OpenStack + Chef

[dashboard] Non-ssl configuration is horribly broken

Bug #1445047 reported by Timothy Foreman on 2015-04-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack + Chef	Fix Released	Medium	Mark Vanderwiel	OpenStack + Chef kilo-rc1

Bug Description

If you want to run the dashboard without ssl - for example behind a load balancer that does ssl termination - the cookbook does not work correctly.

The only thing setting 'default['openstack']['dashboard']['use_ssl'] = false' does is turn off the port 80 redirect in the apache config file.

The cookbook still requires you to have ssl certs, even though you don't need them. The apache config file still puts everything in the port 443 virtual host.

Many more things need to be conditional on the 'use_ssl' flag.

Tags:

Mark Vanderwiel (vanderwl) on 2015-04-16

tags:

added: dashboard

Revision history for this message

Mark Vanderwiel (vanderwl) wrote on 2015-04-16:

Just wondering out loud, since the cookbook provides basic ssl certs, is that part really an issue? It's only going to copy the provided files.

If you can provide sample hacked config files for what your looking for, I can try to go after the conditionals within the conf files.

Changed in openstack-chef:
status:	New → Confirmed

Revision history for this message

Timothy Foreman (twforeman) wrote on 2015-04-16:

The certs might not be an issue since there are files in the cookbook.

But the virt host that gets built by the template still runs on node['openstack']['dashboard']['https_port']

You can set https_port = 80 and http_port = 443 and make it work, but that seems wrong.

Revision history for this message

Mark Vanderwiel (vanderwl) wrote on 2015-04-16:

Yup, agreed that is wrong and ugly.

So, it looks like that 'default['openstack']['dashboard']['use_ssl'] = false' flag is used here:
https://github.com/stackforge/cookbook-openstack-dashboard/blob/master/templates/default/dash-site.erb#L11
to create only one VirtualHost section in the dash-site.erb.

It's used again herehttps://github.com/stackforge/cookbook-openstack-dashboard/blob/master/templates/default/dash-site.erb#L66 to remove the cert entries.

For the local_setting file, it used here: https://github.com/stackforge/cookbook-openstack-dashboard/blob/master/templates/default/local_settings.py.erb#L42

but might also need to be used around this more completeness: https://github.com/stackforge/cookbook-openstack-dashboard/blob/master/templates/default/local_settings.py.erb#L165 to 173

It's also used here https://github.com/stackforge/cookbook-openstack-dashboard/blob/master/recipes/apache2-server.rb#L47
to allow the new Common dashboard endpoints to be used.

k, I played with this a bit, and came up with a patch that I think covers it. Please review and/or test with it, thx.

Changed in openstack-chef:
assignee:	nobody → Mark Vanderwiel (vanderwl)
milestone:	none → kilo-rc1
importance:	Undecided → Medium

OpenStack Infra (hudson-openstack) on 2015-04-16

Changed in openstack-chef:
status:	Confirmed → In Progress

Revision history for this message

Timothy Foreman (twforeman) wrote on 2015-04-16:

I actually think the template may be working as intended and I'm just bad at parsing them by looking. I'm still playing with this.

Revision history for this message

Mark Vanderwiel (vanderwl) wrote on 2015-04-16:

you'll see in the patch, the one issue is that we're still including mod_ssl in the recipe which forces the setup of port 443.
So, the patch does 3 things to help make non-ssl cleaner:
- don't include apache2 mod_ssl recipe
- don't mess with cert files in recipe
- don't setup cert files in local_settings

fairly minor tweaks, but works better now.

https://review.openstack.org/#/c/174507/

Revision history for this message

Timothy Foreman (twforeman) wrote on 2015-04-16:

Yes, my testing shows the template working as expected.

Your patch looks pretty good at a glance, but I have not tested it.

Thanks for looking at this so quickly.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-04-22: Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/174507
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=3d4d7bc49de835c13250e760bbb87fb6fbc49dcd
Submitter: Jenkins
Branch: master

commit 3d4d7bc49de835c13250e760bbb87fb6fbc49dcd
Author: Mark Vanderwiel <email address hidden>
Date: Thu Apr 16 12:56:20 2015 -0500

Allow non-ssl to work correctly

when use_ssl is false, several ssl related items are still
in play, notably including mod_ssl.

Closes-Bug: #1445047

Change-Id: Iafd26f8eddfd74a90b6a8bde579bf53af57b5893

Changed in openstack-chef:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-25: Fix included in openstack/cookbook-openstack-dashboard ocata-eol

This issue was fixed in the openstack/cookbook-openstack-dashboard ocata-eol release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.