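HTTPS support for the OpenStack Heat service API
Background
OpenStack Queens release.
The goal is for the OpenStack Heat service API to support HTTPS. OpenStack services default to HTTP, so first confirm that the service is reachable normally over HTTP. HTTPS then requires a certificate; for how to create one, see another of my blog posts.
Create the endpoint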
$ openstack endpoint create --region RegionOne \
orchestration public https://controller:8004/v1/%\(tenant_id\)s
Configuration
Copy the generated certificate and grant the heat user ownership of it
$ cp /root/ssl/self/* /etc/heat/self/
$ chown -R heat:heat /etc/heat/self/
Edit /etc/heat/heat.conf
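[heat_api]
bind_port = 8004
# Certificate and private key that heat-api serves on bind_port
cert_file = /etc/heat/self/server.crt
key_file = /etc/heat/self/server.key
[clients_heat]
endpoint_type = publicURL
# insecure = True: Heat's own heat client does not verify the server certificate
insecure = True
url = https://10.175.183.15:8004/v1/%(tenant_id)s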
Restart the services
systemctl restart openstack-heat-api.service openstack-heat-api-cfn.service openstack-heat-engine.service
Check /var/log/heat/heat-api.log
Once the log shows the service on https, it is working
eventlet.wsgi.server [-] (9705) wsgi starting up on https://0.0.0.0:8004
INFO heat.common.wsgi [-] Started child 9706
INFO eventlet.wsgi.server [-] (9706) wsgi starting up on https://0.0.0.0:8004
INFO heat.common.wsgi [-] Started child 9707
INFO eventlet.wsgi.server [-] (9707) wsgi starting up on https://0.0.0.0:8004
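Modify the dashboard configuration file
Just as I was feeling pleased with myself, I found that the dashboard could no longer be accessed. Strangely, it reported no error.
# Watch the journal
journalctl -xf
# The following error shows up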
Feb 20 03:14:27 controller heat-api[38517]: Traceback (most recent call last):
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/greenpool.py", line 88, in _spawn_n_impl
Feb 20 03:14:27 controller heat-api[38517]: func(*args, **kwargs)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 734, in process_request
Feb 20 03:14:27 controller heat-api[38517]: proto.__init__(sock, address, self)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/SocketServer.py", line 649, in __init__
Feb 20 03:14:27 controller heat-api[38517]: self.handle()
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/BaseHTTPServer.py", line 340, in handle
Feb 20 03:14:27 controller heat-api[38517]: self.handle_one_request()
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/wsgi.py", line 339, in handle_one_request
Feb 20 03:14:27 controller heat-api[38517]: self.raw_requestline = self.rfile.readline(self.server.url_length_limit)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/socket.py", line 476, in readline
Feb 20 03:14:27 controller heat-api[38517]: data = self._sock.recv(self._rbufsize)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 194, in recv
Feb 20 03:14:27 controller heat-api[38517]: return self._base_recv(buflen, flags, into=False)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 227, in _base_recv
Feb 20 03:14:27 controller heat-api[38517]: read = self.read(nbytes)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 139, in read
Feb 20 03:14:27 controller heat-api[38517]: super(GreenSSLSocket, self).read, *args, **kwargs)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib/python2.7/site-packages/eventlet/green/ssl.py", line 113, in _call_trampolining
Feb 20 03:14:27 controller heat-api[38517]: return func(*a, **kw)
Feb 20 03:14:27 controller heat-api[38517]: File "/usr/lib64/python2.7/ssl.py", line 651, in read
Feb 20 03:14:27 controller heat-api[38517]: v = self._sslobj.read(len or 1024)
Feb 20 03:14:27 controller heat-api[38517]: SSLError: [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1822)
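The problem is clear: heat-api was switched to https and the dashboard fails authentication. So I started digging into httpd and tried configuring the certificate in many places, all of which failed. In the end I found the fix in the dashboard's configuration file.
First confirm whether mod_ssl is installed.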
$ vi /etc/openstack-dashboard/local_settings
# Change
# Disable SSL certificate checks (useful for self-signed certificates):
OPENSTACK_SSL_NO_VERIFY = True
$ systemctl restart httpd.service
Testing
Add the following to the environment file ~/adminrc, then source it
export OS_CACERT=/root/ssl/self/server.crt
Test with a CLI command. Once the output is normal, the old HTTP endpoints for Heat on port 8004 can be deleted.
$ openstack stack list
$ tail -f /var/log/heat/heat-api.log
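An added example, not from the original post: shell checks to run on the copied certificate before restarting heat-api. They confirm that the key matches the certificate, that the key file grants nothing to group or others, and that the certificate covers both names this page uses for the API (controller and 10.175.183.15), which is what client-side verification with OS_CACERT depends on. The function names are hypothetical, and make_demo_cert only builds a constructed throwaway certificate for trying the checks offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Succeeds only if the private key belongs to the certificate.
cert_matches_key() {
    local a b
    a=$(openssl x509 -noout -pubkey -in "$1") || return 2
    b=$(openssl pkey -pubout -in "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeeds only if the certificate is valid for a DNS name or IPv4 address.
cert_covers_name() {
    local flag=-checkip
    # Anything that is not purely digits and dots is treated as a host name.
    case $2 in *[!0-9.]*) flag=-checkhost ;; esac
    openssl x509 -noout "$flag" "$2" -in "$1" | grep -q 'does match certificate'
}

# Succeeds only if the key file grants nothing to group or others.
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# usage: check_heat_tls CRT KEY NAME...
check_heat_tls() {
    local crt=$1 key=$2 rc=0 n
    shift 2
    cert_matches_key "$crt" "$key" || { echo "FAIL: $key does not match $crt"; rc=1; }
    key_is_private "$key" || { echo "FAIL: $key is readable by group/other"; rc=1; }
    for n in "$@"; do
        cert_covers_name "$crt" "$n" || { echo "FAIL: certificate not valid for $n"; rc=1; }
    done
    return $rc
}

# Constructed throwaway certificate for trying the checks offline.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=controller' \
        -addext 'subjectAltName=DNS:controller,IP:10.175.183.15' \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# On the controller from this page:
# check_heat_tls /etc/heat/self/server.crt /etc/heat/self/server.key controller 10.175.183.15
```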