For an instance to properly work it needs an ldap host record. Currently that's all created by OpenStackManager, so we need a proper nova hook to do it instead so that instances can be started via Horizon.
...or... we could move off ldap entirely. Details here: https://wikitech.wikimedia.org/wiki/Ldap_hosts
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Andrew | T42525 Cant add a security group to an existing instance | |||
| Resolved | Andrew | T87279 Make OpenStack Horizon useful for production labs | |||
| Resolved | hashar | T96670 Instances created by Nodepool cant run puppet due to missing certificate | |||
| Resolved | Andrew | T97163 Support instance creation/deletion via nova commandline | |||
| Resolved | Andrew | T91987 Nova Instance creation hook for ldap | |||
| Duplicate | Andrew | T95910 Abolish use of ec2 ids | |||
| Resolved | Andrew | T95911 Remove puppet and salt keys on instance deletion | |||
| Resolved | Andrew | T95480 Abolish use of ec2id in cert names | |||
| Resolved | ArielGlenn | T95481 Fix monitor_labs_salt_keys.py to handle the new labs naming scheme | |||
| Resolved | Andrew | T95519 Automatically clean salt and puppet certs on instance deletion |
This is now happening. Designate-sink is running a custom plugin python-nova-ldap that creates ldap entries with new instances and deletes them when the instances are deleted.
It also cleans up puppet and salt certs of the form <hostname>.<project>.eqiad.wmflabs. Of course those certs don't exist at the moment, but they will.
Related patches:
https://gerrit.wikimedia.org/r/#/c/204547/
https://gerrit.wikimedia.org/r/#/c/204549/
Note that at the moment the ldap entries created are dummies, to prevent conflict with the live entries. After this process has proved itself a bit I'll switch things over and remove the ldap host creation code from OpenStackManager.