<p dir="ltr">I want to know which method you are currently using for VM management in bare metal(ironic) hypervisor. Can I get the code or algorithm.<br>
</p>
<div class="gmail_quote">On Dec 3, 2014 5:35 PM, <<a href="mailto:openstack-request@lists.openstack.org">openstack-request@lists.openstack.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Openstack mailing list submissions to<br>
<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:openstack-request@lists.openstack.org">openstack-request@lists.openstack.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:openstack-owner@lists.openstack.org">openstack-owner@lists.openstack.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Openstack digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. SSL Configuration (Georgios Dimitrakakis)<br>
2. Horizon + vncproxy: ports 443+6080, and restrictive<br>
firewalls: best practise? (Don Waterloo)<br>
3. Re: SSL Configuration (Robert van Leeuwen)<br>
4. Re: SSL Configuration (Muhammed Salehi)<br>
5. Re: SSL Configuration (Georgios Dimitrakakis)<br>
6. Re: SSL Configuration (Rob Crittenden)<br>
7. Re: SSL Configuration (Georgios Dimitrakakis)<br>
8. (Juno) Swift Dashboard error (Amit Anand)<br>
9. Re: SSL Configuration (Rob Crittenden)<br>
10. Final Call for Participation: UCC 2014 London UK (Ashiq Anjum)<br>
11. Re: (Juno) Swift Dashboard error (Don Waterloo)<br>
12. nova missing network, neutron shows it ok (Don Waterloo)<br>
13. Re: SSL Configuration (Ryan O'Hara)<br>
14. Flat provider_network with vlan tagged interface or vlan<br>
provider_network with untagged interface (Abhijeet Rastogi)<br>
15. Re: Poll: What are the top 3 topics for new OpenStack users<br>
and developers? (Stefano Maffulli)<br>
16. Re: Flat provider_network with vlan tagged interface or vlan<br>
provider_network with untagged interface (Kevin Benton)<br>
17. Re: Flat provider_network with vlan tagged interface or vlan<br>
provider_network with untagged interface (Abhijeet Rastogi)<br>
18. nova compute service fail to start due to "Connection to the<br>
hypervisor is broken on host" (Du Jun)<br>
19. Re: nova compute service fail to start due to "Connection to<br>
the hypervisor is broken on host" (Du Jun)<br>
20. [openstack][icehouse][monitoring]-open source monitoring<br>
tools (Chinasubbareddy M)<br>
21. Re: nova compute service fail to start due to "Connection to<br>
the hypervisor is broken on host" (Du Jun)<br>
22. [Ceilometer] looking for alarm best practice - please help<br>
(Rao Dingyuan)<br>
23. Re: [openstack][icehouse][monitoring]-open source monitoring<br>
tools (Venu Murthy)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 02 Dec 2014 15:52:52 +0200<br>
From: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
To: <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:e0e092c785b8a284e14a056a06937118@acmac.uoc.gr">e0e092c785b8a284e14a056a06937118@acmac.uoc.gr</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Hi!<br>
<br>
Can someone point me to the right direction on how to secure publicly<br>
available services (e.g. nova,keystone,glance) with an SSL certificate?<br>
<br>
<br>
<br>
Best regards,<br>
<br>
<br>
George<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 2 Dec 2014 08:54:37 -0500<br>
From: Don Waterloo <<a href="mailto:don.waterloo@gmail.com">don.waterloo@gmail.com</a>><br>
To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: [Openstack] Horizon + vncproxy: ports 443+6080, and<br>
restrictive firewalls: best practise?<br>
Message-ID:<br>
<CAKrvkGepwsaa6uF+=<a href="mailto:CTaWQr8UHfEfcVAnt-LTvj3j%2BJ3mYXcCA@mail.gmail.com">CTaWQr8UHfEfcVAnt-LTvj3j+J3mYXcCA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
So my setup is pretty vanilla. Horizon runs on port 443 front-ended by nginx<br>
(all services on my system are ssl).<br>
On the same host runs vncproxy on port 6080 (ssl).<br>
<br>
The problem I run into is, in some environments, the local firewall only<br>
allows<br>
port 443 out (e.g. some guest wifi locations). This means that generally<br>
horizon works, but the console times out.<br>
<br>
Now of course I could force the users to VPN to somewhere and then use<br>
it, but that adds latency and complexity. I would prefer if I could find a<br>
way<br>
to run vncproxy through the nginx.<br>
<br>
Is anybody doing this? announcing the vncproxy on the same port as<br>
horizon? If so, how?<br>
<br>
I see that nginx (e.g. <a href="http://nginx.com/blog/websocket-nginx/" target="_blank">http://nginx.com/blog/websocket-nginx/</a>) has some<br>
support<br>
for websocket proxy, but I was unsuccessful in getting this to work.<br>
<br>
Any suggestions from someone else who has hit this issue?<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/75b02399/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/75b02399/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 2 Dec 2014 14:10:24 +0000<br>
From: Robert van Leeuwen <<a href="mailto:Robert.vanLeeuwen@spilgames.com">Robert.vanLeeuwen@spilgames.com</a>><br>
To: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>>,<br>
"<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID:<br>
<79E00D9220302D448C1D59B5224ED12D8EC4F26F@EchoDB02.spil.local><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
> Can someone point me to the right direction on how to secure publicly<br>
> available services (e.g. nova,keystone,glance) with an SSL certificate?<br>
<br>
Hi,<br>
<br>
We offload this task to our load-balancer solution.<br>
(assuming you can live with unencrypted traffic between lb and the services)<br>
<br>
Makes management of ssl in general a lot easier since it is just one location to setup and maintain.<br>
Since you probably want a load balancer anyway to make the endpoints HA it makes sense to also use it for this.<br>
We use a commercial solution but a quick google tells me you can also do this with haproxy ;)<br>
<br>
Cheers,<br>
Robert van Leeuwen<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Tue, 2 Dec 2014 17:49:24 +0330<br>
From: Muhammed Salehi <<a href="mailto:salehi1994@gmail.com">salehi1994@gmail.com</a>><br>
To: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
Cc: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID:<br>
<<a href="mailto:CANs1bxE0hooy9bWKfmRwNYDq6yij7302vSBvgdb2ajHjZRX_RA@mail.gmail.com">CANs1bxE0hooy9bWKfmRwNYDq6yij7302vSBvgdb2ajHjZRX_RA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi.<br>
Do you want to serve https instead http ? Or you want to encrypt all of the<br>
communications between these components?<br>
For the first problem the solution is : Search about how to serve and https<br>
with apache or passenger.<br>
<br>
On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
wrote:<br>
<br>
> Hi!<br>
><br>
> Can someone point me to the right direction on how to secure publicly<br>
> available services (e.g. nova,keystone,glance) with an SSL certificate?<br>
><br>
><br>
><br>
> Best regards,<br>
><br>
><br>
> George<br>
><br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/</a><br>
> openstack<br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/</a><br>
> openstack<br>
><br>
<br>
<br>
<br>
--<br>
-----BEGIN PGP PUBLIC KEY BLOCK-----<br>
Version: GnuPG v1<br>
<br>
mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
+U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
Tt1scwgVintCWdVX9BS2<br>
=cxjk<br>
-----END PGP PUBLIC KEY BLOCK-----<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/f44d254b/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/f44d254b/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Tue, 02 Dec 2014 17:01:10 +0200<br>
From: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
To: <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:c68ab1e623c60faddcadccec9c57dcad@acmac.uoc.gr">c68ab1e623c60faddcadccec9c57dcad@acmac.uoc.gr</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
@Robert: I don't have a load-balancer for this deployment. Just<br>
controller, cinder and compute nodes.<br>
<br>
<br>
<br>
What I would like to do is to secure the public endpoints for Keystone,<br>
Glance, Nova, Cinder with SSL and the EC2 API.<br>
<br>
That would be sufficient for the moment.<br>
<br>
Is it OK if I just change the respective *.conf files or should I do<br>
something more? Should the changes at the *.conf files be propagated on<br>
all nodes?<br>
<br>
<br>
All the best,<br>
<br>
George<br>
<br>
<br>
<br>
On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:<br>
> Hi.<br>
> Do you want to serve https instead http ? Or you want to encrypt all<br>
> of the communications between these components?<br>
> For the first problem the solution is : Search about how to serve and<br>
> https with apache or passenger.<br>
><br>
> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:<br>
><br>
>> Hi!<br>
>><br>
>> Can someone point me to the right direction on how to secure<br>
>> publicly available services (e.g. nova,keystone,glance) with an SSL<br>
>> certificate?<br>
>><br>
>> Best regards,<br>
>><br>
>> George<br>
>><br>
>> _______________________________________________<br>
>> Mailing list:<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [1]<br>
>> Post to? ? ?: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [2]<br>
>> Unsubscribe :<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [3]<br>
><br>
> --<br>
><br>
> -----BEGIN PGP PUBLIC KEY BLOCK-----<br>
> Version: GnuPG v1<br>
><br>
> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
> Tt1scwgVintCWdVX9BS2<br>
> =cxjk<br>
> -----END PGP PUBLIC KEY BLOCK-----<br>
><br>
><br>
> Links:<br>
> ------<br>
> [1] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> [2] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> [3] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> [4] mailto:<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a><br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Tue, 02 Dec 2014 10:31:30 -0500<br>
From: Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
To: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>>,<br>
<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:547DDB52.5030006@redhat.com">547DDB52.5030006@redhat.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Georgios Dimitrakakis wrote:<br>
> @Robert: I don't have a load-balancer for this deployment. Just<br>
> controller, cinder and compute nodes.<br>
><br>
><br>
><br>
> What I would like to do is to secure the public endpoints for Keystone,<br>
> Glance, Nova, Cinder with SSL and the EC2 API.<br>
><br>
