[openstack-dev] [nova] [devstack] configuring https for glance client

Andrew Lazarev alazarev at mirantis.com
Tue Feb 10 17:53:56 UTC 2015


This doesn't look flexible for me. Glance and keystone could use different
settings for SSL. I like current way to use session and config section for
each separate client (like [1]).

[1] https://review.openstack.org/#/c/131098/

Thanks,
Andrew.

On Mon, Feb 9, 2015 at 6:19 PM, Matt Riedemann <mriedem at linux.vnet.ibm.com>
wrote:

>
>
> On 2/9/2015 5:40 PM, Andrew Lazarev wrote:
>
>> Hi Nova experts,
>>
>> Some time ago I figured out that devstack fails to stack with
>> USE_SSL=True option because it doesn't configure nova to work with
>> secured glace [1]. Support of secured glance was added to nova in Juno
>> cycle [2], but it looks strange for me.
>>
>> Glance client takes settings form '[ssl]' section. The same section is
>> used to set up nova server SSL settings. Other clients have separate
>> sections in the config file (and switching to session use now),  e.g.
>> related code for cinder - [3].
>>
>> I've created quick fix for the devstack - [4], but it would be nice to
>> shed a light on nova plans around glance config before merging a
>> workaround for devstack.
>>
>> So, the questions are:
>> 1. Is it normal that glance client reads from '[ssl]' config section?
>> 2. Is there a plan to move glance client to sessions use and move
>> corresponding config section to '[glance]'?
>> 3. Are any plans to run CI for USE_SSL=True use case?
>>
>> [1] - https://bugs.launchpad.net/devstack/+bug/1405484
>> [2] - https://review.openstack.org/#/c/72974
>> [3] -
>> https://github.com/openstack/nova/blob/2015.1.0b2/nova/
>> volume/cinder.py#L73
>> [4] - https://review.openstack.org/#/c/153737
>>
>> Thanks,
>> Andrew.
>>
>>
>> ____________________________________________________________
>> ______________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:
>> unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
> This came up in another -dev thread at one point which prompted a series
> from Matthew Gilliard [1] to use [ssl] globally or project-specific options
> since both glance and keystone are currently getting their ssl options from
> the global [ssl] group in nova right now.
>
> I've been a bad citizen and haven't gotten back to the series review yet.
>
> [1] https://review.openstack.org/#/q/status:open+project:
> openstack/nova+branch:master+topic:ssl-config-options,n,z
>
> --
>
> Thanks,
>
> Matt Riedemann
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150210/52734020/attachment.html>


More information about the OpenStack-dev mailing list