Xmlrpc encryption

Thank you atodorov!

I had a misconfiguration on when to integrate the reverse proxy.

In case there are any lurkers out there:

  1. ONe uses libcurl to post against the XMLRPC port.
  2. Set up the nginx reverse proxy for ssl termination before this step: OpenNebula HA Setup — OpenNebula 5.10.5 documentation
  3. Add the initial server with "onezone server-add 0 --name server-0 --rpc https://IP:2634/RPC2"
  4. Step through the rest of the HA config and add other nodes similarly (I found I had to restart opennebula after starting the service on an added node to get it to function).
  5. oned.conf does not use proxy port, keep default xmlrpc ip and port.
  6. sunstone-server.conf will need to use https://cluster_leader_ip:2634/RPC2 EDIT: Sunstone on cluster leader threw ssl verification error, changed to localhost.

No env change

My nginx is similar to the link in my OP.

I did end up editing oned.conf raft hooks like the following:

RAFT_LEADER_HOOK = [
    COMMAND = "raft/vip.sh",
    ARGUMENTS = "leader eth0 {{ one_a_leader_ip }}/19 eth2 {{ one_b_leader_ip }}/19"
]

And then editing vip.sh to pass in the extra args:

INTERFACE2="$4"
IFADDR2="$5"
IP2="${IFADDR2%%/*}"

Editing vip.sh further to add the extra IP to the interface (and a similar remove in the follower case):

case $ACTION in
leader)
    sudo ip address add $IFADDR dev $INTERFACE
    #####################
    #   Add second FIP  #
    #####################
    sudo ip address add $IFADDR2 dev $INTERFACE2
    #####################

This interface addition allows a separation between the webserver and the api for firewall security etc.
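The two-interface hook arguments from the post above, as an added example that is not part of the original post and is not OpenNebula's vip.sh: a dry-run helper that validates interface/address pairs and prints the `ip` commands for both the leader and follower cases without executing them. The function name `plan_vip`, the validation rules (IPv4 CIDR only) and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not OpenNebula's vip.sh. plan_vip only prints the `ip`
# commands for a raft hook call; nothing is executed, so no root is needed.
# Usage: plan_vip ACTION IFACE ADDR/PREFIX [IFACE ADDR/PREFIX ...]
plan_vip() {
    action="${1:-}"
    [ "$#" -gt 0 ] && shift
    case "$action" in
        leader)   verb=add ;;   # node became leader: claim the floating IPs
        follower) verb=del ;;   # node lost leadership: release them
        *) echo "unknown action: $action" >&2; return 2 ;;
    esac
    # Arguments must arrive as interface/address pairs.
    if [ "$#" -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "expected IFACE ADDR/PREFIX pairs" >&2
        return 2
    fi
    plan=""
    while [ "$#" -gt 0 ]; do
        iface="$1"
        addr="$2"
        shift 2
        # Validate before anything reaches `sudo ip` (IPv4 CIDR only here).
        case "$iface" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 2 ;;
        esac
        case "$addr" in
            *[!0-9./]*|*/*/*|/*|*/) echo "bad address: $addr" >&2; return 2 ;;
            */*) ;;
            *) echo "missing prefix length: $addr" >&2; return 2 ;;
        esac
        plan="${plan}sudo ip address $verb $addr dev $iface
"
    done
    # Print only after every pair passed validation (all or nothing).
    printf '%s' "$plan"
}

# Constructed sample values standing in for the templated leader IPs.
plan_vip leader eth0 10.0.0.10/19 eth2 10.1.0.10/19
```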