From 2e62675f82dabc069986d4f82e63f5e3f8d04347 Mon Sep 17 00:00:00 2001 From: Aparna Date: Tue, 16 Feb 2016 05:31:21 +0000 Subject: [PATCH] Doc update to enable HTTPS in Glance and Ironic comm Added the documentation to enable HTTPS endpoint in glance for enabling secure communication between Ironic and Glance. Related-Bug: #1548086 Change-Id: I7e7f98e6d5281ef030a35f29a10eab753e8a8568 --- doc/source/deploy/install-guide.rst | 66 +++++++++++++++++++++++++++++ doc/source/drivers/ilo.rst | 34 +++++++-------- 2 files changed, 83 insertions(+), 17 deletions(-) diff --git a/doc/source/deploy/install-guide.rst b/doc/source/deploy/install-guide.rst index a05fe332bd..fefef1f1e3 100644 --- a/doc/source/deploy/install-guide.rst +++ b/doc/source/deploy/install-guide.rst 
@@ -2019,6 +2019,72 @@ of the following ways: `_ (recommended only for testing purpose by swift). +.. _EnableHTTPSinGlance: + +Enabling HTTPS in Image service +=============================== + +Ironic drivers usually use Image service during node provisioning. By default, +image service does not use HTTPS, but it is required for secure communication. +It can be enabled by making the following changes to ``/etc/glance/glance-api.conf``: + +#. `Configuring SSL support + `_ + +#. Restart the glance-api service:: + + Fedora/RHEL7/CentOS7: + sudo systemctl restart openstack-glance-api + + Debian/Ubuntu: + sudo service glance-api restart + +See the `Glance `_ documentation, +for more details on the Image service. + +Enabling HTTPS communication between Image service and Object storage +===================================================================== + +This section describes the steps needed to enable secure HTTPS communication between +Image service and Object storage when Object storage is used as the Backend. + +To enable secure HTTPS communication between Image service and Object storage follow these steps: + +#. :ref:`EnableHTTPSinSwift`. + +#. `Configure Swift Storage Backend + `_ + +#. :ref:`EnableHTTPSinGlance` + +Enabling HTTPS communication between Image service and Bare Metal service +========================================================================= + +This section describes the steps needed to enable secure HTTPS communication between +Image service and Bare Metal service. + +To enable secure HTTPS communication between Bare Metal service and Image service follow these steps: + +#. Edit ``/etc/ironic/ironic.conf``:: + + [glance] + ... + glance_cafile=/path/to/certfile + glance_protocol=https + glance_api_insecure=False + + .. note:: + 'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate + served by Image service. + +#. 
Restart ironic-conductor service:: + + Fedora/RHEL7/CentOS7: + sudo systemctl restart openstack-ironic-conductor + + Debian/Ubuntu: + sudo service ironic-conductor restart + Using Bare Metal service as a standalone service ================================================ diff --git a/doc/source/drivers/ilo.rst b/doc/source/drivers/ilo.rst index 14dd7daf72..ff85b6ef47 100644 --- a/doc/source/drivers/ilo.rst +++ b/doc/source/drivers/ilo.rst @@ -206,12 +206,12 @@ Target Users security enhanced PXE-less deployment mechanism. The PXE driver passes management information in clear-text to the - bare metal node. However, if swift proxy server has an HTTPS - endpoint (See :ref:`EnableHTTPSinSwift` for more information), the - ``iscsi_ilo`` driver provides enhanced security by passing - management information to and from swift endpoint over HTTPS. The - management information, deploy ramdisk and boot images for the instance will - be retrieved over encrypted management network via iLO virtual media. + bare metal node. However, if swift proxy server and glance have HTTPS + endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more + information), the ``iscsi_ilo`` driver provides enhanced security by + exchanging management information with swift and glance endpoints over HTTPS. + The management information, deploy ramdisk and boot images for the instance + will be retrieved over encrypted management network via iLO virtual media. Tested Platforms ~~~~~~~~~~~~~~~~ 
@@ -239,11 +239,11 @@ Features * UEFI Boot Support * UEFI Secure Boot Support * Passing management information via secure, encrypted management network - (virtual media) if swift proxy server has an HTTPS endpoint. See - :ref:`EnableHTTPSinSwift` for more info. User image provisioning is done - using iSCSI over data network, so this driver has the benefit - of security enhancement with the same performance. It segregates management - info from data channel. + (virtual media) if swift proxy server and glance have HTTPS endpoints. See + :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more info. User + image provisioning is done using iSCSI over data network, so this driver has + the benefit of security enhancement with the same performance. It segregates + management info from data channel. * Support for out-of-band cleaning operations. * Remote Console * HW Sensors @@ -350,12 +350,12 @@ Target Users want to have a security enhanced PXE-less deployment mechanism. The PXE based agent drivers pass management information in clear-text to - the bare metal node. However, if swift proxy server has an HTTPS - endpoint (See :ref:`EnableHTTPSinSwift` for more information), - the ``agent_ilo`` driver provides enhanced security by passing authtoken - and management information to and from swift endpoint over HTTPS. The - management information and deploy ramdisk will be retrieved over encrypted - management network via iLO. + the bare metal node. However, if swift proxy server and glance have HTTPS + endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more + information), the ``agent_ilo`` driver provides enhanced security by + exchanging authtoken and management information with swift and glance + endpoints over HTTPS. The management information and deploy ramdisk will be + retrieved over encrypted management network via iLO. Tested Platforms ~~~~~~~~~~~~~~~~
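Review bot: in the install-guide hunk, the ``.. note::`` under the ``[glance]`` snippet reads "a optional path" (should be "an optional path") and stops short of the two facts an operator needs: what happens when ``glance_cafile`` is left unset (the client then falls back to the default CA bundle, so a private CA must be listed here or installed system-wide), and that ``glance_api_insecure=True`` turns certificate verification off, so an HTTPS endpoint with that setting is still open to interception; since ``glance_api_insecure=False`` is the default, say so rather than presenting it as a change to make. Step 1 of "Enabling HTTPS in Image service" also promises "the following changes to ``/etc/glance/glance-api.conf``" but then only links out; naming the options that link covers (``cert_file``, ``key_file`` and ``ca_file`` in ``[DEFAULT]`` of glance-api.conf) would make the step usable without following the link. In "Enabling HTTPS communication between Image service and Object storage", add the matching caveat for the Image service side: if the Object storage endpoint uses a private CA, Glance must trust it, and ``swift_store_auth_insecure`` must stay ``False``, otherwise the HTTPS hop is not actually verified.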
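Review bot: in the ``@@ -206`` hunk of ilo.rst, the rewritten sentence names the services as "swift proxy server and glance" while the install guide sections it points to (``EnableHTTPSinSwift``, ``EnableHTTPSinGlance``) are titled "Object storage" and "Image service"; use the same names in both files so readers can match the cross-references, e.g. "if the Object storage proxy server and the Image service both have HTTPS endpoints". The sentence should also make explicit that the enhanced security holds only when both endpoints use HTTPS, since the deploy ramdisk and boot images are fetched from the Image service through Object storage and a single clear-text hop is enough to expose the management information.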
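Review bot: in the ``@@ -239`` hunk, "so this driver has the benefit of security enhancement with the same performance" is awkward; suggest "so this driver gains the security enhancement without a performance penalty". The same "swift proxy server and glance" wording as in the ``@@ -206`` hunk should follow whichever service naming is chosen there.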
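Review bot: in the ``@@ -350`` hunk, "authtoken" should be written "auth token" (it is a credential, not the ``authtoken`` middleware), and the new sentence repeats the ``@@ -206`` wording almost verbatim; since the point being made for ``agent_ilo`` is that a bearer token now travels to two endpoints, it is worth stating that the protection depends on the conductor verifying both certificates (``glance_api_insecure`` left at ``False``), otherwise the token is exposed to whoever can interpose on the management network.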