> That would be sufficient for the moment.<br>
><br>
> Is it OK if I just change the respective *.conf files or should I do<br>
> something more? Should the changes at the *.conf files be propagated on<br>
> all nodes?<br>
<br>
It is a bit more complicated than that.<br>
<br>
You can either secure things natively or use a TLS proxy (hardware or<br>
something like haproxy or stud). Native SSL is generally frowned upon<br>
since the assumption is that performance will be terrible due to the<br>
python GIL.<br>
<br>
What you do with haproxy or stud is to modify the port that the services<br>
normally listen on (in devstack we simply add 1 to each of the ports)<br>
and configure the proxy to listen on the "standard" ports for each service.<br>
<br>
You also need secure endpoints defined in keystone for everything. If<br>
you've got an existing installation you'll need to try to convert it.<br>
<br>
I've been toying with SSL in devstack and documented some experiments I<br>
did including converting Keystone to use native SSL,<br>
<a href="http://blog-rcritten.rhcloud.com/?p=5" target="_blank">http://blog-rcritten.rhcloud.com/?p=5</a> and subsequently converting nova,<br>
glance and cinder in the same install <a href="http://blog-rcritten.rhcloud.com/?p=26" target="_blank">http://blog-rcritten.rhcloud.com/?p=26</a><br>
<br>
This is for native SSL, which as I said is generally frowned up, but I<br>
was just toying after all. The process should be similar for a proxy.<br>
<br>
rob<br>
<br>
><br>
><br>
> All the best,<br>
><br>
> George<br>
><br>
><br>
><br>
> On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:<br>
>> Hi.<br>
>> Do you want to serve https instead http ? Or you want to encrypt all<br>
>> of the communications between these components?<br>
>> For the first problem the solution is : Search about how to serve and<br>
>> https with apache or passenger.<br>
>><br>
>> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:<br>
>><br>
>>> Hi!<br>
>>><br>
>>> Can someone point me to the right direction on how to secure<br>
>>> publicly available services (e.g. nova,keystone,glance) with an SSL<br>
>>> certificate?<br>
>>><br>
>>> Best regards,<br>
>>><br>
>>> George<br>
>>><br>
>>> _______________________________________________<br>
>>> Mailing list:<br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [1]<br>
>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [2]<br>
>>> Unsubscribe :<br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [3]<br>
>><br>
>> --<br>
>><br>
>> -----BEGIN PGP PUBLIC KEY BLOCK-----<br>
>> Version: GnuPG v1<br>
>><br>
>> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
>> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
>> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
>> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
>> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
>> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
>> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
>> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
>> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
>> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
>> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
>> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
>> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
>> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
>> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
>> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
>> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
>> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
>> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
>> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
>> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
>> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
>> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
>> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
>> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
>> Tt1scwgVintCWdVX9BS2<br>
>> =cxjk<br>
>> -----END PGP PUBLIC KEY BLOCK-----<br>
>><br>
>><br>
>> Links:<br>
>> ------<br>
>> [1] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>> [2] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>> [3] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>> [4] mailto:<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a><br>
><br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Tue, 02 Dec 2014 18:07:03 +0200<br>
From: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
To: Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:e7b1301361cb49ec55553942be3732b5@acmac.uoc.gr">e7b1301361cb49ec55553942be3732b5@acmac.uoc.gr</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Hi Rob!<br>
<br>
Thanks for you detailed explanation.<br>
Just a few more questions to clarify things....<br>
<br>
So if I decide to go natively is it sufficient to follow the steps on<br>
the two blog posts? Do I have to do anything more than that? I am<br>
specifically interested in EC2 which is excluded.....Can we foresee the<br>
impact on the performance and why is that?<br>
<br>
<br>
If I decide to go with HAProxy (no hardware proxy available) do I still<br>
have to change the endpoints to httpS or changing the ports is<br>
sufficient? Do you happen to know where can I find more info regarding<br>
this?<br>
<br>
<br>
All the best,<br>
<br>
<br>
George<br>
<br>
<br>
<br>
On Tue, 02 Dec 2014 10:31:30 -0500, Rob Crittenden wrote:<br>
> Georgios Dimitrakakis wrote:<br>
>> @Robert: I don't have a load-balancer for this deployment. Just<br>
>> controller, cinder and compute nodes.<br>
>><br>
>><br>
>><br>
>> What I would like to do is to secure the public endpoints for<br>
>> Keystone,<br>
>> Glance, Nova, Cinder with SSL and the EC2 API.<br>
>><br>
>> That would be sufficient for the moment.<br>
>><br>
>> Is it OK if I just change the respective *.conf files or should I do<br>
>> something more? Should the changes at the *.conf files be propagated<br>
>> on<br>
>> all nodes?<br>
><br>
> It is a bit more complicated than that.<br>
><br>
> You can either secure things natively or use a TLS proxy (hardware or<br>
> something like haproxy or stud). Native SSL is generally frowned upon<br>
> since the assumption is that performance will be terrible due to the<br>
> python GIL.<br>
><br>
> What you do with haproxy or stud is to modify the port that the<br>
> services<br>
> normally listen on (in devstack we simply add 1 to each of the ports)<br>
> and configure the proxy to listen on the "standard" ports for each<br>
> service.<br>
><br>
> You also need secure endpoints defined in keystone for everything. If<br>
> you've got an existing installation you'll need to try to convert it.<br>
><br>
> I've been toying with SSL in devstack and documented some experiments<br>
> I<br>
> did including converting Keystone to use native SSL,<br>
> <a href="http://blog-rcritten.rhcloud.com/?p=5" target="_blank">http://blog-rcritten.rhcloud.com/?p=5</a> and subsequently converting<br>
> nova,<br>
> glance and cinder in the same install<br>
> <a href="http://blog-rcritten.rhcloud.com/?p=26" target="_blank">http://blog-rcritten.rhcloud.com/?p=26</a><br>
><br>
> This is for native SSL, which as I said is generally frowned up, but<br>
> I<br>
> was just toying after all. The process should be similar for a proxy.<br>
><br>
> rob<br>
><br>
>><br>
>><br>
>> All the best,<br>
>><br>
>> George<br>
>><br>
>><br>
>><br>
>> On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:<br>
>>> Hi.<br>
>>> Do you want to serve https instead http ? Or you want to encrypt<br>
>>> all<br>
>>> of the communications between these components?<br>
>>> For the first problem the solution is : Search about how to serve<br>
>>> and<br>
>>> https with apache or passenger.<br>
>>><br>
>>> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:<br>
>>><br>
>>>> Hi!<br>
>>>><br>
>>>> Can someone point me to the right direction on how to secure<br>
>>>> publicly available services (e.g. nova,keystone,glance) with an<br>
>>>> SSL<br>
>>>> certificate?<br>
>>>><br>
>>>> Best regards,<br>
>>>><br>
>>>> George<br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Mailing list:<br>
>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [1]<br>
>>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [2]<br>
>>>> Unsubscribe :<br>
>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [3]<br>
>>><br>
>>> --<br>
>>><br>
>>> -----BEGIN PGP PUBLIC KEY BLOCK-----<br>
>>> Version: GnuPG v1<br>
>>><br>
>>> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
>>> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
>>> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
>>> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
>>> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
>>> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
>>> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
>>> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
>>> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
>>> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
>>> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
>>> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
>>> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
>>> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
>>> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
>>> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
>>> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
>>> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
>>> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
>>> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
>>> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
>>> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
>>> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
>>> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
>>> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
>>> Tt1scwgVintCWdVX9BS2<br>
>>> =cxjk<br>
>>> -----END PGP PUBLIC KEY BLOCK-----<br>
>>><br>
>>><br>
>>> Links:<br>
>>> ------<br>
>>> [1] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>> [2] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>>> [3] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>> [4] mailto:<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Mailing list:<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>> Unsubscribe :<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
--<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 8<br>
