)]}'
{
  "log": [
    {
      "commit": "3f28c272d0a3ae78329c81227a66c703d6a489d7",
      "tree": "45bc4dc0ee37b8298f2c0d0c62ffe458fae52ce4",
      "parents": [
        "7de6e0b2eca9ac661a92badef4488d8d6380b06f"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Wed Oct 28 13:05:14 2020 +0000"
      },
      "committer": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Wed Oct 28 13:06:52 2020 +0000"
      },
      "message": "Remove deprecated tail_log function\n\nThis function has been deprecated for a long time, let\u0027s finally\nremove it. It is only generating a warning anyway.\n\nChange-Id: I7bd440adf2ce8283e3ad3d5d09e6b2b877e2b42e\n"
    },
    {
      "commit": "d3b41b528d6e84cc632fb780b85877e6ad1a4bef",
      "tree": "60e50c8a047a47d4d407d42b1497b602faee8330",
      "parents": [
        "3e0960d78f040b0d6b593a5e2fa107d8fd26a41a",
        "0137703825ea5f493e7486e19c2d83b328ca2998"
      ],
      "author": {
        "name": "Zuul",
        "email": "zuul@review.opendev.org",
        "time": "Tue Jul 07 08:43:50 2020 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Tue Jul 07 08:43:50 2020 +0000"
      },
      "message": "Merge \"Allow IP-based subject alt names\""
    },
    {
      "commit": "d7a82f41e469fc51fb021184c1fa6c98da428411",
      "tree": "8b0efcf039e29af25b4c70f7a842ae3b44cfbda6",
      "parents": [
        "f6286cb586eb1f861866bfdf85c4f873c79fd592"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Tue Jun 23 10:21:09 2020 +0200"
      },
      "committer": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Fri Jun 26 15:27:32 2020 +0200"
      },
      "message": "Drop support for python2\n\npython2 is EOL, let\u0027s move on and only support python3.\n\nChange-Id: Ieffda4edea9cc19484c04420ed703f7141ef9f15\n"
    },
    {
      "commit": "3cd41019b048349b42ec62d5602beb89bed9e975",
      "tree": "817c2f03de7efe9c05e229009ef21b82125988f7",
      "parents": [
        "ef4e75137d770a55482470ac9dc97a326f648c8a"
      ],
      "author": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Thu Apr 16 13:06:07 2020 +1000"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Apr 22 14:01:53 2020 +1000"
      },
      "message": "lib/tls: use python3 to run inline script\n\nWe only need to run this fixup for the active python now we are 3 only.\n\nChange-Id: I7616e5ee5693b2890fb7f6bd9052890a82904c22\n"
    },
    {
      "commit": "0fe25e31a8ff40d76279e55c731fd31a93f0d21c",
      "tree": "498341c669dbdd2685fa708912ecd17ac9f35391",
      "parents": [
        "f7302e1af10938a0ffc259ab9bfd3919693fe36b"
      ],
      "author": {
        "name": "Julia Kreger",
        "email": "jkreger@gmail.com",
        "time": "Thu Jun 20 20:39:53 2019 -0700"
      },
      "committer": {
        "name": "Dmitry Tantsur",
        "email": "dtantsur@protonmail.com",
        "time": "Mon Aug 12 08:46:56 2019 +0200"
      },
      "message": "Add the IPv6 IP to the TLS cert\n\nFor some crazy reason, we\u0027ve forgotten about trying\nto use IPv6 addresses directly with the SSL certificates.\n\nSo let\u0027s add some logic so clients can connect directly\nwith the v6 IP.\n\nChange-Id: Ie8b8a2d99945f028bebe805b83bfd863b7b72d57\n"
    },
    {
      "commit": "e344c97c0eb93e1d96ca8ebe250bb08d227ef5ac",
      "tree": "a5ae10e73d706aa0b60509907b9a68a1e0c7b940",
      "parents": [
        "2f11f6666657e9231b4b8a815efbe7d31814290c"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Fri Dec 07 14:49:15 2018 -0800"
      },
      "committer": {
        "name": "Matt Riedemann",
        "email": "mriedem.os@gmail.com",
        "time": "Sat Dec 08 18:24:26 2018 +0000"
      },
      "message": "Set apache proxy-initial-not-pooled env var\n\nWe\u0027ve run into what appears to be a race with apache trying to reuse a\npooled connection to a backend when that pool connection is closing.\nThis leads to errors like:\n\n  [Fri Dec 07 21:44:10.752362 2018] [proxy_http:error] [pid 19073:tid 139654393218816] (20014)Internal error (specific information not available): [client 104.130.127.213:45408] AH01102: error reading status line from remote server 127.0.0.1:60999\n  [Fri Dec 07 21:44:10.752405 2018] [proxy:error] [pid 19073:tid 139654393218816] [client 104.130.127.213:45408] AH00898: Error reading from remote server returned by /image/v2/images/ec31a4fd-e22b-4e97-8c6c-1ef330823fc1/file\n\nAccording to the internets this can be addressed (at the cost of some\nperformance) by setting the proxy-initial-not-pooled env var for mod\nproxy. From the mod_proxy docs:\n\n  If this variable is set, no pooled connection will be reused if the client\n  request is the initial request on the frontend connection. This avoids the\n  \"proxy: error reading status line from remote server\" error message caused\n  by the race condition that the backend server closed the pooled connection\n  after the connection check by the proxy and before data sent by the proxy\n  reached the backend. It has to be kept in mind that setting this variable\n  downgrades performance, especially with HTTP/1.0 clients.\n\nCloses-Bug: #1807518\n\nChange-Id: I374deddefaa033de858b7bc15f893bf731ad7ff2\n"
    },
    {
      "commit": "0137703825ea5f493e7486e19c2d83b328ca2998",
      "tree": "f93bffbe8e8f891be85ffabd188d61b126d1b7e4",
      "parents": [
        "78a564bb0304b6f930e1491e7e116a0a0f6d9ab6"
      ],
      "author": {
        "name": "Tim Burke",
        "email": "tim.burke@gmail.com",
        "time": "Fri Nov 30 14:40:12 2018 -0800"
      },
      "committer": {
        "name": "Tim Burke",
        "email": "tim.burke@gmail.com",
        "time": "Fri Nov 30 14:40:12 2018 -0800"
      },
      "message": "Allow IP-based subject alt names\n\n... even when no other subject alt names provided\n\nPreviously, a non-voting job in barbican\u0027s gate would fail with something like\n\n  X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:319:\n  X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:140:name\u003dsubjectAltName,section\u003dDNS:pykmip-server,,IP:198.72.124.103\n  X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name\u003dsubjectAltName, value\u003dDNS:pykmip-server,,IP:198.72.124.103\n\nbecause we\u0027d have an invalid empty string.\n\nChange-Id: I5459b8976539924cd6cc6c1e681b6753a76b804c\n"
    },
    {
      "commit": "9a543a81acb808e4275765da7ff0f613109b6603",
