[openstack-dev] [Ironic] File Injection (and the lack thereof)

Clint Byrum clint at fewbar.com
Fri Jan 24 23:09:56 UTC 2014


Simplest thing is for deployers and image builders to inject the CA that
they want to trust.  Another option would be to establish an OpenStack
community CA and ship that along with cloud-init by default.

There are lots of options that don't involve out of band.

Excerpts from Devananda van der Veen's message of 2014-01-24 14:41:44 -0800:
> Awesome! But, Ironic will still need a way to inject the SSL cert into the
> instance, eg. config-drive over virtual media, or something.
> 
> -D
>  On Jan 24, 2014 2:32 PM, "Clint Byrum" <clint at fewbar.com> wrote:
> 
> > Excerpts from Joshua Harlow's message of 2014-01-24 14:17:38 -0800:
> > > Cloud-init 0.7.5 (not yet released) will have the ability to read from an
> > > ec2-metadata server using SSL.
> > >
> > > In a recent change I did we now use requests which correctly does SSL for
> > > the ec2-metadata/ec2-userdata reading.
> > >
> > > - http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/revision/910
> > >
> > > The ssl-certs that it will use by default (if not provided) will be
> > > looked for in the following locations.
> > >
> > > - /var/lib/cloud/data/ssl
> > >    - cert.pem
> > >    - key
> > > - /var/lib/cloud/instance/data/ssl
> > >    - cert.pem
> > >    - key
> > > - ... Other custom paths (typically datasource dependent)
> > >
> > > So I think in 0.7.5 for cloud-init this support will be improved and as
> > > long as there is a supporting ssl ec2 metadata endpoint then this should
> > > all work out fine...
> >
> > \o/ my heroes! ;)
> >
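The lookup order Joshua describes and the deployer-injected CA that Clint suggests, as an added example in Python. This is not cloud-init's code: it uses the standard library instead of requests, the CA bundle path and the helper names are assumptions, and the certificate bytes in `demo()` are constructed placeholders. The point it shows is that the metadata client only ever talks TLS, verifies the server against the CA the deployer injected, and picks up a client cert/key from the first of the listed directories that actually carries one.

```python
import os
import ssl
import tempfile
import urllib.request

# Search order from the thread; datasource-specific custom paths are omitted here.
DEFAULT_SSL_DIRS = (
    "/var/lib/cloud/data/ssl",
    "/var/lib/cloud/instance/data/ssl",
)

# Assumption: where a deployer or image builder drops the CA it wants trusted.
INJECTED_CA_BUNDLE = "/etc/cloud/metadata-ca.pem"  # hypothetical path


def inject_ssl_material(ssl_dir, cert_pem, key_bytes=None):
    """Deployer-side helper (hypothetical): write cert.pem and an optional key
    into one of the directories cloud-init searches. The key is written 0600."""
    os.makedirs(ssl_dir, exist_ok=True)
    cert_path = os.path.join(ssl_dir, "cert.pem")
    with open(cert_path, "wb") as fh:
        fh.write(cert_pem)
    key_path = None
    if key_bytes is not None:
        key_path = os.path.join(ssl_dir, "key")
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(key_bytes)
    return cert_path, key_path


def find_ssl_material(search_dirs=DEFAULT_SSL_DIRS):
    """Return (cert_path, key_path) from the first directory that holds cert.pem.
    The key is optional (a bare cert may be a CA rather than a client identity);
    (None, None) means no material was injected anywhere."""
    for ssl_dir in search_dirs:
        cert = os.path.join(ssl_dir, "cert.pem")
        if os.path.isfile(cert):
            key = os.path.join(ssl_dir, "key")
            return cert, (key if os.path.isfile(key) else None)
    return None, None


def build_ssl_context(ca_bundle=INJECTED_CA_BUNDLE, cert_path=None, key_path=None):
    """TLS context that trusts only the injected CA (or the system store when
    ca_bundle is None) and presents a client cert if one was found."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_path:
        ctx.load_cert_chain(cert_path, key_path)
    return ctx


def metadata_url_is_acceptable(url):
    """Only an https:// endpoint is acceptable; never fall back to plaintext."""
    return url.startswith("https://")


def fetch_metadata(url, ctx, timeout=5):
    """Fetch a metadata document over the verified TLS context."""
    if not metadata_url_is_acceptable(url):
        raise ValueError("refusing plaintext metadata endpoint: %s" % url)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def demo():
    """Constructed scenario: material injected only into the fallback directory,
    so the lookup must skip the empty primary directory and find it there."""
    with tempfile.TemporaryDirectory() as scratch:
        primary = os.path.join(scratch, "data", "ssl")
        fallback = os.path.join(scratch, "instance", "data", "ssl")
        os.makedirs(primary)
        inject_ssl_material(fallback, b"-- placeholder cert --", b"-- placeholder key --")
        cert, key = find_ssl_material((primary, fallback))
        return {
            "cert_found": cert == os.path.join(fallback, "cert.pem"),
            "key_found": key == os.path.join(fallback, "key"),
            "key_mode_0600": (os.stat(key).st_mode & 0o777) == 0o600,
            "none_when_absent": find_ssl_material((primary,)) == (None, None),
        }


if __name__ == "__main__":
    print(demo())
    cert, key = find_ssl_material()
    ctx = build_ssl_context(INJECTED_CA_BUNDLE if os.path.isfile(INJECTED_CA_BUNDLE) else None,
                            cert, key)
    print("context verifies peers:", ctx.verify_mode == ssl.CERT_REQUIRED)
```

`build_ssl_context` is deliberately strict: the CA bundle replaces, rather than extends, the trust store, so a metadata server with a certificate from any other issuer is rejected, which is the property the thread wants from the injected CA.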
