On 03/14/2014 07:14 AM, Jiří Stránský wrote:
On 14.3.2014 14:42, Steven Dake wrote:
On 03/14/2014 06:33 AM, Jiří Stránský wrote:
On 12.3.2014 17:03, Jiří Stránský wrote:
Thanks for all the replies everyone :)
I'm leaning towards going the way Robert suggested on the review [1] -
upload pre-created signing cert, signing key and CA cert to controller
nodes using Heat. This seems like a much cleaner approach to
initializing overcloud than having to SSH into it, and it will solve
both problems i outlined in the initial e-mail.
It creates another problem though - for simple (think PoC) deployments
without external CA we'll need to create the keys/certs
somehow/somewhere anyway :) It shouldn't be hard because it's already
implemented in keystone-manage pki_setup but we should figure out a
way
to avoid copy-pasting the world. Maybe Tuskar calling pki_setup
locally
and passing a parameter to pki_setup to override default location
where
new keys/certs will be generated?
Thanks
Jirka
[1] https://review.openstack.org/#/c/78148/
I'm adding [Heat] to the subject. After some discussion on IRC it
seems that what we need to do with Heat is not totally straightforward.
Here's an attempt at a brief summary:
In TripleO we deploy OpenStack using Heat, the cloud is described in a
Heat template [1]. We want to externally generate and then upload 3
small binary files to the controller nodes (Keystone PKI key and
certificates [2]). We don't want to generate them in place or scp them
into the controller nodes, because that would require having ssh
access to the deployed controller nodes, which comes with drawbacks
[3].
It would be good if we could have the 3 binary files put into the
controller nodes as part of the Heat stack creation. Can we include
them in the template somehow? Or is there an alternative feasible
approach?
Jirka,
You can inject files via the heat-cfntools agents. Check out:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-init.html#aws-resource-init-files
You could also use raw cloudinit data to inject a files section.
There may be a final option with software config, but I'm not certain if
software config has grown a feature to inject files yet.
Regards
-steve
Are these approaches subject to size limits? In the IRC discussion a
limit of 16 KB came up (i assumed total, not per-file), which could be
a problem in theory. The files `keystone-manage pki_setup` generated
for me were about 7.2 KB which gives about 10 KB when encoded as
base64. So we wouldn't be over the limit but it's not exactly
comfortable either (if that 16 KB limit still applies).
Thanks
Jirka
Jirka,
Yes these are limited by the metadata limit size, which on last
inspection of the nova db code was approximately 16kb.
If software config supports file injection, it may not be subject to
size limits. Steve baker would have a better handle on that.
Another option is to load the data in swift and access from inside the
vm on boot. I know that is kind of hacky. I think the default limit
for nova is too small, but the data consumption adds up per vm in the
database.
Regards
-steve
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
