[openstack-dev] [Fuel] Distribution of keys for environments
Stanislaw Bogatkin
sbogatkin at mirantis.com
Wed Jan 28 16:04:43 UTC 2015
Hi.
I'm vote for second option, cause if we will want to implement some unified
hierarchy (like Fuel as CA for keys on controllers for different env's)
then it will fit better than other options. If we implement 3rd option then
we will reinvent the wheel with SSL in future. Bare rsync as storage for
private keys sounds pretty uncomfortable for me.
On Wed, Jan 28, 2015 at 6:44 PM, Dmitriy Shulyak <dshulyak at mirantis.com>
wrote:
> Hi folks,
>
> I want to discuss the way we are working with generated keys for
> nova/ceph/mongo and something else.
>
> Right now we are generating keys on master itself, and then distributing
> them by mcollective
> transport to all nodes. As you may know we are in the process of making
> this process described as
> task.
>
> There is a couple of options:
> 1. Expose keys in rsync server on master, in folder /etc/fuel/keys, and
> then copy them with rsync task (but it feels not very secure)
> 2. Copy keys from /etc/fuel/keys on master, to /var/lib/astute on target
> nodes. It will require additional
> hook in astute, smth like copy_file, which will copy data from file on
> master and put it on the node.
>
> Also there is 3rd option to generate keys right on primary-controller and
> then distribute them on all other nodes, and i guess it will be
> responsibility of controller to store current keys that are valid for
> cluster. Alex please provide more details about 3rd approach.
>
> Maybe there is more options?
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150128/dc913f39/attachment.html>
More information about the OpenStack-dev
mailing list