def _create_glance_client(context, host, port, use_ssl, version=1):
"""Instantiate a new glanceclient.Client object."""
params = {}
if use_ssl:
scheme = 'https'
# https specific params
params['insecure'] = CONF.glance.api_insecure
params['ssl_compression'] = False
sslutils.is_enabled(CONF)
if CONF.ssl.cert_file:
params['cert_file'] = CONF.ssl.cert_file
if CONF.ssl.key_file:
params['key_file'] = CONF.ssl.key_file
if CONF.ssl.ca_file:
params['cacert'] = CONF.ssl.ca_file
else:
scheme = 'http'
if CONF.auth_strategy == 'keystone':
# NOTE(isethi): Glanceclient <= 0.9.0.49 accepts only
# keyword 'token', but later versions accept both the
# header 'X-Auth-Token' and 'token'
params['token'] = context.auth_token
params['identity_headers'] = generate_identity_headers(context)
if netutils.is_valid_ipv6(host):
# if so, it is ipv6 address, need to wrap it with '[]'
host = '[%s]' % host
endpoint = '%s://%s:%s' % (scheme, host, port)
return glanceclient.Client(str(version), endpoint, **params)
def __init__(self, conf, name, app, host='0.0.0.0', port=0, # nosec
pool_size=None, protocol=eventlet.wsgi.HttpProtocol,
backlog=128, use_ssl=False, max_url_len=None,
logger_name='eventlet.wsgi.server',
socket_family=None, socket_file=None, socket_mode=None):
"""Initialize, but do not start, a WSGI server.
:param conf: Instance of ConfigOpts.
:param name: Pretty name for logging.
:param app: The WSGI application to serve.
:param host: IP address to serve the application.
:param port: Port number to server the application.
:param pool_size: Maximum number of eventlets to spawn concurrently.
:param protocol: Protocol class.
:param backlog: Maximum number of queued connections.
:param use_ssl: Wraps the socket in an SSL context if True.
:param max_url_len: Maximum length of permitted URLs.
:param logger_name: The name for the logger.
:param socket_family: Socket family.
:param socket_file: location of UNIX socket.
:param socket_mode: UNIX socket mode.
:returns: None
:raises: InvalidInput
:raises: EnvironmentError
"""
self.conf = conf
self.conf.register_opts(_options.wsgi_opts)
self.default_pool_size = self.conf.wsgi_default_pool_size
# Allow operators to customize http requests max header line size.
eventlet.wsgi.MAX_HEADER_LINE = conf.max_header_line
self.name = name
self.app = app
self._server = None
self._protocol = protocol
self.pool_size = pool_size or self.default_pool_size
self._pool = eventlet.GreenPool(self.pool_size)
self._logger = logging.getLogger(logger_name)
self._use_ssl = use_ssl
self._max_url_len = max_url_len
self.client_socket_timeout = conf.client_socket_timeout or None
if backlog < 1:
raise InvalidInput(reason=_('The backlog must be more than 0'))
if not socket_family or socket_family in [socket.AF_INET,
socket.AF_INET6]:
self.socket = self._get_socket(host, port, backlog)
elif hasattr(socket, "AF_UNIX") and socket_family == socket.AF_UNIX:
self.socket = self._get_unix_socket(socket_file, socket_mode,
backlog)
else:
raise ValueError(_("Unsupported socket family: %s"), socket_family)
(self.host, self.port) = self.socket.getsockname()[0:2]
if self._use_ssl:
sslutils.is_enabled(conf)
def test_is_enabled(self, exists_mock, runtime_error_mock):
exists_mock.return_value = True
self.conf.set_default("cert_file", self.cert_file_name,
group=sslutils.config_section)
self.conf.set_default("key_file", self.key_file_name,
group=sslutils.config_section)
self.conf.set_default("ca_file", self.ca_file_name,
group=sslutils.config_section)
sslutils.is_enabled(self.conf)
self.assertFalse(runtime_error_mock.called)
def __init__(self, name, num_threads=1000):
# Raise the default from 8192 to accommodate large tokens
eventlet.wsgi.MAX_HEADER_LINE = CONF.max_header_line
self.num_threads = num_threads
# Pool for a greenthread in which wsgi server will be running
self.pool = eventlet.GreenPool(1)
