Re: [Freeipa-devel] [PATCH] jderose 050 Run ipaserver under mod_wsgi
On Mon, 2010-03-01 at 14:56 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > This patch completes the transition to running under mod_wsgi. It
> > requires my previous "049 Consolidate to single WSGI entry point" patch.
> >
> > This is pretty straightforward, but a few things need highlighting:
> >
> > 1. mod_wsgi requires an entry point script (you can't give it a Python
> > package name like we were doing with mod_python). Based on my reading
> > of the Filesystem Hierarchy Standard, it seems this should be in
> > share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py.
> > I was expecting this to cause SELinux problems, but things seem to work
> > fine.
> >
> > 2. We are running mod_wsgi in daemon mode, which is the preferred way of
> > deploying it. The mod_wsgi daemon has both multi-process and
> > multi-threading capabilities. As we haven't actually used threaded code
> > much in IPA thus far (although lite-server.py is threaded), for now I
> > have the daemon running 2 processes and 1 thread (aka it's not
> > threaded). For production I think we probably should run something like
> > 4 processes and 8 threads per process. This can be a later change (just
> > requires a change in our ipa.conf Apache config file).
> >
> > 3. As ipaserver is now running inside the mod_wsgi daemon, we can
> > change from using the Apache "prefork" MPM to using "worker", which is
> > far superior for static content. I haven't changed this yet, but we
> > should put this on our TODO.
> >
> > I pretty much had this patch all done last Friday, but I've let things
> > slow-roast for several days to make sure it's stable. I feel confident
> > that this is a low risk change. All the same, I think we should get
> > this pushed as soon as possible so we can shake out any remaining
> > issues.
>
> I'm going to go ahead and ack this if you fix one thing before you push.
>
> In ipa.spec.in you need to change:
> -%{_usr}/share/ipa/wsgi.py
> +%{_usr}/share/ipa/wsgi.py*

Pushed to master, along with my 051 patch making the changes you asked for.

> I don't think we need the Location entries at the top of ipa.conf
> setting no handler. It worked ok for me without them, the similar
> setting in the Directory should take care of things. More testing is
> probably needed.

In my testing, the Location tag with "Handler none" was the only way I
could prevent the WSGI handler from gobbling up these URIs. I think this
is because of the order in which Directory and Location are applied.

> This doesn't work on my F-11 box, I think primarily because
> /var/run/httpd/ has the wrong permissions. I'll investigate fixing this
> up but since F-11 won't be supported for a whole lot longer I'm not
> going to worry about this too much. I'll fix this in a follow-up patch.
>
> rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] jderose 050 Run ipaserver under mod_wsgi
Jason Gerard DeRose wrote:
> This patch completes the transition to running under mod_wsgi. It
> requires my previous "049 Consolidate to single WSGI entry point" patch.
>
> This is pretty straightforward, but a few things need highlighting:
>
> 1. mod_wsgi requires an entry point script (you can't give it a Python
> package name like we were doing with mod_python). Based on my reading
> of the Filesystem Hierarchy Standard, it seems this should be in
> share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py.
> I was expecting this to cause SELinux problems, but things seem to work
> fine.
>
> 2. We are running mod_wsgi in daemon mode, which is the preferred way of
> deploying it. The mod_wsgi daemon has both multi-process and
> multi-threading capabilities. As we haven't actually used threaded code
> much in IPA thus far (although lite-server.py is threaded), for now I
> have the daemon running 2 processes and 1 thread (aka it's not
> threaded). For production I think we probably should run something like
> 4 processes and 8 threads per process. This can be a later change (just
> requires a change in our ipa.conf Apache config file).
>
> 3. As ipaserver is now running inside the mod_wsgi daemon, we can
> change from using the Apache "prefork" MPM to using "worker", which is
> far superior for static content. I haven't changed this yet, but we
> should put this on our TODO.
>
> I pretty much had this patch all done last Friday, but I've let things
> slow-roast for several days to make sure it's stable. I feel confident
> that this is a low risk change. All the same, I think we should get
> this pushed as soon as possible so we can shake out any remaining
> issues.

I'm going to go ahead and ack this if you fix one thing before you push.

In ipa.spec.in you need to change:
-%{_usr}/share/ipa/wsgi.py
+%{_usr}/share/ipa/wsgi.py*

I don't think we need the Location entries at the top of ipa.conf
setting no handler. It worked ok for me without them, the similar
setting in the Directory should take care of things. More testing is
probably needed.

This doesn't work on my F-11 box, I think primarily because
/var/run/httpd/ has the wrong permissions. I'll investigate fixing this
up but since F-11 won't be supported for a whole lot longer I'm not
going to worry about this too much. I'll fix this in a follow-up patch.

rob
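The entry-point contract that point 1 refers to (mod_wsgi imports one script and calls its `application` object), together with what the Kerberos-protected `<Location /ipa>` leaves in the WSGI environ for the application to act on, as an added example. This is not FreeIPA's /usr/share/ipa/wsgi.py and not the project's ipaserver code; the environ keys are the standard ones mod_wsgi and mod_auth_kerb set, while the values, the `/json` and `/xml` endpoint behaviour, the `call` driver and the request counter are constructed for illustration.

```python
"""Minimal mod_wsgi entry point, added to illustrate the thread (not FreeIPA's
/usr/share/ipa/wsgi.py).  mod_wsgi imports this file once per daemon process
and calls `application` for every request WSGIScriptAlias /ipa routes to it."""
import json
import threading

# Constructed sample environ: the keys are what Apache/mod_wsgi and
# mod_auth_kerb (Require valid-user + KrbSaveCredentials on) set for a request
# that passed the /ipa Location; the values are made up for this example.
SAMPLE_AUTHED_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "SCRIPT_NAME": "/ipa",        # from WSGIScriptAlias, not PythonOption SCRIPT_NAME
    "PATH_INFO": "/json",         # part of the URL after the alias prefix
    "REMOTE_USER": "admin@EXAMPLE.TEST",
    "KRB5CCNAME": "FILE:/tmp/krb5cc_apache_example",   # constructed path
}

# Module-level state is per daemon process.  With `threads=1` (the patch's
# setting) the lock is redundant; it is here because the cover letter plans
# `threads=8`, at which point every shared mutable object needs one.
_request_count = 0
_count_lock = threading.Lock()


def _respond(start_response, status, payload):
    """Serialise one JSON reply through the WSGI start_response callback."""
    body = json.dumps(payload).encode("utf-8")
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def application(environ, start_response):
    """WSGI callable: the single entry point mod_wsgi expects."""
    global _request_count
    with _count_lock:
        _request_count += 1

    # Defence in depth: Kerberos is enforced by the Apache Location block, but
    # a Location/Directory merge mistake (the kind the thread discusses) could
    # route an unauthenticated URI here, so refuse anything without a principal
    # and a saved credential cache rather than trust the front end blindly.
    principal = environ.get("REMOTE_USER")
    ccache = environ.get("KRB5CCNAME")
    if not principal or not ccache:
        return _respond(start_response, "401 Unauthorized",
                        {"error": "Kerberos authentication required"})

    path = environ.get("PATH_INFO") or "/"
    if path == "/json":
        return _respond(start_response, "200 OK",
                        {"principal": principal, "ccache": ccache,
                         "script_name": environ.get("SCRIPT_NAME", "")})
    if path == "/xml":
        # A real server would dispatch to its XML-RPC handler here.
        return _respond(start_response, "200 OK",
                        {"principal": principal, "rpc": "xml"})
    return _respond(start_response, "404 Not Found",
                    {"error": "unknown endpoint", "path": path})


def call(environ):
    """Drive `application` the way mod_wsgi does; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(application(environ, start_response)).decode("utf-8")
    return captured["status"], dict(captured["headers"]), json.loads(body)


def request_count():
    """Requests served by this process (one counter per daemon process)."""
    return _request_count


if __name__ == "__main__":
    print(call(SAMPLE_AUTHED_ENVIRON))
    print(call(dict(SAMPLE_AUTHED_ENVIRON, REMOTE_USER="")))
```

Running it stand-alone shows the two outcomes the Apache config is meant to produce: a request carrying REMOTE_USER and KRB5CCNAME is answered, one without them gets a 401 even though it reached the application. Because Location and Directory merge in a defined order that is easy to get wrong, the in-application check is what turns a misrouted URI into a denied request instead of an unauthenticated RPC call.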
[Freeipa-devel] [PATCH] jderose 050 Run ipaserver under mod_wsgi
This patch completes the transition to running under mod_wsgi. It
requires my previous "049 Consolidate to single WSGI entry point" patch.

This is pretty straightforward, but a few things need highlighting:

1. mod_wsgi requires an entry point script (you can't give it a Python
package name like we were doing with mod_python). Based on my reading
of the Filesystem Hierarchy Standard, it seems this should be in
share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py.
I was expecting this to cause SELinux problems, but things seem to work
fine.

2. We are running mod_wsgi in daemon mode, which is the preferred way of
deploying it. The mod_wsgi daemon has both multi-process and
multi-threading capabilities. As we haven't actually used threaded code
much in IPA thus far (although lite-server.py is threaded), for now I
have the daemon running 2 processes and 1 thread (aka it's not
threaded). For production I think we probably should run something like
4 processes and 8 threads per process. This can be a later change (just
requires a change in our ipa.conf Apache config file).

3. As ipaserver is now running inside the mod_wsgi daemon, we can
change from using the Apache "prefork" MPM to using "worker", which is
far superior for static content. I haven't changed this yet, but we
should put this on our TODO.

I pretty much had this patch all done last Friday, but I've let things
slow-roast for several days to make sure it's stable. I feel confident
that this is a low risk change. All the same, I think we should get
this pushed as soon as possible so we can shake out any remaining
issues.

From dca4ee9920b8e9f323847486a5e80b0168d87b8a Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose Date: Wed, 24 Feb 2010 11:29:23 -0700 Subject: [PATCH] Run ipaserver under mod_wsgi --- install/conf/ipa.conf | 103 +-- install/share/Makefile.am |1 + install/share/wsgi.py | 13 +++ ipa.spec.in |5 + ipaserver/__init__.py | 206 - 5 files changed, 59 insertions(+), 269 deletions(-) create mode 100644 install/share/wsgi.py diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index f5987fb..dba47c5 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -4,7 +4,6 @@ # LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off -PythonImport ipaserver main_interpreter # ipa-rewrite.conf is loaded separately 
@@ -12,79 +11,47 @@ PythonImport ipaserver main_interpreter AddType application/java-archivejar +# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package +# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf: +WSGISocketPrefix /var/run/httpd/wsgi - - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /ipa/errors/unauthorized.html - - SetHandler python-program - PythonInterpreter main_interpreter - PythonHandler ipaserver::handler - PythonDebug Off - PythonOption SCRIPT_NAME /ipa - PythonAutoReload Off - - - -# -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::xmlrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/xml -# PythonAutoReload Off -# - -# -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::jsonrpc -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/json -# PythonAutoReload Off -# - -# -# SetHandler python-program -# PythonInterpreter main_interpreter -# PythonHandler ipaserver::webui -# PythonDebug Off -# PythonOption SCRIPT_NAME /ipa/ui -# PythonAutoReload Off -# -Alias /ipa-assets/ "/var/cache/ipa/assets/" - - Allow from all - AllowOverride None - # add Indexes to Options to allow browsing - Options FollowSymLinks - ExpiresActive On - ExpiresDefault A31536000 - +# Configure mod_wsgi handler for /ipa +WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 +WSGIProcessGroup ipa +WSGIApplicationGroup ipa +WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa +WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py +WSGIScriptReloading Off +# Turn off mod_msgi handler for errors, config, crl: SetHandler None - SetHandler None - SetHandler None +# Protect /ipa with Kerberos + + AuthType Kerberos + AuthName "Kerberos 
Login" + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbServiceName HTTP + KrbAuthRealms $REALM + Krb5KeyTab /etc/httpd/conf/ipa.keytab + KrbSaveCredentials on + Require valid-user + ErrorDocument 401 /ipa/errors/unauthorized.html + + + # This is where we redirect on failed auth Alias /ipa/errors "/usr/share/ipa/html" @@ -102,7 +69,6 @@ Alias /ipa/config "/usr/share/ipa/html" # For CRL publishing Alia
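Review bot: typo in the new comment in the ipa.conf hunk, `# Turn off mod_msgi handler for errors, config, crl:` should read `mod_wsgi`; while there, the three `SetHandler None` entries that follow are exactly the Location overrides questioned in review, so a one-line comment saying why they are needed despite the Directory setting (Location is merged after Directory, so the WSGIScriptAlias would otherwise win) would save the next reader the same experiment.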
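Review bot: `WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500` gives no `user=`/`group=`, so the daemon processes inherit the Apache user; that is what lets them read the credential cache that `KrbSaveCredentials on` makes mod_auth_kerb write for the request, but it is implicit. Please state it in a comment next to the directive, and add a note that `threads` must stay at 1 until the code behind the single entry point has been checked for shared mutable state, since the cover letter already plans to raise it to 8.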
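Review bot: in the `# Protect /ipa with Kerberos` Location, `ErrorDocument 401 /ipa/errors/unauthorized.html` points inside the prefix that now carries `Require valid-user`, and the hunk as shown only excludes /ipa/errors from the WSGI handler (`SetHandler None`), not from the auth requirement. Please confirm the truncated part of the file relaxes authentication for /ipa/errors (and /ipa/config, /ipa/crl), otherwise an unauthenticated client is redirected to an error page it cannot fetch.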
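Review bot: the FIXME above `WSGISocketPrefix /var/run/httpd/wsgi` says the directive belongs in mod_wsgi's own conf.d file; until it moves, document the requirement it introduces, namely that the Apache child processes must be able to create and connect to sockets under that prefix. That is the likely cause of the /var/run/httpd permission failure reported on F-11 in this thread, and since the directive is server scope, a second conf file setting it later would conflict with this one.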