= 2.4>
             Require all granted
         </IfVersion>

features/barbican/nginx/config.pan

@@ -0,0 +1,24 @@
+# Add a Nginx VH for handling barbican https requests
+
+unique template features/barbican/nginx/config;
+
+variable OS_BARBICAN_PUBLIC_HOST ?= error('OS_BARBICAN_PUBLIC_HOST must be defined when using SSL with Barbican');
+variable OS_BARBICAN_PUBLIC_PORT ?= error('OS_BARBICAN_PUBLIC_PORT must be defined when using SSL with Barbican');
+
+include 'types/openstack/core';
+
+# Add Nginx and its base configuration
+include 'features/nginx/openstack/config';
+
+# Nginx proxy configuration for Barbican
+prefix '/software/components/metaconfig/services/{/etc/nginx/conf.d/barbican.conf}';
+'module' = 'openstack/nginx-proxy';
+'daemons/nginx' = 'restart';
+bind '/software/components/metaconfig/services/{/etc/nginx/conf.d/barbican.conf}/contents' = openstack_nginx_proxy_config;
+
+'contents/bind_port' = OS_BARBICAN_PUBLIC_PORT;
+'contents/proxy_host' = OS_BARBICAN_CONTROLLER_HOST;
+'contents/proxy_port' = OS_BARBICAN_CONTROLLER_PORT;
+'contents/server_name' = OS_BARBICAN_PUBLIC_HOST;
+'contents/service' = 'barbican';
+'contents/ssl' = openstack_load_ssl_config( true );

features/barbican/rpms.pan

@@ -7,7 +7,6 @@ include 'defaults/openstack/functions';
     pkg_repl('python3-barbican');
     pkg_repl('openstack-barbican-api');
     pkg_repl('libibverbs');
-    openstack_add_httpd_packages( OS_BARBICAN_PROTOCOL == 'https' );
 
     SELF;
 };

features/barbican/uwsgi/config.pan

@@ -0,0 +1,29 @@
+unique template features/barbican/uwsgi/config;
+
+
+include 'features/uwsgi/openstack/config';
+
+# Load TT file to configure uwsgi application
+# Run metaconfig in case the TT file was modified and configuration must be regenerated
+include 'components/filecopy/config';
+'/software/components/filecopy/dependencies/post' = openstack_add_component_dependency('metaconfig');
+prefix '/software/components/filecopy/services/{/usr/share/templates/quattor/metaconfig/openstack/barbican-api.tt}';
+'config' = file_contents('features/uwsgi/openstack/vassal-paste_deploy.ini.tt');
+'perms' = '0644';
+
+# uwsgi configuration for Barbican API: no explicit restart needed, handled by uwsgi when config file changes
+prefix '/software/components/metaconfig/services/{/etc/uwsgi.d/barbican-api.ini}';
+'module' = 'openstack/barbican-api';
+# Owner/group must match the one used to run the application
+'group' = OS_BARBICAN_GROUP;
+'owner' = OS_BARBICAN_USERNAME;
+bind '/software/components/metaconfig/services/{/etc/uwsgi.d/barbican-api.ini}/contents' = openstack_uwsgi_application_config;
+
+'contents/bind_host' = OS_BARBICAN_CONTROLLER_HOST;
+'contents/bind_port' = OS_BARBICAN_CONTROLLER_PORT;
+'contents/config_files' = list('/etc/barbican/barbican.conf');
+'contents/group' = OS_BARBICAN_GROUP;
+'contents/log_file' = format("%s/api.log", OS_BARBICAN_LOG_DIR);
+'contents/processes' = OS_BARBICAN_API_PROCESSES;
+'contents/user' = OS_BARBICAN_USERNAME;
+'contents/wsgi_file' = '/etc/barbican/barbican-api-paste.ini';

features/cinder/config.pan

@@ -11,13 +11,23 @@ include 'types/openstack/cinder';
 # Include general openstack variables
 include 'defaults/openstack/config';
 
+variable OS_CINDER_API_PROCESSES ?= 8;
+variable OS_CINDER_GROUP ?= OS_CINDER_USERNAME;
+variable OS_CINDER_LOG_DIR ?= '/var/log/cinder';
+
+
+# Include policy file if OS_CINDER_POLICY is defined
+include 'components/filecopy/config';
+'/software/components/filecopy/services' = openstack_load_policy('cinder', OS_CINDER_POLICY);
+
 # Load Cinder RPMs
 include 'features/cinder/rpms';
 
