Reproducing an Open vSwitch Bridge Configuration

In the previous post, I described the setup for installing FreeIPA on a VM parallel to the undercloud VM setup by Tripleo Quickstart. The network on the undercloud VM has been setup up by Ironic and Neutron to listen on a network defined for the overcloud. I want to reproduce this on a second machine that is not enrolled in the undercloud. How can I reproduce the steps?

Continue reading

Certmonger logging for debugging

Certmonger is split into 3 parts

  1. getcert or comparable helper app which the user calls to make requests.  The request is put on dbus and and sent to
  2. The certmonger binary.  This reads the request off of dbus and makes a call to
  3. The help application which makes calls to the remote service.

Debugging this process is much easier if you run the certmonger service from the command line and tell it to log debugging output.  Make sure no certmonger-session processes are running:

Continue reading

Testing Fernet Tokens on Tripleo

Not the way to do it long term, but this will give you a chance to play with it.

From the controller node:

sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo crudini --set /etc/keystone/keystone.conf token provider fernet
sudo systemctl restart httpd.service

Test it

$ openstack  token issue -f shell
expires="2016-05-05T05:21:44Z"
id="gAAAAABXKspYhz7Ti5ldwi0mU4D69NqTINEU_t-e8MoxqVkVhR40w1E7GOmgai-9lanr2Z6bnoyQSgNWIhD63UOm1Mlsm9_hw5oTCqVO_pWJZwTomlWM2BrG5LqTOyp6PNqYz2pZ0DIaSTOnOQPeVqKp4ot8S3B6oA4Xy1JZo3305DPiApCzOyQ"
project_id="b383d314cc344639939f2a9a381a6945"
user_id="4e154e7d166d4bd6b8199dfd3a6f2468"

Remotely calling certmongers local signer

It is really hard to make remote calls securely without a minimal Public Key Infrastructure. For a single server development deployment, you can use a self-signed certificate, but once you have multiple servers that need to intercommunicate, you want to have a single signing cert used for all the services. I’m investigating an approach which chains multiple Certmonger instances together.
Continue reading

Running Keystone Unit Tests against older Versions of RDO Etc

Just because upstrem is no longer supporting Essix doesn’t mean that someone out there is not running it. So, if you need to back port a patch, you might find yourself in the position of having to run unit tests against an older version of Keystone (or other) that does not run cleanly against the files installed by tox. For example, I tried running against an Icehouse era checkout and got a slew of errors like this:
Continue reading