7.8.4. Configuring the Required Services
A number of services must be enabled so that they start for the broker Rails application whenever Host 1 boots. Enable these services using:
# chkconfig httpd on
# chkconfig network on
# chkconfig ntpd on
# chkconfig sshd on
Configure the firewall to allow access to these services:
# lokkit --nostart --service=ssh
# lokkit --nostart --service=https
# lokkit --nostart --service=http
Set the appropriate ServerName in the Apache configuration on the broker:
# sed -i -e "s/ServerName .*\$/ServerName `hostname`/" \
/etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
Note
If you use the kickstart or bash script, the enable_services_on_broker function performs these steps.
Configuring Inter-Host Access Keys
Generate a broker access key, which is used by Jenkins and other optional services. The access key is configured in the /etc/openshift/broker.conf file, which includes the expected key file locations in the lines shown in the sample output below. The following AUTH_PRIV_KEY_FILE and AUTH_PUB_KEY_FILE settings show the default values, which can be changed as required. The AUTH_PRIV_KEY_PASS setting can also be configured, but it is not required.
AUTH_PRIV_KEY_FILE="/etc/openshift/server_priv.pem"
AUTH_PRIV_KEY_PASS=""
AUTH_PUB_KEY_FILE="/etc/openshift/server_pub.pem"
Note
The AUTH_PRIV_KEY_FILE, AUTH_PRIV_KEY_PASS and AUTH_PUB_KEY_FILE settings must specify the same private key on all associated brokers for the Jenkins authentication to work.
The following commands generate the broker access key and assume the default key file locations are used. If you changed the AUTH_PRIV_KEY_FILE or AUTH_PRIV_KEY_PASS settings, replace /etc/openshift/server_priv.pem or /etc/openshift/server_pub.pem in the following commands as necessary.
# openssl genrsa -out /etc/openshift/server_priv.pem 2048
# openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem
# chown apache:apache /etc/openshift/server_pub.pem
# chmod 640 /etc/openshift/server_pub.pem
The AUTH_SALT setting in the /etc/openshift/broker.conf file must also be set. It must be secret and set to the same value across all brokers in a cluster, or scaling and Jenkins integration will not work. Create the random string using:
# openssl rand -base64 64
Important
If AUTH_SALT is changed after the broker is running, the broker service must be restarted:
# service openshift-broker restart
Further, if any gears are present when the value is changed again, run the oo-admin-broker-auth tool to recreate the broker authentication keys. Run the following command to rekey authentication tokens for all applicable gears:
# oo-admin-broker-auth --rekey-all
See the command's --help output and man page for additional options and more detailed use cases.
Configure the SESSION_SECRET setting in the /etc/openshift/broker.conf file to sign the Rails sessions. Ensure it is the same across all brokers in a cluster. Create the random string using:
# openssl rand -hex 64
Similar to AUTH_SALT, if the SESSION_SECRET setting is changed after the broker is running, the broker service must be restarted. Note that all sessions are dropped when the broker service is restarted.
Configure a suitable SSH key to share between the broker host and all node hosts to facilitate moving gears between nodes. Create the key and copy it to the appropriate directory with:
# ssh-keygen -t rsa -b 2048 -f ~/.ssh/rsync_id_rsa
# cp ~/.ssh/rsync_id_rsa* /etc/openshift/
As part of the node host configuration, copy this key to the appropriate directory on each node host. See Section 9.9, “Configuring SSH Keys on the Node Host” for more information.
Note
If you use the kickstart or bash script, the configure_access_keys_on_broker function performs these steps.
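An added consistency check for the settings configured in this section (example code, not part of the OpenShift documentation or scripts): it reads the cluster-wide values from two brokers' broker.conf files, reports any that are empty or differ, and confirms that the private and public key files are a matching pair. It assumes the plain KEY="value" layout shown above and that openssl is available for the key check.

```shell
#!/bin/sh
# Added example: verify the shared broker secrets before a second broker joins.
# Assumes POSIX sh, sed/tail and (for the key check only) openssl.

# Print the value of one KEY="value" setting from a broker.conf-style file.
# Assumes the simple KEY="value" or KEY=value layout; last occurrence wins,
# as it would when the file is sourced.
conf_get() {
    # $1 = config file, $2 = setting name
    sed -n 's/^[[:space:]]*'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" | tail -n 1
}

# Print the names of cluster-wide settings that are empty or differ between
# two broker.conf files; prints nothing when everything is consistent.
# These are the values the section requires to be identical on every broker.
broker_secret_mismatches() {
    # $1 = broker.conf from broker A, $2 = broker.conf from broker B
    for key in AUTH_SALT SESSION_SECRET AUTH_PRIV_KEY_FILE AUTH_PUB_KEY_FILE; do
        a=$(conf_get "$1" "$key")
        b=$(conf_get "$2" "$key")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$key: empty"
        elif [ "$a" != "$b" ]; then
            echo "$key: differs"
        fi
    done
}

# Confirm the private key and the stored public key belong together: the
# public key derived with "openssl rsa -pubout" (the same command the docs use
# to create it) must equal the file contents. Returns 0 on match, 1 on
# mismatch or unreadable key, 2 if openssl is not installed.
broker_keypair_matches() {
    # $1 = private key file, $2 = public key file
    command -v openssl >/dev/null 2>&1 || return 2
    derived=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$2")" ]
}
```

Run it from the broker with copies of each peer's broker.conf; any line of output means the brokers will not share gear authentication or Rails sessions correctly.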