self.name = name
self._server = None
# A value of 0 is converted to None because None is what causes the
# wsgi server to wait forever.
self.client_socket_timeout = CONF.client_socket_timeout or None
if CONF.use_ssl:
sslutils.is_enabled(CONF)
def __init__(self, name, num_threads=None, disable_ssl=False):
# Raise the default from 8192 to accommodate large tokens
eventlet.wsgi.MAX_HEADER_LINE = CONF.max_header_line
self.num_threads = num_threads or CONF.wsgi_default_pool_size
self.disable_ssl = disable_ssl
# Pool for a greenthread in which wsgi server will be running
self.pool = eventlet.GreenPool(1)
self.name = name
self._server = None
# A value of 0 is converted to None because None is what causes the
# wsgi server to wait forever.
self.client_socket_timeout = CONF.client_socket_timeout or None
if CONF.use_ssl and not self.disable_ssl:
sslutils.is_enabled(CONF)
def _get_socket(self, host, port, backlog):
# TODO(dims): eventlet's green dns/socket module does not actually
# support IPv6 in getaddrinfo(). We need to get around this in the
# future or monitor upstream for a fix
info = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)[0]
family = info[0]
bind_addr = info[-1]
sock = None
retry_until = time.time() + 30
while not sock and time.time() < retry_until:
try:
sock = eventlet.listen(bind_addr, backlog=backlog, family=family)
if sslutils.is_enabled(CONF):
sock = sslutils.wrap(CONF, sock)
except socket.error as err:
if err.args[0] != errno.EADDRINUSE:
raise
eventlet.sleep(0.1)
if not sock:
raise RuntimeError(
_("Could not bind to %(host)s:%(port)s " "after trying for 30 seconds") % {"host": host, "port": port}
)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# sockets can hang around forever without keepalive
sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
# This option isn't available in the OS X version of eventlet
if hasattr(socket, "TCP_KEEPIDLE"):
sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, CONF.tcp_keepidle)
return sock
def _get_socket(host, port, backlog):
info = socket.getaddrinfo(
host, port, socket.AF_UNSPEC, socket.SOCK_STREAM
)[0]
family = info[0]
bind_addr = info[-1]
sock = None
retry_until = time.time() + 30
while not sock and time.time() < retry_until:
try:
sock = eventlet.listen(bind_addr, backlog=backlog,
family=family)
if sslutils.is_enabled(CONF):
sock = sslutils.wrap(CONF, sock)
except socket.error as err:
if err.args[0] != errno.EADDRINUSE:
raise
if not sock:
raise RuntimeError(_(
"Could not bind to %(host)s:%(port)s "
"after trying for 30 seconds") %
{'host': host, 'port': port})
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# sockets can hang around forever without keepalive
sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
# This option isn't available in the OS X version of eventlet
if hasattr(socket, 'TCP_KEEPIDLE'):
sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE,
CONF.tcp_keepidle)
return sock
def __init__(self, service_name, app):
super(SaharaWSGIService,
self).__init__(CONF,
service_name,
app,
host=CONF.host,
port=CONF.port,
use_ssl=sslutils.is_enabled(CONF))
def _start(self, host, port):
wsgi_sock = utils.bind_tcp(host, port, CONF.backlog, CONF.tcp_keepidle)
if sslutils.is_enabled(CONF):
wsgi_sock = sslutils.wrap(CONF, wsgi_sock)
self._wsgi_socks.append(wsgi_sock)
self.tg.add_thread(self._wsgi_handle, wsgi_sock)
def _glanceclient_from_endpoint(context, endpoint, version=1):
"""Instantiate a new glanceclient.Client object."""
