Doesn't deal with configured certfile parameter correctly.

Bug #1359432 reported by Sudarshan
This bug affects 1 person
Affects: Sahara
Status: Fix Released
Importance: High
Assigned to: Andrew Lazarev
Milestone:

Bug Description

When running sahara cluster-list behind a MITM proxy, SSL certs aren't handled appropriately by the server.
I get this error in sahara.log:
NetworkError: Unable to communicate with keystone

This also occurs when running sahara cluster-create, when sahara encounters errors communicating with nova.

I was able to work around this by modifying sahara/main.py and /sahara/utils/openstack/nova.py.

I added the line "cafile=CONF.ssl.ca_file" here in order to store the cacert info: https://github.com/openstack/sahara/blob/stable/icehouse/sahara/main.py#L148

Also, I added the line "cacert=ca_file" here in order to pass the cacert parameter into novaclient:
https://github.com/openstack/sahara/blob/stable/icehouse/sahara/utils/openstack/nova.py#L32

For me, this allowed the sahara-api server to correctly use the cacert file when making queries to keystone or nova.

What is the intended way to use a cacert file? Is this a bug, or am I missing the correct way to configure sahara?

Andrew Lazarev (alazarev) wrote :

It looks like this is a bug. Other projects pass cacert to all clients.

Changed in sahara:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Andrew Lazarev (alazarev)
Changed in sahara:
milestone: none → kilo-2
status: Confirmed → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/145336

Changed in sahara:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to sahara (master)

Reviewed: https://review.openstack.org/145336
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=62525aa4fc2896955324c349b9266b770172612f
Submitter: Jenkins
Branch: master

commit 62525aa4fc2896955324c349b9266b770172612f
Author: Andrew Lazarev <email address hidden>
Date: Tue Jan 6 12:51:54 2015 -0800

    Added ability to use other services via HTTPS

    Introduce config section for each of clients.
    Pass cacert and insecure parameter to all clients.

    Change-Id: I53a7f5d822a7c8db017341a05056060867bda936
    Closes-Bug: #1359432
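
The pattern the commit message describes (a config section per client, with cacert and insecure passed to every client) is shown here as an added example; it is not code from the Sahara repository. The section names, the api_insecure option, the helper functions and the sample config are assumptions constructed for illustration; ca_file mirrors the option quoted in the report.

```python
import configparser
import ssl

# Constructed sample config. Section names and the api_insecure option are
# assumptions for this example; ca_file mirrors the option quoted in the report.
SAMPLE_CONF = """
[keystone]
ca_file = /etc/ssl/private-ca/ca.pem

[nova]
api_insecure = true

[cinder]
"""


def load_conf(text):
    conf = configparser.ConfigParser()
    conf.read_string(text)
    return conf


def client_tls_kwargs(conf, service):
    """TLS kwargs to hand to the client for `service`.

    Every client gets both values, so no client silently falls back to
    defaults that ignore the operator's CA bundle.
    """
    return {
        "cacert": conf.get(service, "ca_file", fallback=None),
        "insecure": conf.getboolean(service, "api_insecure", fallback=False),
    }


def build_context(cacert=None, insecure=False):
    """Turn the kwargs into an ssl.SSLContext, failing closed on a bad path."""
    if insecure:
        # Explicit opt-out only: no chain or hostname verification.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # cafile=None uses the system trust store; a path trusts only that bundle.
    # A missing or unreadable file raises instead of downgrading verification.
    return ssl.create_default_context(cafile=cacert)


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for service in ("keystone", "nova", "cinder"):
        print(service, client_tls_kwargs(conf, service))
```

A wrong ca_file path surfaces as an OSError when the context is built, which is easier to diagnose than a generic "Unable to communicate" error at request time.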

Changed in sahara:
status: In Progress → Fix Committed
Changed in sahara:
milestone: kilo-2 → kilo-3
milestone: kilo-3 → none
milestone: none → kilo-2
Thierry Carrez (ttx)
Changed in sahara:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in sahara:
milestone: kilo-2 → 2015.1.0