Nova compute interprets rabbitmq passwords

Bug #1474933 reported by Nigel Metheringham
This bug affects 1 person
Affects                    Status        Importance  Assigned to              Milestone
OpenStack Compute (nova)   Invalid       Undecided   Unassigned
oslo.messaging             Fix Released  Undecided   Davanum Srinivas (DIMS)

Bug Description

Using the kilo rpms - openstack-nova-compute-2015.1.0-3.el7.noarch

If the rabbit_password (set in [Default] section - this is how the Ansible role I am using sets it) includes a slash character - "/" - then the service fails to start.

In the log - /var/log/nova/nova-compute.log
the following error is seen:-

CRITICAL nova [req-72c0fe29-f2d6-4164-95de-e9e8f50fa7bc - - - - -] ValueError: invalid literal for int() with base 10: 'prefix'

where prefix is the first part of the password, i.e.
  rabbit_password = 'prefix/suffix'

Traceback enclosed below.

If the Rabbit password is changed to not include a / then the service starts up OK.

This could have security implications, but I am not currently flagging it as a security issue....

2015-07-15 16:28:50.824 9670 TRACE nova Traceback (most recent call last):
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/bin/nova-compute", line 10, in <module>
2015-07-15 16:28:50.824 9670 TRACE nova sys.exit(main())
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/nova/cmd/compute.py", line 72, in main
2015-07-15 16:28:50.824 9670 TRACE nova db_allowed=CONF.conductor.use_local)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/nova/service.py", line 277, in create
2015-07-15 16:28:50.824 9670 TRACE nova db_allowed=db_allowed)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/nova/service.py", line 157, in __init__
2015-07-15 16:28:50.824 9670 TRACE nova self.conductor_api.wait_until_ready(context.get_admin_context())
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/nova/conductor/api.py", line 292, in wait_until_ready
2015-07-15 16:28:50.824 9670 TRACE nova timeout=timeout)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/nova/baserpc.py", line 62, in ping
2015-07-15 16:28:50.824 9670 TRACE nova return cctxt.call(context, 'ping', arg=arg_p)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/client.py", line 156, in call
2015-07-15 16:28:50.824 9670 TRACE nova retry=self.retry)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/transport.py", line 90, in _send
2015-07-15 16:28:50.824 9670 TRACE nova timeout=timeout, retry=retry)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 350, in send
2015-07-15 16:28:50.824 9670 TRACE nova retry=retry)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 312, in _send
2015-07-15 16:28:50.824 9670 TRACE nova msg.update({'_reply_q': self._get_reply_q()})
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 283, in _get_reply_q
2015-07-15 16:28:50.824 9670 TRACE nova conn = self._get_connection(rpc_amqp.PURPOSE_LISTEN)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqpdriver.py", line 274, in _get_connection
2015-07-15 16:28:50.824 9670 TRACE nova purpose=purpose)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqp.py", line 121, in __init__
2015-07-15 16:28:50.824 9670 TRACE nova self.connection = connection_pool.create(purpose)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/amqp.py", line 93, in create
2015-07-15 16:28:50.824 9670 TRACE nova return self.connection_cls(self.conf, self.url, purpose)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/oslo_messaging/_drivers/impl_rabbit.py", line 664, in __init__
2015-07-15 16:28:50.824 9670 TRACE nova heartbeat=self.driver_conf.heartbeat_timeout_threshold)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/kombu/connection.py", line 180, in __init__
2015-07-15 16:28:50.824 9670 TRACE nova params.update(parse_url(hostname))
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/kombu/utils/url.py", line 34, in parse_url
2015-07-15 16:28:50.824 9670 TRACE nova scheme, host, port, user, password, path, query = _parse_url(url)
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib/python2.7/site-packages/kombu/utils/url.py", line 22, in _parse_url
2015-07-15 16:28:50.824 9670 TRACE nova port = scheme != 'mongodb' and parts.port or None
2015-07-15 16:28:50.824 9670 TRACE nova File "/usr/lib64/python2.7/urlparse.py", line 112, in port
2015-07-15 16:28:50.824 9670 TRACE nova port = int(port, 10)

Davanum Srinivas (DIMS) (dims-v) wrote :

Any idea why there's a mongodb in your trace? Can you please post more of your nova.conf?

tags: added: compute configuration
Nigel Metheringham (nigel-r) wrote :

No idea where mongodb comes into it - not using it anywhere in this test bed. However the context in the trace looks as though there is a decision being made based on whether nova is using it, rather than actually involving mongodb.

I have attached the complete nova.conf other than the passwords (which were generated using openssl rand -base64 15).

This is a fresh installation of OpenStack kilo done for learning purposes onto a freshish CentOS 7 install. The other components are on VMware VMs, this is on a physical blade. Deployment is being done using the Ansible roles available at https://github.com/dguerri

The nova compute config is simply

[libvirt]
virt_type = kvm

Changed in nova:
status: New → Invalid
Changed in oslo.messaging:
status: New → Invalid
Changed in nova:
status: Invalid → In Progress
Changed in oslo.messaging:
status: Invalid → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.messaging (master)

Fix proposed to branch: master
Review: https://review.openstack.org/203309

Changed in oslo.messaging:
assignee: nobody → Davanum Srinivas (DIMS) (dims-v)
Davanum Srinivas (DIMS) (dims-v) wrote :

Should have marked invalid only in Nova as the correct fix is in oslo.messaging

Changed in nova:
status: In Progress → Invalid
Davanum Srinivas (DIMS) (dims-v) wrote :

OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.messaging (master)

Reviewed: https://review.openstack.org/203309
Committed: https://git.openstack.org/cgit/openstack/oslo.messaging/commit/?id=adcd0807d66ef58649d245a3231738ed698fdeb2
Submitter: Jenkins
Branch: master

commit adcd0807d66ef58649d245a3231738ed698fdeb2
Author: Davanum Srinivas <email address hidden>
Date: Fri Jul 17 22:25:48 2015 -0400

    Allow a forward slash as a part of the user/password

    quote method has a safe parameter which is set to '/' so when
    the end user has a / in the rabbit_password then we end up leaving
    that in the url which ends up looking like:

    amqp://stackrabbit:pass/word@10.0.0.9:5672//

    Which is clearly invalid, so we should set safe parameter to '' which
    allows the url to be constructed properly (see transport.py
    TransportURL.__str__ method works this work)

    Closes-Bug: #1474933
    Change-Id: I14fb54440d0925f3676e18d13182ed0fa9c34ca2
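
The failure described in the commit message, reproduced with Python 3's `urllib.parse` as an added example (this is not oslo.messaging or kombu code; the helper names are hypothetical and the sample passwords are constructed). It also covers a case beyond the report: when the part of the password before the slash is all digits, parsing does not fail but silently returns the user name as the host.

```python
from urllib.parse import quote, unquote, urlsplit


def build_url(user, password, host, port, safe):
    """Build an AMQP URL, percent-encoding the credentials.

    `safe` lists characters quote() leaves unescaped; its default is '/'.
    """
    return "amqp://%s:%s@%s:%d//" % (
        quote(user, safe), quote(password, safe), host, port)


def parse(url):
    """Return (user, password, host, port), or the ValueError from parsing."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError when the port field is not numeric
    except ValueError as exc:
        return exc
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, port)


def round_trips(user, password, safe, host="10.0.0.9", port=5672):
    """True when parsing the built URL gives back exactly what went in."""
    return parse(build_url(user, password, host, port, safe)) == (
        user, password, host, port)


if __name__ == "__main__":
    # Constructed sample passwords; base64 output can contain '/' and '+'.
    for pw in ("pass/word", "123/word", "Zm9v/YmFy+QUJD"):
        for safe in ("/", ""):
            url = build_url("stackrabbit", pw, "10.0.0.9", 5672, safe)
            print("safe=%r %-50s -> %r" % (safe, url, parse(url)))
```

A round-trip check like `round_trips()` is a cheap pre-flight test for generated credentials before they are written into a transport URL.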

Changed in oslo.messaging:
status: In Progress → Fix Committed
Changed in oslo.messaging:
milestone: none → 2.1.0
status: Fix Committed → Fix Released