This doesn't look flexible to me. Glance and keystone could use different settings for SSL. I like the current way of using a session and a config section for each separate client (like [1]).

[1] https://review.openstack.org/#/c/131098/

Thanks,
Andrew.

On Mon, Feb 9, 2015 at 6:19 PM, Matt Riedemann <[email protected]> wrote:

> On 2/9/2015 5:40 PM, Andrew Lazarev wrote:
>
>> Hi Nova experts,
>>
>> Some time ago I figured out that devstack fails to stack with
>> USE_SSL=True option because it doesn't configure nova to work with
>> secured glance [1]. Support of secured glance was added to nova in Juno
>> cycle [2], but it looks strange to me.
>>
>> Glance client takes settings from '[ssl]' section. The same section is
>> used to set up nova server SSL settings. Other clients have separate
>> sections in the config file (and switching to session use now), e.g.
>> related code for cinder - [3].
>>
>> I've created quick fix for the devstack - [4], but it would be nice to
>> shed a light on nova plans around glance config before merging a
>> workaround for devstack.
>>
>> So, the questions are:
>> 1. Is it normal that glance client reads from '[ssl]' config section?
>> 2. Is there a plan to move glance client to sessions use and move
>> corresponding config section to '[glance]'?
>> 3. Are there any plans to run CI for USE_SSL=True use case?
>>
>> [1] - https://bugs.launchpad.net/devstack/+bug/1405484
>> [2] - https://review.openstack.org/#/c/72974
>> [3] - https://github.com/openstack/nova/blob/2015.1.0b2/nova/volume/cinder.py#L73
>> [4] - https://review.openstack.org/#/c/153737
>>
>> Thanks,
>> Andrew.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: [email protected]?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> This came up in another -dev thread at one point which prompted a series
> from Matthew Gilliard [1] to use [ssl] globally or project-specific options
> since both glance and keystone are currently getting their ssl options from
> the global [ssl] group in nova right now.
>
> I've been a bad citizen and haven't gotten back to the series review yet.
>
> [1] https://review.openstack.org/#/q/status:open+project:openstack/nova+branch:master+topic:ssl-config-options,n,z
>
> --
>
> Thanks,
>
> Matt Riedemann