Date: Tue, 2 Dec 2014 11:50:46 -0500<br>
From: Amit Anand <<a href="mailto:aanand@viimed.com">aanand@viimed.com</a>><br>
To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: [Openstack] (Juno) Swift Dashboard error<br>
Message-ID:<br>
<CAAvmQasGgG0iPWEzvOah9mpV2oSb4OXaCG5Lh8A_2M8+T=<a href="mailto:JjoQ@mail.gmail.com">JjoQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi all,<br>
<br>
Thank you all for your help earlier getting through my issues - it looks<br>
like I have more or less a functioning environment! I do have one error<br>
which Im getting and have no idea why as I do not see anything in<br>
/var/log/messages on why this is occurring. Basically when I click on "View<br>
Details" on an Object I get this popup error from the Dashboard:<br>
<br>
"Danger: An error has occurred. Please try again later." (screenshot below)<br>
<br>
But if I click on the View Details of the container all comes up fine. I<br>
can then take the URL and add the name of the file im trying to access and<br>
works just fine. Anyone have any ideas?<br>
<br>
[image: Inline image 4]<br>
<br>
<br>
Thanks! Also I as you can see we are trying video streaming from our<br>
development stack so any pointers on that would be very much appreciated!!<br>
<br>
Amit<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/a3028b1f/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/a3028b1f/attachment-0001.html</a>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: image.png<br>
Type: image/png<br>
Size: 148167 bytes<br>
Desc: not available<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/a3028b1f/attachment-0001.png" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/a3028b1f/attachment-0001.png</a>><br>
<br>
------------------------------<br>
<br>
Message: 9<br>
Date: Tue, 02 Dec 2014 13:31:39 -0500<br>
From: Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
To: Georgios Dimitrakakis <<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a>><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:547E058B.5040304@redhat.com">547E058B.5040304@redhat.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Georgios Dimitrakakis wrote:<br>
> Hi Rob!<br>
><br>
> Thanks for you detailed explanation.<br>
> Just a few more questions to clarify things....<br>
><br>
> So if I decide to go natively is it sufficient to follow the steps on<br>
> the two blog posts? Do I have to do anything more than that? I am<br>
> specifically interested in EC2 which is excluded.....Can we foresee the<br>
> impact on the performance and why is that?<br>
<br>
I haven't done much with EC2 so I can't say with any authority. You<br>
might check how it is configured in devstack for some pointers.<br>
<br>
The presumed problem with native SSL is that due to the GIL only one<br>
request can effectively be served at a time. I don't know that anyone<br>
has actually tested that but at the Atlanta summit whenever I brought up<br>
native SSL most everyone recoiled. Things will be different if/when all<br>
services run in Apache.<br>
<br>
> If I decide to go with HAProxy (no hardware proxy available) do I still<br>
> have to change the endpoints to httpS or changing the ports is<br>
> sufficient? Do you happen to know where can I find more info regarding<br>
> this?<br>
<br>
By my understanding, yes. If anything looks up the endpoints in Keystone<br>
and they get back http endpoints then you get an in-the-clear request to<br>
your proxy listening on SSL, so nothing will work. I don't know how the<br>
guys with hardware handle it.<br>
<br>
I'd recommend toying with this in devstack to get a feel for how things<br>
would work. You can add ENABLED_SERVICES+=,tls-proxy to local.conf and<br>
it will set things up using stud as the proxy. You'll be able to see how<br>
the endpoints get set up and what the configuration files will look like.<br>
<br>
The biggest pain right now with using SSL is distributing and using the<br>
CA certificate. You'll be tempted to use --insecure. Avoid that<br>
temptation if at all possible. Ubuntu/Fedora/RHEL/CentOS (and perhaps<br>
Debian, I didn't check) all have a way of publishing the CA certificate<br>
centrally. That can alleviate many of the problems on the server and<br>
clients.<br>
<br>
rob<br>
<br>
><br>
><br>
> All the best,<br>
><br>
><br>
> George<br>
><br>
><br>
><br>
> On Tue, 02 Dec 2014 10:31:30 -0500, Rob Crittenden wrote:<br>
>> Georgios Dimitrakakis wrote:<br>
>>> @Robert: I don't have a load-balancer for this deployment. Just<br>
>>> controller, cinder and compute nodes.<br>
>>><br>
>>><br>
>>><br>
>>> What I would like to do is to secure the public endpoints for Keystone,<br>
>>> Glance, Nova, Cinder with SSL and the EC2 API.<br>
>>><br>
>>> That would be sufficient for the moment.<br>
>>><br>
>>> Is it OK if I just change the respective *.conf files or should I do<br>
>>> something more? Should the changes at the *.conf files be propagated on<br>
>>> all nodes?<br>
>><br>
>> It is a bit more complicated than that.<br>
>><br>
>> You can either secure things natively or use a TLS proxy (hardware or<br>
>> something like haproxy or stud). Native SSL is generally frowned upon<br>
>> since the assumption is that performance will be terrible due to the<br>
>> python GIL.<br>
>><br>
>> What you do with haproxy or stud is to modify the port that the services<br>
>> normally listen on (in devstack we simply add 1 to each of the ports)<br>
>> and configure the proxy to listen on the "standard" ports for each<br>
>> service.<br>
>><br>
>> You also need secure endpoints defined in keystone for everything. If<br>
>> you've got an existing installation you'll need to try to convert it.<br>
>><br>
>> I've been toying with SSL in devstack and documented some experiments I<br>
>> did including converting Keystone to use native SSL,<br>
>> <a href="http://blog-rcritten.rhcloud.com/?p=5" target="_blank">http://blog-rcritten.rhcloud.com/?p=5</a> and subsequently converting nova,<br>
>> glance and cinder in the same install<br>
>> <a href="http://blog-rcritten.rhcloud.com/?p=26" target="_blank">http://blog-rcritten.rhcloud.com/?p=26</a><br>
>><br>
>> This is for native SSL, which as I said is generally frowned up, but I<br>
>> was just toying after all. The process should be similar for a proxy.<br>
>><br>
>> rob<br>
>><br>
>>><br>
>>><br>
>>> All the best,<br>
>>><br>
>>> George<br>
>>><br>
>>><br>
>>><br>
>>> On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:<br>
>>>> Hi.<br>
>>>> Do you want to serve https instead http ? Or you want to encrypt all<br>
>>>> of the communications between these components?<br>
>>>> For the first problem the solution is : Search about how to serve and<br>
>>>> https with apache or passenger.<br>
>>>><br>
>>>> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:<br>
>>>><br>
>>>>> Hi!<br>
>>>>><br>
>>>>> Can someone point me to the right direction on how to secure<br>
>>>>> publicly available services (e.g. nova,keystone,glance) with an SSL<br>
>>>>> certificate?<br>
>>>>><br>
>>>>> Best regards,<br>
>>>>><br>
>>>>> George<br>
>>>>><br>
>>>>> _______________________________________________<br>
>>>>> Mailing list:<br>
>>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [1]<br>
>>>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [2]<br>
>>>>> Unsubscribe :<br>
>>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [3]<br>
>>>><br>
>>>> --<br>
>>>><br>
>>>> -----BEGIN PGP PUBLIC KEY BLOCK-----<br>
>>>> Version: GnuPG v1<br>
>>>><br>
>>>> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
>>>> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
>>>> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
>>>> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
>>>> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
>>>> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
>>>> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
>>>> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
>>>> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
>>>> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
>>>> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
>>>> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
>>>> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
>>>> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
>>>> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
>>>> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
>>>> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
>>>> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
>>>> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
>>>> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
>>>> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
>>>> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
>>>> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
>>>> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
>>>> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
>>>> Tt1scwgVintCWdVX9BS2<br>
>>>> =cxjk<br>
>>>> -----END PGP PUBLIC KEY BLOCK-----<br>
>>>><br>
>>>><br>
>>>> Links:<br>
>>>> ------<br>
>>>> [1] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>>> [2] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>>>> [3] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>>> [4] mailto:<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a><br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> Mailing list:<br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>>> Unsubscribe :<br>
>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
> --<br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 10<br>
Date: Tue, 2 Dec 2014 20:04:51 +0000<br>
From: Ashiq Anjum <<a href="mailto:Ashiq.Anjum@cern.ch">Ashiq.Anjum@cern.ch</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>>,<br>
"<a href="mailto:openstack-hpc@lists.openstack.org">openstack-hpc@lists.openstack.org</a>"<br>
<<a href="mailto:openstack-hpc@lists.openstack.org">openstack-hpc@lists.openstack.org</a>><br>
Subject: [Openstack] Final Call for Participation: UCC 2014 London UK<br>
Message-ID:<br>
<<a href="mailto:38B80DE7DF51A943BD4434E10300831491A001BA@CERNXCHG74.cern.ch">38B80DE7DF51A943BD4434E10300831491A001BA@CERNXCHG74.cern.ch</a>><br>
Content-Type: text/plain; charset="Windows-1252"<br>
<br>
Dear All,<br>
<br>
The final conference programme for UCC 2014, being held in London from December 8-11 2014, is available at:<br>
<br>
<a href="http://computing.derby.ac.uk/ucc2014/conference-programme/" target="_blank">http://computing.derby.ac.uk/ucc2014/conference-programme/</a><br>
