Description of problem:
$ nova x509-get-root-cert
ERROR (ConnectionRefused): Unable to establish connection to http://192.0.2.9:8774/v2/b6f0c76d61d747bda43e578e09ecc0b3/os-certificates/root
# Actually the connection can be established, but it does not send a response.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch

How reproducible:
always

Steps to Reproduce:
1. openstack overcloud deploy --plan `openstack management plan list | awk '/overcloud/{print $2}'` --control-scale 1 --compute-scale 1
2. source /home/stack/overcloudrc
3. nova x509-get-root-cert
ERROR (ConnectionRefused): Unable to establish connection to http://192.0.2.9:8774/v2/b6f0c76d61d747bda43e578e09ecc0b3/os-certificates/root

Actual results:
ERROR (ConnectionRefused): Unable to establish connection to http://192.0.2.9:8774/v2/b6f0c76d61d747bda43e578e09ecc0b3/os-certificates/root

Expected results:
[stack@instack ~]$ nova x509-get-root-cert
Wrote x509 root cert to cacert.pem

Additional info:
The service just needs to be started and enabled on the controller; it should be the default behaviour. My grep on the templates does not indicate even an option for this.
What is this actually used for? I need a little context around how this is used and why it should be enabled by default?
It is mainly used for image signing with ec2. The nova client just times out on the requests, so if it is not installed nova has to provide a way for immediate failure, for example a 501 response. I just ran my usual test user creation script and it failed: https://raw.githubusercontent.com/openstack-dev/devstack/master/tools/create_userrc.sh
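The report and the comment above describe three distinct ways the os-certificates call can fail: the TCP connection is refused, the connection is accepted but the API never answers because no nova-cert worker picks up the RPC (the client sits there until its own timeout expires), and the fast failure the commenter asks for, a 501 response. The probe below, an added example that is not part of the bug report or of the nova client, distinguishes those three cases with a bounded timeout so an operator's health check does not hang the way the CLI did. The URL path follows the one in the report; the tenant id, host/port and the two local stand-in servers are constructed for the demonstration.

```python
"""Probe a Nova os-certificates endpoint and classify how it fails.

Added example for this bug thread; not code from nova or the report.
The endpoint path mirrors the report, everything else is constructed.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_cert_endpoint(base_url, timeout=2.0):
    """Return 'ok', 'not_implemented', 'refused', 'no_response' or 'http_<code>'.

    base_url is the tenant-scoped Nova API root (".../v2/<tenant>"); the
    os-certificates/root suffix is the same one the CLI requested in the report.
    """
    url = base_url.rstrip("/") + "/os-certificates/root"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http_{resp.status}"
    except urllib.error.HTTPError as exc:
        # The API answered: 501 is the fast failure discussed in the thread.
        return "not_implemented" if exc.code == 501 else f"http_{exc.code}"
    except urllib.error.URLError as exc:
        # urllib wraps connect-phase errors; inspect the underlying reason.
        if isinstance(exc.reason, ConnectionRefusedError):
            return "refused"
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "no_response"
        raise
    except (socket.timeout, TimeoutError):
        # Connected, request sent, but nothing came back before the deadline:
        # the "connection established but no response" case from the report.
        return "no_response"


def _free_port():
    """Pick a port nothing listens on (constructed 'refused' scenario)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def start_501_server():
    """Constructed stand-in for an API that fails fast with 501."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(501)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def start_silent_listener():
    """Constructed stand-in for an API whose backend never answers.

    The kernel completes the TCP handshake from the listen backlog, but no
    HTTP response is ever written, so the client can only time out.
    """
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock


def demo(timeout=1.0):
    """Run the probe against all three constructed failure modes."""
    results = {}
    srv = start_501_server()
    try:
        results["not_implemented"] = probe_cert_endpoint(
            f"http://127.0.0.1:{srv.server_port}/v2/TENANT_PLACEHOLDER", timeout)
    finally:
        srv.shutdown()
        srv.server_close()

    sock = start_silent_listener()
    try:
        port = sock.getsockname()[1]
        results["no_response"] = probe_cert_endpoint(
            f"http://127.0.0.1:{port}/v2/TENANT_PLACEHOLDER", timeout)
    finally:
        sock.close()

    results["refused"] = probe_cert_endpoint(
        f"http://127.0.0.1:{_free_port()}/v2/TENANT_PLACEHOLDER", timeout)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

Against a real overcloud you would call probe_cert_endpoint with the OS_AUTH_URL-derived Nova root from overcloudrc and add the X-Auth-Token header; the point of the three local stand-ins is only to show that "refused" and "no_response" are different symptoms, and that only a 501 tells the caller immediately that nova-cert is not deployed.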
I can confirm nova-cert is not started on a pacemaker setup. This review fixes that: https://review.openstack.org/#/c/223027 However, when running the non-pacemaker setup the service is running. Based on the ref-arch[1] I can see no constraint that applies to this resource. I don't know if that is correct or something missing. I think it would be good to have someone from HA involved here. [1] https://github.com/beekhof/osp-ha-deploy/blob/master/pcmk/nova.scenario
You may want to keep the CA and key files in sync; they might be stored on a shared filesystem, otherwise no restriction is known regarding running them on multiple nodes. decrypt_text() needs to be able to find the project keys. nova contains code for revocation handling, but nova does not have an http frontend for those calls, and the `rpc` frontend also does not seem to be in use. The possible reason for making n-cert a dedicated service is to allow you to store the key files on dedicated node(s).
This was discussed extensively during OSP 6 with the Installer. It was decided that it was not part of the refarch and should not be enabled. The only thing to fix here would be to not install the package. The need for shared storage makes this a significant RFE if we want to add support.
Jarda, Basil, I think we've discussed this before, but can we get an official PM answer on inclusion/setup/etc of openstack-nova-cert? Previously, it's been "no" in OSP 6, etc.
*** This bug has been marked as a duplicate of bug 1217093 ***
To clear needinfo request.