[Openstack] Quantum and HTTPD

Dan Wendlandt dan at nicira.com
Thu Apr 12 17:32:26 UTC 2012


On Thu, Apr 12, 2012 at 10:16 AM, Adam Young <ayoung at redhat.com> wrote:

>  On 04/12/2012 01:05 PM, Dan Wendlandt wrote:
>
> Hi Adam, cool stuff!
>
>  Thanks for reporting the issues.  I'm in favor of both changes your
> suggest.  Any interest on working on the openstack common stuff?  More
> details inline.
>
>
> I'll probably help out with common stuff across the board, especially WRT
> to running in HTTPD and PKI/Cert issues come up.  My sorter term goal is to
> harden an Essex deploy so that it can be used in places where the policies
> dictate SSL for all communications.
>
> Thanks for validating what I saw.  Nice to know I don't have to beat my
> head against it for too long.
>
> Any idea how mature the SSL support is that Quantum is using right now?
>

I do not.  I don't know of any deployments using it right now.  Its likely
that we just have whatever code "came along for the ride" when the web
framework was borrowed from nova/glance.  Salvatore might know, as he did a
lot of the heavy lifting on the Quantum API side.

Dan



>
>
>
>  Dan
>
> On Thu, Apr 12, 2012 at 8:26 AM, Adam Young <ayoung at redhat.com> wrote:
>
>>
>> from paste.deploy.loadwsgi  import loadapp
>> application = loadapp('config:/etc/quantum/quantum.conf', 'quantum')
>>
>> But it fails due to issues finding the plugins (error log at the end of
>> the message). It deploys cleanly once I made the following changes to
>> quantum.
>>
>> --- a/quantum/extensions/extensions.py
>> +++ b/quantum/extensions/extensions.py
>> @@ -538,8 +538,9 @@ class ResourceExtension(object):
>>  # Returns the extention paths from a config entry and the __path__
>>  # of quantum.extensions
>>  def get_extensions_path(config=None):
>> -    paths = ':'.join(quantum.extensions.__path__)
>> -    if config:
>> -        paths = ':'.join([config.get('api_extensions_path', ''), paths])
>> +#    paths = ':'.join(quantum.extensions.__path__)
>> +    paths = "*/etc/quantum/plugins/*"
>> +#    if config:
>> +#        paths = ':'.join([config.get('api_extensions_path', ''),
>> paths])
>>
>>      return paths
>>
>> Without this, there is a spurious error message due to the leading ':'
>> which puts a blank first element to the path.  It also fails to find the
>> extensions path regardless of values put into config files etc.  It is this
>> last issue which leads me to highly suggest we push Quantum to get on the
>> openstack-common bandwagon,  as its Config file processing is confusing
>> and,  I think, broken for the general case.
>>
>
>  I'm a big proponent of using openstack common as much as possible in
> Quantum.  Much of this existing code was ripped from nova/glance/etc. and
> is probably now out of date.  I created a page in the wiki identifying
> areas in quantum that are ripe for using openstack-common:
> http://wiki.openstack.org/QuantumOpenstackCommon .  Config if right at
> the top :)
>
>
>
>>
>> The other issue which leads me to suspect this approach won't work is the
>> fact that the quantum command line client accepts a hostname and a port,
>> but not an URL.  So,  while we could deploy quantum behind HTTPD and port
>> 443,  it would basically be the root of the HTTP directory,  and we
>> wouldn't be able to share the HTTPD instance.  We couldn't do
>>
>> https://hostname/quantum
>>
>> and put it next to
>>
>> https://hostname/keystone
>>
>>
>> Again, not without a code change.
>>
>> Finally,  there seems to be some support for SSL in Quantum.  I note that
>> the quantum client has   the option
>>
>> -s, --ssl             use ssl
>>
>> which leads me to believe that it has been at least attempted.  It may be
>> that the quantum server would not be severely impacted by the overhead of
>> SSL in Python.
>>
>
>  The quantum client is going to get a complete re-write in Folsom, as
> this is one of our key community projects listed on the wiki:
> http://wiki.openstack.org/QuantumStarterBugs
>
>  This new client will match other openstack clients in terms of options,
> etc.  This should mean that you can specify the endpoint as a URL, which
> should take care of both the SSL and the non-root issues, if I'm
> understanding you correctly.
>
>  Jason Koelker will be leading a session in the Quantum track on
> redesigning the client, if folks are interested in helping out.
>
>
>
>
>>
>>
>>
>> Here's the HTTP error log if I don't make the above change:
>>
>>
>> [Thu Apr 12 11:21:13 2012] [info] Initial (No.1) HTTPS request received
>> for chil
>> d 7 (server ayoungstack.bos.redhat.com:443)
>> [Thu Apr 12 11:21:13 2012] [info] [client 10.16.187.36] mod_wsgi
>> (pid=8747, proc
>> ess='', application='ayoungstack.bos.redhat.com|/quantum/api'): Loading
>> WSGI scr
>> ipt '/var/www/cgi-bin/quantum/api'.
>> [Thu Apr 12 11:21:13 2012] [error]
>> ERROR:quantum.extensions.extensions:Extension
>>  path "/etc/quantum/extension" doesn't exist!
>> [Thu Apr 12 11:21:13 2012] [error]
>> WARNING:quantum.extensions.extensions:extensi
>> on file portstats.py wasnt loaded due to cannot import name extensions
>> [Thu Apr 12 11:21:13 2012] [error]
>> WARNING:quantum.extensions.extensions:extensi
>> on Cisco Nova Tenant not supported by plugin
>> <quantum.plugins.openvswitch.ovs_qu
>> antum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450>
>> [Thu Apr 12 11:21:13 2012] [error]
>> WARNING:quantum.extensions.extensions:extensi
>> on Cisco Port Profile not supported by plugin
>> <quantum.plugins.openvswitch.ovs_q
>> uantum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450>
>> [Thu Apr 12 11:21:13 2012] [error]
>> WARNING:quantum.extensions.extensions:extensi
>> on Cisco Multiport not supported by plugin
>> <quantum.plugins.openvswitch.ovs_quan
>> tum_plugin.OVSQuantumPlugin object at 0x7f1fae80e450>
>> [Thu Apr 12 11:21:13 2012] [error]
>> WARNING:quantum.extensions.extensions:Did not
>>  find expected name "Extensions" in
>> /opt/stack/quantum/quantum/extensions/extens
>> ions.py
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack at lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
>  --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Dan Wendlandt
> Nicira, Inc: www.nicira.com
> twitter: danwendlandt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20120412/35d02c9a/attachment.html>


More information about the Openstack mailing list