De-conflicting Swift-Proxy with FreeIPA

Port 8080 is a popular port. Tomcat uses it as the default port for unencrypted traffic. FreeIA, installs Dogtag which runs in Tomcat. Swift proxy also chose that port number for its traffic. This means that if one is run on that port, the other cannot. Of the two, it is easier to change FreeIPA, as the port is only used for internal traffic, where as Swift’s port is in the service catalog and the documentation.

Changing the port in FreeIPA requires modifications in both the config directories for Dogtag and the Python code that contacts it.

The Python changes are in

/usr/lib/python2.7/site-packages/ipaplatform/base/services.py
/usr/lib/python2.7/site-packages/ipapython/dogtag.py

Look for any instance of 8080 and change them to another port that will not conflict. I chose 8181

The config changes for dogtag are in /etc/pki such as /etc/pki/pki-tomcat/ca/CS.cfg and again, change 8080 to 8181.

Restart the server with:

sudo systemctl status ipa.service

To confirm run a command that hits the CA:

 ipa cert-find

I have a ticket in with FreeIPA to try and get support for this in.

With these changes made, I tested out then installing the undercloud on the same node and it seems to work.

However, the IPA server is no longer running. The undercloud install seems to have cleared out the ipa config files from under /etc/httpd/conf.d. However, DOgtag is still running as shown by

curl localhost:8181

Next experiment will be to see if I can preserve the IPA configuration

2 thoughts on “De-conflicting Swift-Proxy with FreeIPA

  1. You shouldn’t install other stuff on IPA server. IPA is engineered as a appliance and that’s what enable most integration and seamless operations. Just get a dedicated VM for IPA.

  2. That is, unfortunately, a luxury I don’t have, nor do many people working in development have in a resource constrained environment. Openstack is made for managing Virtual machines, but, at the bottom, you need a physical machine to run them on. The current Tripleo setup requires 3, and dedicated hardware to run them on. Adding in a fourth for IPA means we can’t have IPA.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.