ironic driver does not support ssl cafile

Bug #1561796 reported by aeva black
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: aeva black

Bug Description

Even though Ironic's python client supports SSL encrypted connections to the ironic service, and securing intra-service connections is a recommended practice, the nova.virt.Ironic driver currently lacks an option to specify a custom CA Certificate for validating the SSL connection to the Ironic service.

On the other hand, other OpenStack services which Nova connects to (e.g., Glance, Neutron...) have support for this via a service-specific "cafile" config option.

aeva black (tenbrae)
tags: added: ironic
tags: added: security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/297467

Changed in nova:
assignee: nobody → Devananda van der Veen (devananda)
status: New → In Progress
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/297467
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=0230edd708eb961ad6f9afb88a778fe03320bf3e
Submitter: Jenkins
Branch: master

commit 0230edd708eb961ad6f9afb88a778fe03320bf3e
Author: Devananda van der Veen <email address hidden>
Date: Thu Mar 24 17:00:26 2016 -0700

    Allow ironic driver to specify cafile

    This patch adds a config option to the [ironic] group, allowing the
    operator to specify a cacert file with which to connect to the
    ironic-api service.

    This corresponds with the way encrypted connections to other OpenStack
    services are configured.

    Change-Id: Ice1d6c3f6fc911c4f35fe0283e3d1e9dd8b0e1a7
    Closes-bug: #1561796

Changed in nova:
status: In Progress → Fix Released
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/nova 14.0.0.0b1

This issue was fixed in the openstack/nova 14.0.0.0b1 development milestone.
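
An operator-side check for the gap this bug describes, as an added example that is not part of nova or of this bug report: it parses a nova.conf and flags service groups whose https endpoint has no "cafile" set, and can optionally confirm that each configured bundle loads. The endpoint option names (api_servers, url, api_endpoint) are assumptions, and the hosts and file paths in the sample are constructed.

```python
import configparser
import ssl

# Constructed nova.conf fragment; hosts and file paths are placeholders.
SAMPLE_NOVA_CONF = """\
[glance]
api_servers = https://glance.example.test:9292
cafile = /nonexistent/internal-ca.pem

[neutron]
url = https://neutron.example.test:9696
cafile = /nonexistent/internal-ca.pem

[ironic]
api_endpoint = https://ironic.example.test:6385/v1
"""

# Assumed name of the option carrying each group's endpoint URL(s).
ENDPOINT_OPTS = {"glance": "api_servers", "neutron": "url", "ironic": "api_endpoint"}


def audit_cafile(conf_text, check_files=False):
    """Return {group: finding} for service groups with a TLS trust gap."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for group, opt in ENDPOINT_OPTS.items():
        if not cp.has_section(group):
            continue
        raw = cp.get(group, opt, fallback="")
        urls = [u.strip().lower() for u in raw.split(",") if u.strip()]
        cafile = cp.get(group, "cafile", fallback="").strip()
        if any(u.startswith("http://") for u in urls):
            findings[group] = "plaintext http endpoint"
        elif any(u.startswith("https://") for u in urls) and not cafile:
            findings[group] = "https endpoint without cafile"
        elif cafile and check_files:
            try:
                # Fails if the bundle is missing or holds no valid PEM certificate.
                ssl.create_default_context(cafile=cafile)
            except OSError:  # FileNotFoundError and ssl.SSLError both derive from it
                findings[group] = "cafile not loadable"
    return findings


if __name__ == "__main__":
    for group, finding in audit_cafile(SAMPLE_NOVA_CONF, check_files=True).items():
        print(f"[{group}] {finding}")
```
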
