It's been a while since we started deploying our OpenStack services behind an Apache HTTPD server, using mod_wsgi. We started with Keystone, since it was something needed in order to get our VOMS Authentication Plugin working, but afterwards we decided to homogenize our setup and move all the services from Eventlet to Apache.

All the OpenStack services are WSGI applications, and therefore they can be moved easily from Eventlet to Apache running in prefork mode. Adam Young (one of the Keystone core developers) wrote a great article about this almost two years ago: "Keystone should move to Apache HTTPD". As you can infer from that article, there are several advantages that outweigh the configuration overhead of this setup. Namely, we switched from Eventlet to Apache for the following reasons:

  • You can use any of the authentication modules that are available for Apache and configure Keystone to use external authentication. We are using this for several modules, but the most important for us is the VOMS Authentication Plugin.
  • SSL configuration is handled by Apache and not by the OpenStack service itself. Since we are using Puppet in our deployments we only need to create a template and apply it to all of our services, instead of configuring each of the services individually.
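
As an added illustration (not the author's configuration), this is the kind of per-service virtual host such a template could render: TLS and optional client-certificate verification are handled by Apache, and the service runs as single-threaded mod_wsgi daemon processes. The host name, certificate and log paths, WSGI script path, process count and service user are placeholders; port 5000 is Keystone's usual public port.

```apache
# Added example: placeholder names and paths, not the author's deployment.
Listen 5000

<VirtualHost *:5000>
    ServerName keystone.example.org

    # TLS terminates in Apache; the OpenStack service stays a plain WSGI app.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/service.example.pem
    SSLCertificateKeyFile   /etc/ssl/private/service.example.key
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     on

    # Client certificates are requested but not required, so clients that
    # authenticate by other means still connect. Only CAs in this directory
    # are trusted for client certificates.
    SSLCACertificatePath    /etc/ssl/client-cas
    SSLVerifyClient         optional
    SSLVerifyDepth          10

    # Export the SSL_CLIENT_* variables and the PEM client certificate to the
    # request environment, where a certificate-based authentication plugin
    # running inside the WSGI application can read them.
    SSLOptions              +StdEnvVars +ExportCertData

    # One daemon process group per service, single-threaded processes.
    WSGIDaemonProcess    keystone user=keystone group=keystone processes=4 threads=1 display-name=%{GROUP}
    WSGIProcessGroup     keystone
    WSGIApplicationGroup %{GLOBAL}
    WSGIScriptAlias      / /path/to/keystone/wsgi/main

    ErrorLog  /var/log/apache2/keystone_error.log
    CustomLog /var/log/apache2/keystone_access.log combined
</VirtualHost>
```

In a template, only the server name, port, daemon process name, script path and log names need to vary per service; the TLS block stays identical, which keeps protocol and CA policy consistent across all endpoints.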

Nova configuration

Keystone configuration

Glance configuration

Cinder configuration

Ceilometer configuration