When I do:
[root@fed-cloud09 ~(keystone_admin)]# cinder type-list
ERROR: Unable to establish connection: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Which just translates to:
[root@fed-cloud09 ~(keystone_admin)]# curl -i https://fed-cloud09.cloud.fedoraproject.org/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Is it time to get the SSL cert signed by some CA? However, I would swear I did not have this problem yesterday. But it behaves this way even if I revert my work.
Comments are welcome.
On Wed, 04 Feb 2015 18:07:03 +0100 Miroslav Suchý msuchy@redhat.com wrote:
When I do:
[root@fed-cloud09 ~(keystone_admin)]# cinder type-list
ERROR: Unable to establish connection: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Which just translates to:
[root@fed-cloud09 ~(keystone_admin)]# curl -i https://fed-cloud09.cloud.fedoraproject.org/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Is it time to get the SSL cert signed by some CA? However, I would swear I did not have this problem yesterday. But it behaves this way even if I revert my work.
Comments are welcome.
Odd. Wonder why it would complain now when it didn't before. ;(
In any case, I think it would be good to get a real cert, but fed-cloud09 seems kind of off to me.
Could we instead call it 'openstack.cloud.fedoraproject.org' or 'controller.cloud.fedoraproject.org' or something? Not sure if that needs us to rename/reinstall the node, or can just be done in the cert...
Along those same lines, how about we move the existing host playbooks to a group/openstack-controller.yml (currently just fed-cloud09, but I'd like to see if we can allocate one machine moving forward to be our test for the 'next' openstack) and group/openstack-compute.yml (fed-cloud10/11, but some more will be installed next week) to make them more generic and ready for more nodes?
kevin
On 02/05/2015 01:13 AM, Kevin Fenzi wrote:
Could we instead call it 'openstack.cloud.fedoraproject.org' or 'controller.cloud.fedoraproject.org' or something? Not sure if that needs us to rename/reinstall the node, or can just be done in the cert...
It can be just a CNAME + the name in the cert. Reinstall is quite fast with Ansible; that is no problem. I automated all but one workaround (there is usually still a need for one reboot).
Along those same lines, how about we move the existing host playbooks to a group/openstack-controller.yml (currently just fed-cloud09, but I'd like to see if we can allocate one machine moving forward to be our test for the 'next' openstack) and group/openstack-compute.yml (fed-cloud10/11, but some more will be installed next week) to make them more generic and ready for more nodes?
The compute node is already in roles/cloud_compute/tasks/main.yml, so migration to groups should be easy (not my priority though). I see no benefit in migrating the controller playbook to a group or roles. It is only one. I +1 the controller-next instance, because upgrading OpenStack is not supported. However, those playbooks will be quite different and it does not make sense to have them in one playbook with "when" directives.
On Thu, 05 Feb 2015 10:05:22 +0100 Miroslav Suchý msuchy@redhat.com wrote:
On 02/05/2015 01:13 AM, Kevin Fenzi wrote:
Could we instead call it 'openstack.cloud.fedoraproject.org' or 'controller.cloud.fedoraproject.org' or something? Not sure if that needs us to rename/reinstall the node, or can just be done in the cert...
It can be just a CNAME + the name in the cert. Reinstall is quite fast with Ansible; that is no problem. I automated all but one workaround (there is usually still a need for one reboot).
Sure, true.
Along those same lines, how about we move the existing host playbooks to a group/openstack-controller.yml (currently just fed-cloud09, but I'd like to see if we can allocate one machine moving forward to be our test for the 'next' openstack) and group/openstack-compute.yml (fed-cloud10/11, but some more will be installed next week) to make them more generic and ready for more nodes?
The compute node is already in roles/cloud_compute/tasks/main.yml, so migration to groups should be easy (not my priority though).
Sure. Just makes more sense to me.
I see no benefit in migrating the controller playbook to a group or roles. It is only one. I +1 the controller-next instance, because upgrading OpenStack is not supported. However, those playbooks will be quite different and it does not make sense to have them in one playbook with "when" directives.
Good point. So how about:
hosts/fed-cloud09.cloud.fedoraproject.org.yml -> hosts-> openstack-icehouse-controller.yml
hosts/fed-cloud* -> groups/openstack-icehouse-compute.yml
Of course this is all just somewhat cosmetic. I just wanted to do it before we added more compute nodes.
kevin
infrastructure@lists.fedoraproject.org