2d4e617a52
This commit addresses multiple potential vulnerabilities in
Magnum. It makes the following changes:
* Permissions for /etc/sysconfig/heat-params inside Magnum
created instances are tightened to 0600 (used to be 0755).
* Certificate retrieval is modified to work without the need
for a Keystone trust.
* The cluster's Keystone trust id is only passed into
instances for clusters where that is actually needed. This
prevents the trustee user from consuming the trust in cases
where it is not needed.
* The configuration setting trust/cluster_user_trust (False by
default) is introduced. It needs to be explicitly enabled
by the cloud operator to allow clusters that need the
trust_id to be passed into instances to work. Without this
setting, attempts to create such clusters will fail.
Please note that none of these changes apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.
(cherry picked from commit
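
The two settings named in the commit message above can be audited with a short script. This is an added example, not part of the Magnum commit or repository: the heat-params check is meant to run inside a cluster instance and the config check against the operator's Magnum configuration file. It assumes GNU stat and an INI-style config; the function names, accepted true spellings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Magnum code). Assumes GNU stat and an INI-style config file.

# Succeeds only if FILE grants nothing to group or other (0600 or stricter).
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds only if CONF sets cluster_user_trust to a true value in [trust].
# An absent or commented-out option counts as disabled (the stated default is False).
cluster_user_trust_enabled() {
    awk '
        /^[ \t]*\[/ { in_trust = ($0 ~ /^[ \t]*\[trust\]/); next }
        in_trust && /^[ \t]*cluster_user_trust[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            val = tolower($0)
        }
        END { if (val == "true" || val == "1" || val == "on" || val == "yes") exit 0; exit 1 }
    ' "$1"
}

# Demo on constructed files in a temporary directory (not real instance data).
demo() {
    dir=$(mktemp -d) || return 1
    printf 'EXAMPLE_KEY="constructed-value"\n' > "$dir/heat-params"
    chmod 0755 "$dir/heat-params"          # mode used before the fix
    mode_is_private "$dir/heat-params" || echo "heat-params 0755: readable by other users"
    chmod 0600 "$dir/heat-params"          # mode set by the fix
    mode_is_private "$dir/heat-params" && echo "heat-params 0600: owner only"
    printf '[trust]\ncluster_user_trust = True\n' > "$dir/magnum.conf"
    cluster_user_trust_enabled "$dir/magnum.conf" && echo "cluster_user_trust: enabled by operator"
    rm -rf "$dir"
}
demo
```
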

* lib
* README.rst
* plugin.sh
* settings

README.rst
DevStack Integration
This directory contains the files necessary to integrate magnum with devstack.
Refer to the quickstart guide at http://docs.openstack.org/developer/magnum/dev/dev-quickstart.html for more information on using devstack and magnum.
Running devstack with magnum for the first time may take a long time as it needs to download the Fedora Atomic qcow2 image (see http://www.projectatomic.io/download/).
To install magnum into devstack, add the following settings to enable the magnum plugin:
cat > /opt/stack/devstack/local.conf << END
[[local|localrc]]
enable_plugin heat https://github.com/openstack/heat master
enable_plugin magnum https://github.com/openstack/magnum master
END
You might also need additional Neutron configuration for your environment. Please refer to the devstack documentation for details.
Then run devstack normally:
cd /opt/stack/devstack
./stack.sh