<a href="http://computing.derby.ac.uk/ucc2014/wp-content/uploads/2014/12/UCC-2014-Conference-Foldout-Programme.pdf" target="_blank">http://computing.derby.ac.uk/ucc2014/wp-content/uploads/2014/12/UCC-2014-Conference-Foldout-Programme.pdf</a><br>
<br>
We have some very interesting keynote speakers, tutorials and workshops this year.<br>
<br>
The notable names and their talks include the following:<br>
<br>
1. Enabling Cloud Computing at Hyper-Scale: Kenji Takeda, Microsoft<br>
2. Cloud Native Cost Optimization: Adrian Cockcroft, Battery Ventures (prev. Netflix, eBay, Sun)<br>
3. A Few Control Issues in Warehouse-scale Computing: John Wilkes, Google<br>
4. Rack-Scale Computers and the Cloud: Ant Rowstron, Microsoft<br>
5. Joe Baguley, Chief Technology Officer, EMEA, VMware<br>
6. Professor Yike Guo, Imperial College London<br>
7. Actors in the Cloud: Supporting Security, Scalability and Availability , Gul Agha, University of Illinois at Urbana-Champaign, USA<br>
8. Clinical Intelligence & Integration: Tackling Large Data Analytics in Real-Time, Oliver Vettel and Andreas Koop, Roche Diagnostics<br>
<br>
Panel Discussion: How adaptive should our infrastructure (networks, data centres etc.) be to support next generation Clouds?<br>
<br>
Alan Sill; Open Grid Forum (OGF)<br>
Joe Baguley; VMWare<br>
John Wilken; Google<br>
Erik Elmroth; Ume? University (UMU)<br>
Gul Agha; University of Illinois at Urbana-Champaign<br>
<br>
UCC 2014 Tutorials<br>
1. Azure Machine Learning for Research, Kenji Takeda<br>
2. Model-Driven Management of Multi-Cloud Applications, Danilo Ardagna<br>
3. The Intercloud Architecture and Project, David R. Bernstein<br>
4. Distributed Data Storage: From Dispersed Files to Stealth Databases, Josef Spillner, Johannes M?ller,<br>
5. Software Development in Cloud: An Experiential Study with CMS, Chandra Sekaran K,<br>
6. Data Analysis with R, Shruti Kohli, Shruti Kohli<br>
6. Microsoft Azure for Research, Kenji Takeda<br>
7. Autonomic Clouds, Omer Rana and Manish Parashar, Omer F. Rana<br>
8. Help Clinical Intelligence take the next step using state-of-the art in-memory analytics, Oliver Vettel and Andreas Koop<br>
9. CRISTAL : Designing Traceable Cloud-based Systems, Richard McClatchey, Andrew Branson<br>
<br>
UCC 2014 Workshops<br>
1. International Symposium on Big Data Computing 2014 ? BDC 2014<br>
2. 6th Cloud Control Workshop ? CloudControl6<br>
3. Cloud Federation Management: Identity, Resources and Applications Workshop ? CFM 2014<br>
4. Workshops on Standards and Pre-Standards Topics in Clouds, Big Data and Data Analytics ? SCBDA 2014<br>
5. ITaaU Network+ Symposium ? ITaaU 2014<br>
6. Clouds and eScience Applications Management Workshop ? CloudAM 2014<br>
7. Crowdsourcing and Gamification in the Cloud Workshop ? CGCloud 2014<br>
8. Re-computability in the Cloud Workshop ? Re-computability 2014<br>
9. Advances in CC Legislation, Accountability, Security and Privacy Workshop ? CLASP 2014<br>
10. Trust in Cloud Computing Workshop ? IWTCC 2014<br>
11. Green Cloud Computing Workshop ? GCC 2014<br>
12. Smart City Clouds: Technologies, Systems and Applications Workshop ? SCCTSA 2014<br>
13. Cloud Automation, Intelligent Management and Scalability Workshop ? CAIMS 2014<br>
14. Cyber-physical Cloud Computing Workshop ? CPCC 2014<br>
15. Network Virtualization and SDN for Cloud Data Centres Workshop<br>
16. Big Data, Intelligence Management and Analytics Workshop ? BDIMA<br>
17. Big Data and Social Networking Management and Security Workshop<br>
18. Education in the Cloud Workshop ? EC 2014<br>
19. EGI Federated Cloud Workshop<br>
20. Plugfest: Cloud Interoperability Event<br>
<br>
UCC 2014 Registration<br>
<br>
To register please visit: <a href="http://www.derby.ac.uk/enterprisecentre/events/ucc/book/" target="_blank">http://www.derby.ac.uk/enterprisecentre/events/ucc/book/</a><br>
<br>
Best regards<br>
Ashiq Anjum<br>
<br>
<br>
Organising Chair UCC 2014 -- <a href="http://computing.derby.ac.uk/ucc2014/" target="_blank">http://computing.derby.ac.uk/ucc2014/</a><br>
<br>
Dr. Ashiq Anjum<br>
Reader in Distributed Computing<br>
Distributed and Intelligent Systems (DISYS) research centre<br>
School of Computing and Mathematics<br>
University of Derby<br>
Room E510<br>
Kedleston Road<br>
Derby, UK<br>
DE22 1GB<br>
<a href="mailto:ashiq.anjum@cern.ch">ashiq.anjum@cern.ch</a> & <a href="mailto:a.anjum@derby.ac.uk">a.anjum@derby.ac.uk</a><br>
+44 (0) 1332 591881 & 44 (0) 772 4017071<br>
<a href="http://www.derby.ac.uk/staff/ashiq-anjum/" target="_blank">http://www.derby.ac.uk/staff/ashiq-anjum/</a><br>
<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 11<br>
Date: Tue, 2 Dec 2014 18:43:01 -0500<br>
From: Don Waterloo <<a href="mailto:don.waterloo@gmail.com">don.waterloo@gmail.com</a>><br>
To: Amit Anand <<a href="mailto:aanand@viimed.com">aanand@viimed.com</a>><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] (Juno) Swift Dashboard error<br>
Message-ID:<br>
<<a href="mailto:CAKrvkGdkBP15ag%2BjFVoeMMdT8oc4y0n8Ouz2rmxvfMA9%2B9qAig@mail.gmail.com">CAKrvkGdkBP15ag+jFVoeMMdT8oc4y0n8Ouz2rmxvfMA9+9qAig@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
On 2 December 2014 at 11:50, Amit Anand <<a href="mailto:aanand@viimed.com">aanand@viimed.com</a>> wrote:<br>
<br>
> Hi all,<br>
><br>
> Thank you all for your help earlier getting through my issues - it looks<br>
> like I have more or less a functioning environment! I do have one error<br>
> which Im getting and have no idea why as I do not see anything in<br>
> /var/log/messages on why this is occurring. Basically when I click on "View<br>
> Details" on an Object I get this popup error from the Dashboard:<br>
><br>
> "Danger: An error has occurred. Please try again later." (screenshot below)<br>
><br>
> But if I click on the View Details of the container all comes up fine. I<br>
> can then take the URL and add the name of the file im trying to access and<br>
> works just fine. Anyone have any ideas?<br>
><br>
><br>
I had this problem. the 'danger' is a bootstrap thing, an error has occured<br>
(e.g. a 500 error) on an ajax call.<br>
<br>
for me, i turned on logging in horizon, and found that i was<br>
<br>
ERROR 2014-12-02 23:14:10,608 base 36395 140110630778624 Error while<br>
checking action permissions.<br>
Traceback (most recent call last):<br>
File "/usr/lib/python2.7/dist-packages/horizon/tables/base.py", line<br>
1234, in _filter_action<br>
return action._allowed(request, datum) and row_matched<br>
File "/usr/lib/python2.7/dist-packages/horizon/tables/actions.py", line<br>
136, in _allowed<br>
self.allowed(request, datum))<br>
File "./openstack_dashboard/dashboards/project/networks/tables.py", line<br>
94, in allowed<br>
if usages['networks']['available'] <= 0:<br>
KeyError: 'available'<br>
<br>
e.g. there was no key 'available' in the usages. usages['networks'] has<br>
only part of the quota. I modified the code to be<br>
" if 'networks' in usages and 'available' in usages['networks'] and<br>
usages['networks']['available'] <= 0:"<br>
instead of<br>
" if usages['networks']['available'] <= 0:"<br>
<br>
but u can find your specific problem by enabling the horizon logging.<br>
<br>
I enabled logging as below in local_settings.py<br>
(/etc/openstack-dashboard/local_settings.py on Ubuntu).<br>
<br>
LOGGING = {<br>
...<br>
'file': {<br>
'level': 'ERROR',<br>
'class': 'logging.FileHandler',<br>
'formatter': 'verbose',<br>
'filename': '/var/log/horizon.log'<br>
},<br>
},<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/38032547/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/38032547/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 12<br>
Date: Tue, 2 Dec 2014 19:12:01 -0500<br>
From: Don Waterloo <<a href="mailto:don.waterloo@gmail.com">don.waterloo@gmail.com</a>><br>
To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: [Openstack] nova missing network, neutron shows it ok<br>
Message-ID:<br>
<CAKrvkGfH2oaUOWra8yHAgDnd0+Y5FBpV6yeP11K7wLZ942q=<a href="mailto:4g@mail.gmail.com">4g@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
I have an issue where nova is 'missing' the networks that are on some<br>
instances (they are really there, they work, I can see them in horizon<br>
topology)<br>
<br>
$ nova list<br>
+--------------------------------------+------------+--------+------------+-------------+----------------------------------+<br>
| ID | Name | Status | Task State |<br>
Power State | Networks |<br>
+--------------------------------------+------------+--------+------------+-------------+----------------------------------+<br>
| 4599b917-7b86-4195-a82a-e733bd8b041c | xxxxxx-pts | ACTIVE | - |<br>
Running | |<br>
| 4859d4ac-e2a5-4e5d-8f98-12ce2d3fd36d | xxxxxx-sde | ACTIVE | - |<br>
Running | |<br>
| c40f7e59-02a0-4c16-9544-c3a9940358d6 | xxxxxx-spb | ACTIVE | - |<br>
Running | xxxxxx-data-ctrl-net=172.16.1.10 |<br>
| 28b7a632-4f12-41fc-a917-3b19233701c2 | xxxxxx-vpn | ACTIVE | - |<br>
Running | |<br>
+--------------------------------------+------------+--------+------------+-------------+----------------------------------+<br>
<br>
<br>
Doing a 'neutron port-list' the port shows up:<br>
+--------------------------------------+-----------------+-------------------+------------------------------------------------------------------------------------+<br>
| id | name | mac_address<br>
| fixed_ips<br>
|<br>
+--------------------------------------+-----------------+-------------------+------------------------------------------------------------------------------------+<br>
| adc3b59f-e73c-4c94-9765-7c9fc2d210a3 | justin-pts-port |<br>
fa:16:3e:b2:3c:f7 | {"subnet_id": "994123b2-0386-49e4-b8b0-d952d925dff5",<br>
"ip_address": "172.16.1.13"} |<br>
<br>
...<br>
<br>
I presume this indicates some problem on the api-pass-through that nova<br>
does to neutron (I am running neutron network, juno, ubuntu 14.10)<br>
<br>
the only clue to the mystery is found in the log file:<br>
2014-12-02 23:57:37.787 20876 WARNING keystonemiddleware.auth_token [-]<br>
Authorization failed for token<br>
in nova-api.log<br>
<br>
why it would fail for one and not another i don't know.<br>
<br>
can someone suggest how to debug this? enabling verbose/debug in nova<br>
didn't really provide more info.<br>
in keystone-all.log, there is an awful lot of stuff about RBAC, its not<br>
obvious which line<br>
matters.<br>
<br>
something that surprises me, when i run 'neutron --debug net-list', i see<br>