      "tree": "7080c74347342c76fe148aac48ed1a8d3b6a3bca",
      "parents": [
        "02ca8da102798608599f8e4adb7b1dc890a6f124"
      ],
      "author": {
        "name": "aojeagarcia",
        "email": "aojeagarcia@suse.com",
        "time": "Fri Sep 28 08:55:49 2018 +0200"
      },
      "committer": {
        "name": "Antonio Ojea",
        "email": "itsuugo@gmail.com",
        "time": "Sun Oct 07 21:21:12 2018 +0000"
      },
      "message": "Don\u0027t use ipv6 for DNS SAN fields with python3\n\nPython2 match routines for x509 fields are broken and have to use\nthe DNS field for ip addresses.\n\nThe problem is that if you use ipv6 addresses in the DNS field,\nurllib3 fails when trying to encode it.\n\nSince python3 match routines for x509 fields are correct, this patch\ndisables the hack for python3, encoding the ip address in the\ncorresponding field only of the certificate.\n\nPartial-Bug: #1794929\nDepends-On: https://review.openstack.org/#/c/608468\n\nChange-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156\nSigned-off-by: aojeagarcia \u003caojeagarcia@suse.com\u003e\n"
    },
    {
      "commit": "dc7b4294632172d0b743f98448942fe260a8a3ff",
      "tree": "b3c4c6da9ba5624306e74e92e7868cf756f94a86",
      "parents": [
        "a6a36d11d8ec39f6d782596469884559bc768d21"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Tue Sep 19 10:52:32 2017 +0000"
      },
      "committer": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Sun Mar 11 08:53:41 2018 +0000"
      },
      "message": "Fix running with SERVICE_IP_VERSION\u003d6\n\n- There are some locations where we need the raw IPv6 address instead of the\n  url-quoted version enclosed in brackets.\n- Make nova-api-metadata service listen on IPv6 when we need that.\n- Use SERVICE_HOST instead of HOST_IP for TLS_IP.\n\nChange-Id: Id074be38ee95754e88b7219de7d9beb06f796fad\nPartial-Bug: 1656329\n"
    },
    {
      "commit": "9f71c4ad4eb7b122e4941e97f2f56a70e203b35c",
      "tree": "6c453ca21c62601a0f428587dd5d48d146420873",
      "parents": [
        "fddf3430d8b3bb6bc60c6c69c344e7ae437ee894",
        "e9870eb18d19dbb807d4d312cf4aead23c6f8f40"
      ],
      "author": {
        "name": "Zuul",
        "email": "zuul@review.openstack.org",
        "time": "Tue Feb 20 09:39:19 2018 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Tue Feb 20 09:39:19 2018 +0000"
      },
      "message": "Merge \"nova: add support for TLS between novnc proxy \u0026 compute nodes\""
    },
    {
      "commit": "1db9b5d3cab9ecfdc3505ea40ac4f504075fbea0",
      "tree": "9eca60af9b55ebb0d630b8cccfb948938ccd1dba",
      "parents": [
        "2c9343e5db44fa7a41ca6924737331dd9088ef8f"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Fri Nov 03 08:37:21 2017 +0000"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Fri Nov 10 10:43:19 2017 +1100"
      },
      "message": "Remove apache tls-proxy sites when stopping\n\nCurrently doing a cycle of\n\n    ./stack.sh; ./unstack.sh; ./stack.sh\n\nfails because the leftover tls-proxy sites will cause apache startup to\nfail on the second stack.sh run. So we need to disable these sites on\nrunning stop_tls_proxy.\n\nChange-Id: I03e6879be332289d19ca6a656f5f9f139dffff6f\nCloses-Bug: 1718189\n"
    },
    {
      "commit": "e9870eb18d19dbb807d4d312cf4aead23c6f8f40",
      "tree": "866a8d3fad5408829aec2c062ecf85c2e26052ad",
      "parents": [
        "9640d3bfbf55e74560677f9a13c241303666543a"
      ],
      "author": {
        "name": "Daniel P. Berrange",
        "email": "berrange@redhat.com",
        "time": "Thu Nov 10 13:03:32 2016 +0000"
      },
      "committer": {
        "name": "melanie witt",
        "email": "melwittt@gmail.com",
        "time": "Thu Oct 19 18:32:51 2017 +0000"
      },
      "message": "nova: add support for TLS between novnc proxy \u0026 compute nodes\n\nNova is gaining the ability to run TLS over the connection between the\nnovnc proxy service and the QEMU/KVM compute node VNC server.\n\nThis adds a new config param - \u0027NOVA_CONSOLE_PROXY_COMPUTE_TLS\u003dTrue\u0027 -\nwhich instructs devstack to configure libvirt/QEMU to enable TLS for the\nVNC server, and to configure the novncproxy to use TLS when connecting.\nNB this use of TLS is distinct from use of TLS for the public facing API\ncontrolled by USE_SSL, they can be enabled independently.\n\nThis is done in a generic manner so that it is easy to extend to cover\nuse of TLS with the SPICE and serial console proxy services too.\n\nChange-Id: Ib29d3f5f18533115b9c51e27b373e92fc0a28d1a\nDepends-on: I9cc9a380500715e60bd05aa5c29ee46bc6f8d6c2\nImplements bp: websocket-proxy-to-host-security\n"
    },
    {
      "commit": "80021b8f9fff243b8edad6d9f1139bd080cea608",
      "tree": "cc0ef728e98064de812efc6f4c06617b43384323",
      "parents": [
        "0f75c57ad6b0011561777ae95b53612051149518",
        "411c34da69f423059a04431a542be2b1b7a65f38"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Fri Sep 08 15:27:18 2017 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Fri Sep 08 15:27:18 2017 +0000"
      },
      "message": "Merge \"Fix URLs when running with tls-proxy enabled\""
    },
    {
      "commit": "411c34da69f423059a04431a542be2b1b7a65f38",
      "tree": "0ba2887bdc4267484887e158b000a02fb48770aa",
      "parents": [
        "c5aca3c99660a65f9e690b93f7f260ff7cf30c15"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Tue Aug 29 14:40:26 2017 +0000"
      },
      "committer": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Tue Aug 29 14:40:26 2017 +0000"
      },
      "message": "Fix URLs when running with tls-proxy enabled\n\nVarious services are returning broken links when running behind\ntls-proxy. These issues can be fixed by setting the X-Forwarded-Proto\nheader in the apache config and letting oslo_middleware parse it.\n\nChange-Id: Ibe5dbdc4644ec812f0435f59319666fc336c195a\nPartial-Bug: 1713731\n"
    },
    {
      "commit": "4639984b96a3ff7be28357ccbd7c8ffa60371c42",
      "tree": "6a01c2b7e93ff80100599295d73259d818e36227",
      "parents": [
        "c5aca3c99660a65f9e690b93f7f260ff7cf30c15"
      ],
      "author": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Mon Aug 28 11:43:37 2017 +0000"
      },
      "committer": {
        "name": "Jens Harbott",
        "email": "j.harbott@x-ion.de",
        "time": "Mon Aug 28 11:43:37 2017 +0000"
      },
