Pages

Choosing Apache mod_wsgi over Eventlet in OpenStack Kilo and Liberity

While installing OpenStack Liberty release you disable the keystone service from starting up automatically and we also see a note such as

"In Kilo and Liberty releases, the keystone project deprecates eventlet in favor of a separate web server with WSGI extensions. This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on port 5000 and 35357. By default, the keystone service still listens on ports 5000 and 35357. Therefore, this guide disables the keystone service. The keystone project plans to remove eventlet support in Mitaka."

 
The reason behind this is

Eventlet by design performs well in networked environments and handles everything in a single thread. Due to Apache's ability to do multi-threading it was better to use it as the frontend.

Keystone depends on apache/web-server modules to handle federated identity (validation of SAML and etc) and similar Single Sign On type authentication.

Eventlet has proven problematic when it comes to workloads within Keystone, notably that a number of actions cannot yield (either due to lacking in Eventlet, or that the dependent library uses C-bindings that eventlet is not able to work with).

Apache has many modules available which can be used.