[openstack-dev] [TripleO] FreeIPA integration

Adam Young ayoung at redhat.com
Wed Apr 6 02:02:58 UTC 2016


On 04/05/2016 11:42 AM, Fox, Kevin M wrote:
> Yeah, and they just deprecated vendor data plugins too, which 
> eliminates my other workaround. :/
>
> We need to really discuss this problem at the summit and get a viable 
> path forward. It's just getting worse. :/
>
> Thanks,
> Kevin
> ------------------------------------------------------------------------
> *From:* Juan Antonio Osorio [jaosorior at gmail.com]
> *Sent:* Tuesday, April 05, 2016 5:16 AM
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] [TripleO] FreeIPA integration
>
>
>
> On Tue, Apr 5, 2016 at 2:45 PM, Fox, Kevin M <Kevin.Fox at pnnl.gov> wrote:
>
>     This sounds suspiciously like, "how do you get a secret to the
>     instance to get a secret from the secret store" issue.... :)
>
> Yeah, sounds pretty familiar. We were using the nova hooks mechanism 
> for this means, but it was deprecated recently. So bummer :/
>
>
>     Nova instance user spec again?
>
>     Thanks,
>     Kevin
>

Yep, and we need a solution.  I think the right solution is a keypair 
generated on the instance, public key posted by the instance to the 
hypervisor and stored with the instance data in the database.  I wrote 
that to the mailing list earlier today.

A basic rule of a private key is that it never leaves the machine on 
which it is generated.  The rest falls out from there.