This change makes mod_wsgi create standalone processes for horizon. This
avoids obscure start up errors when mod_wsgi needs to spawn a new
process or thread. These restarts occur, for example, when mod_wsgi
receives a request from a client that is accessing the service through a
non-standard SSL port that is mapped to the port mod_wsgi is listening
on.
Change-Id: I5907b5c06cef0272ee145c277f79f23ba37741a4
Closes-Bug: #1499073
This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.
* The server key/certificate (and optionally a CA cert) are
distributed to all horizon containers.
* Two new variables have been implemented for a user-provided
server key and certificate:
- horizon_user_ssl_cert: <path to cert on deployment host>
- horizon_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, then the missing cert/key
will be self generated on the first Horizon container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- horizon_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'horizon_ssl_self_signed_subject' has
been implemented to allow the user to override the self-signed
certificate properties, such as the CN and subjectAltName.
Upgrade notes:
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The variable 'horizon_self_signed' (which defaulted to true)
has been removed. The decision of whether to generate a
self-signed certificate has been made based on whether a
user provided key/cert pair has been provided.
* The 'horizon_self_signed_regen' variable has been renamed
to 'horizon_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key
DocImpact
UpgradeImpact
Closes-Bug: #1475578
Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
In I4456bc1a0056da051947977a26dd6d57c549e421 we hardened Keystone's
Apache SSL settings. In order to keep all Apache SSL settings uniformly
configured, we also need to update Horizon's settings and centralize
where we define the cipher suite that the server supports and the
preferred protocol versions.
We also explicitly disable SSLCompression even though we tend to only
test against versions of Apache that have this off by default. If
someone uses a version after 2.2.24 or uses 2.4.3, they would otherwise
have to explicitly turn this off. Preferring security by default, we
disable it explicitly to prevent insecure installations anywhere.
We also document how users can override specific service SSL settings in
the event one service needs to support older clients that require
certain protocols or ciphers. For example, it's very plausible that an
organization may need to enable RC4 and SSLv3 for Horizon since their
users are still using XP and an old version of Internet Explorer.
Related-Bug: 1437481
Change-Id: I85843452935710083253847d6e11f85e9d6d2e84
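The three commit messages above each describe a setting a deployer would want to confirm on a rendered Horizon vhost: mod_wsgi daemon mode, SSLCACertificateFile rather than SSLCACertificatePath, and the hardened protocol/cipher/compression directives. The following audit script is an added example, not code from the openstack-ansible project; the two vhost texts are constructed samples whose paths, server name and cipher list are assumptions, not the role's real template output.

```python
"""Audit a rendered Horizon Apache vhost for the settings discussed above.
Added example with constructed input; not the openstack-ansible role's code."""

# Apache's SSLProtocol keyword "all" expands to these on modern builds (SSLv2 dropped).
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Constructed "before" vhost: embedded mod_wsgi, CA path directive, permissive TLS.
WEAK_VHOST = """
<VirtualHost *:443>
    ServerName horizon.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache.cert
    SSLCertificateKeyFile /etc/ssl/private/apache.key
    SSLCACertificatePath /etc/ssl/certs
    SSLProtocol all
    SSLCipherSuite ALL:!aNULL
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
</VirtualHost>
"""

# Constructed "after" vhost: daemon mode, CA file directive, hardened TLS (cipher list is illustrative).
HARDENED_VHOST = """
<VirtualHost *:443>
    ServerName horizon.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/horizon.pem
    SSLCertificateKeyFile /etc/ssl/private/horizon.key
    SSLCACertificateFile /etc/ssl/certs/horizon-ca.pem
    SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!RC4:!MD5
    SSLHonorCipherOrder on
    SSLCompression off
    WSGIDaemonProcess horizon user=horizon group=horizon processes=2 threads=10
    WSGIProcessGroup horizon
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
</VirtualHost>
"""


def parse_vhost(text):
    """Return {directive_lowercased: [[arg, ...], ...]}; section tags and comments are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def last(directives, name):
    """A later occurrence of a directive overrides an earlier one, so take the last."""
    values = directives.get(name.lower())
    return values[-1] if values else None


def legacy_ssl_enabled(protocol_args):
    """Evaluate SSLProtocol +/- tokens left to right and report whether SSLv2/SSLv3 survive."""
    enabled = set()
    for tok in protocol_args:
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return bool(enabled & {"sslv2", "sslv3"})


def rc4_allowed(cipher_spec):
    """Heuristic for an OpenSSL cipher string: RC4 counts as allowed unless it is
    explicitly killed with !RC4, or the list is an explicit enumeration that never
    names RC4 or a catch-all group such as ALL or DEFAULT."""
    tokens = cipher_spec.split(":")
    if any(t.upper() == "!RC4" for t in tokens):
        return False
    catch_all = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "LOW"}
    return any(t.upper() in catch_all or "RC4" in t.upper() for t in tokens)


def audit(vhost_text):
    """Return a list of human-readable findings; an empty list means the vhost passes."""
    d = parse_vhost(vhost_text)
    findings = []
    compression = last(d, "SSLCompression")
    if compression is None or compression[0].lower() != "off":
        findings.append("SSLCompression is not explicitly 'off'")
    protocol = last(d, "SSLProtocol")
    if protocol is None or legacy_ssl_enabled(protocol):
        findings.append("SSLProtocol leaves SSLv2/SSLv3 enabled (unset, or 'all' without -SSLv3)")
    ciphers = last(d, "SSLCipherSuite")
    if ciphers is None or rc4_allowed(ciphers[0]):
        findings.append("SSLCipherSuite is unset or still permits RC4")
    if "sslcacertificatepath" in d and "sslcacertificatefile" not in d:
        findings.append("SSLCACertificatePath used without SSLCACertificateFile; signing CA not sent to browser")
    if "wsgiscriptalias" in d and ("wsgidaemonprocess" not in d or "wsgiprocessgroup" not in d):
        findings.append("mod_wsgi runs embedded; add WSGIDaemonProcess and WSGIProcessGroup")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit(text) or "OK")
```

Running the script reports five findings for the weak vhost and none for the hardened one. The cipher check is deliberately a heuristic on the cipher string; the authoritative test for RC4 on a live server is to negotiate against it, which this offline script does not attempt.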
This change implements the blueprint to convert all roles and plays into
a more generic setup, following upstream ansible best practices.
Items Changed:
* All tasks have tags.
* All roles use namespaced variables.
* All redundant tasks within a given play and role have been removed.
* All of the repetitive plays have been removed in favor of a more
simplistic approach. This change duplicates code within the roles but
ensures that the roles only ever run within their own scope.
* All roles have been built using an ansible galaxy syntax.
* The `*requirement.txt` files have been reformatted to follow upstream
Openstack practices.
* Dynamically generated inventory is now more organized; this should assist
anyone who may want or need to dive into the JSON blob that is created.
In the inventory a properties field is used for items that customize containers
within the inventory.
* The environment map has been modified to support additional host groups to
enable the separation of infrastructure pieces. While the old infra_hosts group
will still work this change allows for groups to be divided up into separate
chunks; eg: deployment of a swift only stack.
* The LXC logic now exists within the plays.
* etc/openstack_deploy/user_variables.yml has all password/token
variables extracted into the separate file
etc/openstack_deploy/user_secrets.yml in order to allow separate
security settings on that file.
Items Excised:
* All of the roles have had the LXC logic removed from within them which
should allow roles to be consumed outside of the `os-ansible-deployment`
reference architecture.
Note:
* the directory rpc_deployment still exists and is presently pointed at plays
containing a deprecation warning instructing the user to move to the standard
playbooks directory.
* While all of the rackspace specific components and variables have been removed
and/or were refactored the repository still relies on an upstream mirror of
Openstack built python files and container images. This upstream mirror is hosted
at rackspace at "http://rpc-repo.rackspace.com" though this is
not locked to and/or tied to rackspace specific installations. This repository
contains all of the needed code to create and/or clone your own mirror.
DocImpact
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
Closes-Bug: #1403676
Implements: blueprint galaxy-roles
Change-Id: I03df3328b7655f0cc9e43ba83b02623d038d214e
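The split of password/token variables out of user_variables.yml into user_secrets.yml only buys anything if secrets actually stay out of the first file and the second file carries restrictive permissions. The script below is an added example, not part of the openstack-ansible repository; it checks both conditions on constructed sample files. The variable names other than the horizon_* ones from the commit messages above are invented for the sample, and the minimal YAML reader only handles top-level `key: value` lines so that it runs without PyYAML.

```python
"""Check that secrets stayed out of user_variables.yml and that user_secrets.yml
is not group/world readable.  Added example with constructed input; not the
openstack-ansible project's own tooling."""
import os
import re
import stat
import tempfile

# Variable names that belong in user_secrets.yml, per the commit message's
# "password/token" split (the word "secret" is included as an obvious extension).
SECRET_KEY_RE = re.compile(r"(password|token|secret)", re.IGNORECASE)

# Constructed user_variables.yml: one password was left behind by mistake.
USER_VARIABLES = """
## Constructed sample, not a real deployment file
horizon_user_ssl_cert: /etc/openstack_deploy/ssl/horizon.crt
horizon_user_ssl_key: /etc/openstack_deploy/ssl/horizon.key
horizon_ssl_self_signed_regen: false
example_db_password: not-a-real-password
"""

# Constructed user_secrets.yml contents (values are placeholders).
USER_SECRETS = """
example_db_password: not-a-real-password
example_service_token: not-a-real-token
"""


def parse_simple_yaml(text):
    """Read top-level 'key: value' lines only; nested structures and comments are ignored."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.startswith(" ") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def misplaced_secrets(user_variables_text):
    """Return the variable names in user_variables.yml that look like secrets.
    Note that horizon_user_ssl_key is a path to a key file, not a secret value,
    so the pattern deliberately does not match '_key'."""
    return sorted(k for k in parse_simple_yaml(user_variables_text) if SECRET_KEY_RE.search(k))


def permission_findings(path):
    """Report if the secrets file grants any group or other permission bits."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} is accessible to group/other (mode {stat.filemode(mode)})"]
    return []


def demo():
    """Write the constructed secrets file twice, locked down and world-readable,
    and return what the two checks report for each case."""
    with tempfile.TemporaryDirectory() as tmp:
        locked = os.path.join(tmp, "user_secrets.yml")
        loose = os.path.join(tmp, "user_secrets_loose.yml")
        for path, mode in ((locked, 0o600), (loose, 0o644)):
            with open(path, "w") as fh:
                fh.write(USER_SECRETS)
            os.chmod(path, mode)
        return {
            "misplaced": misplaced_secrets(USER_VARIABLES),
            "locked_findings": permission_findings(locked),
            "loose_findings": permission_findings(loose),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a pre-deployment check, the script names `example_db_password` as a secret that should move to user_secrets.yml and flags the 0644 copy of the secrets file while passing the 0600 one. A real deployment would point `permission_findings` at etc/openstack_deploy/user_secrets.yml and feed `misplaced_secrets` the actual user_variables.yml contents.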