From 19b028e660fde34d83311025b5a4a1d4d3d59e2e Mon Sep 17 00:00:00 2001
From: James Kirsch <generalfuzz@gmail.com>
Date: Thu, 6 Aug 2020 13:09:01 -0700
Subject: [PATCH] Add Keep Alive Timeout for httpd

This patch introduces a global keep alive timeout value for services
that leverage httpd + wsgi to handle http/https requests. The default
value is one minute.

Change-Id: Icf7cb0baf86b428a60a7e9bbed642999711865cd
Partially-Implements: blueprint add-ssl-internal-network
---
 ansible/group_vars/all.yml                            | 11 ++++++++++-
 ansible/roles/aodh/templates/wsgi-aodh.conf.j2        |  1 +
 ansible/roles/cinder/templates/cinder-wsgi.conf.j2    |  1 +
 .../cloudkitty/templates/wsgi-cloudkitty.conf.j2      |  1 +
 .../roles/freezer/templates/wsgi-freezer-api.conf.j2  |  1 +
 ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2  |  1 +
 .../roles/heat/templates/wsgi-heat-api-cfn.conf.j2    |  1 +
 ansible/roles/heat/templates/wsgi-heat-api.conf.j2    |  1 +
 .../roles/keystone/templates/wsgi-keystone.conf.j2    |  1 +
 .../roles/masakari/templates/wsgi-masakari.conf.j2    |  1 +
 .../monasca/templates/monasca-api/wsgi-api.conf.j2    |  1 +
 ansible/roles/panko/templates/wsgi-panko.conf.j2      |  1 +
 .../placement/templates/placement-api-wsgi.conf.j2    |  1 +
 ansible/roles/qinling/templates/wsgi-qinling.conf.j2  |  1 +
 ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2  |  1 +
 ansible/roles/zun/templates/wsgi-zun.conf.j2          |  1 +
 etc/kolla/globals.yml                                 | 11 ++++++++++-
 ...keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml |  6 ++++++
 18 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 507051cfc6..715cce6ebf 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -758,10 +758,19 @@ kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
 kolla_admin_openrc_cacert: ""
 kolla_copy_ca_into_containers: "no"
-kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
 haproxy_backend_cacert_dir: "/etc/ssl/certs"
+
+##################
+# Backend options
+##################
+kolla_httpd_keep_alive: "60"
+
+######################
+# Backend TLS options
+######################
 kolla_enable_tls_backend: "no"
+kolla_verify_tls_backend: "yes"
 kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
 kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
 
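Review bot: `kolla_httpd_keep_alive` is added with no comment stating its unit or what it controls, and its `"60"` default is well above httpd's stock KeepAliveTimeout of 5 seconds. A longer idle window keeps each persistent connection, and depending on the MPM a worker, occupied for longer, so the value should be chosen together with the worker limits and with the idle timeout of whatever proxy sits in front (presumably HAProxy, judging by the surrounding variables). I would add above the variable `# Seconds httpd waits for the next request on an idle persistent connection; rendered as KeepAliveTimeout in the wsgi templates`. The commented example `#kolla_httpd_keep_alive: "60"` in the etc/kolla/globals.yml hunk needs the same line.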
diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
index 152f97d38b..2b790afc1f 100644
--- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
+++ b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ aodh_api_l
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ aodh_log_dir }}/apache-error.log"
 <IfModule log_config_module>
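Review bot: The added `KeepAliveTimeout {{ kolla_httpd_keep_alive }}` carries no explanation, and it is easy to read as a general connection timeout when it bounds only the idle wait between requests on an already-open connection. It does not limit slow request headers or bodies (those fall under `Timeout` and mod_reqtimeout's `RequestReadTimeout`), and it has effect only while `KeepAlive` is on, which is httpd's default; no `KeepAlive` directive is visible in this hunk. I would put `{# Idle wait between requests on a persistent connection, in seconds; slow request reads are bounded elsewhere #}` above the directive. The same applies to the identical line added in the cinder, cloudkitty, freezer, gnocchi, both heat, keystone, masakari, monasca, panko, placement, qinling, vitrage and zun templates; each file continues outside its hunk.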
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index 2d98e73a7e..58d3b700c1 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@@ -15,6 +15,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cinder_api
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 {% if cinder_logging_debug | bool %}
 LogLevel info
diff --git a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
index 0c9e4fd8b4..39776d1528 100644
--- a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
+++ b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
@@ -6,6 +6,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ cloudkitty
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ cloudkitty_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2 b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
index c5e147071a..c71b75c0ed 100644
--- a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
+++ b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
@@ -5,6 +5,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ freezer_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ freezer_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
index 672016c9f3..bb745351be 100644
--- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ gnocchi_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ gnocchi_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
index da49496894..1269803c22 100644
--- a/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
+++ b/ansible/roles/heat/templates/wsgi-heat-api-cfn.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_c
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 <Directory "{{ binary_path }}">
     <FilesMatch "heat-wsgi-api-cfn">
diff --git a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2 b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
index f5423e4918..067866505f 100644
--- a/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
+++ b/ansible/roles/heat/templates/wsgi-heat-api.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ heat_api_l
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 <Directory "{{ binary_path }}">
     <FilesMatch "heat-wsgi-api">
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index ec1aa43d2f..5cd5d0c46a 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -18,6 +18,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_a
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ keystone_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2 b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
index 1c20de3c95..734d8f7579 100644
--- a/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
+++ b/ansible/roles/masakari/templates/wsgi-masakari.conf.j2
@@ -11,6 +11,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ masakari_a
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ masakari_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2 b/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
index ceb26e88d0..5362f13014 100644
--- a/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
+++ b/ansible/roles/monasca/templates/monasca-api/wsgi-api.conf.j2
@@ -5,6 +5,7 @@
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ monasca_api_port }}
 
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ monasca_log_dir }}/apache-api-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/panko/templates/wsgi-panko.conf.j2 b/ansible/roles/panko/templates/wsgi-panko.conf.j2
index 89d902721e..e6d83f160d 100644
--- a/ansible/roles/panko/templates/wsgi-panko.conf.j2
+++ b/ansible/roles/panko/templates/wsgi-panko.conf.j2
@@ -6,6 +6,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ panko_api_
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ panko_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2 b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
index 26d68199cf..02e051cf32 100644
--- a/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/placement/templates/placement-api-wsgi.conf.j2
@@ -17,6 +17,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ placement_
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 {% if placement_logging_debug | bool %}
 LogLevel info
diff --git a/ansible/roles/qinling/templates/wsgi-qinling.conf.j2 b/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
index 3f9df860dc..6eceb64f8e 100644
--- a/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
+++ b/ansible/roles/qinling/templates/wsgi-qinling.conf.j2
@@ -10,6 +10,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ qinling_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ qinling_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2 b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
index f8184f1ccb..5953671af1 100644
--- a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
@@ -5,6 +5,7 @@ Listen {{ 'api' | kolla_address | put_address_in_context('url') }}:{{ vitrage_ap
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ vitrage_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2
index 5fa866e168..fecbb63577 100644
--- a/ansible/roles/zun/templates/wsgi-zun.conf.j2
+++ b/ansible/roles/zun/templates/wsgi-zun.conf.j2
@@ -5,6 +5,7 @@ Listen {{ api_interface_address | put_address_in_context('url') }}:{{ zun_api_po
 ServerSignature Off
 ServerTokens Prod
 TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 ErrorLog "{{ zun_log_dir }}/apache-error.log"
 <IfModule log_config_module>
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 4d5348728e..5352dda9e7 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -191,10 +191,19 @@
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
 #kolla_admin_openrc_cacert: ""
 #kolla_copy_ca_into_containers: "no"
-#kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
 #haproxy_backend_cacert_dir: "/etc/ssl/certs"
+
+##################
+# Backend options
+##################
+#kolla_httpd_keep_alive: "60"
+
+#####################
+# Backend TLS options
+#####################
 #kolla_enable_tls_backend: "no"
+#kolla_verify_tls_backend: "yes"
 #kolla_tls_backend_cert: "{{ kolla_certificates_dir }}/backend-cert.pem"
 #kolla_tls_backend_key: "{{ kolla_certificates_dir }}/backend-key.pem"
 
diff --git a/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml b/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml
new file mode 100644
index 0000000000..92d9d49861
--- /dev/null
+++ b/releasenotes/notes/add-keep-alive-timeout-for-httpd-0d51a9d139c50f66.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Adds configuration parameter ``kolla_httpd_keep_alive`` to configure the
+    keep-alive timeout for services that use httpd to handle HTTP requests.
+    The default value is 60 seconds.