Documentation needed to clarify how to configure auth_endpoint for image signing

Bug #1623488 reported by Darren
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Confirmed | Undecided | Kaitlin Farr |
openstack-manuals | Opinion | High | Kaitlin Farr |

Bug Description

Description
===========
By default Barbican uses http://localhost:5000/v3 for the auth_endpoint (where keystone is). Users should know that this can be changed in nova.conf. This will solve the issue of Barbican being unable to connect to Keystone.

Steps to reproduce
==================
If keystone is not on localhost then Barbican will not be able to connect to Keystone. Also, using this documentation to create a signed image:

https://github.com/openstack/glance/blob/master/doc/source/signature.rst

Then booting the image using 'nova boot'.

Note: verify_glance_signatures must be set to true in nova.conf

Expected result
===============
Barbican should connect to Keystone to authorize credentials when booting a signed image.

Actual result
=============
Barbican cannot connect to Keystone and booting a signed image fails.

Environment
===========
This is using the mitaka branch.

This also happens in Glance: https://bugs.launchpad.net/glance/+bug/1620539

Stuart McLaren (stuart-mclaren) wrote :

Basically it's really non-obvious to figure out what needs to be configured to get image signing to work in Nova.

Glance has some documentation:

https://review.openstack.org/#/c/333209/

which tries to help users/admins through the process.

It would be great to see something equivalent for nova.

Darren (darrenswhite95) wrote :

To solve this problem I added this to nova.conf:

auth_endpoint = https://padawan-ccp-vip-KEY-API-mgmt:5000/v3
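A pre-flight check for the misconfiguration this bug describes, as an added example that is not part of the thread or of nova: it reads the text of a nova.conf and reports when signature verification is enabled while auth_endpoint is unset or still points at loopback. The section names in the sample files and the `check_signing_config` helper are assumptions; the page does not say which sections hold these options, so the check searches every section.

```python
import configparser
from urllib.parse import urlparse

DEFAULT_AUTH_ENDPOINT = "http://localhost:5000/v3"  # default stated in the bug description
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample files. Section names are assumptions; the page does not give them.
UNCONFIGURED = "[glance]\nverify_glance_signatures = true\n"
CONFIGURED = UNCONFIGURED + (
    "[barbican]\nauth_endpoint = https://padawan-ccp-vip-KEY-API-mgmt:5000/v3\n")


def find_option(cfg, name):
    """Return the value of `name` from the first section that defines it, else None."""
    for section in cfg.sections():
        if cfg.has_option(section, name):
            return cfg.get(section, name).strip()
    return None


def check_signing_config(text):
    """Return a list of findings for the text of a nova.conf."""
    # default_section is renamed so [DEFAULT] is searched like any other section.
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    default_section="__unused__")
    cfg.read_string(text)
    findings = []
    verify = (find_option(cfg, "verify_glance_signatures") or "false").lower()
    if verify not in ("true", "1", "yes", "on"):
        return ["verify_glance_signatures is not true: image signatures are not verified"]
    endpoint = find_option(cfg, "auth_endpoint")
    if endpoint is None:
        findings.append("auth_endpoint is unset: default %s applies" % DEFAULT_AUTH_ENDPOINT)
        endpoint = DEFAULT_AUTH_ENDPOINT
    url = urlparse(endpoint)
    if url.hostname in LOOPBACK_HOSTS:
        findings.append("auth_endpoint is loopback: works only if Keystone runs on this host")
    elif url.scheme != "https":
        findings.append("auth_endpoint is not https: Keystone traffic is unencrypted")
    return findings


if __name__ == "__main__":
    for label, text in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        print(label, check_signing_config(text) or "ok")
```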

Sylvain Bauza (sylvain-bauza) wrote :

I'm unclear, was the problem fixed by modifying the configuration?

Changed in nova:
status: New → Incomplete
Darren (darrenswhite95) wrote :

Yes, but it should have documentation added so users know that barbican can be configured to change where it thinks keystone is. That's what this bug is for.

Augustina Ragwitz (auggy) wrote :

I agree that if this is a use case that needs to be documented then this is a valid bug. I've also added the openstack-manuals project to get someone from the docs team to make sure there isn't anything in the admin guide or anywhere else that would also benefit from this information.

summary: - Image signature documentation modify barbican auth_endpoint
+ Documentation needed to clarify how to configure auth_endpoint for image
+ signing
Changed in nova:
status: Incomplete → Confirmed
tags: added: doc
Joseph Robinson (joseph-r-email) wrote :

Currently, there is no Barbican content in the Administrator and the User guide. This change most likely affects the Installation Guide docs.

Changed in openstack-manuals:
importance: Undecided → High
status: New → Confirmed
Alexandra Settle (alexandra-settle) wrote :

The documentation for Barbican resides within their own repo.

This does not currently affect the OpenStack manuals project.

I recommend the documentation is updated here: http://docs.openstack.org/project-install-guide/key-manager/draft/

Changed in openstack-manuals:
status: Confirmed → Opinion
Changed in barbican:
importance: Undecided → High
milestone: none → pike-1
Changed in barbican:
assignee: nobody → Kaitlin Farr (kaitlin-farr)
Sean Dague (sdague) wrote :

Automatically discovered version mitaka in description. If this is incorrect, please update the description to include 'nova version: ...'

tags: added: openstack-version.mitaka
Changed in nova:
assignee: nobody → Kaitlin Farr (kaitlin-farr)
Changed in openstack-manuals:
assignee: nobody → Kaitlin Farr (kaitlin-farr)
no longer affects: barbican