Source code for ironic.common.wsgi_service
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
import threading
from cheroot.ssl import builtin as cheroot_ssl
from cheroot import wsgi
from oslo_concurrency import processutils
from oslo_log import log as logging
from oslo_service import service
from oslo_service import sslutils
from ironic.api import app
from ironic.common import exception
from ironic.common.i18n import _
from ironic.common import utils
from ironic.conf import CONF
LOG = logging.getLogger(__name__)
_MAX_DEFAULT_WORKERS = 4
[docs]
def validate_cert_paths(cert_file, key_file):
if cert_file and not os.path.exists(cert_file):
raise RuntimeError(_("Unable to find cert_file: %s") % cert_file)
if key_file and not os.path.exists(key_file):
raise RuntimeError(_("Unable to find key_file: %s") % key_file)
if not cert_file or not key_file:
raise RuntimeError(_("When running server in SSL mode, you must "
"specify a valid cert_file and key_file "
"paths in your configuration file"))
[docs]
class BaseWSGIService(service.ServiceBase):
def __init__(self, name, app, conf, use_ssl=None):
"""Initialize, but do not start the WSGI server.
:param name: The name of the WSGI server given to the loader.
:param app: WSGI application to run.
:param conf: Object to load configuration from.
:param use_ssl: Whether to use TLS on the socker.
:returns: None
"""
self.name = name
self._conf = conf
if use_ssl is None:
use_ssl = conf.use_ssl
socket_mode = None
bind_addr = (conf.host_ip, conf.port)
if conf.unix_socket:
utils.unlink_without_raise(conf.unix_socket)
bind_addr = conf.unix_socket
socket_mode = conf.unix_socket_mode
self.server = wsgi.Server(
bind_addr=bind_addr,
wsgi_app=app,
server_name=name)
if use_ssl:
cert_file = getattr(conf, "cert_file", None)
key_file = getattr(conf, "key_file", None)
if not (cert_file and key_file):
LOG.warning(
"Falling back to deprecated [ssl] group for TLS "
"credentials: the global [ssl] configuration block is "
"deprecated and will be removed in 2026.1"
)
# Register global SSL config options and validate the
# existence of configured certificate/private key file paths,
# when in secure mode.
sslutils.is_enabled(CONF)
cert_file = CONF.ssl.cert_file
key_file = CONF.ssl.key_file
validate_cert_paths(cert_file, key_file)
self.server.ssl_adapter = cheroot_ssl.BuiltinSSLAdapter(
certificate=cert_file,
private_key=key_file,
)
self._unix_socket = conf.unix_socket
self._socket_mode = socket_mode
self._thread = None
[docs]
def start(self):
"""Start serving this service using loaded configuration.
:returns: None
"""
self.server.prepare()
if self._unix_socket and self._socket_mode is not None:
os.chmod(self._unix_socket, self._socket_mode)
self._thread = threading.Thread(
target=self.server.serve,
daemon=True
)
self._thread.start()
[docs]
def stop(self):
"""Stop serving this API.
:returns: None
"""
if self.server:
self.server.stop()
if self._thread:
self._thread.join(timeout=2)
if self._unix_socket:
utils.unlink_without_raise(self._unix_socket)
[docs]
def wait(self):
"""Wait for the service to stop serving this API.
:returns: None
"""
if self._thread:
self._thread.join()
[docs]
def reset(self):
"""No server greenpools to resize."""
pass
[docs]
class WSGIService(BaseWSGIService):
"""Provides ability to launch ironic API from wsgi app."""
def __init__(self, name, use_ssl=False):
"""Initialize, but do not start the WSGI server.
:param name: The name of the WSGI server given to the loader.
:param use_ssl: Wraps the socket in an SSL context if True.
:returns: None
"""
self.app = app.VersionSelectorApplication()
self.workers = (
CONF.api.api_workers
# NOTE(dtantsur): each worker takes a substantial amount of memory,
# so we don't want to end up with dozens of them.
or min(processutils.get_worker_count(), _MAX_DEFAULT_WORKERS)
)
if self.workers and self.workers < 1:
raise exception.ConfigInvalid(
_("api_workers value of %d is invalid, "
"must be greater than 0.") % self.workers)
super().__init__(name, self.app, CONF.api, use_ssl=use_ssl)