it re-use my existing token.<br>
When i run 'nova --debug list', i see it get a new token *every time i run<br>
it* on the command<br>
line.<br>
<br>
a) why would nova not remember my token but neutron would?<br>
b) is this related to my problem?<br>
c) if you had this issue (and i have it for more than one user, and its not<br>
intermittent on a given instance), what would you look for?<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/922ba7d4/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/922ba7d4/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 13<br>
Date: Tue, 2 Dec 2014 18:27:06 -0600<br>
From: "Ryan O'Hara" <<a href="mailto:rohara@redhat.com">rohara@redhat.com</a>><br>
To: Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
Cc: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] SSL Configuration<br>
Message-ID: <<a href="mailto:20141203002706.GD32479@redhat.com">20141203002706.GD32479@redhat.com</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
On Tue, Dec 02, 2014 at 01:31:39PM -0500, Rob Crittenden wrote:<br>
> Georgios Dimitrakakis wrote:<br>
> > Hi Rob!<br>
> ><br>
> > Thanks for you detailed explanation.<br>
> > Just a few more questions to clarify things....<br>
> ><br>
> > So if I decide to go natively is it sufficient to follow the steps on<br>
> > the two blog posts? Do I have to do anything more than that? I am<br>
> > specifically interested in EC2 which is excluded.....Can we foresee the<br>
> > impact on the performance and why is that?<br>
><br>
> I haven't done much with EC2 so I can't say with any authority. You<br>
> might check how it is configured in devstack for some pointers.<br>
><br>
> The presumed problem with native SSL is that due to the GIL only one<br>
> request can effectively be served at a time. I don't know that anyone<br>
> has actually tested that but at the Atlanta summit whenever I brought up<br>
> native SSL most everyone recoiled. Things will be different if/when all<br>
> services run in Apache.<br>
><br>
> > If I decide to go with HAProxy (no hardware proxy available) do I still<br>
> > have to change the endpoints to httpS or changing the ports is<br>
> > sufficient? Do you happen to know where can I find more info regarding<br>
> > this?<br>
><br>
> By my understanding, yes. If anything looks up the endpoints in Keystone<br>
> and they get back http endpoints then you get an in-the-clear request to<br>
> your proxy listening on SSL, so nothing will work. I don't know how the<br>
> guys with hardware handle it.<br>
<br>
This sounds about right. If you are terminating SSL in haproxy, the<br>
backend connection (from haproxy to the service) is still<br>
unencrypted. However, you can very easily tell haproxy to force HTTPS<br>
for any HTTP connection. In other words, if you connect to the service<br>
over HTTP, redirect to HTTPS.<br>
<br>
> I'd recommend toying with this in devstack to get a feel for how things<br>
> would work. You can add ENABLED_SERVICES+=,tls-proxy to local.conf and<br>
> it will set things up using stud as the proxy. You'll be able to see how<br>
> the endpoints get set up and what the configuration files will look like.<br>
><br>
> The biggest pain right now with using SSL is distributing and using the<br>
> CA certificate. You'll be tempted to use --insecure. Avoid that<br>
> temptation if at all possible. Ubuntu/Fedora/RHEL/CentOS (and perhaps<br>
> Debian, I didn't check) all have a way of publishing the CA certificate<br>
> centrally. That can alleviate many of the problems on the server and<br>
> clients.<br>
<br>
Agreed.<br>
<br>
Ryan<br>
<br>
> rob<br>
><br>
> ><br>
> ><br>
> > All the best,<br>
> ><br>
> ><br>
> > George<br>
> ><br>
> ><br>
> ><br>
> > On Tue, 02 Dec 2014 10:31:30 -0500, Rob Crittenden wrote:<br>
> >> Georgios Dimitrakakis wrote:<br>
> >>> @Robert: I don't have a load-balancer for this deployment. Just<br>
> >>> controller, cinder and compute nodes.<br>
> >>><br>
> >>><br>
> >>><br>
> >>> What I would like to do is to secure the public endpoints for Keystone,<br>
> >>> Glance, Nova, Cinder with SSL and the EC2 API.<br>
> >>><br>
> >>> That would be sufficient for the moment.<br>
> >>><br>
> >>> Is it OK if I just change the respective *.conf files or should I do<br>
> >>> something more? Should the changes at the *.conf files be propagated on<br>
> >>> all nodes?<br>
> >><br>
> >> It is a bit more complicated than that.<br>
> >><br>
> >> You can either secure things natively or use a TLS proxy (hardware or<br>
> >> something like haproxy or stud). Native SSL is generally frowned upon<br>
> >> since the assumption is that performance will be terrible due to the<br>
> >> python GIL.<br>
> >><br>
> >> What you do with haproxy or stud is to modify the port that the services<br>
> >> normally listen on (in devstack we simply add 1 to each of the ports)<br>
> >> and configure the proxy to listen on the "standard" ports for each<br>
> >> service.<br>
> >><br>
> >> You also need secure endpoints defined in keystone for everything. If<br>
> >> you've got an existing installation you'll need to try to convert it.<br>
> >><br>
> >> I've been toying with SSL in devstack and documented some experiments I<br>
> >> did including converting Keystone to use native SSL,<br>
> >> <a href="http://blog-rcritten.rhcloud.com/?p=5" target="_blank">http://blog-rcritten.rhcloud.com/?p=5</a> and subsequently converting nova,<br>
> >> glance and cinder in the same install<br>
> >> <a href="http://blog-rcritten.rhcloud.com/?p=26" target="_blank">http://blog-rcritten.rhcloud.com/?p=26</a><br>
> >><br>
> >> This is for native SSL, which as I said is generally frowned up, but I<br>
> >> was just toying after all. The process should be similar for a proxy.<br>
> >><br>
> >> rob<br>
> >><br>
> >>><br>
> >>><br>
> >>> All the best,<br>
> >>><br>
> >>> George<br>
> >>><br>
> >>><br>
> >>><br>
> >>> On Tue, 2 Dec 2014 17:49:24 +0330, Muhammed Salehi wrote:<br>
> >>>> Hi.<br>
> >>>> Do you want to serve https instead http ? Or you want to encrypt all<br>
> >>>> of the communications between these components?<br>
> >>>> For the first problem the solution is : Search about how to serve and<br>
> >>>> https with apache or passenger.<br>
> >>>><br>
> >>>> On Tue, Dec 2, 2014 at 5:22 PM, Georgios Dimitrakakis wrote:<br>
> >>>><br>
> >>>>> Hi!<br>
> >>>>><br>
> >>>>> Can someone point me to the right direction on how to secure<br>
> >>>>> publicly available services (e.g. nova,keystone,glance) with an SSL<br>
> >>>>> certificate?<br>
> >>>>><br>
> >>>>> Best regards,<br>
> >>>>><br>
> >>>>> George<br>
> >>>>><br>
> >>>>> _______________________________________________<br>
> >>>>> Mailing list:<br>
> >>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [1]<br>
> >>>>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a> [2]<br>
> >>>>> Unsubscribe :<br>
> >>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a> [3]<br>
> >>>><br>
> >>>> --<br>
> >>>><br>
> >>>> -----BEGIN PGP PUBLIC KEY BLOCK-----<br>
> >>>> Version: GnuPG v1<br>
> >>>><br>
> >>>> mQENBFRX8IoBCADCn76BbNN5m/GwP1rWaOvZMYfdm4Tv9oJehK7zAAzrHPZOaV/i<br>
> >>>> kdxG6LGadCGh/uTWoos441A8MKN/GufruEz1jvR+rgamD0oiTdRHTXz3Wkzcd62y<br>
> >>>> +U9pNLmYZyLUM1ebXXoxgmdNMGHvYLbdTIFgmxfIthKzRx9vd5WQGnsg/gFLTcdY<br>
> >>>> cWd5/THfkImJUHmjLAOepcewQcODijTp27xMwK354SG0BwbWroGAj5AVRqXqD6Qg<br>
> >>>> vO5zIgfMUsoOTMVF5WhAAf1xAjjGjEDi9EqeV1EVyO83s54gfAH/pWYV0K0RZvRw<br>
> >>>> h96wxZVVmCq9Ys8aU8D+hOjEvkjHZPAd3uNXABEBAAG0NFNleXllZCBNdWhhbW1l<br>
> >>>> ZCBTYWRlZ2ggU2FsZWhpIDxzYWxlaGkxOTk0QGdtYWlsLmNvbT6JAT4EEwECACgF<br>
> >>>> AlRX8IoCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEKs5CKNB<br>
> >>>> Z6zv/JQIALd5MnRhvAatGl/HcTYrm/S2Vsp3LgvC6R/w2uNiTm9tfSf596+2flF7<br>
> >>>> xgWUdROZ5O7s188oWiZRNb88XjdMMJtl0KpNpxLbYRyNPZL0klAps46Wlmy3fr8m<br>
> >>>> 7RdovLSy2QtmFtEAsXfYyXmLGB4PeexqYyfcXYhfP1W4kyTScBRUZ4SuFWDhBvvZ<br>
> >>>> 8vHHhWjiPVFvgi1cX3rwqtzp4eYFTHeH8QhKDeDk3760XVMk+jl+kvzqUzwh5V6+<br>
> >>>> SJs63YoiTSXyk37844NOGvYDHsupDO0R4O+YBwcZLxah/nqfTodfAnsmOA6W6oOy<br>
> >>>> lnVOH4IwrfcoVyjjqIlLWGws7BkPN6+5AQ0EVFfwigEIALLGTAxtT7lLuywmNTaq<br>
> >>>> hqpUtYsOWx7Cxjj1tVfG3bN/PbW+nKFvfyJkURYVyjn4z7GHLVCrYIr9ixhBRFcz<br>
> >>>> zmHuMkxMEr5u/m+H8CSsZ02V81v6+1uM2NvPxCYCUqDxEbcPrs8XrmPZGINY2Fya<br>
> >>>> XLpljTh06s1vdBAk32Wxy2Vz6Ii6pQD5WDgrdgDOgpTTlPdIxg9eq6yZi+GMJj/4<br>
> >>>> 28Rt6HJhGaqGXN0bCPQ78tQygcY4EDQwpkToWxLCizsj1+9XFwwjnOQON/FNsAT7<br>
> >>>> g+XsVQJKfGmRe2QuRJ9oqSK6pi16O7VXg6bAw1dLsEmNoSto1ofy7DVTqqSlEG2o<br>
> >>>> N0MAEQEAAYkBJQQYAQIADwUCVFfwigIbDAUJAeEzgAAKCRCrOQijQWes7xemB/92<br>
> >>>> 1PRHt24/hfCKR86aCnZk8bzNP+HDeewHXmFLEk9Hk7k2kuo6zVLjPnMA4M9rgOwh<br>
> >>>> W5EYhyVpNWKnzzhMwyCGz0J7doK2HYRXJKez1RErLW4GPLzM+4sfY5pWBAjDY62e<br>
> >>>> 1Tz1ay+fS3CLh4zCCZYqraHKa6PJYYp9Bz3NRj3xkFtkcLspNq4DkiEBPJVLIPko<br>
> >>>> OkVOpBuNpj1YDSZZXwM8HzDMvJc1qgAVxWk56BjePrx8SHfDah1UQqZst4dWeepJ<br>
> >>>> 0E2xj4H+WMrIW/3btSTVdlr4zPFwGQ9qE2CcbDJJhH68U9eve3njEPDFiu1TS/f5<br>
> >>>> Tt1scwgVintCWdVX9BS2<br>
> >>>> =cxjk<br>
> >>>> -----END PGP PUBLIC KEY BLOCK-----<br>
> >>>><br>
> >>>><br>
> >>>> Links:<br>
> >>>> ------<br>
> >>>> [1] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> >>>> [2] mailto:<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> >>>> [3] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> >>>> [4] mailto:<a href="mailto:giorgis@acmac.uoc.gr">giorgis@acmac.uoc.gr</a><br>
> >>><br>
> >>><br>
> >>> _______________________________________________<br>
> >>> Mailing list:<br>
> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> >>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> >>> Unsubscribe :<br>
> >>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> ><br>
> > --<br>
><br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 14<br>
Date: Wed, 3 Dec 2014 08:02:23 +0530<br>
From: Abhijeet Rastogi <<a href="mailto:abhijeet.1989@gmail.com">abhijeet.1989@gmail.com</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: [Openstack] Flat provider_network with vlan tagged interface<br>
or vlan provider_network with untagged interface<br>
Message-ID:<br>
<<a href="mailto:CACXxYfx8mjwyGvMEGYo1YNqtKnEnL1HurZ-pKbk_0Xov0haJmQ@mail.gmail.com">CACXxYfx8mjwyGvMEGYo1YNqtKnEnL1HurZ-pKbk_0Xov0haJmQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Hi everyone,<br>
<br>
This is a very basic doubt and I'm trying to understand this<br>
fundamental thing about creating networks in neutron. My ultimate goal<br>
is to have all instances contain just one interface and a public IP on<br>