params = {}
# NOTE(sdague): even if we aren't using keystone, it doesn't
# hurt to send these headers.
params['identity_headers'] = generate_identity_headers(context)
if endpoint.startswith('https://'):
# https specific params
params['insecure'] = CONF.glance.api_insecure
params['ssl_compression'] = False
sslutils.is_enabled(CONF)
if CONF.ssl.cert_file:
params['cert_file'] = CONF.ssl.cert_file
if CONF.ssl.key_file:
params['key_file'] = CONF.ssl.key_file
if CONF.ssl.ca_file:
params['cacert'] = CONF.ssl.ca_file
return glanceclient.Client(str(version), endpoint, **params)
def _glanceclient_from_endpoint(context, endpoint, version=1):
"""Instantiate a new glanceclient.Client object."""
params = {}
# NOTE(sdague): even if we aren't using keystone, it doesn't
# hurt to send these headers.
params['identity_headers'] = generate_identity_headers(context)
if endpoint.startswith('https://'):
# https specific params
params['insecure'] = CONF.glance.api_insecure
params['ssl_compression'] = False
sslutils.is_enabled(CONF)
if CONF.ssl.cert_file:
params['cert_file'] = CONF.ssl.cert_file
if CONF.ssl.key_file:
params['key_file'] = CONF.ssl.key_file
if CONF.ssl.ca_file:
params['cacert'] = CONF.ssl.ca_file
return glanceclient.Client(str(version), endpoint, **params)
def _start(self, host, port):
wsgi_sock = utils.bind_tcp(
host, port, CONF.backlog, CONF.tcp_keepidle)
if sslutils.is_enabled(CONF):
wsgi_sock = sslutils.wrap(CONF, wsgi_sock)
self._wsgi_socks.append(wsgi_sock)
self.tg.add_thread(self._wsgi_handle, wsgi_sock)
def start(self):
super(WSGIService, self).start()
self._wsgi_sock = utils.bind_tcp(self._service_config.api_host,
self._service_config.api_port,
CONF.backlog, CONF.tcp_keepidle)
if sslutils.is_enabled(CONF):
self._wsgi_sock = sslutils.wrap(CONF, self._wsgi_sock)
self.tg.add_thread(self._wsgi_handle)
def start(self):
super(WSGIService, self).start()
self._wsgi_sock = utils.bind_tcp(
self._service_config.api_host,
self._service_config.api_port,
CONF.backlog,
CONF.tcp_keepidle)
if sslutils.is_enabled(CONF):
self._wsgi_sock = sslutils.wrap(CONF, self._wsgi_sock)
self.tg.add_thread(self._wsgi_handle)
def _wsgi_get_socket(self):
# TODO(dims): eventlet's green dns/socket module does not actually
# support IPv6 in getaddrinfo(). We need to get around this in the
# future or monitor upstream for a fix
info = socket.getaddrinfo(self._service_config.api_host,
self._service_config.api_port,
socket.AF_UNSPEC, socket.SOCK_STREAM)[0]
family = info[0]
bind_addr = info[-1]
sock = None
retry_until = time.time() + 30
while not sock and time.time() < retry_until:
try:
# TODO(kiall): Backlog should be a service specific setting,
# rather than a global
sock = eventlet.listen(bind_addr,
backlog=cfg.CONF.backlog,
family=family)
if sslutils.is_enabled(CONF):
sock = sslutils.wrap(CONF, sock)
except socket.error as err:
if err.args[0] != errno.EADDRINUSE:
raise
eventlet.sleep(0.1)
if not sock:
raise RuntimeError(
_("Could not bind to %(host)s:%(port)s "
"after trying for 30 seconds") % {
'host': self._service_config.api_host,
'port': self._service_config.api_port
})
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# sockets can hang around forever without keepalive
sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
# This option isn't available in the OS X version of eventlet
if hasattr(socket, 'TCP_KEEPIDLE'):
sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE,
CONF.tcp_keepidle)
return sock
def _run_wsgi(app_name):
app = config.load_paste_app(app_name)
if not app:
LOG.error(_('No known API applications configured.'))
