From d4535b6dc3f05c13e6f8e09f8b7b4dde1f587a47 Mon Sep 17 00:00:00 2001
From: SamYaple <sam@yaple.net>
Date: Sat, 19 Mar 2016 16:42:26 +0000
Subject: [PATCH] Add memcached_servers to keystone_auth section

The in-process cache for keystone tokens has been deprecated due to
"inconsistent results and high memory usage" with the expectation we
switch to memcached_servers if we want to stay performant.

Add a memcache_servers [cache] section to the appropriate servers as the
[DEFAULT]\memcache_servers option was deprecated.

TrivialFix
Related-Id: Ied2b88c8cefe5655a88d0c2f334de04e588fa75a

Change-Id: Ic971bdddc0be3338b15924f7cc0f97d4a3ad2440
---
 ansible/roles/cinder/templates/cinder.conf.j2 |  5 +++++
 .../roles/glance/templates/glance-api.conf.j2 |  5 +++++
 .../glance/templates/glance-registry.conf.j2  |  5 +++++
 ansible/roles/heat/templates/heat.conf.j2     | 11 +++++++++++
 ansible/roles/ironic/templates/ironic.conf.j2 |  5 +++++
 .../roles/keystone/templates/keystone.conf.j2 |  6 ++++++
 ansible/roles/magnum/templates/magnum.conf.j2 |  5 +++++
 ansible/roles/manila/templates/manila.conf.j2 |  5 +++++
 .../roles/mistral/templates/mistral.conf.j2   |  5 +++++
 ansible/roles/murano/templates/murano.conf.j2 |  5 +++++
 .../roles/neutron/templates/neutron.conf.j2   |  5 +++++
 ansible/roles/nova/templates/nova.conf.j2     | 15 +++++++++++----
 .../swift/templates/proxy-server.conf.j2      |  5 +++++
 ansible/site.yml                              | 19 +++++++++++++++++--
 etc/kolla/passwords.yml                       |  1 +
 15 files changed, 96 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/cinder/templates/cinder.conf.j2 b/ansible/roles/cinder/templates/cinder.conf.j2
index 9a64347551..d4a31dfe71 100644
--- a/ansible/roles/cinder/templates/cinder.conf.j2
+++ b/ansible/roles/cinder/templates/cinder.conf.j2
@@ -56,6 +56,11 @@ project_name = service
 username = {{ cinder_keystone_user }}
 password = {{ cinder_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_concurrency]
 lock_path = /var/lib/cinder/tmp
 
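Review bot: Every service template in this patch renders the same `{{ memcache_secret_key }}` next to its keystone credentials, so a leak of any one service's config file exposes the key that protects the cached token data of all the others. A per-service variable would contain that, for example `memcache_secret_key = {{ cinder_memcache_secret_key }}` (suggested name, not defined in this patch), with one entry per service in passwords.yml. The same applies to the identical additions in the glance, heat, ironic, magnum, manila, mistral, murano, neutron, nova and swift templates. The section header is outside this hunk, so the placement under `[keystone_authtoken]` is inferred from the commit subject and the surrounding `username`/`password` lines.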
diff --git a/ansible/roles/glance/templates/glance-api.conf.j2 b/ansible/roles/glance/templates/glance-api.conf.j2
index 2955137cbc..9fc2026a39 100644
--- a/ansible/roles/glance/templates/glance-api.conf.j2
+++ b/ansible/roles/glance/templates/glance-api.conf.j2
@@ -29,6 +29,11 @@ project_name = service
 username = {{ glance_keystone_user }}
 password = {{ glance_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [paste_deploy]
 flavor = keystone
 
diff --git a/ansible/roles/glance/templates/glance-registry.conf.j2 b/ansible/roles/glance/templates/glance-registry.conf.j2
index 3d0d2f4e3d..a7f8f6dda9 100644
--- a/ansible/roles/glance/templates/glance-registry.conf.j2
+++ b/ansible/roles/glance/templates/glance-registry.conf.j2
@@ -21,6 +21,11 @@ project_name = service
 username = {{ glance_keystone_user }}
 password = {{ glance_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [paste_deploy]
 flavor = keystone
 
diff --git a/ansible/roles/heat/templates/heat.conf.j2 b/ansible/roles/heat/templates/heat.conf.j2
index 8fd20fdfd3..cb521b2a6e 100644
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@@ -47,6 +47,17 @@ project_name = service
 username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [trustee]
 auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
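Review bot: The new `[cache]` section points oslo.cache at the same memcached hosts but has nothing equivalent to the `memcache_security_strategy = ENCRYPT` set a few lines above for the auth-token cache, so whatever heat caches through this backend is presumably stored in clear on a service with no authentication. If that is accepted it should be stated in the template, e.g. `# oslo.cache entries are not encrypted; memcached must only be reachable on the api_interface network`, and the memcached role should be checked to listen only on that interface. The same `[cache]` block is added to keystone.conf.j2 and nova.conf.j2 in this patch. The `[trustee]` section continues past the end of the hunk.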
diff --git a/ansible/roles/ironic/templates/ironic.conf.j2 b/ansible/roles/ironic/templates/ironic.conf.j2
index 5ae13730f5..f19769d54a 100644
--- a/ansible/roles/ironic/templates/ironic.conf.j2
+++ b/ansible/roles/ironic/templates/ironic.conf.j2
@@ -40,6 +40,11 @@ project_name = service
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [glance]
 glance_host = {{ kolla_internal_fqdn }}
 
diff --git a/ansible/roles/keystone/templates/keystone.conf.j2 b/ansible/roles/keystone/templates/keystone.conf.j2
index 83e2e2a024..ac414b99e7 100644
--- a/ansible/roles/keystone/templates/keystone.conf.j2
+++ b/ansible/roles/keystone/templates/keystone.conf.j2
@@ -8,3 +8,9 @@ secure_proxy_ssl_header = HTTP_X_FORWARDED_PROTO
 
 [database]
 connection = mysql+pymysql://{{ keystone_database_user }}:{{ keystone_database_password }}@{{ keystone_database_address }}/{{ keystone_database_name }}
+
+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
diff --git a/ansible/roles/magnum/templates/magnum.conf.j2 b/ansible/roles/magnum/templates/magnum.conf.j2
index 047353d55b..b147df0dc3 100644
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@@ -35,6 +35,11 @@ project_name = service
 username = {{ magnum_keystone_user }}
 password = {{ magnum_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_concurrency]
 lock_path = /var/lib/magnum/tmp
 
diff --git a/ansible/roles/manila/templates/manila.conf.j2 b/ansible/roles/manila/templates/manila.conf.j2
index f1f2062161..ab4013980d 100644
--- a/ansible/roles/manila/templates/manila.conf.j2
+++ b/ansible/roles/manila/templates/manila.conf.j2
@@ -99,3 +99,8 @@ user_domain_id = default
 project_name = service
 username = {{ manila_keystone_user }}
 password = {{ manila_keystone_password }}
+
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
diff --git a/ansible/roles/mistral/templates/mistral.conf.j2 b/ansible/roles/mistral/templates/mistral.conf.j2
index 52456733c7..f5f2be5cba 100644
--- a/ansible/roles/mistral/templates/mistral.conf.j2
+++ b/ansible/roles/mistral/templates/mistral.conf.j2
@@ -25,6 +25,11 @@ project_name = service
 username = {{ mistral_keystone_user }}
 password = {{ mistral_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [mistral]
 url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ mistral_api_port }}
 
diff --git a/ansible/roles/murano/templates/murano.conf.j2 b/ansible/roles/murano/templates/murano.conf.j2
index a48dea30ed..b4bf592f97 100644
--- a/ansible/roles/murano/templates/murano.conf.j2
+++ b/ansible/roles/murano/templates/murano.conf.j2
@@ -21,6 +21,11 @@ project_name = service
 username = {{ murano_keystone_user }}
 password = {{ murano_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [murano]
 url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ murano_api_port }}
 
diff --git a/ansible/roles/neutron/templates/neutron.conf.j2 b/ansible/roles/neutron/templates/neutron.conf.j2
index ef426a32f5..202367d6bc 100644
--- a/ansible/roles/neutron/templates/neutron.conf.j2
+++ b/ansible/roles/neutron/templates/neutron.conf.j2
@@ -69,5 +69,10 @@ project_name = service
 username = {{ neutron_keystone_user }}
 password = {{ neutron_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [oslo_messaging_notifications]
 driver = noop
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index c623b6b6f8..1cbb4d0cfd 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -21,7 +21,6 @@ metadata_listen_port = {{ nova_metadata_port }}
 ec2_listen = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 ec2_listen_port = {{ nova_api_ec2_port }}
 
-
 use_neutron = True
 firewall_driver = nova.virt.firewall.NoopFirewallDriver
 
@@ -50,9 +49,6 @@ compute_driver = fake.FakeDriver
 compute_driver = libvirt.LibvirtDriver
 {% endif %}
 
-memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
-
-
 # Though my_ip is not used directly, lots of other variables use $my_ip
 my_ip = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 
@@ -130,6 +126,12 @@ connection = mysql+pymysql://{{ nova_database_user }}:{{ nova_database_password
 [api_database]
 connection = mysql+pymysql://{{ nova_api_database_user }}:{{ nova_api_database_password }}@{{ nova_api_database_address }}/{{ nova_api_database_name }}
 
+[cache]
+backend = oslo_cache.memcache_pool
+enabled = True
+memcache_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [keystone_authtoken]
 auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
 auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
@@ -140,6 +142,11 @@ project_name = service
 username = {{ nova_keystone_user }}
 password = {{ nova_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [libvirt]
 connection_uri = "qemu+tcp://{{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}/system"
 {% if enable_ceph | bool %}
diff --git a/ansible/roles/swift/templates/proxy-server.conf.j2 b/ansible/roles/swift/templates/proxy-server.conf.j2
index e6b9e5b89c..40fc02a97a 100644
--- a/ansible/roles/swift/templates/proxy-server.conf.j2
+++ b/ansible/roles/swift/templates/proxy-server.conf.j2
@@ -39,6 +39,11 @@ project_name = service
 username = {{ swift_keystone_user }}
 password = {{ swift_keystone_password }}
 
+memcache_security_strategy = ENCRYPT
+memcache_secret_key = {{ memcache_secret_key }}
+memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
+
+
 [filter:keystoneauth]
 use = egg:swift#keystoneauth
 operator_roles = admin,user
diff --git a/ansible/site.yml b/ansible/site.yml
index f84e40b9d5..c225c9452e 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -56,7 +56,9 @@
         tags: rabbitmq,
         when: enable_rabbitmq | bool }
 
-- hosts: keystone
+- hosts:
+    - keystone
+    - memcached
   roles:
     - { role: keystone,
         tags: keystone,
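Review bot: Adding `memcached` to `hosts:` widens the play so the keystone role is now evaluated on every memcached host as well, which is safe only if each task in the role is guarded by group membership; the role is not visible here, so that needs confirming. Without such guards, service configs holding keystone passwords and `memcache_secret_key` could be written to hosts that do not run the service. If the intent is only to gather facts so the templates can resolve `hostvars[host]` for the memcached group, a comment would make that explicit, e.g. `# memcached is listed only so its facts are available to the config templates`. The same change is made to the swift, glance, nova, neutron, cinder, heat, horizon, murano, ironic, magnum, mistral and manila plays further down; the play itself continues past this hunk.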
@@ -68,6 +70,7 @@
     - swift-object-server
     - swift-proxy-server
     - rabbitmq
+    - memcached
   roles:
     - { role: swift,
         tags: swift,
@@ -78,6 +81,7 @@
     - glance-api
     - glance-registry
     - rabbitmq
+    - memcached
   roles:
     - { role: glance,
         tags: glance,
@@ -93,6 +97,7 @@
     - nova-novncproxy
     - nova-scheduler
     - rabbitmq
+    - memcached
   roles:
     - { role: nova,
         tags: nova,
@@ -106,6 +111,7 @@
     - neutron-metadata-agent
     - neutron-server
     - rabbitmq
+    - memcached
   roles:
     - { role: neutron,
         tags: neutron,
@@ -118,6 +124,7 @@
     - cinder-scheduler
     - cinder-volume
     - rabbitmq
+    - memcached
   roles:
     - { role: cinder,
         tags: cinder,
@@ -128,12 +135,15 @@
     - heat-api-cfn
     - heat-engine
     - rabbitmq
+    - memcached
   roles:
     - { role: heat,
         tags: heat,
         when: enable_heat | bool }
 
-- hosts: horizon
+- hosts:
+    - horizon
+    - memcached
   roles:
     - { role: horizon,
         tags: horizon,
@@ -143,6 +153,7 @@
     - murano-api
     - murano-engine
     - rabbitmq
+    - memcached
   roles:
     - { role: murano,
         tags: murano,
@@ -154,6 +165,7 @@
     - ironic-inspector
     - ironic-pxe
     - rabbitmq
+    - memcached
   roles:
     - { role: ironic,
         tags: ironic,
@@ -163,6 +175,7 @@
     - magnum-api
     - magnum-conductor
     - rabbitmq
+    - memcached
   roles:
     - { role: magnum,
         tags: magnum,
@@ -173,6 +186,7 @@
     - mistral-engine
     - mistral-executor
     - rabbitmq
+    - memcached
   roles:
     - { role: mistral,
         tags: mistral,
@@ -190,6 +204,7 @@
     - manila-share
     - manila-scheduler
     - rabbitmq
+    - memcached
   roles:
     - { role: manila,
         tags: manila,
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index deed018da9..626a7ae429 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -67,6 +67,7 @@ horizon_secret_key: "password"
 manila_database_password: "password"
 manila_keystone_password: "password"
 
+memcache_secret_key: "password"
 
 ####################
 # Manila options
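Review bot: `memcache_secret_key: "password"` ships a guessable default for the value that `memcache_security_strategy = ENCRYPT` depends on, so a deployment that keeps the sample file gets encryption in name only. A comment above the entry would help, e.g. `# Must be replaced with a long random value before deploying; shared by all services' keystone_authtoken caches`. The entry also sits between the manila passwords and the next banner with no heading of its own; grouping it under a memcached heading would make it easier to find and rotate.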