Channel: Adam Young's Web Log
Browsing all 516 articles

Tripleo HA Federation Proof-of-Concept

Keystone has supported identity federation for several releases. I have been working on a proof-of-concept integration of identity federation in a TripleO deployment. I was able to successfully login...


Diagnosing Tripleo Failures Redux

Hardy Steven has provided an invaluable reference with his troubleshooting blog post. However, I recently had a problem that didn’t quite match what he was showing. Zane Bitter got me oriented. Upon a...


RBAC Policy Updates in Tripleo

Policy files contain the access control rules for an OpenStack deployment. The upstream policy files are conservative and restrictive; they are designed to be customized on the end user’s system....

Running Unit Tests on Old Versions of Keystone

Just because Icehouse is EOL does not mean no one is running it. One part of my job is back-porting patches to older versions of Keystone that my Company supports. A dirty secret is that we only...

Running Qemu/KVM without libvirt

When I booted a VM yesterday, I noticed that there was a huge command line that showed up if I ran ps. I tried to run that by hand. It is huge, so I wrapped it with a script, but the command is not too...


Deploying Server on Ironic Node Baseline

My team is working on the ability to automatically enroll servers launched from Nova in FreeIPA. Debugging the process has proven challenging; when things fail, the node does not come up, and there is...

Deploying Fernet on the Overcloud

Here is a proof of concept of deploying an OpenStack Tripleo Overcloud using the Fernet token Provider. I’m going to take the short cut of using the Keystone setup on the undercloud to generate the...

Generating Token Request JSON from Environment Variables

When working with new APIs we need to test them with curl prior to writing the Python client. I’ve often had to hand-create the JSON used for the token request, as I wrote about way back here. Here is...


Getting the URLs out of the Service Catalog with jq

When you make a call to Keystone to get a token, you also get back the service catalog. While many of my scripts have used the $OS_AUTH_URL to make follow on calls, if the calls are administrative in...


Hierarchy of Isolation

One way to understand threads, processes, containers, and VMs is to look at what each level of abstraction provides for isolation. abstraction stack & instructions heap process IDs, filesystem...

Mirroring Keystone Delegations in FreeIPA/389DS

This is more musing than a practical design. Most application servers have a means to query LDAP for the authorization information for a user. This is separate from, and follows after, authentication...

Distinct RBAC Policy Rules

The ever-elusive bug 968696 is still out there, due, in no small part, to the distributed nature of the policy mechanism. One question I asked myself as I chased this beastie is “how many distinct...

Importing a Public SSH Key

Rex was setting up a server and wanted some help. His hosting provider had set him up with a username and password for authentication. He wanted me to log in to the machine under his account to help...


Translating Between RDO/RHOS and upstream releases Redux

I posted this once before, but we’ve moved on a bit since then. So, an update. #!/usr/bin/python upstream = ['Austin', 'Bexar', 'Cactus', 'Diablo', 'Essex (Tag 2012.1)', 'Folsom (Tag 2012.2)', 'Grizzly...

Running the Cyrus SASL Sample Server and Client

When I start working on a new project, I usually start by writing a “Hello, World” program and going step by step from there. When trying to learn Cyrus SASL, I found I needed something comparable,...


Securing the Cyrus SASL Sample Server and Client with Kerberos

Since running the Cyrus SASL sample server and client was not too bad, I figured I would see what happened when I tried to secure it using Kerberos. Table of contents Mechanisms Kerberos Keytabs...

Minecraft X Y Z

Minecraft uses the Cartesian coordinate system to locate and display blocks. That means that every block location in a Minecraft universe can be described using three values: X, Y, and Z. Even the...

Circles in Minecraft?

Minecraft is a land of Cubes. And yet, in this blockland, it turns out the circle is a very powerful tool. Using the basics of trigonometry, we can build all sorts of things. Table of contents BlockPos...

Keystone Domains are Projects

Yesterday, someone asked me about inherited role assignments in Keystone projects. Here is what we worked out. For access control to resources in Nova or other remote services, all that matters is the...

Showing Code

Jill Jubinski is a well known and respected community leader in OpenStack. When she says something, especially about recruiting, it is worth listening to her, and evaluating what she says. When she...