them. Now, this public IP can only exist in a specific VLAN, lets say,<br>
they'll only exist on eth0.123 (the is a vlan tagged interface on the<br>
host and I can directly bind public IPs to them and they work<br>
perfectly). I'm using linux bridge + ML2 as the plugin for neutron.<br>
<br>
So, the ultimate goal will be something like:<br>
<br>
[root@compute1 ~]# brctl show<br>
bridge name bridge id STP enabled interfaces<br>
brq732eb7f9-16 8000.002590c6438e no eth0.123<br>
<br>
tap81474f06-29<br>
<br>
<br>
Now, with my limited knowledge, there are 2 ways of doing this:-<br>
<br>
1. Create the vlan tagged interface manually and then setup "flat"<br>
provider networking with physical_interface_mappings set with<br>
eth0.123.<br>
2. Use a "vlan" provider network and mention "123" as the vlan id in that.<br>
<br>
I observed that, both of these approaches eventually create the same<br>
kind of bridge configuration. Can anyone explain what's going on and<br>
when to use what? I'm sure I'm missing a key concept and I'll be glad<br>
if someone can clear that for me.<br>
<br>
<br>
--<br>
Cheers,<br>
Abhijeet Rastogi (shadyabhi)<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 15<br>
Date: Tue, 02 Dec 2014 18:55:13 -0800<br>
From: Stefano Maffulli <<a href="mailto:stefano@openstack.org">stefano@openstack.org</a>><br>
To: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Subject: Re: [Openstack] Poll: What are the top 3 topics for new<br>
OpenStack users and developers?<br>
Message-ID: <<a href="mailto:547E7B91.9090903@openstack.org">547E7B91.9090903@openstack.org</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
On 12/02/2014 12:56 AM, Venu Murthy wrote:<br>
> Great Initiative Mark,<br>
><br>
> In the beginning of my openstack journey, being able to ssh/connect to<br>
> the VMs/Instances was the greatest challenge. After having spent several<br>
> months to debug such issues, I've posted one of the solutions here.<br>
> <a href="http://thenewstack.io/solving-a-common-beginners-problem-when-pinging-from-an-openstack-instance/" target="_blank">http://thenewstack.io/solving-a-common-beginners-problem-when-pinging-from-an-openstack-instance/</a><br>
<br>
Indeed, networking issues in guests are quite common by looking at the<br>
frequency of questions asked on <a href="https://ask.openstack.org" target="_blank">https://ask.openstack.org</a>.<br>
<br>
You can browse the most popular tags as a proxy of interesting topics:<br>
<br>
<a href="http://activity.openstack.org/dash/browser/qaforums-tags.html?page=2" target="_blank">http://activity.openstack.org/dash/browser/qaforums-tags.html?page=2</a><br>
<br>
Venu: nice tutorial you have written. Have you considered adding it as<br>
an answer on Ask OpenStack?<br>
<br>
For example, a quite generic question like the one below would benefit<br>
from a detailed step by step tutorial like yours:<br>
<br>
<a href="https://ask.openstack.org/en/question/9183/cannot-login-ping-or-ssh-to-cirros-test-image/" target="_blank">https://ask.openstack.org/en/question/9183/cannot-login-ping-or-ssh-to-cirros-test-image/</a><br>
<br>
> <a href="http://www.venumurthy.com/2014/07/openstack-dashboard-horizon-error.html" target="_blank">http://www.venumurthy.com/2014/07/openstack-dashboard-horizon-error.html</a><br>
<br>
same here :) The advantage of Ask OpenStack is that its pages show up<br>
quite high on search engines.<br>
<br>
Thanks,<br>
Stef<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 16<br>
Date: Tue, 2 Dec 2014 20:03:07 -0800<br>
From: Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>><br>
To: Abhijeet Rastogi <<a href="mailto:abhijeet.1989@gmail.com">abhijeet.1989@gmail.com</a>><br>
Cc: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] Flat provider_network with vlan tagged<br>
interface or vlan provider_network with untagged interface<br>
Message-ID:<br>
<CAO_F6JNG0pGE7+-XNQ=pXjDGbq8_Lf7o=<a href="mailto:BcidT676ALNRyBBcA@mail.gmail.com">BcidT676ALNRyBBcA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Setting up the interfaces manually and using a flat network doesn't scale<br>
well when you want to do it hundreds of times. Using ML2+linuxbridge will<br>
do the same thing in an automated fashion.<br>
<br>
On Tue, Dec 2, 2014 at 6:32 PM, Abhijeet Rastogi <<a href="mailto:abhijeet.1989@gmail.com">abhijeet.1989@gmail.com</a>><br>
wrote:<br>
<br>
> Hi everyone,<br>
><br>
> This is a very basic doubt and I'm trying to understand this<br>
> fundamental thing about creating networks in neutron. My ultimate goal<br>
> is to have all instances contain just one interface and a public IP on<br>
> them. Now, this public IP can only exist in a specific VLAN, lets say,<br>
> they'll only exist on eth0.123 (the is a vlan tagged interface on the<br>
> host and I can directly bind public IPs to them and they work<br>
> perfectly). I'm using linux bridge + ML2 as the plugin for neutron.<br>
><br>
> So, the ultimate goal will be something like:<br>
><br>
> [root@compute1 ~]# brctl show<br>
> bridge name bridge id STP enabled interfaces<br>
> brq732eb7f9-16 8000.002590c6438e no eth0.123<br>
><br>
> tap81474f06-29<br>
><br>
><br>
> Now, with my limited knowledge, there are 2 ways of doing this:-<br>
><br>
> 1. Create the vlan tagged interface manually and then setup "flat"<br>
> provider networking with physical_interface_mappings set with<br>
> eth0.123.<br>
> 2. Use a "vlan" provider network and mention "123" as the vlan id in that.<br>
><br>
> I observed that, both of these approaches eventually create the same<br>
> kind of bridge configuration. Can anyone explain what's going on and<br>
> when to use what? I'm sure I'm missing a key concept and I'll be glad<br>
> if someone can clear that for me.<br>
><br>
><br>
> --<br>
> Cheers,<br>
> Abhijeet Rastogi (shadyabhi)<br>
><br>
> _______________________________________________<br>
> Mailing list:<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe :<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
<br>
<br>
<br>
--<br>
Kevin Benton<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141202/17ce7445/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141202/17ce7445/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 17<br>
Date: Wed, 3 Dec 2014 09:40:36 +0530<br>
From: Abhijeet Rastogi <<a href="mailto:abhijeet.1989@gmail.com">abhijeet.1989@gmail.com</a>><br>
To: Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>><br>
Cc: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] Flat provider_network with vlan tagged<br>
interface or vlan provider_network with untagged interface<br>
Message-ID:<br>
<<a href="mailto:CACXxYfxn%2BpTTL_jsRf%2BWRFrmCLziE-4ofGS7-ximomzXvOf4bg@mail.gmail.com">CACXxYfxn+pTTL_jsRf+WRFrmCLziE-4ofGS7-ximomzXvOf4bg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=ISO-8859-1<br>
<br>
Hey Kevin,<br>
<br>
Thanks for clearing that out. So, I essentially achieve the same<br>
thing. To summarize, if provider networks need vlan, it mostly makes<br>
sense to just use vlan and ditch trying to setup "flat" provider<br>
network.<br>
<br>
On Wed, Dec 3, 2014 at 9:33 AM, Kevin Benton <<a href="mailto:blak111@gmail.com">blak111@gmail.com</a>> wrote:<br>
> Setting up the interfaces manually and using a flat network doesn't scale<br>
> well when you want to do it hundreds of times. Using ML2+linuxbridge will do<br>
> the same thing in an automated fashion.<br>
><br>
> On Tue, Dec 2, 2014 at 6:32 PM, Abhijeet Rastogi <<a href="mailto:abhijeet.1989@gmail.com">abhijeet.1989@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Hi everyone,<br>
>><br>
>> This is a very basic doubt and I'm trying to understand this<br>
>> fundamental thing about creating networks in neutron. My ultimate goal<br>
>> is to have all instances contain just one interface and a public IP on<br>
>> them. Now, this public IP can only exist in a specific VLAN, lets say,<br>
>> they'll only exist on eth0.123 (the is a vlan tagged interface on the<br>
>> host and I can directly bind public IPs to them and they work<br>
>> perfectly). I'm using linux bridge + ML2 as the plugin for neutron.<br>
>><br>
>> So, the ultimate goal will be something like:<br>
>><br>
>> [root@compute1 ~]# brctl show<br>
>> bridge name bridge id STP enabled interfaces<br>
>> brq732eb7f9-16 8000.002590c6438e no eth0.123<br>
>><br>
>> tap81474f06-29<br>
>><br>
>><br>
>> Now, with my limited knowledge, there are 2 ways of doing this:-<br>
>><br>
>> 1. Create the vlan tagged interface manually and then setup "flat"<br>
>> provider networking with physical_interface_mappings set with<br>
>> eth0.123.<br>
>> 2. Use a "vlan" provider network and mention "123" as the vlan id in that.<br>
>><br>
>> I observed that, both of these approaches eventually create the same<br>
>> kind of bridge configuration. Can anyone explain what's going on and<br>
>> when to use what? I'm sure I'm missing a key concept and I'll be glad<br>
>> if someone can clear that for me.<br>
>><br>
>><br>
>> --<br>
>> Cheers,<br>
>> Abhijeet Rastogi (shadyabhi)<br>
>><br>
>> _______________________________________________<br>
>> Mailing list:<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
>> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
>> Unsubscribe :<br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
><br>
><br>
><br>
> --<br>
> Kevin Benton<br>
<br>
<br>
<br>
--<br>
Cheers,<br>
Abhijeet Rastogi (shadyabhi)<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 18<br>
Date: Wed, 3 Dec 2014 13:48:48 +0800<br>
From: Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: [Openstack] nova compute service fail to start due to<br>
"Connection to the hypervisor is broken on host"<br>
Message-ID:<br>
<CABvddo7Lx747Vr95nUNMX4i=<a href="mailto:MFj%2B9QX6N5crSg0i5BJv6UQ1KA@mail.gmail.com">MFj+9QX6N5crSg0i5BJv6UQ1KA@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi all,<br>
<br>
I install devstack in ubuntu12.04 and upgrade libvirt 0.9.8 to 1.2.2. The<br>
libvirt version in my linux box is:<br>
<br>
dujun@dujun-OptiPlex-3020:~/devstack$ virsh -v<br>
1.2.2<br>
<br>
And the error message in nova-cpu.log is such like that:<br>
<br>
2014-12-03 11:00:13.007 ERROR nova.openstack.common.threadgroup [-]<br>
Connection to the hypervisor is broken on host: dujun-OptiPlex-3020<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup Traceback<br>
(most recent call last):<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/openstack/common/threadgroup.py", line 145, in wait<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup x.wait()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/openstack/common/threadgroup.py", line 47, in wait<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
