First Last Prev Next    This bug is not in your last search results.
Bug 1029576 - Update puppet modules for SSL support
Update puppet modules for SSL support
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules (Show other bugs)
4.0
Unspecified Unspecified
unspecified Severity medium
: z1
: 4.0
Assigned To: Ivan Chavero
Nir Magnezi
: Triaged, ZStream
Depends On:
Blocks: 1029579
  Show dependency treegraph
 
Reported: 2013-11-12 11:19 EST by Rob Crittenden
Modified: 2016-04-26 19:40 EDT (History)
7 users (show)

See Also:
Fixed In Version: openstack-puppet-modules-2013.2-5.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: There were no options to configure qpid, mysql and horizon with SSL using puppet. Consequence: It was difficult if not impossible to configure SSL to encrypt backend communication. Fix: New options were added to puppet-qpid, including two new modules, puppet-nssdb and puppet-certmonger. The former is used to manage NSS-based security libraries and the later is used for handing automatic issuance of SSL certificates from an IdM server. New options were also added to mysql. The top-level mysql module had support for SSL but the OpenStack module did not. Horizon had an option to enable SSL but it didn't actually do that. Result: The lower level puppet modules now support enabling SSL. This will provide the building blocks for securing services with SSL.
Story Points: ---
Clone Of:
: 1029579 (view as bug list)
Environment:
Last Closed: 2014-01-23 09:23:50 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 65636 None None None Never

  None (edit)
Description Rob Crittenden 2013-11-12 11:19:27 EST 
Description of problem:

A number of SSL changes have been made upstream that are not reflected in the current build.

modules/qpid needs to be refreshed from upstream https://github.com/dprince/puppet-qpid

The changes in this launchpad bug, https://bugs.launchpad.net/packstack/+bug/1214606

New upstream submodules puppet-certmonger and puppet-nssdb need to be included.

This packstack change in puppet-horizon, https://review.openstack.org/49799

Version-Release number of selected component (if applicable):

openstack-puppet-modules-2013.2-4.el6ost
Comment 1 Mike Orazi 2013-11-12 11:21:42 EST 
Depending on the timing of the transition, this BZ might also be needed in openstack-packstack sub-rpm
Comment 3 Alvaro Lopez Ortega 2013-11-15 08:29:21 EST 
These changes made it to the packstack's puppet modules, but not yet to openstack-puppet-modules.
Comment 4 Rob Crittenden 2013-11-15 09:43:12 EST 
Will need this change to glance as well, https://review.openstack.org/#/c/56460/
Comment 5 Rob Crittenden 2013-11-26 10:02:35 EST 
To note specific versions for nssdb and certmonger, this requires puppet-nssdb 1.0.0 and puppet-certmonger 1.0.2
Comment 6 Rob Crittenden 2013-12-02 13:33:00 EST 
Some of this is included in openstack-packstack-2013.2.1-0.12.dev870

For the purposes of the SSL work, the following needs to be added/updated:

puppet-qpid module needs to be updated. It is missing commit https://github.com/dprince/puppet-qpid/commit/e1eac84deb9da3beca2eac4a1efc488698287439 which is pull https://github.com/dprince/puppet-qpid/pull/7

puppet-certmonger needs to be updated. We require upstream version 1.0.2
Comment 7 Ivan Chavero 2014-01-10 14:41:40 EST 
Changed to upstream qpid puppet module.
Merged in this review: https://review.openstack.org/#/c/65636/
Comment 11 Ivan Chavero 2014-01-15 10:17:52 EST 
Install openstack-puppet-modules-2013.2-5.el6ost and check for:

$max_connections = '65535' in /usr/share/openstack-puppet/modules/qpid/manifests/server.pp

check for the existence of: 

/usr/share/openstack-puppet/modules/nssdb
/usr/share/openstack-puppet/modules/certmonger
Comment 12 Nir Magnezi 2014-01-15 10:24:22 EST 
Verified NVR: openstack-puppet-modules-2013.2-5.el6ost.noarch

Verified following to the Comment #11
Tested OK.
Comment 13 Bruce Reeler 2014-01-19 20:56:47 EST 
NEEDINFO: Ivan Chavero

I see that you added Doc Text, but then you set the requires_doc_text flag to "-". This means that the Doc Text will NOT be included in the Release Notes. Just confirming that is what you intended?
Comment 16 Lon Hohberger 2014-02-04 12:20:25 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html
Comment 17 Ivan Chavero 2014-06-09 11:33:12 EDT 
it's intended, that doc-text shouln't be there. i can take it out if needed.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.