1029576 – Update puppet modules for SSL support

Bug 1029576 - Update puppet modules for SSL support

Summary: Update puppet modules for SSL support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-puppet-modules
Sub Component:
Version:	4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	z1
Target Release:	4.0
Assignee:	Ivan Chavero
QA Contact:	Nir Magnezi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1029579
TreeView+	depends on / blocked

Reported:	2013-11-12 16:19 UTC by Rob Crittenden
Modified:	2016-04-26 23:40 UTC (History)
CC List:	7 users (show)
Fixed In Version:	openstack-puppet-modules-2013.2-5.el6ost
Doc Type:	Bug Fix
Doc Text:	Cause: There were no options to configure qpid, mysql and horizon with SSL using puppet. Consequence: It was difficult if not impossible to configure SSL to encrypt backend communication. Fix: New options were added to puppet-qpid, including two new modules, puppet-nssdb and puppet-certmonger. The former is used to manage NSS-based security libraries and the later is used for handing automatic issuance of SSL certificates from an IdM server. New options were also added to mysql. The top-level mysql module had support for SSL but the OpenStack module did not. Horizon had an option to enable SSL but it didn't actually do that. Result: The lower level puppet modules now support enabling SSL. This will provide the building blocks for securing services with SSL.
Clone Of:
Clones:	1029579 (view as bug list)
Environment:
Last Closed:	2014-01-23 14:23:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	65636	0	None	None	None	Never
Red Hat Product Errata	RHBA-2014:0046	0	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform 4 Bug Fix and Enhancement Advisory	2014-01-23 00:51:59 UTC

Description Rob Crittenden 2013-11-12 16:19:27 UTC

Description of problem:

A number of SSL changes have been made upstream that are not reflected in the current build.

modules/qpid needs to be refreshed from upstream https://github.com/dprince/puppet-qpid

The changes in this launchpad bug, https://bugs.launchpad.net/packstack/+bug/1214606

New upstream submodules puppet-certmonger and puppet-nssdb need to be included.

This packstack change in puppet-horizon, https://review.openstack.org/49799

Version-Release number of selected component (if applicable):

openstack-puppet-modules-2013.2-4.el6ost

Comment 1 Mike Orazi 2013-11-12 16:21:42 UTC

Depending on the timing of the transition, this BZ might also be needed in openstack-packstack sub-rpm

Comment 3 Alvaro Lopez Ortega 2013-11-15 13:29:21 UTC

These changes made it to the packstack's puppet modules, but not yet to openstack-puppet-modules.

Comment 4 Rob Crittenden 2013-11-15 14:43:12 UTC

Will need this change to glance as well, https://review.openstack.org/#/c/56460/

Comment 5 Rob Crittenden 2013-11-26 15:02:35 UTC

To note specific versions for nssdb and certmonger, this requires puppet-nssdb 1.0.0 and puppet-certmonger 1.0.2

Comment 6 Rob Crittenden 2013-12-02 18:33:00 UTC

Some of this is included in openstack-packstack-2013.2.1-0.12.dev870

For the purposes of the SSL work, the following needs to be added/updated:

puppet-qpid module needs to be updated. It is missing commit https://github.com/dprince/puppet-qpid/commit/e1eac84deb9da3beca2eac4a1efc488698287439 which is pull https://github.com/dprince/puppet-qpid/pull/7

puppet-certmonger needs to be updated. We require upstream version 1.0.2

Comment 7 Ivan Chavero 2014-01-10 19:41:40 UTC

Changed to upstream qpid puppet module.
Merged in this review: https://review.openstack.org/#/c/65636/

Comment 11 Ivan Chavero 2014-01-15 15:17:52 UTC

Install openstack-puppet-modules-2013.2-5.el6ost and check for:

$max_connections = '65535' in /usr/share/openstack-puppet/modules/qpid/manifests/server.pp

check for the existence of: 

/usr/share/openstack-puppet/modules/nssdb
/usr/share/openstack-puppet/modules/certmonger

Comment 12 Nir Magnezi 2014-01-15 15:24:22 UTC

Verified NVR: openstack-puppet-modules-2013.2-5.el6ost.noarch

Verified following to the Comment #11
Tested OK.

Comment 13 Bruce Reeler 2014-01-20 01:56:47 UTC

NEEDINFO: Ivan Chavero

I see that you added Doc Text, but then you set the requires_doc_text flag to "-". This means that the Doc Text will NOT be included in the Release Notes. Just confirming that is what you intended?

Comment 16 Lon Hohberger 2014-02-04 17:20:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html

Comment 17 Ivan Chavero 2014-06-09 15:33:12 UTC

it's intended, that doc-text shouln't be there. i can take it out if needed.

Note You need to log in before you can comment on or make changes to this bug.