Bug 1029576 - Update puppet modules for SSL support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: z1
Target Release: 4.0
Assignee: Ivan Chavero
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On:
Blocks: 1029579
Reported: 2013-11-12 16:19 UTC by Rob Crittenden
Modified: 2016-04-26 23:40 UTC

Fixed In Version: openstack-puppet-modules-2013.2-5.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: There were no options to configure qpid, mysql and horizon with SSL using puppet.
Consequence: It was difficult, if not impossible, to configure SSL to encrypt backend communication.
Fix: New options were added to puppet-qpid, including two new modules, puppet-nssdb and puppet-certmonger. The former is used to manage NSS-based security libraries and the latter is used for handling automatic issuance of SSL certificates from an IdM server. New options were also added to mysql. The top-level mysql module had support for SSL but the OpenStack module did not. Horizon had an option to enable SSL but it didn't actually do that.
Result: The lower-level puppet modules now support enabling SSL. This will provide the building blocks for securing services with SSL.
Clone Of:
Clones: 1029579
Environment:
Last Closed: 2014-01-23 14:23:50 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 65636 | 0 | None | None | None | Never
Red Hat Product Errata | RHBA-2014:0046 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform 4 Bug Fix and Enhancement Advisory | 2014-01-23 00:51:59 UTC

Description Rob Crittenden 2013-11-12 16:19:27 UTC
Description of problem:

A number of SSL changes have been made upstream that are not reflected in the current build.

modules/qpid needs to be refreshed from upstream https://github.com/dprince/puppet-qpid

The changes in this launchpad bug, https://bugs.launchpad.net/packstack/+bug/1214606

New upstream submodules puppet-certmonger and puppet-nssdb need to be included.

This packstack change in puppet-horizon, https://review.openstack.org/49799

Version-Release number of selected component (if applicable):

openstack-puppet-modules-2013.2-4.el6ost

Comment 1 Mike Orazi 2013-11-12 16:21:42 UTC
Depending on the timing of the transition, this BZ might also be needed in the openstack-packstack sub-rpm.

Comment 3 Alvaro Lopez Ortega 2013-11-15 13:29:21 UTC
These changes made it to the packstack's puppet modules, but not yet to openstack-puppet-modules.

Comment 4 Rob Crittenden 2013-11-15 14:43:12 UTC
Will need this change to glance as well, https://review.openstack.org/#/c/56460/

Comment 5 Rob Crittenden 2013-11-26 15:02:35 UTC
To note specific versions for nssdb and certmonger, this requires puppet-nssdb 1.0.0 and puppet-certmonger 1.0.2

Comment 6 Rob Crittenden 2013-12-02 18:33:00 UTC
Some of this is included in openstack-packstack-2013.2.1-0.12.dev870

For the purposes of the SSL work, the following needs to be added/updated:

puppet-qpid module needs to be updated. It is missing commit https://github.com/dprince/puppet-qpid/commit/e1eac84deb9da3beca2eac4a1efc488698287439 which is pull https://github.com/dprince/puppet-qpid/pull/7

puppet-certmonger needs to be updated. We require upstream version 1.0.2

Comment 7 Ivan Chavero 2014-01-10 19:41:40 UTC
Changed to upstream qpid puppet module.
Merged in this review: https://review.openstack.org/#/c/65636/

Comment 11 Ivan Chavero 2014-01-15 15:17:52 UTC
Install openstack-puppet-modules-2013.2-5.el6ost and check for:

$max_connections = '65535' in /usr/share/openstack-puppet/modules/qpid/manifests/server.pp

check for the existence of: 

/usr/share/openstack-puppet/modules/nssdb
/usr/share/openstack-puppet/modules/certmonger
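
The checks listed in Comment 11, written as a script; this is an added example, not part of the original comment or of the package. It assumes the package is already installed; the function name `verify_ssl_modules` and the optional module-root argument are hypothetical.

```shell
#!/bin/sh
# Added example: the Comment 11 verification steps as one function.
# Usage: verify_ssl_modules [MODULE_ROOT]
# Prints one PASS/FAIL line per check and returns non-zero if any check fails.
verify_ssl_modules() {
    # Default root is the install path named in Comment 11.
    root=${1:-/usr/share/openstack-puppet/modules}
    rc=0

    # Check 1: the refreshed qpid module assigns $max_connections = '65535'.
    # Leading whitespace and a trailing comma (parameter-list form) are tolerated.
    server_pp="$root/qpid/manifests/server.pp"
    if [ -f "$server_pp" ] &&
       grep -Eq "^[[:space:]]*\\\$max_connections[[:space:]]*=[[:space:]]*'65535'" "$server_pp"
    then
        echo "PASS: $server_pp sets \$max_connections = '65535'"
    else
        echo "FAIL: $server_pp missing or lacks \$max_connections = '65535'"
        rc=1
    fi

    # Check 2: the two new modules are shipped as directories.
    for mod in nssdb certmonger; do
        if [ -d "$root/$mod" ]; then
            echo "PASS: $root/$mod exists"
        else
            echo "FAIL: $root/$mod is missing"
            rc=1
        fi
    done

    return "$rc"
}
```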

Comment 12 Nir Magnezi 2014-01-15 15:24:22 UTC
Verified NVR: openstack-puppet-modules-2013.2-5.el6ost.noarch

Verified according to Comment #11.
Tested OK.

Comment 13 Bruce Reeler 2014-01-20 01:56:47 UTC
NEEDINFO: Ivan Chavero

I see that you added Doc Text, but then you set the requires_doc_text flag to "-". This means that the Doc Text will NOT be included in the Release Notes. Just confirming that is what you intended?

Comment 16 Lon Hohberger 2014-02-04 17:20:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html

Comment 17 Ivan Chavero 2014-06-09 15:33:12 UTC
It's intended; that doc-text shouldn't be there. I can take it out if needed.