      "message": "Update function description for start_tls_proxy\n\nIn [1] the definition of the function was changed, adding the service\nname as first parameter. Since this seems to have caused failures in\nsome plugins, at least update the function template accordingly.\n\n[1] Ifcba410f5969521e8b3d30f02795541c1661f83a\n\nChange-Id: I4d03957f8d3a18625f06379fb21aa7ba55e32797\n"
    },
    {
      "commit": "139837d69d8566088125d29739089aec7b2a9e7c",
      "tree": "bb98976d7d675b02790643d2144ec37f67924338",
      "parents": [
        "dea3083d984569eac9647f1a28f10ae98afc42f7"
      ],
      "author": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Tue Aug 08 17:51:29 2017 +1000"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Aug 09 06:30:22 2017 +1000"
      },
      "message": "Make TLS logs more readable\n\nAfter looking at these for I9881f2e7d51fdd9fc0f7fb3e37179aa53171b531 I\nfound them not as useful as they could be.\n\nFix the CustomLog command, that wants the logfile then the format\nstring (or a nickname, which the LogFormat line wasn\u0027t setting).  Use\nstandard micro-second timestamps, and trim the access log to have more\nrelevant info.\n\nChange-Id: I9f4c8ef38ab9e08aeced7b309d4a5276de07af4b\n"
    },
    {
      "commit": "8f314400d8dd7113f828a7e53f1c37819fbe1c5f",
      "tree": "a758a909bfe743bf07bda03fb05dd42341d539cd",
      "parents": [
        "02d8a0cd2196efa9675d117ccc3cf7e86e44ed3f",
        "f4dbd12f78236c7c98b68d7841783ed29d6e77d7"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Thu Jun 29 23:00:35 2017 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Thu Jun 29 23:00:35 2017 +0000"
      },
      "message": "Merge \"Set specified header size when enabling tls-proxy\""
    },
    {
      "commit": "f4dbd12f78236c7c98b68d7841783ed29d6e77d7",
      "tree": "df6be669227e353e013c6ad158e01bd88ddc33ad",
      "parents": [
        "a718b5ea9227ff55ca52dcd156f06b43fe2e3ca3"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Wed May 31 13:17:22 2017 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Mon Jun 05 12:47:50 2017 -0700"
      },
      "message": "Set specified header size when enabling tls-proxy\n\nAs part of getting swift\u0027s functional testing to work properly through\nthe tls-proxy we need to increase the allowed request header size in\napache. This was a non issue without tls proxy as requests hit the\neventlet webserver directly which was configured via the swift config\nwhich sets this relatively large limit (by default devstack configures\nswift to have a header size limit of 16384).\n\nNow we pass in an optional parameter to start_tls_proxy that includes\nthe desired header size. lib/swift then passes in the value it also\nconfigures in its swift.conf.\n\nIf not explicitly set we default to 8190 which is apache2\u0027s default.\n\nChange-Id: Ib2811c8d3cbb49cf94b70294788526b15a798edd\n"
    },
    {
      "commit": "dc9ef55fc6be8eb7c83115ec19dfc39256c04302",
      "tree": "ec5bc36ed7409b75a655adc6fbbbb0f75a793691",
      "parents": [
        "a718b5ea9227ff55ca52dcd156f06b43fe2e3ca3",
        "35649ae0d2a356c310fd92f16356bdd086cab290"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Wed May 31 20:48:10 2017 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Wed May 31 20:48:10 2017 +0000"
      },
      "message": "Merge \"Make stack.sh work on SUSE\""
    },
    {
      "commit": "35649ae0d2a356c310fd92f16356bdd086cab290",
      "tree": "896b2dddcdd7e6884f7876dd20293d834e1833a6",
      "parents": [
        "9b2a2fa55dbba724a781d2720546611a8add8936"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Sat May 27 17:52:55 2017 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Sun May 28 09:58:51 2017 -0700"
      },
      "message": "Make stack.sh work on SUSE\n\nThis adds packages to suse for systemd python linkages as well as\napache2 and which. And configures mod_proxy and mod_proxy_uwsgi with\na2enmod.\n\nWe also properly query if apache mods are enabled to avoid running\ninto systemd service restart limits. Enable mod_version across the board\nas we use it and it may not be enabled by default (like in SUSE).\n\nAlso in addition to enabling mod_ssl we enable the SSL flag so that TLS\nwill work...\n\nFinally we tell the system to trust the devstack CA.\n\nChange-Id: I3442cebfb2e7c2550733eb95a12fab42e1229ce7\n"
    },
    {
      "commit": "4baac6572573945f49b3b3df7b7ea27f15955477",
      "tree": "c748271777e5815cb2b1f8e22fdbc8532caf22c6",
      "parents": [
        "faffde1f970c0786d0256e4d51725fbe2ceda063"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Sat May 27 20:53:20 2017 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Sat May 27 20:57:56 2017 -0700"
      },
      "message": "Use proper python when configuring certs\n\nWe have to do silly overrides of cert locations for requests for\nreasons. If we are running under python3 then we were previously looking\nin the wrong location for the requests certs. Update the cert fixing\nfunction to properly use python3 to find the certs if python3 is\nenabled.\n\nChange-Id: Id1369da0d812edcf9b1204e9c567f8bfe77c48b2\n"
    },
    {
      "commit": "faffde1f970c0786d0256e4d51725fbe2ceda063",
      "tree": "86cf143b35f4bf62cbec144a18e70c20e0f69d72",
      "parents": [
        "a292c5068ce8b285afc1ecfd473c91c8789922d3"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Thu Apr 27 09:54:27 2017 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Thu Apr 27 09:54:27 2017 -0700"
      },
      "message": "Use string cert CA defaults\n\nSwitch from sha1 to sha256 and from 1024 bits to 2048 bits. Do this\nbecause things don\u0027t like the old insecure sha1+1024bits combo.\n\nChange-Id: Iae2958969aed0cd880844e19e8055c8bdc7d064d\n"
    },
    {
      "commit": "f6a2d2cd4edd06408690081d6207ff73b76f543a",
      "tree": "787b8f9837aadc464607276dae87c573b6c24c76",
      "parents": [
        "2eb322ab2e16b017ba71cfcc4d2ce84be8e5869c"
      ],
      "author": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Apr 26 10:50:29 2017 +1000"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Apr 26 11:09:59 2017 +1000"
      },
