Containerized Horizon: expose "DocumentRoot" on host

Bug #1768519 reported by Cédric Jeanneret deactivated
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Medium
Assigned to: Cédric Jeanneret deactivated

Bug Description

Dear Stackers,

In order to proceed with the webroot validation for Let's Encrypt, we have to allow the horizon container to access the validation token.

Currently, the horizon httpd vhost has a "DocumentRoot" set to /var/www - this location is empty, except for two directories, cgi-bin and html. They are also empty.

The validation process will be as follows:
On the host, certbot will be launched, with the right options, in order to either create or renew the certificate.
It will create a directory, /var/www/.well-known/ with some content in it (mainly, a subdirectory, and a file), and LE validation will make a simple GET request in order to fetch the token.

Exposing the container's /var/www directory tree on the host, in the same location, with a read-only flag, should be sufficient in order to get the validation working.

In order to do that, adding the following line:
- /var/www/:/var/www/:ro
in openstack-tripleo-heat-templates/docker/services/horizon.yaml "step_3" block should be sufficient.

Care to validate this idea, as well as the modification location? I'm testing it on my lab in parallel, but of course having some insight will be nice :)

Thank you!

Cheers,

C.
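
The mount proposed in the report can be checked mechanically before deployment. This is an added example, not code from the bug report or from tripleo-heat-templates; the function names and the sample volume lists are constructed, and it assumes docker-style `source:target[:options]` volume strings.

```python
from typing import Iterable, List, NamedTuple

WEBROOT = "/var/www"  # DocumentRoot named in the bug report


class Mount(NamedTuple):
    source: str
    target: str
    options: frozenset


def _norm(path: str) -> str:
    # Treat '/var/www/' and '/var/www' as the same location.
    return path.rstrip("/") or "/"


def parse_volume(spec: str) -> Mount:
    """Parse a 'source:target[:opt,opt]' volume string (assumed format)."""
    parts = spec.strip().split(":")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"unsupported volume spec: {spec!r}")
    opts = frozenset(o for o in parts[2].split(",") if o) if len(parts) == 3 else frozenset()
    return Mount(_norm(parts[0]), _norm(parts[1]), opts)


def audit_webroot(volumes: Iterable[str], webroot: str = WEBROOT) -> List[str]:
    """Return findings; an empty list means the mount matches the proposal."""
    hits = [m for m in map(parse_volume, volumes) if m.target == webroot]
    if not hits:
        return [f"{webroot} not mounted: host-side tokens are invisible to httpd"]
    findings = []
    for m in hits:
        if m.source != webroot:
            findings.append(f"source {m.source} differs from {webroot}; the report mounts it at the same location")
        if "ro" not in m.options:
            findings.append(f"{webroot} is writable from the container; add ':ro'")
    return findings


# Constructed sample volume lists, not taken from horizon.yaml.
PROPOSED = ["/etc/hosts:/etc/hosts:ro", "/var/www/:/var/www/:ro"]
WRITABLE = ["/etc/hosts:/etc/hosts:ro", "/var/www/:/var/www/"]
MISSING = ["/etc/hosts:/etc/hosts:ro"]

if __name__ == "__main__":
    for name, vols in [("proposed", PROPOSED), ("writable", WRITABLE), ("missing", MISSING)]:
        print(name, audit_webroot(vols) or "ok")
```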

Changed in tripleo:
status: New → Triaged
importance: Undecided → Medium
milestone: none → rocky-2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/565753

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanneret-c2c)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/565753
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4f2c29e83fd7f96482b1f4a32e144b61d69d653f
Submitter: Zuul
Branch: master

commit 4f2c29e83fd7f96482b1f4a32e144b61d69d653f
Author: Cédric Jeanneret <email address hidden>
Date: Wed May 2 15:15:31 2018 +0200

    Expose Horizon "DocumentRoot" on host

    This will allow webroot plugin for Let's Encrypt to actually work.
    The container has no need to write in this location.

    Change-Id: Ia76a0cc007abfdec6f25e1371eb696864f2925fd
    Closes-Bug: 1768519

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/566276

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/566277

tags: added: pike-backport-potential queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/566276
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2b9f05b57f5b130e2af355e4769e69b010937422
Submitter: Zuul
Branch: stable/queens

commit 2b9f05b57f5b130e2af355e4769e69b010937422
Author: Cédric Jeanneret <email address hidden>
Date: Wed May 2 15:15:31 2018 +0200

    Expose Horizon "DocumentRoot" on host

    This will allow webroot plugin for Let's Encrypt to actually work.
    The container has no need to write in this location.

    Change-Id: Ia76a0cc007abfdec6f25e1371eb696864f2925fd
    Closes-Bug: 1768519
    (cherry picked from commit 4f2c29e83fd7f96482b1f4a32e144b61d69d653f)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.0.3

This issue was fixed in the openstack/tripleo-heat-templates 8.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.0.0.0b3

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/566277
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=f42321eb2882742efded21afe65ca4f1779074a3
Submitter: Zuul
Branch: stable/pike

commit f42321eb2882742efded21afe65ca4f1779074a3
Author: Cédric Jeanneret <email address hidden>
Date: Wed May 2 15:15:31 2018 +0200

    Expose Horizon "DocumentRoot" on host

    This will allow webroot plugin for Let's Encrypt to actually work.
    The container has no need to write in this location.

    Change-Id: Ia76a0cc007abfdec6f25e1371eb696864f2925fd
    Closes-Bug: 1768519
    (cherry picked from commit 4f2c29e83fd7f96482b1f4a32e144b61d69d653f)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.15

This issue was fixed in the openstack/tripleo-heat-templates 7.0.15 release.
