[openstack-dev] [TripleO] [Heat] os-cloud-config ssh access to cloud

Steven Dake sdake at redhat.com
Fri Mar 14 13:42:35 UTC 2014

On 03/14/2014 06:33 AM, Jiří Stránský wrote:
> On 12.3.2014 17:03, Jiří Stránský wrote:
>> Thanks for all the replies everyone :)
>> I'm leaning towards going the way Robert suggested on the review [1] -
>> upload pre-created signing cert, signing key and CA cert to controller
>> nodes using Heat. This seems like a much cleaner approach to
>> initializing overcloud than having to SSH into it, and it will solve
>> both problems i outlined in the initial e-mail.
>> It creates another problem though - for simple (think PoC) deployments
>> without external CA we'll need to create the keys/certs
>> somehow/somewhere anyway :) It shouldn't be hard because it's already
>> implemented in keystone-manage pki_setup but we should figure out a way
>> to avoid copy-pasting the world. Maybe Tuskar calling pki_setup locally
>> and passing a parameter to pki_setup to override default location where
>> new keys/certs will be generated?
>> Thanks
>> Jirka
>> [1] https://review.openstack.org/#/c/78148/
> I'm adding [Heat] to the subject. After some discussion on IRC it 
> seems that what we need to do with Heat is not totally straightforward.
> Here's an attempt at a brief summary:
> In TripleO we deploy OpenStack using Heat, the cloud is described in a 
> Heat template [1]. We want to externally generate and then upload 3 
> small binary files to the controller nodes (Keystone PKI key and 
> certificates [2]). We don't want to generate them in place or scp them 
> into the controller nodes, because that would require having ssh 
> access to the deployed controller nodes, which comes with drawbacks [3].
> It would be good if we could have the 3 binary files put into the 
> controller nodes as part of the Heat stack creation. Can we include 
> them in the template somehow? Or is there an alternative feasible 
> approach?

You can inject files via the heat-cfntools agents.  Check out:

You could also use raw cloudinit data to inject a files section.

There may be a final option with software config, but I'm not certain if 
software config has grown a feature to inject files yet.


> Thank you
> Jirka
> [1] 
> https://github.com/openstack/tripleo-heat-templates/blob/0490dd665899d3265a72965aeaf3a342275f4328/overcloud-source.yaml
> [2] 
> http://docs.openstack.org/developer/keystone/configuration.html#install-external-signing-certificate
> [3] 
> http://lists.openstack.org/pipermail/openstack-dev/2014-March/029327.html
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list