Source code for ironic.common.wsgi_service

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import os
import threading

from cheroot.ssl import builtin as cheroot_ssl
from cheroot import wsgi
from oslo_concurrency import processutils
from oslo_log import log as logging
from oslo_service import service
from oslo_service import sslutils

from ironic.api import app
from ironic.common import exception
from ironic.common.i18n import _
from ironic.common import utils
from ironic.conf import CONF


LOG = logging.getLogger(__name__)
_MAX_DEFAULT_WORKERS = 4




[docs]
def validate_cert_paths(cert_file, key_file):
    if cert_file and not os.path.exists(cert_file):
        raise RuntimeError(_("Unable to find cert_file: %s") % cert_file)
    if key_file and not os.path.exists(key_file):
        raise RuntimeError(_("Unable to find key_file: %s") % key_file)

    if not cert_file or not key_file:
        raise RuntimeError(_("When running server in SSL mode, you must "
                             "specify a valid cert_file and key_file "
                             "paths in your configuration file"))






[docs]
class BaseWSGIService(service.ServiceBase):

    def __init__(self, name, app, conf, use_ssl=None):
        """Initialize, but do not start the WSGI server.

        :param name: The name of the WSGI server given to the loader.
        :param app: WSGI application to run.
        :param conf: Object to load configuration from.
        :param use_ssl: Whether to use TLS on the socker.
        :returns: None
        """
        self.name = name
        self._conf = conf
        if use_ssl is None:
            use_ssl = conf.use_ssl

        socket_mode = None
        bind_addr = (conf.host_ip, conf.port)
        if conf.unix_socket:
            utils.unlink_without_raise(conf.unix_socket)
            bind_addr = conf.unix_socket
            socket_mode = conf.unix_socket_mode

        self.server = wsgi.Server(
            bind_addr=bind_addr,
            wsgi_app=app,
            server_name=name)

        if use_ssl:
            cert_file = getattr(conf, "cert_file", None)
            key_file = getattr(conf, "key_file", None)

            if not (cert_file and key_file):
                LOG.warning(
                    "Falling back to deprecated [ssl] group for TLS "
                    "credentials: the global [ssl] configuration block is "
                    "deprecated and will be removed in 2026.1"
                )

                # Register global SSL config options and validate the
                # existence of configured certificate/private key file paths,
                # when in secure mode.
                sslutils.is_enabled(CONF)
                cert_file = CONF.ssl.cert_file
                key_file = CONF.ssl.key_file

            validate_cert_paths(cert_file, key_file)

            self.server.ssl_adapter = cheroot_ssl.BuiltinSSLAdapter(
                certificate=cert_file,
                private_key=key_file,
            )

        self._unix_socket = conf.unix_socket
        self._socket_mode = socket_mode
        self._thread = None



[docs]
    def start(self):
        """Start serving this service using loaded configuration.

        :returns: None
        """
        self.server.prepare()

        if self._unix_socket and self._socket_mode is not None:
            os.chmod(self._unix_socket, self._socket_mode)

        self._thread = threading.Thread(
            target=self.server.serve,
            daemon=True
        )

        self._thread.start()





[docs]
    def stop(self):
        """Stop serving this API.

        :returns: None
        """
        if self.server:
            self.server.stop()
            if self._thread:
                self._thread.join(timeout=2)

        if self._unix_socket:
            utils.unlink_without_raise(self._unix_socket)





[docs]
    def wait(self):
        """Wait for the service to stop serving this API.

        :returns: None
        """
        if self._thread:
            self._thread.join()





[docs]
    def reset(self):
        """No server greenpools to resize."""
        pass








[docs]
class WSGIService(BaseWSGIService):
    """Provides ability to launch ironic API from wsgi app."""

    def __init__(self, name, use_ssl=False):
        """Initialize, but do not start the WSGI server.

        :param name: The name of the WSGI server given to the loader.
        :param use_ssl: Wraps the socket in an SSL context if True.
        :returns: None
        """
        self.app = app.VersionSelectorApplication()
        self.workers = (
            CONF.api.api_workers
            # NOTE(dtantsur): each worker takes a substantial amount of memory,
            # so we don't want to end up with dozens of them.
            or min(processutils.get_worker_count(), _MAX_DEFAULT_WORKERS)
        )
        if self.workers and self.workers < 1:
            raise exception.ConfigInvalid(
                _("api_workers value of %d is invalid, "
                  "must be greater than 0.") % self.workers)

        super().__init__(name, self.app, CONF.api, use_ssl=use_ssl)