self.thread.wait()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 173,<br>
in wait<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
self._exit_event.wait()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 121, in<br>
wait<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
hubs.get_hub().switch()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/usr/local/lib/python2.7/dist-packages/eventlet/hubs/hub.py", line 293, in<br>
switch<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
self.greenlet.switch()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 212,<br>
in main<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup result<br>
= function(*args, **kwargs)<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/openstack/common/service.py", line 492, in run_service<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
service.start()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/service.py", line 164, in start<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
self.manager.init_host()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/compute/manager.py", line 1124, in init_host<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
self.driver.init_host(host=self.host)<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/virt/libvirt/driver.py", line 507, in init_host<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
self._do_quality_warnings()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/virt/libvirt/driver.py", line 486, in<br>
_do_quality_warnings<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup caps =<br>
self._get_host_capabilities()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/virt/libvirt/driver.py", line 2991, in<br>
_get_host_capabilities<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup xmlstr<br>
= self._conn.getCapabilities()<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
"/opt/stack/nova/nova/virt/libvirt/driver.py", line 543, in _get_connection<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup raise<br>
exception.HypervisorUnavailable(host=CONF.host)<br>
2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
HypervisorUnavailable: Connection to the hypervisor is broken on host:<br>
dujun-OptiPlex-3020<br>
<br>
I wonder why nova can't find the libvirt hypervisor since I have added<br>
<br>
compute_driver = libvirt.LibvirtDriver<br>
<br>
in /etc/nova/nova.conf.<br>
<br>
--<br>
Regards,<br>
Frank<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/e7538280/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/e7538280/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 19<br>
Date: Wed, 3 Dec 2014 13:50:03 +0800<br>
From: Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] nova compute service fail to start due to<br>
"Connection to the hypervisor is broken on host"<br>
Message-ID:<br>
<CABvddo4S4Hehr0E=<a href="mailto:R9-s_ZNhOL5395EfLFFTZiC%2BM70Zuid3iw@mail.gmail.com">R9-s_ZNhOL5395EfLFFTZiC+M70Zuid3iw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
dujun@dujun-OptiPlex-3020:~$ nova hypervisor-list<br>
+----+---------------------+-------+--------+<br>
| ID | Hypervisor hostname | State | Status |<br>
+----+---------------------+-------+--------+<br>
+----+---------------------+-------+--------+<br>
dujun@dujun-OptiPlex-3020:~$ nova service-list<br>
+----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
| Id | Binary | Host | Zone | Status | State<br>
| Updated_at | Disabled Reason |<br>
+----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
| 1 | nova-conductor | dujun-OptiPlex-3020 | internal | enabled | up<br>
| 2014-12-03T03:09:32.000000 | - |<br>
| 2 | nova-cert | dujun-OptiPlex-3020 | internal | enabled | up<br>
| 2014-12-03T03:09:35.000000 | - |<br>
| 3 | nova-network | dujun-OptiPlex-3020 | internal | enabled | up<br>
| 2014-12-03T03:09:38.000000 | - |<br>
| 4 | nova-scheduler | dujun-OptiPlex-3020 | internal | enabled | up<br>
| 2014-12-03T03:09:41.000000 | - |<br>
| 5 | nova-consoleauth | dujun-OptiPlex-3020 | internal | enabled | up<br>
| 2014-12-03T03:09:40.000000 | - |<br>
+----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
<br>
<br>
2014-12-03 13:48 GMT+08:00 Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>>:<br>
<br>
> Hi all,<br>
><br>
> I install devstack in ubuntu12.04 and upgrade libvirt 0.9.8 to 1.2.2. The<br>
> libvirt version in my linux box is:<br>
><br>
> dujun@dujun-OptiPlex-3020:~/devstack$ virsh -v<br>
> 1.2.2<br>
><br>
> And the error message in nova-cpu.log is such like that:<br>
><br>
> 2014-12-03 11:00:13.007 ERROR nova.openstack.common.threadgroup [-]<br>
> Connection to the hypervisor is broken on host: dujun-OptiPlex-3020<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup Traceback<br>
> (most recent call last):<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/openstack/common/threadgroup.py", line 145, in wait<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> x.wait()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/openstack/common/threadgroup.py", line 47, in wait<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
> self.thread.wait()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 173,<br>
> in wait<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
> self._exit_event.wait()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 121, in<br>
> wait<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
> hubs.get_hub().switch()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/usr/local/lib/python2.7/dist-packages/eventlet/hubs/hub.py", line 293, in<br>
> switch<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup return<br>
> self.greenlet.switch()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 212,<br>
> in main<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup result<br>
> = function(*args, **kwargs)<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/openstack/common/service.py", line 492, in run_service<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> service.start()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/service.py", line 164, in start<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> self.manager.init_host()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/compute/manager.py", line 1124, in init_host<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> self.driver.init_host(host=self.host)<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 507, in init_host<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> self._do_quality_warnings()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 486, in<br>
> _do_quality_warnings<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup caps =<br>
> self._get_host_capabilities()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2991, in<br>
> _get_host_capabilities<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup xmlstr<br>
> = self._conn.getCapabilities()<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 543, in _get_connection<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup raise<br>
> exception.HypervisorUnavailable(host=CONF.host)<br>
> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
> HypervisorUnavailable: Connection to the hypervisor is broken on host:<br>
> dujun-OptiPlex-3020<br>
><br>
> I wonder why nova can't find the libvirt hypervisor since I have added<br>
><br>
> compute_driver = libvirt.LibvirtDriver<br>
><br>
> in /etc/nova/nova.conf.<br>
><br>
> --<br>
> Regards,<br>
> Frank<br>
><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/98f0ef78/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/98f0ef78/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 20<br>
Date: Wed, 3 Dec 2014 06:42:31 +0000<br>
From: Chinasubbareddy M <<a href="mailto:chinasubbareddy_m@persistent.com">chinasubbareddy_m@persistent.com</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: [Openstack] [openstack][icehouse][monitoring]-open source<br>
monitoring tools<br>
Message-ID:<br>
<<a href="mailto:SINPR04MB347CD40DD9B440619F0F4FFE67B0@SINPR04MB347.apcprd04.prod.outlook.com">SINPR04MB347CD40DD9B440619F0F4FFE67B0@SINPR04MB347.apcprd04.prod.outlook.com</a>><br>
<br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi ,<br>
<br>
We would like to enable monitoring for 15 node openstack production setup, want suggestions up on following open source monitoring tools. Please suggest,<br>
<br>
<br>
1. Nagios and Cacti<br>
<br>
2. AppDynamics<br>
<br>
3. Zabbix and graphite<br>
<br>
4. Ganglia<br>
<br>
It would be really helpful if you can suggest any other monitoring tools for openstack setup.<br>
<br>
Regards,<br>
Subbareddy,<br>
Persistent systems ltd.<br>
<br>
DISCLAIMER<br>
==========<br>
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/d0a41ee0/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/d0a41ee0/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 21<br>
Date: Wed, 3 Dec 2014 15:43:32 +0800<br>
From: Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>><br>
To: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] nova compute service fail to start due to<br>
"Connection to the hypervisor is broken on host"<br>
Message-ID:<br>
<<a href="mailto:CABvddo5K6OyGFmvo8csj4HukLvCTXg%2B9EeML7woBpMqNMiJDow@mail.gmail.com">CABvddo5K6OyGFmvo8csj4HukLvCTXg+9EeML7woBpMqNMiJDow@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Look at the log of libvirt or type the following command:<br>
<br>
virsh -c qemu:///system list<br>
<br>
Will get the error message:<br>
<br>
ERROR?authentication failed: polkit:<br>
polkit\56retains_authorization_after_challenge=1<br>
Authorization requires authentication but no agent is available.<br>
<br>
That's an issue of libvirt configuration.<br>
<br>
[SOLVED]<br>
<br>
uncomment<br>
<br>
auth_unix_rw = "none"<br>
<br>
in /etc/libvirt/libvirtd.conf and restart libvirt-bin.<br>
<br>
Hope this can be useful for those we have the same problem.<br>
<br>
<br>
<br>
<br>
2014-12-03 13:50 GMT+08:00 Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>>:<br>
<br>
> dujun@dujun-OptiPlex-3020:~$ nova hypervisor-list<br>
> +----+---------------------+-------+--------+<br>
> | ID | Hypervisor hostname | State | Status |<br>
> +----+---------------------+-------+--------+<br>
> +----+---------------------+-------+--------+<br>
> dujun@dujun-OptiPlex-3020:~$ nova service-list<br>
><br>
