Reviewed: https://review.openstack.org/557508
Committed:
https://git.openstack.org/cgit/openstack/nova/commit/?id=20eaaee2334957eb8739ecca524a1c4aa9f246e9
Submitter: Zuul
Branch: master
commit 20eaaee2334957eb8739ecca524a1c4aa9f246e9
Author: Eric Fried <efr...@us.ibm.com>
Date: Wed Mar 28 15:45:26 2018 -0500
Use ksa session for cinder microversion check
[1] added a method to validate availability of a desired version of the
cinder API. This method called into
cinderclient.client.get_highest_client_server_version to
(unsurprisingly) discover the highest available version to compare
against. However, that routine uses a raw requests.get to access the
version document from the server. This breaks when the endpoint URL is
using HTTPS, because nothing sets up the cert info for that call.
With this change, we work around the issue by duplicating the logic from
get_highest_client_server_version, but doing the version discovery via
the same keystoneauth1 session that's configured for use with the client
itself, thus inheriting any SSL configuration as appropriate.
[1] https://review.openstack.org/#/c/469579/
Change-Id: I4de355195281009a5979710d7f14ae8ea11d10e0
Closes-Bug: #1752152
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1752152
Title:
Attach Volume Fails with secure call to cinder
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) queens series:
In Progress
Status in python-cinderclient:
Invalid
Bug description:
It is found that when cinder endpoint is configured to use https,
attach volume flow fails with the stack trace seen below (seen in nova
api log) because it fails to make a secure call from nova to cinder.
Secure calls perform certificate validation and in this particular
flow, certificate validation is completely skipped
File "/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3971, in
attach_volume
2018-02-27 08:16:51.338 1324 ERROR
cinder.is_microversion_supported(context, '3.44')
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 138, in
is_microversion_supported
2018-02-27 08:16:51.338 1324 ERROR _check_microversion(url, microversion)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/nova/volume/cinder.py", line 86, in
_check_microversion
2018-02-27 08:16:51.338 1324 ERROR max_api_version =
cinder_client.get_highest_client_server_version(url)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/cinderclient/client.py", line 126, in
get_highest_client_server_version
2018-02-27 08:16:51.338 1324 ERROR min_server, max_server =
get_server_version(url)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/cinderclient/client.py", line 109, in
get_server_version
2018-02-27 08:16:51.338 1324 ERROR response = requests.get(version_url)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/requests/api.py", line 72, in get
2018-02-27 08:16:51.338 1324 ERROR return request('get', url,
params=params, **kwargs)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/requests/api.py", line 58, in request
2018-02-27 08:16:51.338 1324 ERROR return session.request(method=method,
url=url, **kwargs)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
2018-02-27 08:16:51.338 1324 ERROR resp = self.send(prep, **send_kwargs)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
2018-02-27 08:16:51.338 1324 ERROR r = adapter.send(request, **kwargs)
2018-02-27 08:16:51.338 1324 ERROR File
"/usr/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
2018-02-27 08:16:51.338 1324 ERROR raise ConnectionError(e,
request=request)
2018-02-27 08:16:51.338 1324 ERROR ConnectionError:
HTTPSConnectionPool(host='ipx-x-x-x.xxx.xxx.xxx.com', port=9000): Max retries
exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL
routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",),))
This is a regression bug introduced as part of changeset
https://review.openstack.org/#/c/469579/, which was merged way back in
June 2017. As part of this changeset, a new function namely
_check_microversion was introduced, which then makes a cinderclient
call , which finally makes a cinder https REST api call without
passing the certificate. This leads to the problem listed above.
https://github.com/openstack/nova/blob/stable/queens/nova/volume/cinder.py#L75
https://github.com/openstack/nova/blob/stable/queens/nova/volume/cinder.py#L86
https://github.com/openstack/python-cinderclient/blob/stable/queens/cinderclient/client.py#L126
https://github.com/openstack/python-cinderclient/blob/stable/queens/cinderclient/client.py#L109
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1752152/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
