Re: Proper SSL cert for fed-cloud09?
On 02/05/2015 01:13 AM, Kevin Fenzi wrote: Could we instead call it 'openstack.cloud.fedoraproject.org' or 'controller.cloud.fedoraproject.org' or something? Not sure if that needs us to rename/reinstall the node, or can just be done in the cert... It can be just cname + name in cert. Reinstall is quite fast with ansible, that is no problem. I automated all but one workaround (there is still usually need one reboot). Along those same lines, how about we move the existing host playbooks to a group/openstack-controller.yml (currently just fed-cloud09, but I'd like to see if we can allocate one machine moving forward to be our test for the 'next' openstack) and group/openstack-compute.yml (fed-cloud10/11, but some more will be installed next week) to make them more generic and ready for more nodes? Compute node is already in roles/cloud_compute/tasks/main.yml so migration to groups should be easy (not my priority thou). I see no benefits in migrating controller playbook to group or roles. It is only one. I +1 to controller-next instance, because upgrade of OpenStack is not supported. However those playbook will be quite different and it does not have sense to have them in one playbook with when directives. -- Miroslav Suchy, RHCE, RHCDS Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys ___ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Re: Proper SSL cert for fed-cloud09?
On Thu, 05 Feb 2015 10:05:22 +0100 Miroslav Suchý msu...@redhat.com wrote: On 02/05/2015 01:13 AM, Kevin Fenzi wrote: Could we instead call it 'openstack.cloud.fedoraproject.org' or 'controller.cloud.fedoraproject.org' or something? Not sure if that needs us to rename/reinstall the node, or can just be done in the cert... It can be just cname + name in cert. Reinstall is quite fast with ansible, that is no problem. I automated all but one workaround (there is still usually need one reboot). Sure, true. Along those same lines, how about we move the existing host playbooks to a group/openstack-controller.yml (currently just fed-cloud09, but I'd like to see if we can allocate one machine moving forward to be our test for the 'next' openstack) and group/openstack-compute.yml (fed-cloud10/11, but some more will be installed next week) to make them more generic and ready for more nodes? Compute node is already in roles/cloud_compute/tasks/main.yml so migration to groups should be easy (not my priority thou). Sure. Just makes more sense to me. I see no benefits in migrating controller playbook to group or roles. It is only one. I +1 to controller-next instance, because upgrade of OpenStack is not supported. However those playbook will be quite different and it does not have sense to have them in one playbook with when directives. Good point. So how about: hosts/fed-cloud09.cloud.fedoraproject.org.yml - hosts- openstack-icehouse-controller.yml hosts/fed-cloud* - groups/openstack-icehouse-compute.yml Of course this is all just somewhat cosmetic. I just wanted to do it before we added more compute nodes. kevin pgpsNRHeMTPIX.pgp Description: OpenPGP digital signature ___ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Proper SSL cert for fed-cloud09?
When I do: [root@fed-cloud09 ~(keystone_admin)]# cinder type-list ERROR: Unable to establish connection: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Which just transit to: [root@fed-cloud09 ~(keystone_admin)]# curl -i https://fed-cloud09.cloud.fedoraproject.org/ curl: (60) Peer's certificate issuer has been marked as not trusted by the user. Is it time to get SSL cert signed by some CA? However I would swear I had not this problems yesterday. But it behaves this way even if I revert my work. Comments are welcome. -- Miroslav Suchy, RHCE, RHCDS Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys ___ infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure