nova: Split out metadata to a separate container

This is needed for introducing standalone uWSGI

Change-Id: I7c7213eed10dc408238071a43fd89d5e66665e7b

ansible/inventory/all-in-one

@@ -211,6 +211,9 @@ nova
 [nova-conductor:children]
 nova
 
+[nova-metadata:children]
+nova
+
 [nova-super-conductor:children]
 nova
 

ansible/inventory/multinode

@@ -229,6 +229,9 @@ nova
 [nova-conductor:children]
 nova
 
+[nova-metadata:children]
+nova
+
 [nova-super-conductor:children]
 nova
 

ansible/roles/nova/defaults/main.yml

@@ -25,6 +25,15 @@ nova_services:
         port: "{{ nova_api_public_port }}"
         listen_port: "{{ nova_api_listen_port }}"
         tls_backend: "{{ nova_enable_tls_backend }}"
+  nova-metadata:
+    container_name: "nova_metadata"
+    group: "nova-metadata"
+    image: "{{ nova_api_image_full }}"
+    enabled: True
+    volumes: "{{ nova_metadata_default_volumes + nova_metadata_extra_volumes }}"
+    dimensions: "{{ nova_metadata_dimensions }}"
+    healthcheck: "{{ nova_metadata_healthcheck }}"
+    haproxy:
       nova_metadata:
         enabled: "{{ enable_nova }}"
         mode: "http"
@@ -118,6 +127,7 @@ nova_api_tag: "{{ nova_tag }}"
 nova_api_image_full: "{{ nova_api_image }}:{{ nova_api_tag }}"
 
 nova_api_dimensions: "{{ default_container_dimensions }}"
+nova_metadata_dimensions: "{{ default_container_dimensions }}"
 nova_scheduler_dimensions: "{{ default_container_dimensions }}"
 nova_super_conductor_dimensions: "{{ default_container_dimensions }}"
 
@@ -134,6 +144,19 @@ nova_api_healthcheck:
   test: "{% if nova_api_enable_healthchecks | bool %}{{ nova_api_healthcheck_test }}{% else %}NONE{% endif %}"
   timeout: "{{ nova_api_healthcheck_timeout }}"
 
+nova_metadata_enable_healthchecks: "{{ enable_container_healthchecks }}"
+nova_metadata_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
+nova_metadata_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
+nova_metadata_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
+nova_metadata_healthcheck_test: ["CMD-SHELL", "healthcheck_curl {{ 'https' if nova_enable_tls_backend | bool else 'http' }}://{{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }} "]
+nova_metadata_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
+nova_metadata_healthcheck:
+  interval: "{{ nova_metadata_healthcheck_interval }}"
+  retries: "{{ nova_metadata_healthcheck_retries }}"
+  start_period: "{{ nova_metadata_healthcheck_start_period }}"
+  test: "{% if nova_metadata_enable_healthchecks | bool %}{{ nova_metadata_healthcheck_test }}{% else %}NONE{% endif %}"
+  timeout: "{{ nova_metadata_healthcheck_timeout }}"
+
 nova_scheduler_enable_healthchecks: "{{ enable_container_healthchecks }}"
 nova_scheduler_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
 nova_scheduler_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
@@ -167,6 +190,12 @@ nova_api_default_volumes:
   - "/lib/modules:/lib/modules:ro"
   - "kolla_logs:/var/log/kolla/"
   - "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}"
+nova_metadata_default_volumes:
+  - "{{ node_config_directory }}/nova-metadata/:{{ container_config_directory }}/:ro"
+  - "/etc/localtime:/etc/localtime:ro"
+  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
+  - "kolla_logs:/var/log/kolla/"
+  - "{{ kolla_dev_repos_directory ~ '/nova:/dev-mode/nova' if nova_dev_mode | bool else '' }}"
 nova_scheduler_default_volumes:
   - "{{ node_config_directory }}/nova-scheduler/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
@@ -189,6 +218,7 @@ nova_api_bootstrap_default_volumes:
 
 nova_extra_volumes: "{{ default_extra_volumes }}"
 nova_api_extra_volumes: "{{ nova_extra_volumes }}"
+nova_metadata_extra_volumes: "{{ nova_extra_volumes }}"
 nova_scheduler_extra_volumes: "{{ nova_extra_volumes }}"
 nova_super_conductor_extra_volumes: "{{ nova_extra_volumes }}"
 # Used by bootstrapping containers.

ansible/roles/nova/handlers/main.yml

@@ -49,3 +49,20 @@
     healthcheck: "{{ service.healthcheck | default(omit) }}"
   when:
     - kolla_action != "upgrade" or not nova_safety_upgrade | bool
+
+- name: Restart nova-metadata container
+  vars:
+    service_name: "nova-metadata"
+    service: "{{ nova_services[service_name] }}"
+  become: true
+  kolla_container:
+    action: "recreate_or_restart_container"
+    common_options: "{{ docker_common_options }}"
+    name: "{{ service.container_name }}"
+    image: "{{ service.image }}"
+    privileged: "{{ service.privileged | default(False) }}"
+    volumes: "{{ service.volumes | reject('equalto', '') | list }}"
+    dimensions: "{{ service.dimensions }}"
+    healthcheck: "{{ service.healthcheck | default(omit) }}"
+  when:
+    - kolla_action != "upgrade" or not nova_safety_upgrade | bool

ansible/roles/nova/tasks/config.yml

@@ -89,6 +89,16 @@
   become: true
   when: service | service_enabled_and_mapped_to_host
 