return
server = wsgi.Server(cfg.CONF,
app_name,
app,
host=cfg.CONF.bind_host,
port=cfg.CONF.bind_port,
use_ssl=sslutils.is_enabled(cfg.CONF))
server.start()
# Dump all option values here after all options are parsed
cfg.CONF.log_opt_values(LOG, std_logging.DEBUG)
LOG.info(_("Hypernet service started, listening on %(host)s:%(port)s"), {
'host': cfg.CONF.bind_host,
'port': cfg.CONF.bind_port
})
return server
def __init__(self, app, name, listen, max_url_len=None):
super(WSGIService, self).__init__(CONF.senlin_api.threads)
self.app = app
self.name = name
self.listen = listen
self.servers = []
for address in self.listen:
host, port = netutils.parse_host_port(address)
server = wsgi.Server(CONF,
name,
app,
host=host,
port=port,
pool_size=CONF.senlin_api.threads,
use_ssl=sslutils.is_enabled(CONF),
max_url_len=max_url_len)
self.servers.append(server)
def start(self, application):
"""Run a WSGI server with the given application.
:param application: The application to run in the WSGI server
"""
def kill_children(*args):
"""Kills the entire process group."""
LOG.error(_LE('SIGTERM received'))
signal.signal(signal.SIGTERM, signal.SIG_IGN)
self.running = False
os.killpg(0, signal.SIGTERM)
def hup(*args):
"""Shuts down the server(s).
Shuts down the server(s), but allows running requests to complete
"""
LOG.error(_LE('SIGHUP received'))
signal.signal(signal.SIGHUP, signal.SIG_IGN)
os.killpg(0, signal.SIGHUP)
signal.signal(signal.SIGHUP, hup)
self.application = application
self.sock = eventlet.listen((CONF.host, CONF.port), backlog=500)
if sslutils.is_enabled(CONF):
LOG.info(_LI("Using HTTPS for port %s"), CONF.port)
self.sock = sslutils.wrap(CONF, self.sock)
if CONF.api_workers == 0:
# Useful for profiling, test, debug etc.
self.pool = eventlet.GreenPool(size=self.threads)
self.pool.spawn_n(self._single_run, application, self.sock)
return
LOG.debug("Starting %d workers", CONF.api_workers)
signal.signal(signal.SIGTERM, kill_children)
signal.signal(signal.SIGHUP, hup)
while len(self.children) < CONF.api_workers:
self.run_child()
default=True,
help='Validate security group names'
' according to EC2 specification'),
cfg.IntOpt('ec2_timestamp_expiry',
default=300,
help='Time in seconds before ec2 timestamp expires'),
cfg.BoolOpt('keystone_ec2_insecure',
default=False,
help='Disable SSL '
'certificate verification.'),
]
CONF = cfg.CONF
CONF.register_opts(ec2_opts)
CONF.import_opt('use_forwarded_for', 'nova.api.auth')
sslutils.is_enabled(CONF)
# Fault Wrapper around all EC2 requests
class FaultWrapper(wsgi.Middleware):
"""Calls the middleware stack, captures any exceptions into faults."""
@webob.dec.wsgify(RequestClass=wsgi.Request)
def __call__(self, req):
try:
return req.get_response(self.application)
except Exception:
LOG.exception(_LE("FaultWrapper error"))
return faults.Fault(webob.exc.HTTPInternalServerError())
class RequestLogging(wsgi.Middleware):
cfg.BoolOpt(
"ec2_private_dns_show_ip",
default=False,
help="Return the IP address as private dns hostname in " "describe instances",
),
cfg.BoolOpt(
"ec2_strict_validation", default=True, help="Validate security group names" " according to EC2 specification"
),
cfg.IntOpt("ec2_timestamp_expiry", default=300, help="Time in seconds before ec2 timestamp expires"),
cfg.BoolOpt("keystone_ec2_insecure", default=False, help="Disable SSL " "certificate verification."),
]
CONF = cfg.CONF
CONF.register_opts(ec2_opts)
CONF.import_opt("use_forwarded_for", "nova.api.auth")
sslutils.is_enabled(CONF)
# Fault Wrapper around all EC2 requests
class FaultWrapper(wsgi.Middleware):
"""Calls the middleware stack, captures any exceptions into faults."""
