Fuel for OpenStack

Ostf fail to start if plain http is disabled on master node

Bug #1530318 reported by Tatyanka
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Released
High
Artem Roma
Fuel for OpenStack 9.0
8.0.x
Fix Released
High
Artem Roma
Fuel for OpenStack 8.0

Bug Description

Steps:
1.Deploy master node
2. Disable plain http by:
add to the /etc/fuel/astute.yaml
"SSL":
      "force_https": "true"
3. Restart nginx container

Actual result:
OSTF continue to use http to communication to nailgun api, as result it failed to start:

2015-12-31 11:30:54 ERROR (hooks) Pecan state <pecan.core.RoutingState object at 0x3948890>
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/pecan/core.py", line 678, in __call__
    self.invoke_controller(controller, args, kwargs, state)
  File "/usr/lib/python2.7/site-packages/pecan/core.py", line 572, in invoke_controller
    result = controller(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/fuel_plugin/ostf_adapter/wsgi/controllers.py", line 58, in get
    mixins.discovery_check(request.session, cluster, request.token)
  File "/usr/lib/python2.7/site-packages/fuel_plugin/ostf_adapter/mixins.py", line 68, in discovery_check
    cluster_attrs = _get_cluster_attrs(cluster_id, token=token)
  File "/usr/lib/python2.7/site-packages/fuel_plugin/ostf_adapter/mixins.py", line 127, in _get_cluster_attrs
    response = REQ_SES.get(request_url).json()
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 594, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 196, in resolve_redirects
    **adapter_kwargs
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "361"
  build_id: "361"
  fuel-nailgun_sha: "53c72a9600158bea873eec2af1322a716e079ea0"
  python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
  fuel-agent_sha: "7463551bc74841d1049869aaee777634fb0e5149"
  fuel-nailgun-agent_sha: "92ebd5ade6fab60897761bfa084aefc320bff246"
  astute_sha: "c7ca63a49216744e0bfdfff5cb527556aad2e2a5"
  fuel-library_sha: "ba8063d34ff6419bddf2a82b1de1f37108d96082"
  fuel-ostf_sha: "889ddb0f1a4fa5f839fd4ea0c0017a3c181aa0c1"
  fuel-mirror_sha: "8adb10618bb72bb36bb018386d329b494b036573"
  fuelmenu_sha: "824f6d3ebdc10daf2f7195c82a8ca66da5abee99"
  shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
  network-checker_sha: "9f0ba4577915ce1e77f5dc9c639a5ef66ca45896"
  fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
  fuelmain_sha: "07d5f1c3e1b352cb713852a3a96022ddb8fe2676"

Tatyanka (tatyana-leontovich)
Changed in fuel:
assignee: Fuel QA Team (fuel-qa) → Fuel Python Team (fuel-python)
Artem Roma (aroma-x)
Changed in fuel:
status: New → Confirmed
Dmitry Pyzhov (dpyzhov)
tags: added: team-bugfix
removed: area-qa
Artem Roma (aroma-x)
Changed in fuel:
assignee: Fuel Python Team (fuel-python) → Artem Roma (aroma-x)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ostf (master)

Fix proposed to branch: master
Review: https://review.openstack.org/269163

Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ostf (master)

Reviewed: https://review.openstack.org/269163
Committed: https://git.openstack.org/cgit/openstack/fuel-ostf/commit/?id=50095b1bdc82bbf5d2eeab0a90d4f6afa2ed65b3
Submitter: Jenkins
Branch: master

commit 50095b1bdc82bbf5d2eeab0a90d4f6afa2ed65b3
Author: Artem Roma <email address hidden>
Date: Mon Jan 18 18:04:32 2016 +0200

    Disable ssl certificate verification for ostf_adapter utils

    Now there is possibility to enable ssl for nginx by adding 'flat_https'
    option to fuel settings (/etc/fuel/astute.yaml on the master node).
    Since ostf adapter performs http requests to nailgun in order to obtain
    particular info from it, ssl cerificate that is used by nginx should be
    processed in the case, but since the certificate is self-signed, its
    verification has to be disabled, otherwise this action will fail.