      "message": "Always restart apache\n\nAs described in [1], it seems that mod_wsgi is not \"graceful\" reload\nsafe.  Upon re-init, it can end up in a segfault loop.\n\nThe \"reload\" (not *restart*) after setting up uwsgi was added with\nI1d89be1f1b36f26eaf543b99bde6fdc5701474fe but not causing an issue\nuntil uwsgi was enabled.\n\nWe do not notice in the gate, because the TLS setup ends up doing a\nrestart after this setup.  In the period between the\nwrite_uwsgi_config and that restart, Apache is sitting in a segfault\nloop, but we never noticed because we don\u0027t try talking to it.  Other\njobs that don\u0027t do any further apache configuration have started\nfailing, however.\n\nLooking at the original comments around \"reload_apache_server\" I\u0027m not\nsure if it is still necessary.  [2] shows it is not used outside these\ntwo calls.\n\n[1] https://bugzilla.redhat.com/show_bug.cgi?id\u003d1445540\n[2] http://codesearch.openstack.org/?q\u003dreload_apache_server\u0026i\u003dnope\u0026files\u003d\u0026repos\u003d\n\nCloses-Bug: #1686210\nChange-Id: I5234bae0595efdcd30305a32bf9c121072a3625e\n"
    },
    {
      "commit": "a1446b960fa7c21bc1e7141921d6fc95c6e212d2",
      "tree": "99228554cfa7342e82deae920762cbc2ea5a7f36",
      "parents": [
        "f3b2f4c85307b14f115a020f5eaf6c92026b55b4"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Mon Apr 17 14:31:21 2017 -0400"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Mon Apr 17 14:31:21 2017 -0400"
      },
      "message": "always retry proxy errors\n\nWhen an apache worker gets a proxy error, it will not retry talking to\nthe backend server until the retry timeout expires. We bring up the\nproxy server *before* the backend server, and poll it. If we are\nrunning a small number of workers, there is a likely chance that we\u0027re\ngoing to hit one that errored before the backend was up, thus failing\nfor no real reason.\n\nSet this to 0 instead to mean always retry failed connections.\n\nChange-Id: I9e584f087bd375f71ddf0c70f83205c425094a17\nRef: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass\n"
    },
    {
      "commit": "f3b2f4c85307b14f115a020f5eaf6c92026b55b4",
      "tree": "1f9180b6b7271a9b232bf08145ad37308fbee219",
      "parents": [
        "2f8c88e0532b6b712cc386a9c15d833d3629b19a"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Thu Apr 13 10:11:48 2017 -0400"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Mon Apr 17 07:27:32 2017 -0400"
      },
      "message": "Remove USE_SSL support\n\ntls-proxy is the way we\u0027re now doing a standard install using https\nbetween services. There is a lot more work to make services directly\nhandle https, and having python daemons do that directly is a bit of\nan anti pattern. Nothing currently tests this in project-config from\nmy recent grepping, so in the interest of long term maintenance,\ndelete it all.\n\nChange-Id: I910df4ceab6f24f3d9c484e0433c93b06f17d6e1\n"
    },
    {
      "commit": "8cf9acd577a30bf9e6a54a9d82b9b7fc9ae769fb",
      "tree": "24a6c114fc0917e42a3f0788fe0a0b6152c67b2b",
      "parents": [
        "07d612e4609367aa820d519a2ca7100b087bd25e"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Thu Mar 16 14:06:58 2017 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Fri Mar 17 11:42:41 2017 -0700"
      },
      "message": "Tune apache connection limits down\n\nWe are facing memory pressure in gate testing. Apache is fairly large so\ntune its connection limits down to try and squeeze out more useable\nmemory. This should be fine for dev envs, also tlsproxy is not enabled\nby default so we can check that this tuning works well on a subset of\njobs before making it default everywhere.\n\nData comparisons done with gate-tempest-dsvm-neutron-full-ubuntu-xenial\njobs.\n\nOld: http://logs.openstack.org/37/447037/2/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/721fc6f/logs/screen-peakmem_tracker.txt.gz\n       PID   %MEM             RSS       PPID       TIME     NLWP WCHAN                     COMMAND\n     20504    0.2           16660      19589   00:00:00       34 -                         /usr/sbin/apache2 -k start\n     20505    0.2           16600      19589   00:00:00       34 -                         /usr/sbin/apache2 -k start\n     20672    0.2           16600      19589   00:00:00       34 -                         /usr/sbin/apache2 -k start\n     20503    0.1           14388      19589   00:00:00       34 -                         /usr/sbin/apache2 -k start\n     19589    0.1            9964          1   00:00:00        1 -                         /usr/sbin/apache2 -k start\nTotal RSS: 74212\n\nNew: http://logs.openstack.org/41/446741/1/check/gate-tempest-dsvm-neutron-full-ubuntu-xenial/fa4d2e6/logs/screen-peakmem_tracker.txt.gz\n       PID   %MEM             RSS       PPID       TIME     NLWP WCHAN                     COMMAND\n      8036    0.1           15316       8018   00:00:01       34 -                         /usr/sbin/apache2 -k start\n      8037    0.1           15228       8018   00:00:01       34 -                         /usr/sbin/apache2 -k start\n      8018    0.1            8584          1   00:00:00        1 -                         /usr/sbin/apache2 -k start\nTotal RSS: 39128\n\nNote RSS here is in KB. Total difference is 35084KB or about\n34MB. Not the biggest change, but we seem to be functional and it\nalmost halves the apache overhead.\n\nChange-Id: If82fa347db140021197a215113df4ce38fb4fd17\n"
    },
    {
      "commit": "42a914cadfb3ea63dc87d3b5f9a17cf6265728cb",
      "tree": "416108f11eb53ef775f9f1df56b7ef278d0a57ca",
      "parents": [
        "0b259c3abdafa99e7194e62c9a47483ddcf6b65a",
        "bc3d01c8ec4f79c852b9cd2b0a7d679b2a777aa6"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Tue Feb 21 21:02:03 2017 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Tue Feb 21 21:02:03 2017 +0000"
      },
      "message": "Merge \"Revert \"tls proxy: immediately close a connection to the backend\"\""
    },
    {
      "commit": "437092518172770c549dabafaf9f81e3766719ce",
      "tree": "7940b17d8f12da7c25410dc26f91c9c151afc88b",
      "parents": [
        "6bd3561e9db3175f07299818ddb46a8ac7c72a12"
      ],
      "author": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Tue Feb 14 16:48:20 2017 +0100"
      },
      "committer": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Tue Feb 14 16:59:07 2017 +0100"
      },
