0ba5358865
* Add a connection-string based workflow to MicroStack; * microstack add-compute command can be run at the Control node in order to generate a connection string (an ASCII blob for the user); * the connection string contains: * an address of the control node; * a sha256 fingerprint of the TLS certificate used by the clustering service at the control node (which is used during verification similar to the Certificate Pinning approach); * an application credential id; * an application credential secret (short expiration time, reader role on the service project, restricted to listing the service catalog); * a MicroStack admin is expected to have ssh access to all nodes that will participate in a cluster - prior trust establishment is on them to figure out which is normal since they provision the nodes; * a MicroStack admin is expected to securely copy a connection string to a compute node via ssh. Since it is short-lived and does not carry service secrets, there is no risk of a replay at a later time; * If the compute role is specified during microstack.init, a connection string is requested and used to perform a request to the clustering service and validate the certificate fingerprint. The credential ID and secret are POSTed for verification to the clustering service which responds with the necessary config data for the compute node upon successful authorization. * Set up TLS termination for the clustering service; * run the flask app as a UWSGI daemon behind nginx; * configure nginx to use a TLS certificate; * generate a self-signed TLS certificate. This setup does not require PKI to be present for its own purposes of joining compute nodes to the cluster. However, this does not mean that PKI will not be used for TLS termination of the OpenStack endpoints. Control node init workflow (non-interactive): sudo microstack init --auto --control microstack add-compute <the connection string to be used at the compute node> Compute node init workflow (non-interactive): sudo microstack init --auto --compute --join <connection-string> Change-Id: I9596fe1e6e5c1a325cc71fd3bf0c78b660b9a83e
26 lines
652 B
Bash
Executable File
26 lines
652 B
Bash
Executable File
#!/bin/bash
|
|
|
|
set -e
|
|
|
|
export OVN_LOGDIR=${SNAP_COMMON}/log/ovn
|
|
export OVN_RUNDIR=${SNAP_COMMON}/run/ovn
|
|
export OVN_SYSCONFDIR=${SNAP_COMMON}/etc
|
|
export OVN_PKGDATADIR=${SNAP}/usr/local/share/ovn
|
|
export OVN_BINDIR=${SNAP}/bin
|
|
export OVN_SBINDIR=${SNAP}/sbin
|
|
|
|
|
|
mkdir -p ${OVN_LOGDIR}
|
|
mkdir -p ${OVN_RUNDIR}
|
|
mkdir -p ${OVN_SYSCONFDIR}/ovn
|
|
|
|
if [ `basename $1` = 'ovn-ctl' -a `snapctl get config.is-clustered` == 'true' ]
|
|
then
|
|
# TODO: replace this with a secure alternative once TLS is supported.
|
|
# Create an SB TCP socket to be used by remote ovn-controller and neutron-ovn-metadata
|
|
# agents.
|
|
exec $@ --db-sb-create-insecure-remote=yes
|
|
else
|
|
exec $@
|
|
fi
|