Bug 1029576 - Update puppet modules for SSL support
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
4.0
Unspecified Unspecified
unspecified Severity medium
: z1
: 4.0
Assigned To: Ivan Chavero
Nir Magnezi
: Triaged, ZStream
Depends On:
Blocks: 1029579
Reported: 2013-11-12 11:19 EST by Rob Crittenden
Modified: 2016-04-26 19:40 EDT
Fixed In Version: openstack-puppet-modules-2013.2-5.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: There were no options to configure qpid, mysql and horizon with SSL using puppet.
Consequence: It was difficult if not impossible to configure SSL to encrypt backend communication.
Fix: New options were added to puppet-qpid, including two new modules, puppet-nssdb and puppet-certmonger. The former is used to manage NSS-based security libraries and the latter is used for handling automatic issuance of SSL certificates from an IdM server. New options were also added to mysql. The top-level mysql module had support for SSL but the OpenStack module did not. Horizon had an option to enable SSL but it didn't actually do that.
Result: The lower level puppet modules now support enabling SSL. This will provide the building blocks for securing services with SSL.
: 1029579
Last Closed: 2014-01-23 09:23:50 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 65636 None None None Never

Description Rob Crittenden 2013-11-12 11:19:27 EST
Description of problem:

A number of SSL changes have been made upstream that are not reflected in the current build.

modules/qpid needs to be refreshed from upstream https://github.com/dprince/puppet-qpid

The changes in this launchpad bug, https://bugs.launchpad.net/packstack/+bug/1214606

New upstream submodules puppet-certmonger and puppet-nssdb need to be included.

This packstack change in puppet-horizon, https://review.openstack.org/49799

Version-Release number of selected component (if applicable):

openstack-puppet-modules-2013.2-4.el6ost
Comment 1 Mike Orazi 2013-11-12 11:21:42 EST
Depending on the timing of the transition, this BZ might also be needed in openstack-packstack sub-rpm
Comment 3 Alvaro Lopez Ortega 2013-11-15 08:29:21 EST
These changes made it to packstack's puppet modules, but not yet to openstack-puppet-modules.
Comment 4 Rob Crittenden 2013-11-15 09:43:12 EST
Will need this change to glance as well, https://review.openstack.org/#/c/56460/
Comment 5 Rob Crittenden 2013-11-26 10:02:35 EST
To note specific versions for nssdb and certmonger, this requires puppet-nssdb 1.0.0 and puppet-certmonger 1.0.2
Comment 6 Rob Crittenden 2013-12-02 13:33:00 EST
Some of this is included in openstack-packstack-2013.2.1-0.12.dev870

For the purposes of the SSL work, the following needs to be added/updated:

puppet-qpid module needs to be updated. It is missing commit https://github.com/dprince/puppet-qpid/commit/e1eac84deb9da3beca2eac4a1efc488698287439 which is pull https://github.com/dprince/puppet-qpid/pull/7

puppet-certmonger needs to be updated. We require upstream version 1.0.2
Comment 7 Ivan Chavero 2014-01-10 14:41:40 EST
Changed to upstream qpid puppet module.
Merged in this review: https://review.openstack.org/#/c/65636/
Comment 11 Ivan Chavero 2014-01-15 10:17:52 EST
Install openstack-puppet-modules-2013.2-5.el6ost and check for:

$max_connections = '65535' in /usr/share/openstack-puppet/modules/qpid/manifests/server.pp

check for the existence of: 

/usr/share/openstack-puppet/modules/nssdb
/usr/share/openstack-puppet/modules/certmonger
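
The checks listed in Comment 11, scripted as an added example that is not part of the original bug report or of the package. The function name verify_ssl_modules and its optional module-root argument are assumptions for illustration; the default path and the expected values are the ones given in the comment, and the package is assumed to be installed already.

```shell
#!/bin/sh
# Added example: scripted form of the Comment 11 verification steps.
# verify_ssl_modules is a hypothetical helper name; the optional argument
# (module root) lets the check run against a staging tree as well.
# Usage: verify_ssl_modules [module-root]
# Returns the number of failed checks (0 = all passed).

verify_ssl_modules() {
    root="${1:-/usr/share/openstack-puppet/modules}"
    failures=0

    # 1. The qpid server manifest must carry the value named in Comment 11.
    #    Whitespace around "=" is tolerated; the value must be exactly '65535'.
    manifest="$root/qpid/manifests/server.pp"
    if [ ! -f "$manifest" ]; then
        echo "FAIL: $manifest not found" >&2
        failures=$((failures + 1))
    elif ! grep -Eq "^[[:space:]]*\\\$max_connections[[:space:]]*=[[:space:]]*'65535'" "$manifest"; then
        echo "FAIL: \$max_connections = '65535' not set in $manifest" >&2
        failures=$((failures + 1))
    fi

    # 2. The two new modules must be present as directories.
    for module in nssdb certmonger; do
        if [ ! -d "$root/$module" ]; then
            echo "FAIL: module directory $root/$module missing" >&2
            failures=$((failures + 1))
        fi
    done

    [ "$failures" -eq 0 ] && echo "OK: all checks passed under $root"
    return "$failures"
}
```
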
Comment 12 Nir Magnezi 2014-01-15 10:24:22 EST
Verified NVR: openstack-puppet-modules-2013.2-5.el6ost.noarch

Verified following Comment #11.
Tested OK.
Comment 13 Bruce Reeler 2014-01-19 20:56:47 EST
NEEDINFO: Ivan Chavero

I see that you added Doc Text, but then you set the requires_doc_text flag to "-". This means that the Doc Text will NOT be included in the Release Notes. Just confirming that is what you intended?
Comment 16 Lon Hohberger 2014-02-04 12:20:25 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html
Comment 17 Ivan Chavero 2014-06-09 11:33:12 EDT
It's intended, that doc-text shouldn't be there. I can take it out if needed.