[openstack-dev] Apache2 vs uWSGI vs ...
Morgan Fainberg
morgan.fainberg at gmail.com
Fri Sep 25 16:47:47 UTC 2015
There is no reason why the wsgi app container matters. This is simply a "we should document use of uwsgi and/or gunicorn as an alternative to mod_wsgi". If one solution is better for the gate it will be used there, and each deployment will make the determination of what they want to use. Adam's point remains regardless of what wsgi solution is used.
> On Sep 25, 2015, at 09:23, Adam Young <ayoung at redhat.com> wrote:
>
>> On 09/25/2015 07:09 AM, Sergii Golovatiuk wrote:
>> Hi,
>>
>> Morgan gave the perfect case why operators want to use uWSGI. Let's imagine a future when all openstack services will work as mod_wsgi processes under apache. It's like putting all eggs in one basket. If you need to reconfigure one service on a controller it may affect another service. For instance, sometimes operators need to increase the number of threads/processes for wsgi or add a new virtual host to apache. That will require a graceful or cold restart of apache. It affects other services. Another case is internal problems in mod_wsgi that may lead to an apache crash affecting all services.
>>
>> The uWSGI/gunicorn model is safer as in this case apache is a reverse proxy only. This model gives flexibility to operators. They may use apache/nginx as a proxy or load balancer. A stop or crash of one service won't lead to downtime of other services. OpenStack management will be easier and friendlier.
>
> There are some fallacies here:
>
> 1. OpenStack services should all be on the same machine.
> 2. OpenStack web services should run on ports other than 443.
>
> I think both of these are ideas whose time has come and gone.
>
> If you have a single machine, run them out of separate containers. That allows different services to work with different versions of the libraries. It lets you mix a newer Keystone with older everything else.
>
Often the APIs are deployed on a common set of nodes.
> If everything is on port 443, you need a single web server at the front end to multiplex it; uWSGI or any other one does not obviate that.
>
++
>
> There are no good ports left in /etc/services; stop trying to reserve new ones for the web. If you need to run on a web service, you need to be able to get through firewalls. You need to run on standard ports. Run on 443.
>
> Keystone again is a great example of this: it has two ports: 5000 and 35357.
>
> port 5000 in /etc/services is
>
> commplex-main 5000/tcp
>
> and port 35357 is smack dab in the middle of the ephemeral range.
>
This is a disconnect between Linux and IANA. IANA has said 35357 is not ephemeral; Linux defaults say it is.
>
> Again, so long as the web server supports the cryptographic secure mechanisms, I don't care which one you choose. But the idea of us going to Keystone and getting a bearer token as the basis for security is immature; we should be doing the following on every call:
>
> 1. TLS
> 2. Cryptographic authentication.
>
>
> They can be together or split up.
>
> So, let's get everything running inside Apache, and, at the same time, push our other favorite web servers to support the necessary pieces to make OpenStack and the Web secure.
>
++. We should do this and also document alternatives for wsgi, which has no impact on this goal. Let's try and keep focused on the different initiatives and not cross the reasons for them.
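The Linux-vs-IANA port disconnect raised above is easy to check on a host. The script below is an added example and is not code from the thread or from any OpenStack project; it reads the kernel's net.ipv4.ip_local_port_range (falling back to the usual Linux default of 32768-60999 when /proc is unavailable), compares each configured listening port against that range and against the IANA dynamic range (49152-65535), and emits the net.ipv4.ip_local_reserved_ports sysctl line that keeps the kernel from handing a colliding port to an outbound connection. The service map (Keystone's historical 5000 and 35357, plus 443) is constructed for the example.

```python
"""Check listening ports against the local and IANA ephemeral port ranges.

Added example, not from the original thread.  35357 is an IANA-registered
port, but the default Linux ip_local_port_range still covers it, so an
outbound connection may grab it before the service binds.
"""

# IANA "dynamic/private" port range.
IANA_EPHEMERAL = (49152, 65535)

# Default net.ipv4.ip_local_port_range on current Linux kernels
# (older kernels use 32768-61000); used when /proc cannot be read.
LINUX_DEFAULT_EPHEMERAL = (32768, 60999)

PROC_PATH = "/proc/sys/net/ipv4/ip_local_port_range"


def parse_port_range(text):
    """Parse sysctl output of the form '32768\\t60999\\n' into (low, high)."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected two integers, got %r" % text)
    low, high = int(parts[0]), int(parts[1])
    if not (0 < low <= high <= 65535):
        raise ValueError("invalid range %d-%d" % (low, high))
    return low, high


def local_ephemeral_range(proc_path=PROC_PATH):
    """Read the kernel's configured range, falling back to the Linux default."""
    try:
        with open(proc_path) as fh:
            return parse_port_range(fh.read())
    except (OSError, ValueError):
        return LINUX_DEFAULT_EPHEMERAL


def in_range(port, rng):
    low, high = rng
    return low <= port <= high


def check_port(port, local_range=LINUX_DEFAULT_EPHEMERAL):
    """Classify one listening port against both ranges."""
    return {
        "port": port,
        "iana_ephemeral": in_range(port, IANA_EPHEMERAL),
        "local_ephemeral": in_range(port, local_range),
        "privileged": port < 1024,
    }


def colliding_services(services, local_range=LINUX_DEFAULT_EPHEMERAL):
    """Names of services whose port lies inside the local ephemeral range."""
    return sorted(name for name, port in services.items()
                  if in_range(port, local_range))


def reserved_ports_sysctl(services, local_range=LINUX_DEFAULT_EPHEMERAL):
    """sysctl line that excludes colliding ports from ephemeral allocation."""
    ports = sorted({port for port in services.values()
                    if in_range(port, local_range)})
    return "net.ipv4.ip_local_reserved_ports=" + ",".join(str(p) for p in ports)


if __name__ == "__main__":
    # Constructed service map: historical Keystone ports plus HTTPS.
    SERVICES = {"keystone-public": 5000, "keystone-admin": 35357, "https": 443}
    rng = local_ephemeral_range()
    print("local ephemeral range: %d-%d" % rng)
    for name, port in SERVICES.items():
        print(name, check_port(port, rng))
    print("collisions:", colliding_services(SERVICES, rng))
    print(reserved_ports_sysctl(SERVICES, rng))
```

With the default range, only keystone-admin collides; putting everything behind one listener on 443, as Adam suggests, removes the question entirely, while the reserved-ports sysctl is the stopgap for hosts that still expose 35357 directly.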