In the previous post, I described the setup for installing FreeIPA on a VM parallel to the undercloud VM setup by Tripleo Quickstart. The network on the undercloud VM has been setup up by Ironic and Neutron to listen on a network defined for the overcloud. I want to reproduce this on a second machine that is not enrolled in the undercloud. How can I reproduce the steps?
I’ve been talking about using FreeIPA to secure OpenStack since the Havana summit in Portland. I’m now working with Tripleo to install OpenStack. To get the IPA server installed along with Tripleo Quickstart requires a VM accessible from the Ansible playbook.
Certmonger is split into 3 parts
- getcert or comparable helper app which the user calls to make requests. The request is put on dbus and and sent to
- The certmonger binary. This reads the request off of dbus and makes a call to
- The help application which makes calls to the remote service.
Debugging this process is much easier if you run the certmonger service from the command line and tell it to log debugging output. Make sure no certmonger-session processes are running:
Not the way to do it long term, but this will give you a chance to play with it.
From the controller node:
sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone sudo crudini --set /etc/keystone/keystone.conf token provider fernet sudo systemctl restart httpd.service
$ openstack token issue -f shell expires="2016-05-05T05:21:44Z" id="gAAAAABXKspYhz7Ti5ldwi0mU4D69NqTINEU_t-e8MoxqVkVhR40w1E7GOmgai-9lanr2Z6bnoyQSgNWIhD63UOm1Mlsm9_hw5oTCqVO_pWJZwTomlWM2BrG5LqTOyp6PNqYz2pZ0DIaSTOnOQPeVqKp4ot8S3B6oA4Xy1JZo3305DPiApCzOyQ" project_id="b383d314cc344639939f2a9a381a6945" user_id="4e154e7d166d4bd6b8199dfd3a6f2468"
The Newton Summit is behind us, and we have six months to prepare for the next release in both upstream OpenStack and RDO. Here is my attempt to build a prioritized list of the large tasks I want to tackle in this release.
It is really hard to make remote calls securely without a minimal Public Key Infrastructure. For a single server development deployment, you can use a self-signed certificate, but once you have multiple servers that need to intercommunicate, you want to have a single signing cert used for all the services. I’m investigating an approach which chains multiple Certmonger instances together.
Just because upstrem is no longer supporting Essix doesn’t mean that someone out there is not running it. So, if you need to back port a patch, you might find yourself in the position of having to run unit tests against an older version of Keystone (or other) that does not run cleanly against the files installed by tox. For example, I tried running against an Icehouse era checkout and got a slew of errors like this:
Tripleo uses Puppet to manage the resources in a deployment. Puppet has a command line tool to look at resources.
Rust is Pedantic. I’m Pedantic. We get along wonderfully. Since HTTP is way too overdone, I wanted to try something at the Byte twiddling level. I got a very, very basic TFTP server to run and fetch a larger binary file without corrupting it. Time to celebrate with a bragpost.