      "message": "TLS proxy: disable HTTP KeepAlive\n\nThere\u0027s a race condition when a client makes a request \"at the same\ntime\" the HTTP connection is being closed by Apache because the\n`KeepAliveTimeout` is expired.\n\nThis is explained in detail and can be reproduced using\nhttps://github.com/mikem23/keepalive-race or\nhttps://github.com/JordanP/openstack-snippets/blob/master/keepalive-race/keep-alive-race.py\n\nJust disable KeepAlive to fix the\n(\u0027Connection aborted.\u0027, BadStatusLine(\"\u0027\u0027\",)) error we are seeing.\n\nChange-Id: I46e9f70ee740ec7996c98d386d5289c1491e9436\n"
    },
    {
      "commit": "bc3d01c8ec4f79c852b9cd2b0a7d679b2a777aa6",
      "tree": "52a8a6e5d41f4cd469805887df67a7f86c2a900a",
      "parents": [
        "e0a37cf21e43fbb4ba3f9f8fa5321a0a0e1bedf1"
      ],
      "author": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Tue Feb 14 15:35:59 2017 +0000"
      },
      "committer": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Tue Feb 14 15:46:03 2017 +0000"
      },
      "message": "Revert \"tls proxy: immediately close a connection to the backend\"\n\nThis reverts commit e0a37cf21e43fbb4ba3f9f8fa5321a0a0e1bedf1.\n\nThis didn\u0027t help fixing bug #1630664. Issue seems to be between\nclient\u003c---\u003eApache2, not between Apache2\u003c---\u003eeventlet\n\nChange-Id: I092c1bbf0c5848b50fc9e491d1e9211451208a89\n"
    },
    {
      "commit": "e0a37cf21e43fbb4ba3f9f8fa5321a0a0e1bedf1",
      "tree": "b8b09c1216328f1cc409f642d854bed500b8816f",
      "parents": [
        "999dd7e989ae850bec7158a0058c0d38893ecdae"
      ],
      "author": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Fri Feb 10 15:01:37 2017 +0100"
      },
      "committer": {
        "name": "Jordan Pittier",
        "email": "jordan.pittier@scality.com",
        "time": "Fri Feb 10 15:04:52 2017 +0100"
      },
      "message": "tls proxy: immediately close a connection to the backend\n\nForce mod_proxy to immediately close a connection to the backend\nafter being used, and thus, disable its persistent connection and\npool for that backend.\n\nLet\u0027s see if that helps fixing bug #1630664 (the\nConnection aborted/ BadStatusLine thing).\n\nWe already have an ER query (in queries/1630664.yaml) that should show\nwhether this is effective.\n\nChange-Id: I03b09f7df5c6e134ec4091a2f8dfe8ef614d1951\n"
    },
    {
      "commit": "cfb9f057ea5896687d95cdcc5aa5216ef32b87f8",
      "tree": "4a93106d96e79a8720454f959d1d02df50ae7eda",
      "parents": [
        "84fb7731787a1665ca541ff3e350949bee31685d"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Tue Nov 29 10:43:05 2016 -0800"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Tue Nov 29 10:43:05 2016 -0800"
      },
      "message": "Tune apache connections for tls proxy\n\nWe are seeing connection errors to the proxy occasionally. These errors\ndo not result in a logged http request or error to the backends,\nresulting in a theory that the proxy itself may just not be able to\nhandle the number of connections. More than double the total number of\nconnections that will be accepted by the proxy in an attempt to fix\nthis.\n\nChange-Id: Iefa6c43451dd1f95927528d2ce0003c84248847f\nRelated-bug: 1630664\n"
    },
    {
      "commit": "c30b8def82c14e161c0242307e117697e24e1ece",
      "tree": "6226ccb7655ef26916b42f0f4f5b7fe91fb790ba",
      "parents": [
        "319abcaf85791961baaed0019fa67c79c26047e0"
      ],
      "author": {
        "name": "Daniel P. Berrange",
        "email": "berrange@redhat.com",
        "time": "Mon Nov 14 13:23:14 2016 +0000"
      },
      "committer": {
        "name": "Daniel P. Berrange",
        "email": "berrange@redhat.com",
        "time": "Tue Nov 15 11:24:04 2016 +0000"
      },
      "message": "Move certificate setup earlier in deployment\n\nCurrently the x509 certificate setup is done after all the\nopenstack services have been deployed. This is OK because\nnone of the services require that the x509 certs exist\nwhen they are being deployed. With the integration of TLS\ninto the nova novnc proxy (and later spice \u0026 serial proxy)\nservice, x509 certs will need to exist before Nova is\ndeployed.\n\nThe CA setup must thus be moved earlier in the devstack\ndeployment flow, prior to the setup of any services. One\npart of the CA setup, however, fixes up the global cert\nbundle locations and this can only be done after the\npython requests module is installed, thus must remain in\nits current location.\n\nChange-Id: Idcd264fb73bb88dc2f4280c53c013dfe4364afff\n"
    },
    {
      "commit": "f06455e1b55b5419b6546a0d85ebfa734bf3c6b4",
      "tree": "27c0250bb5d50574bdce50c16931b754c530d44d",
      "parents": [
        "ec498cd0619805c409b28f81c6a7bcd3a01136ed"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Fri Oct 07 06:57:03 2016 -0400"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Fri Oct 07 06:57:03 2016 -0400"
      },
      "message": "Add a screen session for tls logs\n\nWhen tls is enabled, we aren\u0027t bringing the logs to the forefront,\nwhich makes it hard to debug when things go wrong. This does that.\n\nChange-Id: I7c6c7e324e16da6b9bfa44f4bad17401ca4ed7e3\n"
    },
    {
      "commit": "66ce5c257ae32e269ede901f1737d04e194a6457",
      "tree": "5d2037566f3d0b28a436d4fda63160c94fc61e5c",
      "parents": [
        "91d8a38e16d5dea09df13aa8063a00e31b42efae"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Wed Oct 05 12:11:05 2016 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Wed Oct 05 16:25:53 2016 -0700"
      },
      "message": "Update apache tls proxy logs\n\nThis creates log files per proxy vhost and sets the log level to info to\nhelp debug potential issues with tls proxying.\n\nChange-Id: I02a62224662b021b35c293909ba045b4b74e1df8\n"
    },
    {
      "commit": "e75d5044f40b8de53e2a5bb0fd0d3ef666eb232a",
      "tree": "26277b53c89f739fff1878198e0255de0c154972",
      "parents": [
        "71afa252500b73a03abc046fbcc0c13d9847cfc5",
        "69e3c0aac99981f17c76c22111e5c397824b8428"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Tue Sep 27 11:26:47 2016 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Tue Sep 27 11:26:47 2016 +0000"
      },
      "message": "Merge \"Update certificate creation for urllib3\""
    },
    {
      "commit": "69e3c0aac99981f17c76c22111e5c397824b8428",
      "tree": "5161ff84adf40accaccb94041a2a19a9869ec259",
      "parents": [
        "9cea4e8570f6a7e1d022bf9eae09223d3144c695"
      ],
      "author": {
        "name": "Ian Cordasco",
