no way to publish-image if nova uses keystone (no EC2_CERT)

Bug #903345 reported by Scott Moser on 2011-12-12
This bug affects 2 people
Affects: OpenStack Compute (nova)
Assigned to: Vish Ishaya

Bug Description

Prior to keystone, the user would get credentials via
  nova-manage project zipfile
and in the zip file there was a pk.pem and a cert.pem file. These could then be used wherever there was a need for 'EC2_CERT' and 'EC2_PRIVATE_KEY' respectively.

In EC2, almost everything has moved to using the REST API, which does authentication via secret key and access key. The one set of tools that still needs the cert and private key path is the ec2-api-tools. The only functionality that I'm aware of that *depends* on those is bundle-image (ec2-bundle-image, euca-bundle-image).

In an OpenStack system set up to use keystone, there is no way to get a certificate and private key, and thus no way to publish an image via the bundle-image/upload-bundle path.

Tags: ec2
Thierry Carrez (ttx) wrote:

I think that asks the question of how badly we want to support bundle-image in Nova. Its interdependency with S3 makes it a bit of an oddball in EC2 too :)

Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
Scott Moser (smoser) wrote:

It would be fairly easy to work around this in cloud-publish-image or cloud-publish-tarball. And that would serve at least some portion of the users. However, there is one issue that would block that.

At this point, if I upload an image to glance (with the glance client), there is no way to figure out what its ami-id is. The glance name is not globally unique and afaik there is no way to turn the glance image-id that is returned into an ami-id.

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
status: Confirmed → In Progress

Fix proposed to branch: master

Submitter: Jenkins
Branch: master

commit 0c5273c85ea72d60e5907acb22398584ded0a077
Author: Vishvananda Ishaya <email address hidden>
Date: Wed Jan 18 21:04:47 2012 -0800

    Create nova cert worker for x509 support

     * Adds new worker for cert management
     * Makes decrypt use an rpc to the worker
     * Moves CA filesystem creation out of cloud.setup
     * Moves test for X509 into crypto
     * Adds test for encrypting and decrypting using cert
     * Cleans up extra code in cloudpipe
     * Fixes bug 918563
     * Prepares for a future patch that will fix bug 903345

    Change-Id: I4693c50c8f432706f97395af39e736f49d60e719

Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
status: Fix Committed → In Progress

Submitter: Jenkins
Branch: master

commit 4fb1e8d34feafafe423e012c7031835024d85dcd
Author: Vishvananda Ishaya <email address hidden>
Date: Thu Jan 19 14:58:27 2012 -0800

    Adds extension for retrieving certificates

     * Makes euca-upload/euca-register work again
     * Provides means for novarc to be generated
     * Fixes bug 903345
     * Implements blueprint x509-cert-crud

    Change-Id: I0b2a42fe5436243da6925ba199936b49458d6f8c

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-01-25
Changed in nova:
milestone: none → essex-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-04-05
Changed in nova:
milestone: essex-3 → 2012.1