Bug 1029576
| Field | Value |
|---|---|
| Summary: | Update puppet modules for SSL support |
| Product: | Red Hat OpenStack |
| Component: | openstack-puppet-modules |
| Version: | 4.0 |
| Status: | CLOSED ERRATA |
| Severity: | medium |
| Priority: | unspecified |
| Reporter: | Rob Crittenden <rcritten> |
| Assignee: | Ivan Chavero <ichavero> |
| QA Contact: | Nir Magnezi <nmagnezi> |
| CC: | ajeain, aortega, breeler, ichavero, mmagr, morazi, yeylon |
| Target Milestone: | z1 |
| Target Release: | 4.0 |
| Keywords: | Triaged, ZStream |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | openstack-puppet-modules-2013.2-5.el6ost |
| Doc Type: | Bug Fix |
| Type: | Bug |
| Last Closed: | 2014-01-23 14:23:50 UTC |
| Bug Blocks: | 1029579 |

Doc Text:

Cause: There were no options to configure qpid, mysql and horizon with SSL using puppet.

Consequence: It was difficult if not impossible to configure SSL to encrypt backend communication.

Fix: New options were added to puppet-qpid, including two new modules, puppet-nssdb and puppet-certmonger. The former is used to manage NSS-based security libraries and the latter is used for handling automatic issuance of SSL certificates from an IdM server. New options were also added to mysql. The top-level mysql module had support for SSL but the OpenStack module did not. Horizon had an option to enable SSL but it didn't actually do that.

Result: The lower level puppet modules now support enabling SSL. This will provide the building blocks for securing services with SSL.

Description
Rob Crittenden
2013-11-12 16:19:27 UTC
Depending on the timing of the transition, this BZ might also be needed in openstack-packstack sub-rpm

These changes made it to the packstack's puppet modules, but not yet to openstack-puppet-modules.

Will need this change to glance as well, https://review.openstack.org/#/c/56460/

To note specific versions for nssdb and certmonger, this requires puppet-nssdb 1.0.0 and puppet-certmonger 1.0.2

Some of this is included in openstack-packstack-2013.2.1-0.12.dev870

For the purposes of the SSL work, the following needs to be added/updated:

- puppet-qpid module needs to be updated. It is missing commit https://github.com/dprince/puppet-qpid/commit/e1eac84deb9da3beca2eac4a1efc488698287439 which is pull https://github.com/dprince/puppet-qpid/pull/7
- puppet-certmonger needs to be updated. We require upstream version 1.0.2

Changed to upstream qpid puppet module. Merged in this review: https://review.openstack.org/#/c/65636/

Install openstack-puppet-modules-2013.2-5.el6ost and check for:

$max_connections = '65535' in /usr/share/openstack-puppet/modules/qpid/manifests/server.pp

check for the existence of:

/usr/share/openstack-puppet/modules/nssdb
/usr/share/openstack-puppet/modules/certmonger

Verified NVR: openstack-puppet-modules-2013.2-5.el6ost.noarch

Verified following to the Comment #11

Tested OK.

NEEDINFO: Ivan Chavero

I see that you added Doc Text, but then you set the requires_doc_text flag to "-". This means that the Doc Text will NOT be included in the Release Notes. Just confirming that is what you intended?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html

it's intended, that doc-text shouldn't be there. i can take it out if needed.
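
The verification steps given in the comments above (the `$max_connections` value in the qpid `server.pp` and the presence of the `nssdb` and `certmonger` module directories), written as a re-runnable check. This is an added example, not part of the original bug report or of the package; the function name `check_ssl_modules` and its optional module-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): the QA checks as one function.
# check_ssl_modules is a hypothetical name; the default root and the expected
# $max_connections value are the ones quoted in the verification comment.

# Usage: check_ssl_modules [MODULE_ROOT]
# Prints one line per failed check and returns the number of failed checks.
check_ssl_modules() {
    root=${1:-/usr/share/openstack-puppet/modules}
    failures=0

    # 1. qpid server.pp must contain the value named in the bug
    #    (match tolerates indentation and aligned '=' signs).
    server_pp="$root/qpid/manifests/server.pp"
    if [ ! -f "$server_pp" ]; then
        echo "FAIL: $server_pp not found"
        failures=$((failures + 1))
    elif ! grep -Eq "\\\$max_connections[[:space:]]*=[[:space:]]*'65535'" "$server_pp"; then
        echo "FAIL: \$max_connections = '65535' not set in $server_pp"
        failures=$((failures + 1))
    fi

    # 2. The two new modules must be present as directories.
    for module in nssdb certmonger; do
        if [ ! -d "$root/$module" ]; then
            echo "FAIL: module directory $root/$module missing"
            failures=$((failures + 1))
        fi
    done

    if [ "$failures" -eq 0 ]; then
        echo "OK: SSL-related module checks passed under $root"
    fi
    return "$failures"
}
```

Called with no argument, the function checks the installed path from the bug; passing a directory lets the same check run against an unpacked package or a test fixture.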