        "email": "graffatcolmingov@gmail.com",
        "time": "Mon Sep 26 12:53:14 2016 -0500"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Mon Sep 26 12:21:41 2016 -0700"
      },
      "message": "Update certificate creation for urllib3\n\nurllib3 1.18 was released today and contains new more correct hostname\nmatching that takes into account the ipAddress portion of a certificate\nand disallows matching an IP Address against a DNS hostname.\n\nChange-Id: I37d247b68911dc85f55adec6a7952ed321c1b1d8\n"
    },
    {
      "commit": "323b726783d6d4ef24a0c9f0d7c77b9e8b152c61",
      "tree": "08a38b4634868ed613ec280ab8fdc0967ced9ef8",
      "parents": [
        "a2d18484195e700f28e0b7cca1a29e20d9d369b0"
      ],
      "author": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Fri Sep 23 13:33:40 2016 -0700"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Mon Sep 26 11:37:18 2016 +0000"
      },
      "message": "Don\u0027t make root CA if it exists\n\nTo support multinode testing where we just copy the CA to all the\ninstances don\u0027t remake the CA if it already exists.\n\nThe end result is that you can trust a single chain and all your\nclients will be happy regardless of which host they are talking to.\n\nChange-Id: I90892e6828a59fa37af717361a2f1eed15a87ae4\n"
    },
    {
      "commit": "4b49e409f853104dae021dfca1a9342ec9ac4709",
      "tree": "dc27f7ff83839baa55b459ca4aa2230c4ed19439",
      "parents": [
        "fb1e1cc7e3de4483de48661b03a4417e2d24957a"
      ],
      "author": {
        "name": "Gregory Haynes",
        "email": "greg@greghaynes.net",
        "time": "Wed Aug 31 18:19:51 2016 -0700"
      },
      "committer": {
        "name": "Clark Boylan",
        "email": "clark.boylan@gmail.com",
        "time": "Tue Sep 20 08:14:11 2016 -0700"
      },
      "message": "Use apache for tls-proxy ssl termination\n\nStud is now abandonware (see https://github.com/bumptech/stud) and is\nnot packaged in xenial. Let\u0027s use Apache for SSL termination since it\u0027s\nthere already.\n\nChange-Id: Ifcba410f5969521e8b3d30f02795541c1661f83a\n"
    },
    {
      "commit": "be00e95da5ae57c6aaa547ee01a5cab9a13862ca",
      "tree": "d84545169430f7e6e3a361da48ec7545e43f6ed8",
      "parents": [
        "11b111fd7a064985a3c3ca20830d09ed613094a4"
      ],
      "author": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Thu Mar 24 18:09:22 2016 -0400"
      },
      "committer": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Mon Mar 28 10:00:52 2016 -0400"
      },
      "message": "Add OS_CACERT to userrc_early and ensure SERVICE_HOST is SAN\n\nOS_CACERT was being added directly to the environment rather\nthan usercc_early. This caused an untrusted CA error to be\nthrown.\n\nEnsure that SERVICE_HOST is in the Subject Alt. Names of the\nissued TLS server cert. The gate sets it to 127.0.0.1 which\nwasn\u0027t being handled. Only the FQDN of the host and actual\nIP address of the machine were being added.\n\nChange-Id: I8a91dffe1a5263d2bcc99ea406a8556045b52be2\n"
    },
    {
      "commit": "ada886dd43ccc07f48d3a82d8d3d840fe5096c03",
      "tree": "93d62f1c82edc08d813b7f9f7eb9270e7024e055",
      "parents": [
        "433a9b10ddd6fa67d7459c4943a92ce4f488cebc"
      ],
      "author": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Oct 07 14:06:26 2015 +1100"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Wed Oct 07 17:03:32 2015 +1100"
      },
      "message": "Don\u0027t mix declaration and set of locals\n\nIa0957b47187c3dcadd46154b17022c4213781112 proposes to have bashate\nfind instances of setting a local value.  The issue is that \"local\"\nalways returns 0, thus hiding any failure in the commands running to\nset the variable.\n\nThis is an automated replacement of such instances\n\nDepends-On: I676c805e8f0401f75cc5367eee83b3d880cdef81\nChange-Id: I9c8912a8fd596535589b207d7fc553b9d951d3fe\n"
    },
    {
      "commit": "1987fcc8a31478911d6c815eb0a94afcf9fa5788",
      "tree": "1d2e1354eb3dca6e6e98cf560b4a391ab4d2033d",
      "parents": [
        "dae868fcb0c2a940e7add2d2f1e9ac7fd50feda1"
      ],
      "author": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Wed Jun 10 11:00:59 2015 -0400"
      },
      "committer": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Tue Jun 16 17:57:09 2015 -0400"
      },
      "message": "Replace pip-installed requests CA bundle with link\n\nIf the version of python-requests required is higher than\nthat provided by the operating system, pip will install\nit from upstream.\n\nThe upstream version provides its own CA certificate bundle\nbased on the Mozilla bundle, and defaults to that in case\na CA certificate file is not specified for a request.\n\nThe distribution-specific packages point to the system-wide\nCA bundle that can be managed by tools such as\nupdate-ca-trust (Fedora/RHEL) and update-ca-certificates\n(Debian/Ubuntu).\n\nWhen installing in SSL/TLS mode, either with SSL\u003dTrue or by\nadding tls-proxy to ENABLED_SERVICES, if a non-systemwide\nCA bundle is used, then the CA generated by devstack will\nnot be used causing the installation to fail.\n\nReplace the upstream-provided bundle with a link to the\nsystem bundle when possible.\n\nChange-Id: I651aec93398d583dcdc8323503792df7ca05a7e7\nCloses-Bug: #1459789\n"
    },
    {
      "commit": "dc97cb71e85fc807d2cce6f054c785922d322eb9",
      "tree": "86affcfbc7054c209c2ab0a4c3f7955d5e1bf16f",
      "parents": [
        "9720239618189c13734aa32aabee9252707f2db9"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Sat Mar 28 08:20:50 2015 -0500"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Sat Mar 28 14:35:12 2015 -0500"
      },
      "message": "Mostly docs cleanups\n\nFix documentation build errors and RST formatting\n\nChange-Id: Id93153400c5b069dd9d772381558c7085f64c207\n"
    },
    {
      "commit": "e263c82e48a431e502bd6baceb6dfcfdc1750cbb",
      "tree": "5ca592e668dedb4debc6c7170f3abf37cc4bc0c6",
      "parents": [
        "2f8e08b5728f4272b415b1c0aab8ff62eae29b06"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Fri Dec 05 14:25:28 2014 -0500"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Wed Dec 10 11:28:05 2014 -0500"
      },
      "message": "add shebang lines to all lib files\n\nWith gerrit 2.8, and the new change screen, this will trigger syntax\nhighlighting in gerrit. Thus making reviewing code a lot nicer.\n\nChange-Id: Id238748417ffab53e02d59413dba66f61e724383\n"