@webob.dec.wsgify(RequestClass=wsgi.Request)
def __call__(self, req):
try:
return req.get_response(self.application)
except Exception:
LOG.exception(_LE("FaultWrapper error"))
return faults.Fault(webob.exc.HTTPInternalServerError())
def __init__(self, *args, **kwargs):
super(WSGIService, self).__init__(*args, **kwargs)
self._use_ssl = sslutils.is_enabled(CONF)
self._wsgi_socks = []
def __init__(self, *args, **kwargs):
super(WSGIService, self).__init__(*args, **kwargs)
self._use_ssl = sslutils.is_enabled(CONF)
self._wsgi_socks = []
def __init__(self, conf, name, app, host='0.0.0.0', port=0, pool_size=None,
protocol=eventlet.wsgi.HttpProtocol, backlog=128,
use_ssl=False, max_url_len=None):
"""Initialize, but do not start, a WSGI server.
:param conf: Instance of ConfigOpts.
:param name: Pretty name for logging.
:param app: The WSGI application to serve.
:param host: IP address to serve the application.
:param port: Port number to server the application.
:param pool_size: Maximum number of eventlets to spawn concurrently.
:param protocol: Protocol class.
:param backlog: Maximum number of queued connections.
:param use_ssl: Wraps the socket in an SSL context if True.
:param max_url_len: Maximum length of permitted URLs.
:returns: None
:raises: InvalidInput
:raises: EnvironmentError
"""
self.conf = conf
self.conf.register_opts(_options.wsgi_opts)
self.default_pool_size = self.conf.wsgi_default_pool_size
# Allow operators to customize http requests max header line size.
eventlet.wsgi.MAX_HEADER_LINE = conf.max_header_line
self.name = name
self.app = app
self._server = None
self._protocol = protocol
self.pool_size = pool_size or self.default_pool_size
self._pool = eventlet.GreenPool(self.pool_size)
self._logger = logging.getLogger("eventlet.wsgi.server")
self._use_ssl = use_ssl
self._max_url_len = max_url_len
self.client_socket_timeout = conf.client_socket_timeout or None
if backlog < 1:
raise InvalidInput(reason=_('The backlog must be more than 0'))
bind_addr = (host, port)
# TODO(dims): eventlet's green dns/socket module does not actually
# support IPv6 in getaddrinfo(). We need to get around this in the
# future or monitor upstream for a fix
try:
info = socket.getaddrinfo(bind_addr[0],
bind_addr[1],
socket.AF_UNSPEC,
socket.SOCK_STREAM)[0]
family = info[0]
bind_addr = info[-1]
except Exception:
family = socket.AF_INET
if self._use_ssl:
sslutils.is_enabled(conf)
try:
self._socket = eventlet.listen(bind_addr, family, backlog=backlog)
except EnvironmentError:
LOG.error(_LE("Could not bind to %(host)s:%(port)s"),
{'host': host, 'port': port})
raise
(self.host, self.port) = self._socket.getsockname()[0:2]
LOG.info(_LI("%(name)s listening on %(host)s:%(port)s"),
{'name': self.name, 'host': self.host, 'port': self.port})
def __init__(self, service_name, app):
super(SaharaWSGIService, self).__init__(
CONF, service_name, app, host=CONF.host, port=CONF.port,
use_ssl=sslutils.is_enabled(CONF))
def __init__(self,
conf,
name,
app,
host='0.0.0.0',
port=0,
pool_size=None,
protocol=eventlet.wsgi.HttpProtocol,
backlog=128,
use_ssl=False,
max_url_len=None):
"""Initialize, but do not start, a WSGI server.
:param name: Pretty name for logging.
:param app: The WSGI application to serve.
:param host: IP address to serve the application.
:param port: Port number to server the application.
:param pool_size: Maximum number of eventlets to spawn concurrently.
:param backlog: Maximum number of queued connections.
:param max_url_len: Maximum length of permitted URLs.