+- name: Copying over nova-metadata-wsgi.conf
+  vars:
+    service: "{{ nova_services['nova-metadata'] }}"
+  template:
+    src: "nova-metadata-wsgi.conf.j2"
+    dest: "{{ node_config_directory }}/nova-metadata/nova-metadata-wsgi.conf"
+    mode: "0660"
+  become: true
+  when: service | service_enabled_and_mapped_to_host
+
 - name: Copying over vendordata file
   vars:
     service: "{{ nova_services['nova-api'] }}"

ansible/roles/nova/templates/nova-api-wsgi.conf.j2

@@ -8,7 +8,6 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
 {% endif %}
 {% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }}
-Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
 
 ServerSignature Off
 ServerTokens Prod
@@ -17,7 +16,7 @@ TimeOut {{ kolla_httpd_timeout }}
 KeepAliveTimeout {{ kolla_httpd_keep_alive }}
 
 <Directory "{{ wsgi_directory }}">
-    <FilesMatch "^nova-(api-wsgi|metadata-wsgi)$">
+    <FilesMatch "^nova-api-wsgi$">
         Options None
         Require all granted
     </FilesMatch>
@@ -50,22 +49,3 @@ LogLevel info
     SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
 {% endif %}
 </VirtualHost>
-
-<VirtualHost *:{{ nova_metadata_listen_port }}>
-    WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api
-    WSGIProcessGroup nova-metadata
-    WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
-    WSGIApplicationGroup %{GLOBAL}
-    WSGIPassAuthorization On
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-    ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
-    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
-    CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
-{% if nova_enable_tls_backend | bool %}
-    SSLEngine on
-    SSLCertificateFile /etc/nova/certs/nova-cert.pem
-    SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
-{% endif %}
-</VirtualHost>

ansible/roles/nova/templates/nova-metadata-wsgi.conf.j2

@@ -0,0 +1,51 @@
+{% set nova_log_dir = '/var/log/kolla/nova' %}
+{% set wsgi_directory = '/var/lib/kolla/venv/bin' %}
+{% if nova_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos', 'rocky']  %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+TimeOut {{ kolla_httpd_timeout }}
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
+
+<Directory "{{ wsgi_directory }}">
+    <FilesMatch "^nova-metadata-wsgi$">
+        Options None
+        Require all granted
+    </FilesMatch>
+</Directory>
+
+ErrorLog "{{ nova_log_dir }}/apache-error.log"
+<IfModule log_config_module>
+CustomLog "{{ nova_log_dir }}/apache-access.log" common
+</IfModule>
+
+{% if nova_logging_debug | bool %}
+LogLevel info
+{% endif %}
+
+<VirtualHost *:{{ nova_metadata_listen_port }}>
+    WSGIDaemonProcess nova-metadata processes={{ nova_metadata_api_workers }} threads=1 user=nova group=nova display-name=nova-metadata-api
+    WSGIProcessGroup nova-metadata
+    WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+    <IfVersion >= 2.4>
+      ErrorLogFormat "%{cu}t %M"
+    </IfVersion>
+    ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
+    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+    CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
+{% if nova_enable_tls_backend | bool %}
+    SSLEngine on
+    SSLCertificateFile /etc/nova/certs/nova-cert.pem
+    SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
+{% endif %}
+</VirtualHost>

ansible/roles/nova/templates/nova-metadata.json.j2

@@ -0,0 +1,50 @@
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
+{
+    "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
+    "config_files": [
+        {
+            "source": "{{ container_config_directory }}/nova.conf",
+            "dest": "/etc/nova/nova.conf",
+            "owner": "nova",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/nova-metadata-wsgi.conf",
+            "dest": "/etc/{{ apache_conf_dir }}/nova-metadata-wsgi.conf",
+            "owner": "nova",
+            "perm": "0600"
+        }{% if nova_policy_file is defined %},
+        {
+            "source": "{{ container_config_directory }}/{{ nova_policy_file }}",
+            "dest": "/etc/nova/{{ nova_policy_file }}",
+            "owner": "nova",
+            "perm": "0600"
+        }{% endif %}{% if nova_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/nova-cert.pem",
+            "dest": "/etc/nova/certs/nova-cert.pem",
+            "owner": "nova",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/nova-key.pem",
+            "dest": "/etc/nova/certs/nova-key.pem",
+            "owner": "nova",
+            "perm": "0600"
+        }{% endif %}{% if vendordata_file_path is defined %},
+        {
+            "source": "{{ container_config_directory }}/vendordata.json",
+            "dest": "/etc/nova/vendordata.json",
+            "owner": "nova",
+            "perm": "0600"
+        }{% endif %}
+    ],
+    "permissions": [
+        {
+            "path": "/var/log/kolla/nova",
+            "owner": "nova:nova",
+            "recurse": true
+        }
+    ]
+}

ansible/roles/nova/templates/nova.conf.j2

@@ -6,6 +6,8 @@ debug = {{ nova_logging_debug }}
 log_file = /var/log/kolla/nova/nova-super-conductor.log
 {% elif service_name == "nova-api"  %}
 log_file = /var/log/kolla/nova/nova-api.log
+{% elif service_name == "nova-metadata" %}
+log_file = /var/log/kolla/nova/nova-metadata.log
 {% else %}
 log_dir = /var/log/kolla/nova
 {% endif %}

releasenotes/notes/nova-metadata-split-d1c9ff2010390352.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    ``nova-metadata`` service has been split into it's own container in
+    preparation for uWSGI support.

tests/templates/inventory.j2

@@ -281,6 +281,9 @@ nova
 [nova-conductor:children]
 nova
 
+[nova-metadata:children]
+nova
+
 [nova-super-conductor:children]
 nova