    },
    {
      "commit": "e5dbec252aac0ca665696a5b69267f13882478c2",
      "tree": "7a7fc675e9c6ef6cd725b7136ab68836d438ef7c",
      "parents": [
        "f33e76bf9bd9a3bc39e8b3b99257a4ae98a10d25",
        "3324f19f5aeb3c8933447752dbc2c1b8c7f9b2de"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Wed Oct 08 22:14:51 2014 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Wed Oct 08 22:14:51 2014 +0000"
      },
      "message": "Merge \"Fix docs build errors\""
    },
    {
      "commit": "3324f19f5aeb3c8933447752dbc2c1b8c7f9b2de",
      "tree": "84248dfdde0ce32a415c565db32dcb04776ea51e",
      "parents": [
        "7672ad1dbc00ec5ff80f3aa670404e413e86e506"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Thu Sep 18 09:26:39 2014 -0500"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Thu Oct 02 15:30:50 2014 -0500"
      },
      "message": "Fix docs build errors\n\nFix shocco errors during docs generation\n\nCloses-Bug: 1362691\nChange-Id: I2b7fb008c89f0b4e7280b2d0a054320765e83e47\n"
    },
    {
      "commit": "18d4778cf7bffa60eb2e996a13c129c64f83575f",
      "tree": "d6d934b05026d32d6942b34a5e3a359202b3996c",
      "parents": [
        "d60c10d6dbe44445aaab9e3fcc0127e39e989f40"
      ],
      "author": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Wed Mar 19 17:47:42 2014 -0400"
      },
      "committer": {
        "name": "Rob Crittenden",
        "email": "rcritten@redhat.com",
        "time": "Wed Sep 24 18:36:37 2014 -0400"
      },
      "message": "Configure endpoints to use SSL natively or via proxy\n\nConfigure nova, cinder, glance, swift and neutron to use SSL\non the endpoints using either SSL natively or via a TLS proxy\nusing stud.\n\nTo enable SSL via proxy, in local.conf add\n\nENABLED_SERVICES+\u003d,tls-proxy\n\nThis will create a new test root CA, a subordinate CA and an SSL\nserver cert. It uses the value of hostname -f for the certificate\nsubject. The CA certificates are also added to the system CA bundle.\n\nTo enable SSL natively, in local.conf add:\n\nUSE_SSL\u003dTrue\n\nNative SSL by default will also use the devstack-generated root and\nsubordinate CA.\n\nYou can override this on a per-service basis by setting\n\n\u003cSERVICE\u003e_SSL_CERT\u003d/path/to/cert\n\u003cSERVICE\u003e_SSL_KEY\u003d/path/to/key\n\u003cSERVICE\u003e_SSL_PATH\u003d/path/to/ca\n\nYou should also set SERVICE_HOST to the FQDN of the host. This\nvalue defaults to the host IP address.\n\nChange-Id: I36fe56c063ca921131ad98439bd452cb135916ac\nCloses-Bug: 1328226\n"
    },
    {
      "commit": "73ad94c9b4bc7d0bfa137cfddb9eb93d453d208e",
      "tree": "de987ac4950c0b985839e08032575348974d5bb2",
      "parents": [
        "40564a2b3508f1653f5665f7b726f6d2e93f2668",
        "2f69c6b85387f85db63e0a087c8b3fac992bd04d"
      ],
      "author": {
        "name": "Jenkins",
        "email": "jenkins@review.openstack.org",
        "time": "Mon Aug 25 14:42:35 2014 +0000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Mon Aug 25 14:42:35 2014 +0000"
      },
      "message": "Merge \"Don\u0027t try to regenerate existing ssl certificates\""
    },
    {
      "commit": "b1e3d0f222da5e3edd68dd92020962beb1155e1e",
      "tree": "e44c9c6e84e8baf3459040264e85e889f3afcdf5",
      "parents": [
        "b939caea45e2b43f36a831837821ad466451f7ed"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Fri Jul 25 14:57:54 2014 -0500"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Tue Aug 19 19:14:04 2014 -0500"
      },
      "message": "Clean up local variable usage - Remainder\n\nMinor cleanups in a couple of places:\n* Config functions\n* Stackforge\n* TLS\n\nCombined a couple of smaller changesets that are loosely related\n\nChange-Id: Ifa16f2e4c0eca0ef3401c0dfdc4f3d91809021a5\n"
    },
    {
      "commit": "f0bd8dbe37bd855669ad4cddff0a49bccfd9b64e",
      "tree": "8c98548c656f2b72e592cad070a3a30d05842dde",
      "parents": [
        "27eefd87298645b30972a0c0b5a32c3a699521b8"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Wed Jul 23 15:14:07 2014 -0400"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sean@dague.net",
        "time": "Wed Jul 23 15:14:07 2014 -0400"
      },
      "message": "stop leaking service as a global var\n\nthe tls code was leaking out $service as a global variable, which\nwas causing all manner of confusing errors in grenade trying to\nuse that variable name. All lower case vars should be localized.\n\nChange-Id: I74fa597f20ee7c714cab83490b42d874ea93db02\n"
    },
    {
      "commit": "bd5dae0618ed697504a25a692a02e8372fc3d66c",
      "tree": "6f2e0544e611a610a0ddb2c46b28f78ab2427f2b",
      "parents": [
        "e33379658ffc97ffa82117e5dc35f6eb01bde951"
      ],
      "author": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Wed Jun 25 15:29:43 2014 +0100"
      },
      "committer": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Mon Jun 30 10:52:25 2014 +0100"
      },
      "message": "Do a proper tls/ca cleanup in unstack\n\nCertificates and the index were left in the data directory after\nrunning unstack. That would break devstack on the next run.\n\npartial blueprint devstack-https\nChange-Id: I6eb552a76fb29addf4d02254c027e473d6805df1\n"
    },
    {
      "commit": "2e0f0544ec0af0af31d923c2fc3e3fd08e60129b",
      "tree": "2f7aaffe84d4474f96e9678bff529dd0363135a8",
      "parents": [
        "bfa5817c5085d84b2d6b821f000c8f028c61f565"
      ],
      "author": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Fri Jun 27 16:05:53 2014 +0100"
      },
      "committer": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Fri Jun 27 16:10:55 2014 +0100"
      },
      "message": "Comment fix - correct function names\n\nChange-Id: Idecc6cd9bc255ab20d3bc8f4b3a3e7f248b585f0\n"
    },
    {
      "commit": "2f69c6b85387f85db63e0a087c8b3fac992bd04d",
      "tree": "8ba778d0ba2b981eb31870d814d188f49750f1f0",
      "parents": [
        "c6dc3deb2571f08b224c9a11eac975da2ef59f5a"
      ],
      "author": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Wed Jun 25 15:07:48 2014 +0100"
      },
      "committer": {
        "name": "Stanislaw Pitucha",
        "email": "stanislaw.pitucha@hp.com",
        "time": "Wed Jun 25 15:07:48 2014 +0100"
      },
