[Freeipa-devel] [PATCH] jderose 050 Run ipaserver under mod_wsgi
Jason Gerard DeRose
jderose at redhat.com
Tue Mar 2 04:59:19 UTC 2010
On Mon, 2010-03-01 at 14:56 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > This patch completes the transition to running under mod_wsgi. It
> > requires my previous "049 Consolidate to single WSGI entry point" patch.
> >
> > This is pretty strait forward, but a few things need highlighting:
> >
> > 1. mod_wsgi requires an entry point script (you can't give it a Python
> > package name like we were doing with mod_python). Based on my reading
> > of the Filesystem Hierarchy Standard, it seems this should be in
> > share/ipa, so that's what I did. The script is /usr/share/ipa/wsgi.py
> > I was expecting this to cause SELinux problems, but things seem to work
> > fine.
> >
> > 2. We are running mod_wsgi in daemon mode, which is the preferred way of
> > deploying it. The mod_wsgi daemon has both multi-process and
> > multi-threading capabilities. As we haven't actually used threaded code
> > much in IPA thus far (although lite-server.py is threaded), for now I
> > have the daemon running 2 processes and 1 thread (aka it's not
> > threaded). For production I think we probably should run something like
> > 4 processes and 8 threads per process. This can be a later change (just
> > requires a change in our ipa.conf Apache config file).
> >
> > 3. As ipaserver is now running inside the mod_wsgi daemon, we can
> > changed from using the Apache "prefork" MPM to using "worker", which is
> > far superior for static content. I haven't changed this yet, but we
> > should put this on our TODO.
> >
> > I pretty much had this patch all done last Friday, but I've let things
> > slow-roast for several days to make sure it's stable. I feel confident
> > that this is a low risk change. All the same, I think we should get
> > this pushed as soon as possible so we can shake out any remaining
> > issues.
> >
>
> I'm going to go ahead and ack this if you fix one thing before you push.
>
> In ipa.spec.in you need to change:
> -%{_usr}/share/ipa/wsgi.py
> +%{_usr}/share/ipa/wsgi.py*
pushed to master, along with my 051 patch making the changes you asked
for.
> I don't think we need the Location entries at the top of ipa.conf
> setting no handler. It worked ok for me without them, the similar
> setting in the Directory should take care of things. More testing is
> probably needed.
In my testing, the Location tag with "Handler none" was the only way I
could prevent the WSGI handler from gobbling up these URIs. I think
this is because of the order in which Directory and Location are
applied.
> This doesn't work on my F-11 box, I think primarily because
> /var/run/httpd/ has the wrong permissions. I'll investigate fixing this
> up but since F-11 won't be supported for a whole lot longer I'm not
> going to worry about this too much. I'll fix this in a follow-up patch.
>
> rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20100301/da723816/attachment.htm>
More information about the Freeipa-devel
mailing list