cinder-api lost SSL in oslo.service wsgi move for M
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | | High | Justin A Wilson | |
| Fedora | New | Undecided | Justin A Wilson | |
Bug Description
Following the move to wsgi eventlet server from oslo.service, cinder-api lost the ability to run the wsgi eventlet server with SSL on, that existed in Liberty:
liberty: 2016-06-09 18:54:21.663 4708 INFO eventlet.
mitaka: 2016-06-09 18:25:28.911 26920 INFO eventlet.
With otherwise identical config, including SSL options, etc. The change that migrated to oslo.service, was https:/
It's probably merely a question of picking up the config options and passing them along?
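A post-upgrade check for the regression described above, as an added example that is not part of the original report or of Cinder's code: it tests whether a listening port actually negotiates TLS or answers plain HTTP. The function name `probe_endpoint`, its parameters and its return labels are assumptions made for this example.

```python
import socket
import ssl


def probe_endpoint(host, port, cafile=None, timeout=3.0):
    """Classify host:port as 'tls', 'tls-untrusted', 'plaintext-http',
    'unreachable' or 'unknown' (labels are this example's own)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Protocol detection only: with no CA file supplied we do not judge
        # the certificate, we only ask whether the port negotiates TLS.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"  # TLS is on, but the chain does not verify
    except OSError:
        pass  # not TLS, or the handshake timed out: try plain HTTP next
    finally:
        raw.close()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "unknown"
```

A result of `plaintext-http` on a port whose service is configured for SSL is the condition this bug reports; passing `cafile` additionally checks that the certificate chains to the CA you expect.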
| summary: |
- oslo.service wsgi move in Mitaka lost SSL + cinder-api lost SSL in oslo.service wsgi move for M |
| Changed in cinder: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| milestone: | none → newton-3 |
| Changed in cinder: | |
| assignee: | nobody → Justin A Wilson (justin-wilson) |
| dyyang@cn.ibm.com (dyyang) wrote : | #2 |
We just met the same issue when enabling SSL for cinder-api in Newton release, any progress or plan on fixing this?
| Justin A Wilson (justin-wilson) wrote : | #3 |
I'm still working at it. The cinder client seems to be using the wrong protocol (http). I'm currently looking into how it selects which protocol should be used.
| Justin A Wilson (justin-wilson) wrote : | #4 |
I was able to get SSL working, though you must modify the Cinder API endpoint and supply the CA file to the client each time you want to use it. Horizon's configuration must be updated as well, because it isn't aware that SSL is enabled for the cinder endpoint by default. So, the location of the CA file must be assigned to OPENSTACK_
| Nicolas Bock (nicolasbock) wrote : | #6 |
Justin, are you planning on backporting your fix for Mitaka?
| Changed in cinder: | |
| milestone: | newton-3 → newton-rc1 |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 19544f781eadce8
Author: Justin A Wilson <email address hidden>
Date: Tue Aug 9 17:59:59 2016 +0300
Added config option to enable SSL
Added option, osapi_volume_
its capability of utilizing SSL to encrypt the traffic to and from
the endpoint.
Change-Id: I6ecd6eda1eb030
Closes-Bug: 1590901
| Changed in cinder: | |
| status: | In Progress → Fix Released |
This issue was fixed in the openstack/cinder 9.0.0.0rc1 release candidate.
| Radoslav (radoslav-milanov) wrote : | #9 |
Is this going to be fixed in Mitaka?
| Edgar Magana (emagana) wrote : | #11 |
We would like to have this back-ported to Mitaka. We are using https:/
Fix proposed to branch: stable/mitaka
Review: https:/
Change abandoned by Justin A Wilson (<email address hidden>) on branch: stable/mitaka
Review: https:/
Reason: Messed up commit
| Justin A Wilson (justin-wilson) wrote : | #14 |
Successfully backported after screwing up the commands the first time
| Changed in fedora: | |
| assignee: | nobody → Justin A Wilson (justin-wilson) |
Change abandoned by Justin A Wilson (<email address hidden>) on branch: stable/mitaka
Review: https:/


The code for turning on SSL for the Cinder API is there, even though there is no option to turn it on via the config file. I managed to enable it, but it caused issues with the Cinder client's and the OpenStack client's ability to connect to the endpoint. Furthermore, the OpenStack Security Guide (http://docs.openstack.org/security-guide/secure-communication/secure-reference-architectures.html) recommends that you encrypt the traffic by using an SSL/TLS-enabled proxy in between it anyways.