      "message": "Don\u0027t try to regenerate existing ssl certificates\n\nRerunning stack.sh after some failure unrelated to ssl setup will fail\ndue to certificates already existing in the CA index. Don\u0027t regenerate\nthem instead. This is a workaround making devstack development easier\nrather than something a typical user would run into.\n\nChange-Id: Icfd4cb5132c8c9297eb73159e592b7006295184f\n"
    },
    {
      "commit": "66115e532350840272293ead8d211f26af5c8c23",
      "tree": "681f8f06b1ff59fa97dee2a1472dc7ab712132e4",
      "parents": [
        "116023f8e4a6857321a0ea245e91695e203541b0"
      ],
      "author": {
        "name": "Solly Ross",
        "email": "sross@redhat.com",
        "time": "Tue Mar 18 15:12:05 2014 -0400"
      },
      "committer": {
        "name": "Solly Ross",
        "email": "sross@redhat.com",
        "time": "Mon Mar 24 14:05:08 2014 -0400"
      },
      "message": "Fix broken if statement in lib/tls on ZSH\n\nWhen using ZSH, the line `if [[ (!$cert \u0026\u0026 !$key \u0026\u0026 $ca) ]]` fails\ndue to a syntax error.  Instead of checking the variables as a boolean,\nwe can simply check if they have a non-zero length.  This works in ZSH.\n\nChange-Id: I171ed10a8c0af354e82bd6119508a0c44b6bcd9c\n"
    },
    {
      "commit": "aee18c749b0e3a1a3a6907a33db76ae83b8d41d9",
      "tree": "01a8ab5abb9867986f3e848918abd9e749b691cd",
      "parents": [
        "0ed4af02da0bd4a0f757dd8c2156913e6c7a724c"
      ],
      "author": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Fri Feb 21 15:35:08 2014 +1100"
      },
      "committer": {
        "name": "Ian Wienand",
        "email": "iwienand@redhat.com",
        "time": "Fri Feb 28 07:59:03 2014 +1100"
      },
      "message": "Enforce function declaration format in bash8\n\nCheck that function calls look like ^function foo {$ in bash8, and fix\nall existing failures of that check.  Add a note to HACKING.rst\n\nChange-Id: Ic19eecb39e0b20273d1bcd551a42fe400d54e938\n"
    },
    {
      "commit": "bd24a8d0f884d27f47834c917c047b54271c1179",
      "tree": "a2fc27d5b90c224c65283dc6bb87cb563d8c4eca",
      "parents": [
        "99da4af55ef0c451983bcc5d7f97e1e22da168ea"
      ],
      "author": {
        "name": "Jamie Lennox",
        "email": "jamielennox@redhat.com",
        "time": "Fri Sep 20 16:26:42 2013 +1000"
      },
      "committer": {
        "name": "Gerrit Code Review",
        "email": "review@openstack.org",
        "time": "Mon Nov 25 22:27:51 2013 +0000"
      },
      "message": "Allow deploying keystone with SSL certificates\n\nAllow providing certificates through environment variables to be used\nfor keystone, and provide the basis for doing this for other services.\nIt cannot be used in conjunction with tls-proxy as the service provides\nits own encrypted endpoint.\n\nImplementing: blueprint devstack-https\nChange-Id: I8cf4c9c8c8a6911ae56ebcd14600a9d24cca99a0\n"
    },
    {
      "commit": "6a5aa7c6a20435bbd276a0f1823396b52a8f0daf",
      "tree": "d5137f132a359469f1225d61850466feb4658297",
      "parents": [
        "cb961597cc30f9d8ece17529f09a8291454827e3"
      ],
      "author": {
        "name": "Adam Spiers",
        "email": "aspiers@suse.com",
        "time": "Thu Oct 24 11:27:02 2013 +0100"
      },
      "committer": {
        "name": "Adam Spiers",
        "email": "aspiers@suse.com",
        "time": "Thu Oct 24 17:38:19 2013 +0100"
      },
      "message": "Fix some Markdown formatting issues\n\nAddress miscellaneous issues with Markdown formatting in comments which\nare consumed by shocco when generating the online documentation.\n\nChange-Id: I953075cdbddbf1f119c6c7e35f039e2e54b79078\n"
    },
    {
      "commit": "cc6b4435458b5db6aed17631e4789c43d21ee8e5",
      "tree": "a8460f062f571849a7a9a547c85771d625828b34",
      "parents": [
        "2e75ff1a41e741ee77926a1262e1e9410701b4e1"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Mon Apr 08 15:38:03 2013 -0500"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Tue Apr 09 14:05:32 2013 -0500"
      },
      "message": "Formatting cleanups, doc updates and whatnot\n\nChange-Id: Ica8298353be22f947c8e8a03d8dc29ded9cb26dd\n"
    },
    {
      "commit": "584d90ec56e18cbb9c0f15fe6af35504c02ea4bd",
      "tree": "6d2027aed2ab0e2e44be06ce906c7083493aab3d",
      "parents": [
        "a173376ea1b838d420384c2946b7e66859b6335b"
      ],
      "author": {
        "name": "Sean Dague",
        "email": "sdague@linux.vnet.ibm.com",
        "time": "Fri Mar 29 14:34:53 2013 -0400"
      },
      "committer": {
        "name": "Sean Dague",
        "email": "sdague@linux.vnet.ibm.com",
        "time": "Fri Mar 29 14:36:49 2013 -0400"
      },
      "message": "add emacs shell-script tagging\n\nfor files that don\u0027t start with a #! or end in .sh, the added tags\nare nice for emacs users to automatically switch to the right mode.\n\nChange-Id: If4b93e106191bc744ccad8420cef20e751cdf902\n"
    },
    {
      "commit": "ca8021712325dd4d4ac7185a287cb81cb10fd23d",
      "tree": "94e4be60c4e0c814a4276bada65846f5e1db0baa",
      "parents": [
        "db89a8189e9425720ba64afb0bffe2bc357831a1"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Wed Jan 09 19:08:02 2013 -0600"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Thu Jan 10 01:56:23 2013 -0600"
      },
      "message": "Add tools/make_cert.sh\n\nThis allows use of either the DevStack CA or creating another CA\nindependent of stack.sh.\n\nChange-Id: I055679b5fd06e830c8e6d7d7331c52dd8782d0b6\n"
    },
    {
      "commit": "c83a7e125fc1fea0370fffed37435097346befa6",
      "tree": "e60b26a6a27d9a940105754677da18743367999c",
      "parents": [
        "00626a3186650fb111d9af5e2d69311aa5b3d3c2"
      ],
      "author": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Thu Nov 29 11:47:58 2012 -0600"
      },
      "committer": {
        "name": "Dean Troyer",
        "email": "dtroyer@gmail.com",
        "time": "Tue Dec 11 17:08:54 2012 -0600"
      },
      "message": "Add TLS support for keystone via proxy\n\n* Adds lib/tls to create test CA/certs\n* Start proxy if \u0027tls-proxy\u0027 is enabled\n* Configure keystone service catalog for TLS\n* Tear down proxy in unstack.sh\n* Set auth protocol and ca-cert chain in openrc\n* Add DATA_DIR to stackrc\n\nThis is the first in a series of patches to enable TLS support\nfor the service API endpoints.\n\nChange-Id: Ia1c91dc8f1aaf94fbec9dc71da322559a83d14b6\n"
    }
  ]
}