> +----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
> | Id | Binary | Host | Zone | Status | State<br>
> | Updated_at | Disabled Reason |<br>
><br>
> +----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
> | 1 | nova-conductor | dujun-OptiPlex-3020 | internal | enabled | up<br>
> | 2014-12-03T03:09:32.000000 | - |<br>
> | 2 | nova-cert | dujun-OptiPlex-3020 | internal | enabled | up<br>
> | 2014-12-03T03:09:35.000000 | - |<br>
> | 3 | nova-network | dujun-OptiPlex-3020 | internal | enabled | up<br>
> | 2014-12-03T03:09:38.000000 | - |<br>
> | 4 | nova-scheduler | dujun-OptiPlex-3020 | internal | enabled | up<br>
> | 2014-12-03T03:09:41.000000 | - |<br>
> | 5 | nova-consoleauth | dujun-OptiPlex-3020 | internal | enabled | up<br>
> | 2014-12-03T03:09:40.000000 | - |<br>
><br>
> +----+------------------+---------------------+----------+---------+-------+----------------------------+-----------------+<br>
><br>
><br>
> 2014-12-03 13:48 GMT+08:00 Du Jun <<a href="mailto:dj199008@gmail.com">dj199008@gmail.com</a>>:<br>
><br>
>> Hi all,<br>
>><br>
>> I install devstack in ubuntu12.04 and upgrade libvirt 0.9.8 to 1.2.2. The<br>
>> libvirt version in my linux box is:<br>
>><br>
>> dujun@dujun-OptiPlex-3020:~/devstack$ virsh -v<br>
>> 1.2.2<br>
>><br>
>> And the error message in nova-cpu.log is such like that:<br>
>><br>
>> 2014-12-03 11:00:13.007 ERROR nova.openstack.common.threadgroup [-]<br>
>> Connection to the hypervisor is broken on host: dujun-OptiPlex-3020<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup Traceback<br>
>> (most recent call last):<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/openstack/common/threadgroup.py", line 145, in wait<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> x.wait()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/openstack/common/threadgroup.py", line 47, in wait<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> return self.thread.wait()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 173,<br>
>> in wait<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> return self._exit_event.wait()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/usr/local/lib/python2.7/dist-packages/eventlet/event.py", line 121, in<br>
>> wait<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> return hubs.get_hub().switch()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/usr/local/lib/python2.7/dist-packages/eventlet/hubs/hub.py", line 293, in<br>
>> switch<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> return self.greenlet.switch()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/usr/local/lib/python2.7/dist-packages/eventlet/greenthread.py", line 212,<br>
>> in main<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> result = function(*args, **kwargs)<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/openstack/common/service.py", line 492, in run_service<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> service.start()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/service.py", line 164, in start<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> self.manager.init_host()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/compute/manager.py", line 1124, in init_host<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> self.driver.init_host(host=self.host)<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 507, in init_host<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> self._do_quality_warnings()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 486, in<br>
>> _do_quality_warnings<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup caps<br>
>> = self._get_host_capabilities()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 2991, in<br>
>> _get_host_capabilities<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> xmlstr = self._conn.getCapabilities()<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup File<br>
>> "/opt/stack/nova/nova/virt/libvirt/driver.py", line 543, in _get_connection<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup raise<br>
>> exception.HypervisorUnavailable(host=CONF.host)<br>
>> 2014-12-03 11:00:13.007 TRACE nova.openstack.common.threadgroup<br>
>> HypervisorUnavailable: Connection to the hypervisor is broken on host:<br>
>> dujun-OptiPlex-3020<br>
>><br>
>> I wonder why nova can't find the libvirt hypervisor since I have added<br>
>><br>
>> compute_driver = libvirt.LibvirtDriver<br>
>><br>
>> in /etc/nova/nova.conf.<br>
>><br>
>> --<br>
>> Regards,<br>
>> Frank<br>
>><br>
>><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/87601387/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/87601387/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 22<br>
Date: Wed, 3 Dec 2014 15:43:56 +0800<br>
From: "Rao Dingyuan" <<a href="mailto:raodingyuan@chinacloud.com.cn">raodingyuan@chinacloud.com.cn</a>><br>
To: <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: [Openstack] [Ceilometer] looking for alarm best practice -<br>
please help<br>
Message-ID: <153501d00ecc$e4da1880$ae8e4980$@<a href="http://chinacloud.com.cn" target="_blank">chinacloud.com.cn</a>><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi folks,<br>
<br>
<br>
<br>
I wonder if anyone could share some best practice regarding to the usage of<br>
ceilometer alarm. We are using the alarm evaluation/notification of<br>
ceilometer and we don't feel very well of the way we use it. Below is our<br>
problem:<br>
<br>
<br>
<br>
============================<br>
<br>
Scenario:<br>
<br>
When cpu usage or memory usage above a certain threshold, alerts should be<br>
displayed on admin's web page. There should be a 3 level alerts according to<br>
meter value, namely notice, warning, fatal. Notice means the meter value is<br>
between 50% ~ 70%, warning means between 70% ~ 85% and fatal means above 85%<br>
<br>
For example:<br>
<br>
* when one vm's cpu usage is 72%, an alert message should be displayed<br>
saying "Warning: vm[d9b7018b-06c4-4fba-8221-37f67f6c6b8c] cpu usage is above<br>
70%".<br>
<br>
* when one vm's memory usage is 90%, another alert message should be created<br>
saying "Fatal: vm[d9b7018b-06c4-4fba-8221-37f67f6c6b8c] memory usage is<br>
above 85%"<br>
<br>
<br>
<br>
Our current Solution:<br>
<br>
We used ceilometer alarm evaluation/notification to implement this. To<br>
distinguish which VM and which meter is above what value, we've created one<br>
alarm for each VM by each condition. So, to monitor 1 VM, 6 alarms will be<br>
created because there are 2 meters and for each meter there are 3 levels.<br>
That means, if there are 100 VMs to be monitored, 600 alarms will be<br>
created.<br>
<br>
<br>
<br>
Problems:<br>
<br>
* The first problem is, when the number of meters increases, the number of<br>
alarms will be multiplied. For example, customer may want alerts on disk and<br>
network IO rates, and if we do that, there will be 4*3=12 alarms for each<br>
VM.<br>
<br>
* The second problem is, when one VM is created, multiple alarms will be<br>
created, meaning multiple http requests will be fired. In the case above, 6<br>
HTTP requests will be needed once a VM is created. And this number also<br>
increases as the number of meters goes up.<br>
<br>
=============================<br>
<br>
<br>
<br>
Do anyone have any suggestions?<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Best Regards!<br>
<br>
Kurt Rao<br>
<br>
_____<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/cd81abdd/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/cd81abdd/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 23<br>
Date: Wed, 3 Dec 2014 13:25:03 +0530<br>
From: Venu Murthy <<a href="mailto:venu.murthy@thoughtworks.com">venu.murthy@thoughtworks.com</a>><br>
To: Chinasubbareddy M <<a href="mailto:chinasubbareddy_m@persistent.com">chinasubbareddy_m@persistent.com</a>><br>
Cc: "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
Subject: Re: [Openstack] [openstack][icehouse][monitoring]-open source<br>
monitoring tools<br>
Message-ID:<br>
<CAA52WSd8uwbM5KO7C6hm2=-<a href="mailto:1N0NdmrhwM2p%2BQx1uuzEVcWjJ_A@mail.gmail.com">1N0NdmrhwM2p+Qx1uuzEVcWjJ_A@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
While we wait for the experts to reply on the above, I wonder if Ceilometer<br>
at this point in time can monitor?<br>
<br>
<br>
Best regards,<br>
Venu<br>
<br>
[image: ThoughtWorks] <<a href="http://www.thoughtworks.com/" target="_blank">http://www.thoughtworks.com/</a>><br>
---<br>
*?Excellence is never an accident. It is always the result of high<br>
intention, sincere effort, and intelligent execution.... ? Aristotle*<br>
<br>
<br>
On Wed, Dec 3, 2014 at 12:12 PM, Chinasubbareddy M <<br>
<a href="mailto:chinasubbareddy_m@persistent.com">chinasubbareddy_m@persistent.com</a>> wrote:<br>
<br>
> Hi ,<br>
><br>
><br>
><br>
> We would like to enable monitoring for 15 node openstack production setup,<br>
> want suggestions up on following open source monitoring tools. Please<br>
> suggest,<br>
><br>
><br>
><br>
> 1. Nagios and Cacti<br>
><br>
> 2. AppDynamics<br>
><br>
> 3. Zabbix and graphite<br>
><br>
> 4. Ganglia<br>
><br>
><br>
><br>
> It would be really helpful if you can suggest any other monitoring tools<br>
> for openstack setup.<br>
><br>
><br>
><br>
> Regards,<br>
><br>
> Subbareddy,<br>
><br>
> Persistent systems ltd.<br>
><br>
> DISCLAIMER ========== This e-mail may contain privileged and confidential<br>
> information which is the property of Persistent Systems Ltd. It is intended<br>
> only for the use of the individual or entity to which it is addressed. If<br>
> you are not the intended recipient, you are not authorized to read, retain,<br>
> copy, print, distribute or use this message. If you have received this<br>
> communication in error, please notify the sender and delete all copies of<br>
> this message. Persistent Systems Ltd. does not accept any liability for<br>
> virus infected mails.<br>
><br>
> _______________________________________________<br>
> Mailing list:<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe :<br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.openstack.org/pipermail/openstack/attachments/20141203/bd48a223/attachment-0001.html" target="_blank">http://lists.openstack.org/pipermail/openstack/attachments/20141203/bd48a223/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
Openstack mailing list<br>
<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br>
<br>
End of Openstack Digest, Vol 18, Issue 3<br>
****************************************<br>
</blockquote></div>