From 2e7b4f2027a1147ca28301e4f88adf8274b39a1f Mon Sep 17 00:00:00 2001 From: DUVAL Thomas Date: Thu, 9 Jun 2016 09:11:50 +0200 Subject: Update Keystone core to Mitaka. Change-Id: Ia10d6add16f4a9d25d1f42d420661c46332e69db --- keystone-moon/doc/source/apache-httpd.rst | 74 +++++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 9 deletions(-) (limited to 'keystone-moon/doc/source/apache-httpd.rst') diff --git a/keystone-moon/doc/source/apache-httpd.rst b/keystone-moon/doc/source/apache-httpd.rst index dbebc86e..1436ddad 100644 --- a/keystone-moon/doc/source/apache-httpd.rst +++ b/keystone-moon/doc/source/apache-httpd.rst 
@@ -19,17 +19,73 @@ Running Keystone in HTTPD ========================= -.. WARNING:: +mod_proxy_uwsgi +--------------- + +The recommended keystone deployment is to have a real web server such as Apache +HTTPD or nginx handle the HTTP connections and proxy requests to an independent +keystone server (or servers) running under a wsgi container such as uwsgi or +gunicorn. The typical deployment will have several applications proxied by the +web server (for example horizon on /dashboard and keystone on /identity, +/identity_admin, port :5000, and :35357). Proxying allows the applications to +be shut down and restarted independently, and a problem in one application +isn't going to affect the web server or other applications. The servers can +easily be run in their own virtualenvs. + +The httpd/ directory contains sample files for configuring HTTPD to proxy +requests to keystone servers running under uwsgi. + +Copy the `httpd/uwsgi-keystone.conf` sample configuration file to the +appropriate location for your Apache server, on Debian/Ubuntu systems it is:: + + /etc/apache2/sites-available/uwsgi-keystone.conf + +On Red Hat based systems it is:: + + /etc/httpd/conf.d/uwsgi-keystone.conf + +Update the file to match your system configuration. Enable TLS by supplying the +correct certificates. + +Enable mod_proxy_uwsgi. + +* On Ubuntu the required package is libapache2-mod-proxy-uwsgi; enable using + ``sudo a2enmod proxy`` +* On Fedora the required package is mod_proxy_uwsgi; enable by creating a file + ``/etc/httpd/conf.modules.d/11-proxy_uwsgi.conf`` containing + ``LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so`` - Running Keystone under HTTPD in the recommended (and tested) configuration - does not support the use of ``Transfer-Encoding: chunked``. This is due to - a limitation with the WSGI spec and the implementation used by - ``mod_wsgi``. It is recommended that all clients assume Keystone will not - support ``Transfer-Encoding: chunked``. 
+Enable the site by creating a symlink from the file in ``sites-available`` to +``sites-enabled``, for example, on Debian/Ubuntu systems +(not required on Red Hat based systems):: + + ln -s /etc/apache2/sites-available/uwsgi-keystone.conf /etc/apache2/sites-enabled/ + +Start or restart HTTPD to pick up the new configuration. + +Now configure and start the uwsgi services. Copy the +`httpd/keystone-uwsgi-admin.ini` and `httpd/keystone-uwsgi-public.ini` files to +`/etc/keystone`. Update the files to match your system configuration (for +example, you'll want to set the number of threads for the public and admin +servers). +Start up the keystone servers using uwsgi:: + + $ sudo pip install uwsgi + $ uwsgi /etc/keystone/keystone-uwsgi-admin.ini + $ uwsgi /etc/keystone/keystone-uwsgi-public.ini + + +mod_wsgi +-------- + +.. WARNING:: -Files ------ + Running Keystone under HTTPD in this configuration does not support the use + of ``Transfer-Encoding: chunked``. This is due to a limitation with the + WSGI spec and the implementation used by ``mod_wsgi``. It is recommended + that all clients assume Keystone will not support + ``Transfer-Encoding: chunked``. Copy the ``httpd/wsgi-keystone.conf`` sample configuration file to the appropriate location for your Apache server, on Debian/Ubuntu systems @@ -55,7 +111,7 @@ Enable the site by creating a symlink from the file in ``sites-available`` to ``sites-enabled``, for example, on Debian/Ubuntu systems (not required on Red Hat based systems):: - ln -s /etc/apache2/sites-available/keystone.conf /etc/apache2/sites-enabled/ + ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled/ Restart Apache to have it start serving keystone. -- cgit 1.2.3-korg
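Review bot: In the first hunk, the Ubuntu bullet under "Enable mod_proxy_uwsgi." only runs ``sudo a2enmod proxy``, which enables the base proxy module but not the uwsgi module that the Fedora bullet loads with ``LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so``. Suggest adding ``sudo a2enmod proxy_uwsgi`` to the Ubuntu bullet so both platforms end up with the same module loaded. Two smaller points in the same hunk: the new file names use single backticks (`httpd/uwsgi-keystone.conf`, `/etc/keystone`) while the existing text uses double-backtick literals such as ``httpd/wsgi-keystone.conf``, and "Enable TLS by supplying the correct certificates" does not say which directives in the sample file need editing. Since the ``Transfer-Encoding: chunked`` warning is now scoped to the mod_wsgi section, one sentence stating whether the limitation also applies to the uwsgi deployment would help readers choosing between the two.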
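Review bot: In the second hunk (mod_wsgi section), the corrected ``ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled/`` line is shown without ``sudo`` and without a prompt, although it writes under /etc/apache2, while the uwsgi commands added in the first hunk use ``$ sudo ...``. Suggest using one convention for both sections, or replacing the manual symlink with ``sudo a2ensite wsgi-keystone`` on Debian/Ubuntu. The page now gives two "Enable the site" steps, one per section, so it would also help to state that the mod_proxy_uwsgi and mod_wsgi sites are alternatives and that only one of them should be enabled.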