Run ironic-api as WSGI when standalone with TLS capability#230
Run ironic-api as WSGI when standalone with TLS capability#230metal3-io-bot merged 1 commit intometal3-io:masterfrom
Conversation
metal3-io-bot
added
the
size/L
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
9a02de5 to
6e4ced8
Compare
|
/assign @dtantsur |
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
2 times, most recently
from
d66a4ae to
03d3fc3
Compare
|
/test-integration |
|
/cc @zaneb |
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
3 times, most recently
from
3cecfab to
758a1c7
Compare
dtantsur
left a comment
dtantsur
left a comment
There was a problem hiding this comment.
Missed an important bit (may explain why we need to keep the old approach around).
| else | ||
| python3 -c 'import os; import sys; import jinja2; sys.stdout.write(jinja2.Template(sys.stdin.read()).render(env=os.environ))' < /etc/httpd-ironic-api.conf.j2 > /etc/httpd/conf.d/ironic.conf | ||
| sed -i "/Listen 80/c\#Listen 80" /etc/httpd/conf/httpd.conf | ||
| exec /usr/sbin/httpd -DFOREGROUND |
There was a problem hiding this comment.
There is already an httpd container here, let's not run several more instances of httpd
There was a problem hiding this comment.
Currently, the PR adds 2 more httpd instance to the picture. If we avoid to add extra httpd instances and make use of the existing one, IMO there will be two problems:
- Web server and WSGI application need to be on the same container. if we only have one httpd instance, we have to run Ironic-api on the existing httpd container.
- In the PR, a dedicated instance of Apache server acts as a reverse proxy offloading TLS and forward http requests to the conductor. If the existing httpd container also becomes a reverse proxy, that means we are forcing the ironic-api and ironic-conductor to live on the same pod. This may reduce the flexibility of design we can choose for our system.
There was a problem hiding this comment.
Actually, I think we can split conductor and httpd into different containers, and also make use of the existing httpd instance (used by IPA) to acts as a reverse proxy for the conductor. However, a httpd instance is needed to be in the ironic-api container since we run it as a WSGI application. Therefore, we need at least two httpd instance in the picture, and one instance needs to be in the same container as the ironic-api. WDYT @dtantsur ?
There was a problem hiding this comment.
First, I'm not convinced that we should use httpd for the conductor. This is a setup nobody has ever used, and I'm not sure what the implications are. I'd leave it alone. I don't see a problem with having ironic-api in the httpd container, after all, this is how non-containerized deployments work. Having 2 httpd containers will raise memory requirements quite severely.
There was a problem hiding this comment.
@dtantsur The reason why httpd is used for the conductor is that it also takes care of offloading the encrypted traffic and forward the unencrypted traffic to the conductor. Since we put httpd and the conduct into one K8S pod, I think the unencrypted traffic doesn't hurt too much. The aim is to make Ironic get rid of handling TLS.
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
2 times, most recently
from
4c61356 to
e0f6659
Compare
namnx228
changed the title
metal3-io-bot
added
the
do-not-merge/work-in-progress
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
e0f6659 to
8360d7d
Compare
metal3-io-bot
added
size/M
| sed -i 's/^Listen .*$/Listen [::]:'"$HTTP_PORT"'/' /etc/httpd/conf/httpd.conf | ||
| sed -i -e 's|\(^[[:space:]]*\)\(DocumentRoot\)\(.*\)|\1\2 "/shared/html"|' \ | ||
| -e 's|<Directory "/var/www/html">|<Directory "/shared/html">|' \ | ||
| -e 's|<Directory "/var/www">|<Directory "/shared">|' /etc/httpd/conf/httpd.conf | ||
|
|
||
| # Log to std out/err | ||
| sed -i -e 's%^ \+CustomLog.*% CustomLog /dev/stderr combined%g' /etc/httpd/conf/httpd.conf | ||
| sed -i -e 's%^ErrorLog.*%ErrorLog /dev/stderr%g' /etc/httpd/conf/httpd.conf |
There was a problem hiding this comment.
I'm not sure I like managing config files via sed, what if the config file changes just enough that the regex no longer matches?
Can we just ship a minimal /etc/httpd/conf/httpd.conf for this, possibly a jinja template?
There was a problem hiding this comment.
Ok, I can do that, but should we do this in a separate PR? These sed commands already existed before, and I just move it from one place to another.
There was a problem hiding this comment.
Sure that's fine, I didn't realize this was pre-existing.
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
e456ac3 to
0679edd
Compare
|
/test-integration |
|
/test-centos-integration |
1 similar comment
|
/test-centos-integration |
|
@stbenjam Thank you for your comments. I have addressed all of them. Please take a look again. |
|
|
||
| Listen 6385 | ||
|
|
||
| <VirtualHost {{ env.IRONIC_IP }}:6385> |
There was a problem hiding this comment.
I think we should obey the LISTEN_ALL_INTERFACES env variable here. In the Ironic config, the logic is:
host_ip = {% if env.LISTEN_ALL_INTERFACES | lower == "true" %}::{% else %}{{ env.IRONIC_IP }}{% endif %}
There was a problem hiding this comment.
Oh! I failed to get your point in the comment above. Now it is fixed. Thanks.
|
Just one comment, please fix that but I think otherwise this good. |
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
0679edd to
2ca3197
Compare
|
/test-integration |
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
2ca3197 to
63e6163
Compare
|
/test-integration |
|
/test-centos-integration |
|
@stbenjam Thanks, the last comment has been fixed. PTAL |
| {% if env.LISTEN_ALL_INTERFACES | lower == "true" %} | ||
| <VirtualHost *:6385> | ||
| {% else %} | ||
| <VirtualHost {{ env.IRONIC_IP }}:6385> |
There was a problem hiding this comment.
Thanks! This is better. One small nit, if IRONIC_IP is IPv6, this won't get wrapped correctly, e.g it'd need to be [fd00::2]:6385. I think you can use the env.IRONIC_URL_HOST instead, which is provided by the ironic common.sh include.
There was a problem hiding this comment.
Do you mean change env.IRONIC_IP to env.IRONIC_URL_HOST in line 18?
namnx228
force-pushed
the
ironic-api-behind-wsgi-nam
branch
from
63e6163 to
d0db1d5
Compare
|
/test-integration |
|
/approve |
|
/lgtm @elfosardo Would you mind taking a look again? |
|
/assign @dtantsur |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dtantsur, elfosardo, namnx228, stbenjam The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
metal3-io-bot
added
the
approved
|
Thanks very much @dtantsur, @stbenjam, @elfosardo for your reviews and approval. |
Merge metal3 20211102
6 participants
This PR runs Ironic-api as a WSGI application on top of a fully-capable web server (Apache) and lets this Apache server takes care of TLS. In details, Ironic-api runs as a WSGI application on top of an Apache server. This web server handles the HTTPS connections between ironic-api and other components.
Related PRs:
metal3-io/baremetal-operator#728
metal3-io/ironic-inspector-image#70