 # Configure services
 include 'components/systemd/config';
 prefix '/software/components/systemd/unit';
 'openstack-cinder-api/startstop' = true;
+'openstack-cinder-api/state' = "disabled";
 'openstack-cinder-scheduler/startstop' = true;
 'openstack-cinder-volume/startstop' = true;
 
@@ -27,7 +37,7 @@ prefix '/software/components/metaconfig/services/{/etc/cinder/cinder.conf}';
 'module' = 'tiny';
 'convert/truefalse' = true;
 'convert/joincomma' = true;
-'daemons/openstack-cinder-api' = 'restart';
+# Do not restart API on configuration change as it is controlled by uwsgi
 'daemons/openstack-cinder-scheduler' = 'restart';
 'daemons/openstack-cinder-volume' = 'restart';
 # Restart memcached to ensure considtency with service configuration changes
@@ -58,11 +68,17 @@ bind '/software/components/metaconfig/services/{/etc/cinder/cinder.conf}/content
 
 #[oslo_messaging_rabbit] section
 'contents/oslo_messaging_rabbit' = openstack_load_config('features/rabbitmq/openstack/client/base');
-
+'contents/oslo_messaging_rabbit/heartbeat_in_pthread' = false;
 
 # Configure Cinder backends
 include 'features/cinder/backend/config';
 
+###################
+# Configure uSWGI #
+###################
+include 'features/cinder/uwsgi/config';
+
+
 # Configure SSL proxy if SSL is enabled #
 include if ( OS_CINDER_CONTROLLER_PROTOCOL == 'https' ) 'features/cinder/nginx/config';
 

features/cinder/nginx/config.pan

@@ -10,7 +10,7 @@ include 'types/openstack/core';
 # Add Nginx and its base configuration
 include 'features/nginx/openstack/config';
 
-# Nginx proxy configuration for Glance
+# Nginx proxy configuration for Cinder
 prefix '/software/components/metaconfig/services/{/etc/nginx/conf.d/cinder.conf}';
 'module' = 'openstack/nginx-proxy';
 'daemons/nginx' = 'restart';
@@ -25,5 +25,6 @@ bind '/software/components/metaconfig/services/{/etc/nginx/conf.d/cinder.conf}/c
 
 # Define bind port used by Cinder and its public endpoint
 prefix '/software/components/metaconfig/services/{/etc/cinder/cinder.conf}';
+'contents/DEFAULT/osapi_volume_listen' = OS_CINDER_CONTROLLER_HOST;
 'contents/DEFAULT/osapi_volume_listen_port' = OS_CINDER_CONTROLLER_PORT;
 'contents/DEFAULT/public_endpoint' = format('https://%s:%s', OS_CINDER_PUBLIC_HOST, OS_CINDER_PUBLIC_PORT);

features/cinder/uwsgi/config.pan

@@ -0,0 +1,30 @@
+unique template features/cinder/uwsgi/config;
+
+
+include 'features/uwsgi/openstack/config';
+
+# Load TT file to configure uwsgi application
+# Run metaconfig in case the TT file was modified and configuration must be regenerated
+include 'components/filecopy/config';
+'/software/components/filecopy/dependencies/post' = openstack_add_component_dependency('metaconfig');
+prefix '/software/components/filecopy/services/{/usr/share/templates/quattor/metaconfig/openstack/cinder-api.tt}';
+'config' = file_contents('features/uwsgi/openstack/vassal-generic.ini.tt');
+'perms' = '0644';
+
+# uwsgi configuration for Cinder API: no explicit restart needed, handled by uwsgi when config file changes
+prefix '/software/components/metaconfig/services/{/etc/uwsgi.d/cinder-api.ini}';
+'module' = 'openstack/cinder-api';
+# Owner/group must match the one used to run the application
+'group' = OS_CINDER_GROUP;
+'owner' = OS_CINDER_USERNAME;
+bind '/software/components/metaconfig/services/{/etc/uwsgi.d/cinder-api.ini}/contents' = openstack_uwsgi_application_config;
+
+'contents/bind_host' = OS_CINDER_CONTROLLER_HOST;
+'contents/bind_port' = OS_CINDER_CONTROLLER_PORT;
+'contents/config_files' = list('/etc/cinder/cinder.conf');
+'contents/group' = OS_CINDER_GROUP;
+'contents/log_file' = format("%s/uwsgi-api.log", OS_CINDER_LOG_DIR);
+'contents/processes' = OS_CINDER_API_PROCESSES;
+'contents/threads' = 1;
+'contents/user' = OS_CINDER_USERNAME;
+'contents/wsgi_file' = '/usr/bin/cinder-wsgi';