Improve wsgi app loading

* move WSGI app code to main code base so it can be used with other WSGI servers that expect a Python package. * populate LDAP schema early to speed up first request by ~200ms * gc.collect() and gc.freeze() to improve memory handling and GC Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-01-04 09:24:56 +01:00
parent 931d92d353
commit 2832621512
2 changed files with 86 additions and 38 deletions
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -21,43 +21,8 @@
 #

 """
-WSGI appliction for IPA server.
+WSGI application for IPA server.
 """
-from __future__ import absolute_import
+from ipaserver.wsgi import create_application

-import logging
-import os
-import sys
-
-# Some dependencies like Dogtag's pki.client library and custodia use
-# python-requsts to make HTTPS connection. python-requests prefers
-# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
-# of python-cryptography which trigger a execmem SELinux violation
-# in the context of Apache HTTPD (httpd_execmem).
-# When requests is imported, it always tries to import pyopenssl glue
-# code from urllib3's contrib directory. The import of PyOpenSSL is
-# enough to trigger the SELinux denial.
-# Block any import of PyOpenSSL's SSL module by raising an ImportError
-sys.modules['OpenSSL.SSL'] = None
-
-from ipaplatform.paths import paths
-from ipalib import api
-
-logger = logging.getLogger(os.path.basename(__file__))
-
-api.bootstrap(context='server', confdir=paths.ETC_IPA, log=None)
-try:
-    api.finalize()
-except Exception as e:
-    logger.error('Failed to start IPA: %s', e)
-else:
-    logger.info('*** PROCESS START ***')
-
-    # This is the WSGI callable:
-    def application(environ, start_response):
-        if not environ['wsgi.multithread']:
-            return api.Backend.wsgi_dispatch(environ, start_response)
-        else:
-            logger.error("IPA does not work with the threaded MPM, "
-                         "use the pre-fork MPM")
-            raise RuntimeError('threaded MPM detected')
+application = create_application()
--- a/ipaserver/wsgi.py
+++ b/ipaserver/wsgi.py
@@ -0,0 +1,83 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+"""WSGI server application
+"""
+import gc
+import logging
+import os
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# Block any import of PyOpenSSL's SSL module by raising an ImportError
+sys.modules["OpenSSL.SSL"] = None
+
+from ipaplatform.paths import paths
+from ipalib import api
+from ipapython import ipaldap
+
+logger = logging.getLogger(os.path.basename(__file__))
+
+
+def populate_schema_cache(api=api):
+    """populate schema cache in parent process
+
+    LDAP server schema is available for anonymous binds.
+    """
+    conn = ipaldap.ldap_initialize(api.env.ldap_uri)
+    try:
+        ipaldap.schema_cache.get_schema(api.env.ldap_uri, conn)
+    except Exception as e:
+        logger.error("Failed to pre-populate LDAP schema cache: %s", e)
+    finally:
+        try:
+            conn.unbind_s()
+        except AttributeError:
+            # SimpleLDAPObject has no attribute '_l'
+            pass
+
+
+def create_application():
+    api.bootstrap(context="server", confdir=paths.ETC_IPA, log=None)
+
+    try:
+        api.finalize()
+    except Exception as e:
+        logger.error("Failed to start IPA: %s", e)
+        raise
+
+    # speed up first request to each worker by 200ms
+    populate_schema_cache()
+
+    # collect garbage and freeze all objects that are currently tracked by
+    # cyclic garbage collector. We assume that vast majority of currently
+    # loaded objects won't be removed in requests. This speeds up GC
+    # collections and improve CoW memory handling.
+    gc.collect()
+    if hasattr(gc, "freeze"):
+        # Python 3.7+
+        gc.freeze()
+
+    # This is the WSGI callable:
+    def application(environ, start_response):
+        if not environ["wsgi.multithread"]:
+            return api.Backend.wsgi_dispatch(environ, start_response)
+        else:
+            logger.error(
+                "IPA does not work with the threaded MPM, "
+                "use the pre-fork MPM"
+            )
+            raise RuntimeError("threaded MPM detected")
+
+    return application
+
+
+if __name__ == "__main__":
+    application = create_application()