Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-25 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
ib/python2.7/dist-packages/quantumclient/v2_0/client.py", line 87, in 
exception_handler_v20
[Wed Nov 27 16:50:35 2013] [error] 2013-11-27 16:50:35.617 31236 TRACE 
nova.api.openstack message=message)
[Wed Nov 27 16:50:35 2013] [error] 2013-11-27 16:50:35.617 31236 TRACE 
nova.api.openstack QuantumClientException: [Errno 1] _ssl.c:504: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify 
failed
[Wed Nov 27 16:50:35 2013] [error] 2013-11-27 16:50:35.617 31236 TRACE 
nova.api.openstack
10.1.184.2 - - [27/Nov/2013:16:50:35 -0600] "GET 
/v2/bf916cad55494d548b4a3a5de78b87a6/servers/detail?project_id=bf916cad55494d548b4a3a5de78b87a6
 HTTP/1.1" 500 3120 "-" "python-novaclient"
[Wed Nov 27 16:50:35 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: 
SSL negotiation finished successfully
[Wed Nov 27 16:50:35 2013] [info] [client 10.1.184.2] Connection closed to 
child 3 with standard shutdown (server d00-50-56-8e-79-e7.cloudos.org:8774)

Do you have any suggestions? I have also been unable to find any vhost 
templates for quantum. I have created my own CA and used it to sign server 
certificates. To enable using a single certificate for multiple IP addresses 
for the same server, I have implemented alt_names.

Regards,

Mark

From: Jesse Pretorius [mailto:jesse.pretor...@gmail.com]
Sent: Thursday, November 14, 2013 12:43 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question

On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
<mark.m.mil...@hp.com> wrote:
I finally found a set of web pages that has a working set of configuration 
files for the major OpenStack services " 
http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
 " by Andy Mc. I skipped ceilometer and have the rest of the services working 
except quantum with self-signed certificates on a Grizzly-3 OpenStack instance. 
Now I am stuck trying to figure out how to get quantum to accept self-signed 
certificates.

My goal is to harden my Grizzly-3 OpenStack instance using SSL and self-signed 
certificates. Later I will do the same for Havana bits and use real/valid 
certificates.

I struggled with getting this all to work correctly for a few weeks, then 
eventually gave up and opted instead to use an Apache reverse proxy to 
front-end the native services. I just found that using an Apache/wsgi 
configuration doesn't completely work. It would certainly help if this 
configuration was implemented into the Openstack testing regime to help all the 
services become first-class citizens as a wsgi process behind Apache.

I would suggest that you review the wsgi files and vhost templates in the 
rcbops chef cookbooks for each service. They include my updates to Andy's 
original blog items to make things work properly.

I found that while Andy's stuff appears to work, it becomes noticeable that it 
works in a read-only fashion. I managed to get keystone/nova confirmed to work 
properly, but glance just would not work - I could never upload any images and 
if caching/management was turned off in the glance service then downloading 
images didn't work either.

Good luck - if you do get a fully working config it'd be great to get feedback 
on the adjustments you had to make to get it working.
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
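
An added example, not part of the original message: a short Python script that reads error-log lines of the shape quoted above, unpacks the OpenSSL error code, and reports which side of the connection rejected the certificate. The sample lines are constructed from the quoted excerpt, the function names are this example's own, and the code split assumes the OpenSSL 1.0.x packing (8-bit library, 12-bit function, 12-bit reason).

```python
import re
from collections import namedtuple

# Constructed sample: lines shaped like the Apache error_log excerpt quoted in
# the message above, with the wrapped TRACE line re-joined onto one line.
SAMPLE_LOG = """\
[Wed Nov 27 16:50:35 2013] [error] 2013-11-27 16:50:35.617 31236 TRACE nova.api.openstack QuantumClientException: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[Wed Nov 27 16:50:35 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
"""

TlsError = namedtuple("TlsError", "raised_by code lib func reason text role")

# exception name, packed hex code, then OpenSSL's lib:function:reason strings
ERR_RE = re.compile(
    r"TRACE \S+ (?P<exc>\w+): .*?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<text>.+)$")


def unpack_openssl_code(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def find_tls_errors(log_text):
    """Return one TlsError per OpenSSL error found in TRACE lines."""
    found = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        lib, func, reason = unpack_openssl_code(m.group("code"))
        fname = m.group("func")
        # Reading the *server's* certificate means this process was the TLS
        # client; reading the *client's* certificate means it was the server.
        if "GET_SERVER_" in fname:
            role = "client"
        elif "GET_CLIENT_" in fname:
            role = "server"
        else:
            role = "unknown"
        found.append(TlsError(m.group("exc"), m.group("code"), lib, func,
                              reason, m.group("text").strip(), role))
    return found


def inbound_handshakes_ok(log_text):
    """Count handshakes that mod_ssl itself reports as completed."""
    marker = "SSL negotiation finished successfully"
    return sum(marker in line for line in log_text.splitlines())


if __name__ == "__main__":
    for err in find_tls_errors(SAMPLE_LOG):
        print("%s: lib=%d func=%d reason=%d (%s), process acted as TLS %s"
              % (err.raised_by, err.lib, err.func, err.reason, err.text,
                 err.role))
    print("inbound handshakes completed:", inbound_handshakes_ok(SAMPLE_LOG))
```

On the sample it reports the failure in the client role, raised by QuantumClientException, while Apache's own inbound handshake completed. The certificate being rejected is therefore the one presented to the Quantum client, so the CA bundle to check is the one that client trusts.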


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-14 Thread Adam Young

On 11/14/2013 03:42 AM, Jesse Pretorius wrote:
On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - 
Corvallis) <mark.m.mil...@hp.com> wrote:


I finally found a set of web pages that has a working set of
configuration files for the major OpenStack services "

http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
" by Andy Mc. I skipped ceilometer and have the rest of the
services working except quantum with self-signed certificates on a
Grizzly-3 OpenStack instance. Now I am stuck trying to figure out
how to get quantum to accept self-signed certificates.

My goal is to harden my Grizzly-3 OpenStack instance using SSL and
self-signed certificates. Later I will do the same for Havana bits
and use real/valid certificates.


I struggled with getting this all to work correctly for a few weeks, 
then eventually gave up and opted instead to use an Apache reverse 
proxy to front-end the native services. I just found that using an 
Apache/wsgi configuration doesn't completely work. It would certainly 
help if this configuration was implemented into the Openstack testing 
regime to help all the services become first-class citizens as a wsgi 
process behind Apache.


Does Glance save the image to the local file system?  I'd suspect 
SELinux, since it sounds like you were trying this on CentOS: SELinux is 
very restrictive in what it lets Apache write.  Again, I'd recommend 
running with SELinux in Permissive mode on this host and look at the 
avc's generated:  Run audit2why.




I would suggest that you review the wsgi files and vhost templates in 
the rcbops chef cookbooks for each service. They include my updates to 
Andy's original blog items to make things work properly.


I found that while Andy's stuff appears to work, it becomes noticeable 
that it works in a read-only fashion. I managed to get keystone/nova 
confirmed to work properly, but glance just would not work - I could 
never upload any images and if caching/management was turned off in 
the glance service then downloading images didn't work either.


Good luck - if you do get a fully working config it'd be great to get 
feedback on the adjustments you had to make to get it working.





Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-14 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
I believe I found it under nova-network.

Thanks,

Mark

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Thursday, November 14, 2013 9:31 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question

Hello Jesse,

Thank you for the information. Would you be so kind as to provide a URL to the 
updated rcbops chef cookbooks for Quantum?

Regards,

Mark

From: Jesse Pretorius [mailto:jesse.pretor...@gmail.com]
Sent: Thursday, November 14, 2013 12:43 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question

On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
<mark.m.mil...@hp.com> wrote:
I finally found a set of web pages that has a working set of configuration 
files for the major OpenStack services " 
http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
 " by Andy Mc. I skipped ceilometer and have the rest of the services working 
except quantum with self-signed certificates on a Grizzly-3 OpenStack instance. 
Now I am stuck trying to figure out how to get quantum to accept self-signed 
certificates.

My goal is to harden my Grizzly-3 OpenStack instance using SSL and self-signed 
certificates. Later I will do the same for Havana bits and use real/valid 
certificates.

I struggled with getting this all to work correctly for a few weeks, then 
eventually gave up and opted instead to use an Apache reverse proxy to 
front-end the native services. I just found that using an Apache/wsgi 
configuration doesn't completely work. It would certainly help if this 
configuration was implemented into the Openstack testing regime to help all the 
services become first-class citizens as a wsgi process behind Apache.

I would suggest that you review the wsgi files and vhost templates in the 
rcbops chef cookbooks for each service. They include my updates to Andy's 
original blog items to make things work properly.

I found that while Andy's stuff appears to work, it becomes noticeable that it 
works in a read-only fashion. I managed to get keystone/nova confirmed to work 
properly, but glance just would not work - I could never upload any images and 
if caching/management was turned off in the glance service then downloading 
images didn't work either.

Good luck - if you do get a fully working config it'd be great to get feedback 
on the adjustments you had to make to get it working.


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-14 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Hello Jesse,

Thank you for the information. Would you be so kind as to provide a URL to the 
updated rcbops chef cookbooks for Quantum?

Regards,

Mark

From: Jesse Pretorius [mailto:jesse.pretor...@gmail.com]
Sent: Thursday, November 14, 2013 12:43 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Nova SSL Apache2 Question

On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
<mark.m.mil...@hp.com> wrote:
I finally found a set of web pages that has a working set of configuration 
files for the major OpenStack services " 
http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
 " by Andy Mc. I skipped ceilometer and have the rest of the services working 
except quantum with self-signed certificates on a Grizzly-3 OpenStack instance. 
Now I am stuck trying to figure out how to get quantum to accept self-signed 
certificates.

My goal is to harden my Grizzly-3 OpenStack instance using SSL and self-signed 
certificates. Later I will do the same for Havana bits and use real/valid 
certificates.

I struggled with getting this all to work correctly for a few weeks, then 
eventually gave up and opted instead to use an Apache reverse proxy to 
front-end the native services. I just found that using an Apache/wsgi 
configuration doesn't completely work. It would certainly help if this 
configuration was implemented into the Openstack testing regime to help all the 
services become first-class citizens as a wsgi process behind Apache.

I would suggest that you review the wsgi files and vhost templates in the 
rcbops chef cookbooks for each service. They include my updates to Andy's 
original blog items to make things work properly.

I found that while Andy's stuff appears to work, it becomes noticeable that it 
works in a read-only fashion. I managed to get keystone/nova confirmed to work 
properly, but glance just would not work - I could never upload any images and 
if caching/management was turned off in the glance service then downloading 
images didn't work either.

Good luck - if you do get a fully working config it'd be great to get feedback 
on the adjustments you had to make to get it working.


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-14 Thread Jesse Pretorius
On 13 November 2013 23:39, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <
mark.m.mil...@hp.com> wrote:

> I finally found a set of web pages that has a working set of configuration
> files for the major OpenStack services "
> http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
> " by Andy Mc. I skipped ceilometer and have the rest of the services
> working except quantum with self-signed certificates on a Grizzly-3
> OpenStack instance. Now I am stuck trying to figure out how to get quantum
> to accept self-signed certificates.
>
> My goal is to harden my Grizzly-3 OpenStack instance using SSL and
> self-signed certificates. Later I will do the same for Havana bits and use
> real/valid certificates.
>
>
I struggled with getting this all to work correctly for a few weeks, then
eventually gave up and opted instead to use an Apache reverse proxy to
front-end the native services. I just found that using an Apache/wsgi
configuration doesn't completely work. It would certainly help if this
configuration was implemented into the Openstack testing regime to help all
the services become first-class citizens as a wsgi process behind Apache.

I would suggest that you review the wsgi files and vhost templates in the
rcbops chef cookbooks for each service. They include my updates to Andy's
original blog items to make things work properly.

I found that while Andy's stuff appears to work, it becomes noticeable that
it works in a read-only fashion. I managed to get keystone/nova confirmed
to work properly, but glance just would not work - I could never upload any
images and if caching/management was turned off in the glance service then
downloading images didn't work either.

Good luck - if you do get a fully working config it'd be great to get
feedback on the adjustments you had to make to get it working.


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-13 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
I finally found a set of web pages that has a working set of configuration 
files for the major OpenStack services " 
http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/
 " by Andy Mc. I skipped ceilometer and have the rest of the services working 
except quantum with self-signed certificates on a Grizzly-3 OpenStack instance. 
Now I am stuck trying to figure out how to get quantum to accept self-signed 
certificates.

My goal is to harden my Grizzly-3 OpenStack instance using SSL and self-signed 
certificates. Later I will do the same for Havana bits and use real/valid 
certificates.

Mark

> -Original Message-
> From: Adam Young [mailto:ayo...@redhat.com]
> Sent: Wednesday, November 13, 2013 10:27 AM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] Nova SSL Apache2 Question
> 
> On 11/06/2013 07:20 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
> wrote:
> > Hello,
> >
> > I am trying to front all of the Grizzly OpenStack services with
> > Apache2 in order to enable SSL. I've got Horizon and Keystone working
> > but am struggling with Nova. The only documentation I have been able
> > to find is at URL
> > http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/
> >
> > However, the Nova sample "osapi.wsgi" and "osapi" files are not working
> with Grizzly. Does anyone have a set of these files for Nova?
> >
> > Thanks,
> >
> > Mark Miller
> >
> 
> This was on my To Do list, but for Icehouse.  What are you seeing as the
> failure?
> 
> The original article was written a while ago, so I am not surprised things
> have changed out from underneath it.  In particular, there are some times where
> Eventlet code gets monkey patched in that you won't want when working in
> HTTPD.  In Keystone, we isolated the Monkeypatching into a single function,
> to ensure the same logic was done in both starting the App and the unit
> tests.  I suspect we'll need to do something comparable in Nova.
> 
> There are also potential SELinux issues.  I'd run with SELinux in Permissive
> mode until you get things sorted.
> 
> 
> 
> 
> 


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-13 Thread Adam Young
On 11/06/2013 07:20 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) 
wrote:

Hello,

I am trying to front all of the Grizzly OpenStack services with Apache2 in 
order to enable SSL. I've got Horizon and Keystone working but am struggling 
with Nova. The only documentation I have been able to find is at URL 
http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/

However, the Nova sample "osapi.wsgi" and "osapi" files are not working with 
Grizzly. Does anyone have a set of these files for Nova?

Thanks,

Mark Miller



This was on my To Do list, but for Icehouse.  What are you seeing as the 
failure?


The original article was written a while ago, so I am not surprised 
things have changed out from underneath it.  In particular, there are 
some times where Eventlet code gets monkey patched in that you won't 
want when working in HTTPD.  In Keystone, we isolated the Monkeypatching 
into a single function, to ensure the same logic was done in both 
starting the App and the unit tests.  I suspect we'll need to do something 
comparable in Nova.


There are also potential SELinux issues.  I'd run with SELinux in 
Permissive mode until you get things sorted.








Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-06 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Hi Anne,

Thanks for the pointer but I am looking for directions for Nova running on a 
different node than the rest of OpenStack so it needs to be standalone.

Mark

> -Original Message-
> From: Anne Gentle [mailto:annegen...@justwriteclick.com]
> Sent: Wednesday, November 06, 2013 4:41 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Cc: OpenStack Development Mailing List; openstack...@lists.openstack.org
> Subject: Re: [openstack-dev] Nova SSL Apache2 Question
> 
> Hi Mark, try this and let us know.
> 
> http://docs.openstack.org/grizzly/openstack-compute/install/yum/content/installing-openstack-dashboard.html
> 
> Anne Gentle
> Content Stacker
> a...@openstack.org
> 
> 
> > On Nov 7, 2013, at 8:20 AM, "Miller, Mark M (EB SW Cloud - R&D -
> Corvallis)"  wrote:
> >
> > Hello,
> >
> > I am trying to front all of the Grizzly OpenStack services with Apache2 in
> order to enable SSL. I've got Horizon and Keystone working but am struggling
> with Nova. The only documentation I have been able to find is at URL
> http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/
> >
> > However, the Nova sample "osapi.wsgi" and "osapi" files are not working
> with Grizzly. Does anyone have a set of these files for Nova?
> >
> > Thanks,
> >
> > Mark Miller
> >


Re: [openstack-dev] Nova SSL Apache2 Question

2013-11-06 Thread Anne Gentle
Hi Mark, try this and let us know.

http://docs.openstack.org/grizzly/openstack-compute/install/yum/content/installing-openstack-dashboard.html

Anne Gentle
Content Stacker
a...@openstack.org


> On Nov 7, 2013, at 8:20 AM, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" 
>  wrote:
> 
> Hello,
> 
> I am trying to front all of the Grizzly OpenStack services with Apache2 in 
> order to enable SSL. I've got Horizon and Keystone working but am struggling 
> with Nova. The only documentation I have been able to find is at URL 
> http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/
> 
> However, the Nova sample "osapi.wsgi" and "osapi" files are not working with 
> Grizzly. Does anyone have a set of these files for Nova?
> 
> Thanks,
> 
> Mark Miller
> 


[openstack-dev] Nova SSL Apache2 Question

2013-11-06 Thread Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Hello,

I am trying to front all of the Grizzly OpenStack services with Apache2 in 
order to enable SSL. I've got Horizon and Keystone working but am struggling 
with Nova. The only documentation I have been able to find is at URL 
http://www.rackspace.com/blog/enabling-ssl-for-the-openstack-api/

However, the Nova sample "osapi.wsgi" and "osapi" files are not working with 
Grizzly. Does anyone have a set of these files for Nova?

Thanks,

Mark Miller