    Change-Id: I98733ba57e87c3b59aeddc4f1e601a5518aeb439
    Closes-Bug: #1530318

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-ostf (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/270722

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-ostf (stable/8.0)

Reviewed: https://review.openstack.org/270722
Committed: https://git.openstack.org/cgit/openstack/fuel-ostf/commit/?id=5ce101d641ecdb31679c9e12b2a2bca21bfcd124
Submitter: Jenkins
Branch: stable/8.0

commit 5ce101d641ecdb31679c9e12b2a2bca21bfcd124
Author: Artem Roma <email address hidden>
Date: Mon Jan 18 18:04:32 2016 +0200

    Disable ssl certificate verification for ostf_adapter utils

    Now there is possibility to enable ssl for nginx by adding 'flat_https'
    option to fuel settings (/etc/fuel/astute.yaml on the master node).
    Since ostf adapter performs http requests to nailgun in order to obtain
    particular info from it, ssl cerificate that is used by nginx should be
    processed in the case, but since the certificate is self-signed, its
    verification has to be disabled, otherwise this action will fail.

    Change-Id: I98733ba57e87c3b59aeddc4f1e601a5518aeb439
    Closes-Bug: #1530318
    (cherry picked from commit 50095b1bdc82bbf5d2eeab0a90d4f6afa2ed65b3)

Dmitriy Kruglov (dkruglov)
tags: added: on-verification
Revision history for this message
Dmitriy Kruglov (dkruglov) wrote :

Verification is blocked by https://bugs.launchpad.net/fuel/+bug/1530318.

tags: removed: on-verification
Revision history for this message
Dmitriy Kruglov (dkruglov) wrote :

Mistakenly put an incorrect link to the blocker, the actual blocker is https://bugs.launchpad.net/fuel/+bug/1538977.

Revision history for this message
Dmitriy Kruglov (dkruglov) wrote :

Verified on MOS 8.0, build 515. The issue is fixed.

ISO details:
VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "515"
  build_id: "515"
  fuel-nailgun_sha: "c363c742bf3a7e7881239c8819ff5c6622f90625"
  python-fuelclient_sha: "4f234669cfe88a9406f4e438b1e1f74f1ef484a5"
  fuel-agent_sha: "658be72c4b42d3e1436b86ac4567ab914bfb451b"
  fuel-nailgun-agent_sha: "b2bb466fd5bd92da614cdbd819d6999c510ebfb1"
  astute_sha: "b81577a5b7857c4be8748492bae1dec2fa89b446"
  fuel-library_sha: "4a783e271a0c4b889d16b66dd8410766b2b00813"
  fuel-ostf_sha: "5fe41945c2a49f26c849df1fd46329f6db1ab6b0"
  fuel-mirror_sha: "eea143f2c6ed91dcaf55bc0911677f6fdc5a9133"
  fuelmenu_sha: "12227354aec1d38f7f51042df64cca59fa7a95f1"
  shotgun_sha: "63645dea384a37dde5c01d4f8905566978e5d906"
  network-checker_sha: "a43cf96cd9532f10794dce736350bf5bed350e9d"
  fuel-upgrade_sha: "616a7490ec7199f69759e97e42f9b97dfc87e85b"
  fuelmain_sha: "c5aac6c0b8d2a37147fdd6e6b78df4ad2ad90e31"

Revision history for this message
Mikhail Samoylov (msamoylov) wrote :

Verification passed in fuel version 9.0 (fuel-9.0-97-2016-03-22_08-00-00.iso)

1. Disable plain http for nailgun
          Add to the /etc/fuel/astute.yaml
         "SSL":
             "force_https": "true"

2. Apply puppet job puppet apply /etc/puppet/liberty-9.0/modules/fuel/examples/nginx_services.pp
3. create cluster :
       Ubuntu
       neutron vlab
       1 controller
       1 compute
       1 cinder

        and deploy it
3 Go to ostf tab in UI
4. Run OSTF

Changed in fuel:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.