Jason Gerard DeRose wrote:
> This patch completes the transition to running under mod_wsgi. It
> requires my previous "049 Consolidate to single WSGI entry point" patch.
>
> This is pretty straightforward, but a few things need highlighting:
>
> 1. mod_wsgi requires an entry point script (you can't give it a Python
> package name like we were doing with mod_python). Based on my reading
> of the Filesystem Hierarchy Standard, it seems this should be in
> share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py.
> I was expecting this to cause SELinux problems, but things seem to work
> fine.
>
> 2. We are running mod_wsgi in daemon mode, which is the preferred way of
> deploying it. The mod_wsgi daemon has both multi-process and
> multi-threading capabilities. As we haven't actually used threaded code
> much in IPA thus far (although lite-server.py is threaded), for now I
> have the daemon running 2 processes and 1 thread (aka it's not
> threaded). For production I think we probably should run something like
> 4 processes and 8 threads per process. This can be a later change (just
> requires a change in our ipa.conf Apache config file).
>
> 3. As ipaserver is now running inside the mod_wsgi daemon, we can
> change from using the Apache "prefork" MPM to using "worker", which is
> far superior for static content. I haven't changed this yet, but we
> should put this on our TODO.
>
> I pretty much had this patch all done last Friday, but I've let things
> slow-roast for several days to make sure it's stable. I feel confident
> that this is a low risk change. All the same, I think we should get
> this pushed as soon as possible so we can shake out any remaining
> issues.

I'm going to go ahead and ack this if you fix one thing before you push.
In ipa.spec.in you need to change:
-%{_usr}/share/ipa/wsgi.py
+%{_usr}/share/ipa/wsgi.py*
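Review bot: on the `+` line, the glob `%{_usr}/share/ipa/wsgi.py*` matches every file in share/ipa whose name begins with wsgi.py, so anything left beside the script at build time (for example an editor backup or a patch reject) would be packaged as well. If the wildcard is only there to pick up the byte-compiled copies of the script, listing those file names explicitly in the %files section keeps the package contents predictable.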
I don't think we need the Location entries at the top of ipa.conf
setting no handler. It worked ok for me without them, the similar
setting in the Directory should take care of things. More testing is
probably needed.

This doesn't work on my F-11 box, I think primarily because
/var/run/httpd/ has the wrong permissions. I'll investigate fixing this
up but since F-11 won't be supported for a whole lot longer I'm not
going to worry about this too much. I'll fix this in a follow-up patch.
rob