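As a web server, nginx is famous far and wide for its low memory footprint and high performance. I used to use apache as the web server, hosting the openstack API services on apache. To try out nginx's high performance, I switched to nginx.
Take a server running stock centos7 and deploy the keystone service on it.
Step 0: first stop the native keystone service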
systemctl stop openstack-keystone
Step 1: install the required software
yum install nginx uwsgi uwsgi-plugin-python
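Step 2: keystone is a Python program that listens on two ports. The Kilo release of keystone supports uwsgi natively, and the interface file already exists. It only needs to be interfaced with uwsgi.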
cp /usr/share/keystone/keystone.wsgi /usr/share/keystone/main
cp /usr/share/keystone/keystone.wsgi /usr/share/keystone/admin
chmod ug+x /usr/share/keystone/admin
chmod ug+x /usr/share/keystone/main
Step 3: configure the uwsgi process
vim /etc/uwsgi.ini
[uwsgi]
uid = root
gid = root
socket = /var/run/uwsgi/uwsgi.socket
pidfile = /var/run/uwsgi/uwsgi.pid
emperor = /etc/uwsgi.d
#emperor-tyrant = true
master = true
autoload = true
log-date = true
logto = /var/log/uwsgi/uwsgi-emperor.log
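uid and gid set the privileges that the uwsgi process itself runs with. Here they are set to root in order to match nginx's permissions.
emperor: uwsgi can run in Emperor mode to manage vassals. This value is the path to the vassals' configuration files.
emperor-tyrant: boolean; whether each vassal runs with its own privileges. If this value is true, cap = setgid,setuid must be set, and uid and gid must be set in each vassal. Separate per-vassal privileges are not used here; everything runs as root.
Step 4: configure the vassals
vim /etc/uwsgi.d/admin.ini  # this path must match the emperor setting above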
[uwsgi]
chmod-socket = 666
master = true
plugin = python
socket = /run/uwsgi/keystone-admin.sock
thunder-lock = true
workers = 4
wsgi-file = /usr/share/keystone/admin
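chmod-socket: set to 666 here so that nginx has permission to access the socket
plugin: the backend is Python, so plugin = python is required
socket: the path of the socket; the uwsgi process must have permission to access this path
wsgi-file: the exact path of the Python interface file.
I was stuck here for quite a while, and later found that the naming of the Python file follows a convention: it has to match the API interface name defined in keystone's ini configuration file, otherwise it cannot be loaded.
vim /etc/uwsgi.d/main.ini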
[uwsgi]
chmod-socket = 666
master = true
plugin = python
socket = /run/uwsgi/keystone-main.sock
thunder-lock = true
workers = 4
wsgi-file = /usr/share/keystone/main
Step 5: verify that uwsgi loads the Python module correctly
$: systemctl start uwsgi
$: systemctl status uwsgi
uwsgi.service - uWSGI Emperor Service
Loaded: loaded (/usr/lib/systemd/system/uwsgi.service; enabled)
Active: active (running) since 2016-02-27 16:22:16 CST; 1 day 1h ago
Process: 11168 ExecStartPre=/bin/chown uwsgi:uwsgi /run/uwsgi (code=exited, status=0/SUCCESS)
Process: 11166 ExecStartPre=/bin/mkdir -p /run/uwsgi (code=exited, status=0/SUCCESS)
Main PID: 11172 (uwsgi)
Status: "The Emperor is governing 2 vassals"
CGroup: /system.slice/uwsgi.service
|-11172 /usr/sbin/uwsgi --ini /etc/uwsgi.ini
|-11175 /usr/sbin/uwsgi --ini /etc/uwsgi.ini
|-11176 /usr/sbin/uwsgi --ini /etc/uwsgi.ini
|-11177 /usr/sbin/uwsgi --ini admin.ini
|-11178 /usr/sbin/uwsgi --ini main.ini
|-11251 /usr/sbin/uwsgi --ini main.ini
|-11252 /usr/sbin/uwsgi --ini main.ini
|-11253 /usr/sbin/uwsgi --ini main.ini
|-11254 /usr/sbin/uwsgi --ini main.ini
|-11255 /usr/sbin/uwsgi --ini admin.ini
|-11256 /usr/sbin/uwsgi --ini admin.ini
|-11257 /usr/sbin/uwsgi --ini admin.ini
`-11258 /usr/sbin/uwsgi --ini admin.ini
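The systemctl status output should look like the above, showing that main.ini and admin.ini were loaded correctly.
If the vassal configuration cannot be loaded, with an error like "no python application found, check your startup logs for errors", the cause is that the Python interface could not be loaded. Most likely the name of the Python module being loaded is wrong.
Step 6: configure nginx
vim /etc/nginx/nginx.conf and add an include line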
http {
    ...
    include /etc/nginx/sites-enabled/*.conf;
}
vim /etc/nginx/sites-enabled/keystone.conf
server {
    listen *:35357;
    server_name keystone.com;
    access_log /var/log/nginx/keystone_wsgi_admin.access.log;
    error_log /var/log/nginx/keystone_wsgi_admin.error.log;
    location / {
        uwsgi_pass unix:///run/uwsgi/keystone-admin.sock;
        include uwsgi_params;
        uwsgi_param SCRIPT_NAME "";
    }
}
server {
    listen *:5000;
    server_name keystone.com;
    access_log /var/log/nginx/keystone_wsgi_main.access.log;
    error_log /var/log/nginx/keystone_wsgi_main.error.log;
    location / {
        uwsgi_pass unix:///run/uwsgi/keystone-main.sock;
        include uwsgi_params;
        uwsgi_param SCRIPT_NAME "";
    }
}
The location block needs uwsgi_param SCRIPT_NAME "" added, because the keystone Kilo code requires the SCRIPT_NAME value, so it has to be carried in the request.
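A pre-start check for the configuration above, as an added example that is not part of the original post: it flags the two choices made here for convenience (the emperor running as root, sockets opened with mode 666, which lets any local account talk to the keystone workers without going through nginx) and cross-checks that every nginx uwsgi_pass socket is actually served by a vassal. The sample inputs are constructed, with main.ini deliberately given mode 660 and a mistyped socket path; the function names are assumptions.

```python
import configparser
import re

# Constructed inputs modelled on this page's configs; main.ini carries a
# deliberately mistyped socket path and mode 660 to show both checks.
EMPEROR = "[uwsgi]\nuid = root\ngid = root\nemperor = /etc/uwsgi.d\n"
VASSALS = {
    "admin.ini": "[uwsgi]\nchmod-socket = 666\nsocket = /run/uwsgi/keystone-admin.sock\n",
    "main.ini": "[uwsgi]\nchmod-socket = 660\nsocket = /run/uwsgi/keystone-mainsock\n",
}
NGINX = """
server { listen *:35357; location / { uwsgi_pass unix:///run/uwsgi/keystone-admin.sock; } }
server { listen *:5000;  location / { uwsgi_pass unix:///run/uwsgi/keystone-main.sock; } }
"""

def uwsgi_options(text):
    """Return the [uwsgi] section of an ini file as a dict."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    return dict(parser["uwsgi"]) if parser.has_section("uwsgi") else {}

def nginx_sockets(text):
    """Unix socket paths from uwsgi_pass directives, with one leading slash."""
    return ["/" + p for p in re.findall(r"uwsgi_pass\s+unix:/*([^;\s]+)\s*;", text)]

def audit(emperor, vassals, nginx):
    """Return a list of human-readable findings for the three config inputs."""
    findings = []
    if uwsgi_options(emperor).get("uid") in ("root", "0"):
        findings.append("emperor: uid=root, vassals without their own uid run as root")
    served = set()
    for name, text in sorted(vassals.items()):
        opts = uwsgi_options(text)
        served.add(opts.get("socket"))
        mode = int(opts.get("chmod-socket", "0"), 8)
        if mode & 0o002:  # "other" write bit: any local user may connect
            findings.append(f"{name}: socket mode {mode:o} is world-writable")
    for path in nginx_sockets(nginx):
        if path not in served:
            findings.append(f"nginx: {path} has no matching vassal socket")
    return findings

if __name__ == "__main__":
    for line in audit(EMPEROR, VASSALS, NGINX):
        print(line)
```

On a real host, read /etc/uwsgi.ini, the files under /etc/uwsgi.d and the nginx site file into the three arguments instead of the constructed strings.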
Final step: start the nginx and uwsgi services and verify
$: systemctl restart nginx
$: systemctl restart uwsgi
$: keystone user-list
+----------------------------------+---------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+---------+---------+-------------------+
| |
| |
+----------------------------------+---------+---------+-------------------+