openstack/ironic
Code Issues Proposed changes
ironic/doc/source/install/enabling-https.rst
Pavlo Shchelokovskyy 5ff1e90e93 Update the documentation links - install guide 
This patch updates the old links existing in install guide.

Change-Id: I3a9b4d896ecd7dff2cdc118d3612d5fbd4d32fc9
Co-Authored-By: Chason Chan <chen.xing@99cloud.net>
2017-08-15 09:46:59 +03:00

3.0 KiB
Raw Blame History

Enabling HTTPS

Enabling HTTPS in Swift

The drivers using virtual media use swift for storing boot images and node configuration information (contains sensitive information for Ironic conductor to provision bare metal hardware). By default, HTTPS is not enabled in swift. HTTPS is required to encrypt all communication between swift and Ironic conductor and swift and bare metal (via virtual media). It can be enabled in one of the following ways:

Enabling HTTPS in Image service

Ironic drivers usually use Image service during node provisioning. By default, image service does not use HTTPS, but it is required for secure communication. It can be enabled by making the following changes to /etc/glance/glance-api.conf:

  1. Configuring SSL support

  2. Restart the glance-api service:

    Fedora/RHEL7/CentOS7/SUSE:
    sudo systemctl restart openstack-glance-api

Debian/Ubuntu:
    sudo service glance-api restart

See the Glance documentation, for more details on the Image service.

Enabling HTTPS communication between Image service and Object storage

This section describes the steps needed to enable secure HTTPS communication between Image service and Object storage when Object storage is used as the Backend.

To enable secure HTTPS communication between Image service and Object storage follow these steps:

  1. EnableHTTPSinSwift
  2. Configure Swift Storage Backend
  3. EnableHTTPSinGlance

Enabling HTTPS communication between Image service and Bare Metal service

This section describes the steps needed to enable secure HTTPS communication between Image service and Bare Metal service.

To enable secure HTTPS communication between Bare Metal service and Image service follow these steps:

  1. Edit /etc/ironic/ironic.conf:

    [glance]
...
glance_cafile=/path/to/certfile
glance_protocol=https
glance_api_insecure=False

    Note

    'glance_cafile' is a optional path to a CA certificate bundle to be used to validate the SSL certificate served by Image service.

  2. Restart ironic-conductor service:

    Fedora/RHEL7/CentOS7/SUSE:
    sudo systemctl restart openstack-ironic-conductor

Debian/Ubuntu:
    sudo service ironic-conductor restart