Merge "Doc update to enable HTTPS in Glance and Ironic comm"

This commit is contained in:
Jenkins 2016-03-25 00:38:17 +00:00 committed by Gerrit Code Review
commit 630063cc31
2 changed files with 83 additions and 17 deletions

View File

@ -2033,6 +2033,72 @@ of the following ways:
<http://docs.openstack.org/developer/swift/deployment_guide.html>`_ <http://docs.openstack.org/developer/swift/deployment_guide.html>`_
(recommended only for testing purpose by swift). (recommended only for testing purpose by swift).
.. _EnableHTTPSinGlance:
Enabling HTTPS in Image service
===============================
Ironic drivers usually use Image service during node provisioning. By default,
image service does not use HTTPS, but it is required for secure communication.
It can be enabled by making the following changes to ``/etc/glance/glance-api.conf``:
#. `Configuring SSL support
<http://docs.openstack.org/developer/glance/configuring.html#configuring-ssl-support>`_
#. Restart the glance-api service::
Fedora/RHEL7/CentOS7:
sudo systemctl restart openstack-glance-api
Debian/Ubuntu:
sudo service glance-api restart
See the `Glance <http://docs.openstack.org/developer/glance/>`_ documentation,
for more details on the Image service.
Enabling HTTPS communication between Image service and Object storage
=====================================================================
This section describes the steps needed to enable secure HTTPS communication between
Image service and Object storage when Object storage is used as the Backend.
To enable secure HTTPS communication between Image service and Object storage follow these steps:
#. :ref:`EnableHTTPSinSwift`.
#. `Configure Swift Storage Backend
<http://docs.openstack.org/developer/glance/configuring.html#configuring-the-swift-storage-backend>`_
#. :ref:`EnableHTTPSinGlance`
Enabling HTTPS communication between Image service and Bare Metal service
=========================================================================
This section describes the steps needed to enable secure HTTPS communication between
Image service and Bare Metal service.
To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:
#. Edit ``/etc/ironic/ironic.conf``::
[glance]
...
glance_cafile=/path/to/certfile
glance_protocol=https
glance_api_insecure=False
.. note::
'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate
served by Image service.
#. Restart ironic-conductor service::
Fedora/RHEL7/CentOS7:
sudo systemctl restart openstack-ironic-conductor
Debian/Ubuntu:
sudo service ironic-conductor restart
Using Bare Metal service as a standalone service Using Bare Metal service as a standalone service
================================================ ================================================

View File

@ -207,12 +207,12 @@ Target Users
security enhanced PXE-less deployment mechanism. security enhanced PXE-less deployment mechanism.
The PXE driver passes management information in clear-text to the The PXE driver passes management information in clear-text to the
bare metal node. However, if swift proxy server has an HTTPS bare metal node. However, if swift proxy server and glance have HTTPS
endpoint (See :ref:`EnableHTTPSinSwift` for more information), the endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
``iscsi_ilo`` driver provides enhanced security by passing information), the ``iscsi_ilo`` driver provides enhanced security by
management information to and from swift endpoint over HTTPS. The exchanging management information with swift and glance endpoints over HTTPS.
management information, deploy ramdisk and boot images for the instance will The management information, deploy ramdisk and boot images for the instance
be retrieved over encrypted management network via iLO virtual media. will be retrieved over encrypted management network via iLO virtual media.
Tested Platforms Tested Platforms
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
@ -240,11 +240,11 @@ Features
* UEFI Boot Support * UEFI Boot Support
* UEFI Secure Boot Support * UEFI Secure Boot Support
* Passing management information via secure, encrypted management network * Passing management information via secure, encrypted management network
(virtual media) if swift proxy server has an HTTPS endpoint. See (virtual media) if swift proxy server and glance have HTTPS endpoints. See
:ref:`EnableHTTPSinSwift` for more info. User image provisioning is done :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more info. User
using iSCSI over data network, so this driver has the benefit image provisioning is done using iSCSI over data network, so this driver has
of security enhancement with the same performance. It segregates management the benefit of security enhancement with the same performance. It segregates
info from data channel. management info from data channel.
* Support for out-of-band cleaning operations. * Support for out-of-band cleaning operations.
* Remote Console * Remote Console
* HW Sensors * HW Sensors
@ -351,12 +351,12 @@ Target Users
want to have a security enhanced PXE-less deployment mechanism. want to have a security enhanced PXE-less deployment mechanism.
The PXE based agent drivers pass management information in clear-text to The PXE based agent drivers pass management information in clear-text to
the bare metal node. However, if swift proxy server has an HTTPS the bare metal node. However, if swift proxy server and glance have HTTPS
endpoint (See :ref:`EnableHTTPSinSwift` for more information), endpoints (See :ref:`EnableHTTPSinSwift`, :ref:`EnableHTTPSinGlance` for more
the ``agent_ilo`` driver provides enhanced security by passing authtoken information), the ``agent_ilo`` driver provides enhanced security by
and management information to and from swift endpoint over HTTPS. The exchanging authtoken and management information with swift and glance
management information and deploy ramdisk will be retrieved over encrypted endpoints over HTTPS. The management information and deploy ramdisk will be
management network via iLO. retrieved over encrypted management network via iLO.
Tested Platforms Tested Platforms
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~