<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/14/2013 03:42 AM, Jesse Pretorius
wrote:<br>
</div>
<blockquote
cite="mid:CAGSrQvwnrpBHzoKo2abomP_bHZQuHQZfT7PS_ApAUhKidd9Hzw@mail.gmail.com"
type="cite">
<div dir="ltr">On 13 November 2013 23:39, Miller, Mark M (EB SW
Cloud - R&D - Corvallis) <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:mark.m.miller@hp.com"
target="_blank">mark.m.miller@hp.com</a>></span> wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">I
finally found a set of web pages that has a working set of
configuration files for the major OpenStack services " <a
moz-do-not-send="true"
href="http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/"
target="_blank">http://andymc-stack.co.uk/2013/07/apache2-mod_wsgi-openstack-pt-2-nova-api-os-compute-nova-api-ec2/</a>
" by Andy Mc. I skipped ceilometer and have the rest of
the services working except quantum with self-signed
certificates on a Grizzly-3 OpenStack instance. Now I am
stuck trying to figure out how to get quantum to accept
self-signed certificates.<br>
<br>
My goal is to harden my Grizzly-3 OpenStack instance using
SSL and self-signed certificates. Later I will do the same
for Havana bits and use real/valid certificates.<br>
<br>
</blockquote>
<div><br>
</div>
<div>I struggled with getting this all to work correctly for
a few weeks, then eventually gave up and opted instead to
use an Apache reverse proxy to front-end the native
services. I just found that using an Apache/wsgi
configuration doesn't completely work. It would certainly
help if this configuration was implemented into the
Openstack testing regime to help all the services become
first-class citizens as a wsgi process behind Apache.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Does Glance save the image to the local file system? I'd suspect
SELinux, since it sounds like you were trying this on CentOS:
SELinux is very restrictive in what it lets Apache write. Again,
I'd recopmmend running with SELinux in Permissive mode on this host
and look at the avc's generated: Run audit2why.<br>
<br>
<blockquote
cite="mid:CAGSrQvwnrpBHzoKo2abomP_bHZQuHQZfT7PS_ApAUhKidd9Hzw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>
</div>
<div><br>
</div>
<div>I would suggest that you review the wsgi files and
vhost templates in the rcbops chef cookbooks for each
service. They include my updates to Andy's original blog
items to make things work properly.</div>
<div><br>
</div>
<div>I found that while Andy's stuff appears to work, it
becomes noticeable that it works in a read-only fashion. I
managed to get keystone/nova confirmed to work properly,
but glance just would not work - I could never upload any
images and if caching/management was turned off in the
glance service then downloading images didn't work either.</div>
<div><br>
</div>
<div>Good luck - if you do get a fully working config it'd
be great to get feedback on the adjustments you had to
make to get it working.</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>