:returns: None
:raises: InvalidInput
"""
self.conf = conf
self.conf.register_opts(_options.wsgi_opts)
self.default_pool_size = self.conf.wsgi_default_pool_size
# Allow operators to customize http requests max header line size.
eventlet.wsgi.MAX_HEADER_LINE = conf.max_header_line
self.name = name
self.app = app
self._server = None
self._protocol = protocol
self.pool_size = pool_size or self.default_pool_size
self._pool = eventlet.GreenPool(self.pool_size)
self._logger = logging.getLogger("eventlet.wsgi.server")
self._use_ssl = use_ssl
self._max_url_len = max_url_len
self.client_socket_timeout = conf.client_socket_timeout or None
self.default_pool_size = conf.wsgi_default_pool_size
if backlog < 1:
raise InvalidInput(reason='The backlog must be more than 0')
bind_addr = (host, port)
# TODO(dims): eventlet's green dns/socket module does not actually
# support IPv6 in getaddrinfo(). We need to get around this in the
# future or monitor upstream for a fix
try:
info = socket.getaddrinfo(bind_addr[0], bind_addr[1],
socket.AF_UNSPEC, socket.SOCK_STREAM)[0]
family = info[0]
bind_addr = info[-1]
except Exception:
family = socket.AF_INET
if self._use_ssl:
sslutils.is_enabled(conf)
try:
self._socket = eventlet.listen(bind_addr, family, backlog=backlog)
except EnvironmentError:
LOG.error(_LE("Could not bind to %(host)s:%(port)s"), {
'host': host,
'port': port
})
raise
(self.host, self.port) = self._socket.getsockname()[0:2]
LOG.info(_LI("%(name)s listening on %(host)s:%(port)s"), {
'name': self.name,
'host': self.host,
'port': self.port
})
def __init__(
self,
conf,
name,
app,
host='0.0.0.0',
port=0, # nosec
pool_size=None,
protocol=eventlet.wsgi.HttpProtocol,
backlog=128,
use_ssl=False,
max_url_len=None,
logger_name='eventlet.wsgi.server',
socket_family=None,
socket_file=None,
socket_mode=None):
"""Initialize, but do not start, a WSGI server.
:param conf: Instance of ConfigOpts.
:param name: Pretty name for logging.
:param app: The WSGI application to serve.
:param host: IP address to serve the application.
:param port: Port number to server the application.
:param pool_size: Maximum number of eventlets to spawn concurrently.
:param protocol: Protocol class.
:param backlog: Maximum number of queued connections.
:param use_ssl: Wraps the socket in an SSL context if True.
:param max_url_len: Maximum length of permitted URLs.
:param logger_name: The name for the logger.
:param socket_family: Socket family.
:param socket_file: location of UNIX socket.
:param socket_mode: UNIX socket mode.
:returns: None
:raises: InvalidInput
:raises: EnvironmentError
"""
self.conf = conf
self.conf.register_opts(_options.wsgi_opts)
self.default_pool_size = self.conf.wsgi_default_pool_size
# Allow operators to customize http requests max header line size.
eventlet.wsgi.MAX_HEADER_LINE = conf.max_header_line
self.name = name
self.app = app
self._server = None
self._protocol = protocol
self.pool_size = pool_size or self.default_pool_size
self._pool = eventlet.GreenPool(self.pool_size)
self._logger = logging.getLogger(logger_name)
self._use_ssl = use_ssl
self._max_url_len = max_url_len
self.client_socket_timeout = conf.client_socket_timeout or None
if backlog < 1:
raise InvalidInput(reason=_('The backlog must be more than 0'))
if not socket_family or socket_family in [
socket.AF_INET, socket.AF_INET6
]:
self.socket = self._get_socket(host, port, backlog)
elif hasattr(socket, "AF_UNIX") and socket_family == socket.AF_UNIX:
self.socket = self._get_unix_socket(socket_file, socket_mode,
backlog)
else:
raise ValueError(_("Unsupported socket family: %s"), socket_family)
(self.host, self.port) = self.socket.getsockname()[0:2]
if self._use_ssl:
sslutils.is_enabled(conf)
