[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Reviewed:  https://review.opendev.org/599541
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ae542f685466dc65967c6d74d38d8935685256f5
Submitter: Zuul
Branch:    stable/queens

commit ae542f685466dc65967c6d74d38d8935685256f5
Author: James Page
Date:   Mon Aug 20 15:22:10 2018 +0100

    metadata: use requests for comms with nova api

    httplib2 makes use of the ssl module provided by Python; under
    Python 2, the ssl module does not support IP addresses as subject
    alternate names (SAN's) which although an optional part of the
    associated RFC, is awkward to work with in environments where
    certificate management approaches rely on use of IP addresses
    in SAN's.

    The requests module is more than happy to deal with this scenario;
    switch to requests in preference of httplib2 for metadata proxy
    calls. httplib2 is retained as it's used elsewhere in the codebase.

    Closes-Bug: 1790598
    Change-Id: Ife4adf09ddbf7116da2f8596c80aed53fb6790df
    (cherry picked from commit 7e0dd2f18d4919964655cfce7a282d1c5c131fc4)

** Tags added: in-stable-queens

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1790598

Title:
  metadata service calls to nova-api-metadata with IP based SAN's fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1790598/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Tags removed: neutron-proactive-backport-potential
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Tags added: neutron-proactive-backport-potential
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
This bug was fixed in the package neutron - 2:12.0.5-0ubuntu1

---
neutron (2:12.0.5-0ubuntu1) bionic; urgency=medium

  * New stable point release for OpenStack Queens (LP: #1795424).
  * d/p/metadata-use-requests-for-comms-with-nova-api.patch: Cherry-picked
    from https://review.openstack.org/#/c/599541/ to enable cert management
    where IP addresses are used in subject alternate names (LP: #1790598).

 -- Corey Bryant  Tue, 06 Nov 2018 11:43:51 -0500

** Changed in: neutron (Ubuntu Bionic)
       Status: Fix Committed => Fix Released
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Sorry the first set of testing above was against bionic-proposed not xenial-proposed.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Regression testing was successful against xenial-proposed:

== Totals ==
Ran: 92 tests in 1034.1765 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 465.6833 sec.

Regression testing was successful against queens-proposed:

== Totals ==
Ran: 92 tests in 1106.9986 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 548.8946 sec.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Hello James, or anyone else affected,

Accepted neutron into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:12.0.5-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Tags removed: verification-done verification-done-bionic
** Tags added: verification-needed verification-needed-bionic
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
I checked with jamespage and he said regression is enough for verifying this. Tagged as verified.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Looks like this bug is verified but not marked as verification-done-bionic. Is there any more testing you want to perform on this bug before release?
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Regression testing successful for queens-proposed (tempest results):

== Totals ==
Ran: 92 tests in 1000.6584 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 465.0920 sec.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Regression testing successful for bionic-proposed (tempest results):

== Totals ==
Ran: 92 tests in 1318.6413 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 494.8999 sec.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Hello James, or anyone else affected,

Accepted neutron into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:12.0.4-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: neutron (Ubuntu Bionic)
       Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-bionic
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Description changed: [Impact] If the nova-api-metadata service is secured with a certificate that makes use of IP based SAN's, under Python 2 certificate validation will fail as the ssl module does not support use of IP addresses in cert SAN fields (and httplib2 which is used to make the request uses ssl directly). Master branch of neutron has switched (see [0]) to using requests to make these calls, supporting use of certs with IP address based SAN's (via urllib3 which does support IP address based SAN's under Python 2). [0] https://github.com/openstack/neutron/commit/7e0dd2f18d4919964655cfce7a282d1c5c131fc4 [Test Case] Deploy OpenStack, securing metadata service using certs with IPAddress based SAN's (openstack charms + vault can do this). Boot instance - instance will fail to get metadata due to neutron->nova cert verification failure. [Regression Potential] - Minimal; patch accepted into stable/rocky branch upstream and part of the Rocky release of OpenStack for Ubuntu. + Patch switches communication between neutron and nova for metadata queries to use requests over httplib2; so its a fairly like-for-like switch - both are used across openstack for various purposes.
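Added example, not part of the bug thread and not code from neutron, httplib2, requests or the Python standard library: a simplified model of the failure described in [Impact], using the dict shape returned by ssl's getpeercert(). The function names, certificate contents and addresses are constructed for illustration, and wildcard names are deliberately left out.

```python
import ipaddress


def _san(cert, kind):
    """Return all subjectAltName values of one type ('DNS' or 'IP Address')."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_names(cert):
    """Return commonName values from the getpeercert()-style subject tuple."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _as_ip(text):
    """Parse an IPv4/IPv6 literal; return None for anything else."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def match_dns_only(cert, host):
    """Model of a matcher that reads only DNS SAN entries (CN as fallback).

    'IP Address' entries are never consulted, which is the limitation the
    bug report attributes to the Python 2 ssl module.
    """
    names = _san(cert, "DNS") or _common_names(cert)
    return host.lower() in (name.lower() for name in names)


def match_with_ip_sans(cert, host):
    """Matcher that honours IP SANs.

    An IP literal is compared only against 'IP Address' entries, by parsed
    value so that different textual forms of one address still match.
    A hostname is compared only against 'DNS' entries (no CN fallback).
    """
    ip = _as_ip(host)
    if ip is not None:
        return any(_as_ip(value) == ip for value in _san(cert, "IP Address"))
    return host.lower() in (name.lower() for name in _san(cert, "DNS"))


# Constructed certificate: the metadata endpoint is identified by IP only.
CERT_IP_ONLY = {
    "subject": ((("commonName", "nova-api-metadata"),),),
    "subjectAltName": (("IP Address", "10.5.0.20"),
                       ("IP Address", "2001:DB8:0:0:0:0:0:1")),
}
# Constructed certificate: an address-looking string placed in a DNS entry.
CERT_IP_AS_DNS = {
    "subject": ((("commonName", "nova-api-metadata"),),),
    "subjectAltName": (("DNS", "10.5.0.20"),),
}

if __name__ == "__main__":
    for host in ("10.5.0.20", "2001:db8::1", "10.5.0.99"):
        print(host,
              "dns-only:", match_dns_only(CERT_IP_ONLY, host),
              "ip-aware:", match_with_ip_sans(CERT_IP_ONLY, host))
```

The second constructed certificate shows the opposite edge: a matcher that treats every name as a string accepts an address found in a DNS entry, while the IP-aware matcher rejects it because no 'IP Address' entry is present.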
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Neutron 2:12.0.4-0ubuntu1 is now ready for review in the unapproved queue.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
As an FYI the "Regression Potential" part of the SRU description is supposed to be about how things can go wrong not a statement regarding the chances of there being a regression.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Description changed: [Impact] If the nova-api-metadata service is secured with a certificate that makes use of IP based SAN's, under Python 2 certificate validation will fail as the ssl module does not support use of IP addresses in cert SAN fields (and httplib2 which is used to make the request uses ssl directly). Master branch of neutron has switched (see [0]) to using requests to make these calls, supporting use of certs with IP address based SAN's (via urllib3 which does support IP address based SAN's under Python 2). [0] https://github.com/openstack/neutron/commit/7e0dd2f18d4919964655cfce7a282d1c5c131fc4 [Test Case] + Deploy OpenStack, securing metadata service using certs with IPAddress based SAN's (openstack charms + vault can do this). + Boot instance - instance will fail to get metadata due to neutron->nova cert verification failure. [Regression Potential] + Minimal; patch accepted into stable/rocky branch upstream and part of the Rocky release of OpenStack for Ubuntu.
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
The stable/queens fix has been included in neutron 2:12.0.4-0ubuntu1, currently in the bionic unapproved queue awaiting SRU team review. ** Description changed: - If the nova-api-metadata service is secured with a certificate that - makes use of IP based SAN's, under Python 2 certificate validation will - fail as the ssl module does not support use of IP addresses in cert SAN - fields (and httplib2 which is used to make the request uses ssl - directly). + [Impact] + If the nova-api-metadata service is secured with a certificate that makes use of IP based SAN's, under Python 2 certificate validation will fail as the ssl module does not support use of IP addresses in cert SAN fields (and httplib2 which is used to make the request uses ssl directly). Master branch of neutron has switched (see [0]) to using requests to make these calls, supporting use of certs with IP address based SAN's (via urllib3 which does support IP address based SAN's under Python 2). [0] https://github.com/openstack/neutron/commit/7e0dd2f18d4919964655cfce7a282d1c5c131fc4 + + [Test Case] + + [Regression Potential]
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
Reviewed:  https://review.openstack.org/599537
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c28e4963b75414f093e432c9934f8658a4e56b98
Submitter: Zuul
Branch:    stable/rocky

commit c28e4963b75414f093e432c9934f8658a4e56b98
Author: James Page
Date:   Mon Aug 20 15:22:10 2018 +0100

    metadata: use requests for comms with nova api

    httplib2 makes use of the ssl module provided by Python; under
    Python 2, the ssl module does not support IP addresses as subject
    alternate names (SAN's) which although an optional part of the
    associated RFC, is awkward to work with in environments where
    certificate management approaches rely on use of IP addresses
    in SAN's.

    The requests module is more than happy to deal with this scenario;
    switch to requests in preference of httplib2 for metadata proxy
    calls. httplib2 is retained as it's used elsewhere in the codebase.

    Closes-Bug: 1790598
    Change-Id: Ife4adf09ddbf7116da2f8596c80aed53fb6790df
    (cherry picked from commit 7e0dd2f18d4919964655cfce7a282d1c5c131fc4)

** Tags added: in-stable-rocky
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
This bug was fixed in the package neutron - 2:13.0.0-0ubuntu2

---
neutron (2:13.0.0-0ubuntu2) cosmic; urgency=medium

  * d/p/metadata-use-requests-for-comms-with-nova-api.patch: Cherry pick
    of fix to support use of certs with IP based SAN's on Nova API
    endpoints when making metadata service calls (LP: #1790598).
  * d/control: Bump minimum requests version inline with above patch.

 -- James Page  Tue, 04 Sep 2018 14:59:36 +0100

** Changed in: neutron (Ubuntu Cosmic)
       Status: In Progress => Fix Released
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Changed in: neutron (Ubuntu Xenial)
   Importance: High => Low
[Bug 1790598] Re: metadata service calls to nova-api-metadata with IP based SAN's fails
** Changed in: neutron (Ubuntu Cosmic)
       Status: Triaged => In Progress

** Changed in: neutron (Ubuntu Cosmic)
     Assignee: (unassigned) => James Page (james-page)