[Sahara][SSL] Sahara uses public url to access swift binaries

Bug #1535276 reported by Evgeny Sikachev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mirantis OpenStack | Fix Released | High | Vitalii Gridnev |
9.x | Fix Released | High | Vitalii Gridnev |

Bug Description

ENVIRONMENT: MOS 8.0 ISO 429

STEPS TO REPRODUCE:
1. Create environment with sahara
2. Deploy environment with sahara
3. Create cluster from TEMPLATE
4. Run any job with job binaries from swift

EXPECTED RESULT:
Job passed

ACTUAL RESULT:
Job has KILLED state

TEMPLATE:
clusters:
  - plugin_name: vanilla
    plugin_version: 2.7.1
    image: ${vanilla_two_seven_one_image}
    node_group_templates:
      - name: worker-dn-nm
        flavor: ${ci_flavor_id}
        node_processes:
          - datanode
          - nodemanager
        volumes_per_node: 2
        volumes_size: 2
        auto_security_group: true
      - name: worker-nm
        flavor: ${ci_flavor_id}
        node_processes:
          - nodemanager
        auto_security_group: true
      - name: worker-dn
        flavor: ${ci_flavor_id}
        node_processes:
          - datanode
        volumes_per_node: 2
        volumes_size: 2
        auto_security_group: true
      - name: master-rm-nn-hvs
        flavor: ${ci_flavor_id}
        node_processes:
          - namenode
          - resourcemanager
          - hiveserver
          - nodemanager
        auto_security_group: true
      - name: master-oo-hs-sn
        flavor: ${ci_flavor_id}
        node_processes:
          - oozie
          - historyserver
          - secondarynamenode
          - nodemanager
        auto_security_group: true
        is_proxy_gateway: ${is_proxy_gateway}
    cluster_template:
      name: vanilla271
      node_group_templates:
        master-rm-nn-hvs: 1
        master-oo-hs-sn: 1
        worker-dn-nm: 2
        worker-dn: 1
        worker-nm: 1
      cluster_configs:
        HDFS:
          dfs.replication: 1

Sahara always uses the keystone public auth url to access swift objects. There is no way to override this value, which causes issues in cases when it's required to use the internalUrl auth url. Links for reference:

[0] https://github.com/openstack/sahara/blob/master/sahara/utils/openstack/swift.py#L69
[1] https://github.com/openstack/sahara/blob/master/sahara/swift/utils.py#L36

Upstream-bug: https://bugs.launchpad.net/sahara/+bug/1535105

Tags: area-sahara
Roman Podoliaka (rpodolyaka) wrote :

Hmm, and why is using publicURL an issue here? Isn't keystone available on publicURL?

tags: removed: sahara
Changed in mos:
status: New → Incomplete
Vitalii Gridnev (vgridnev) wrote :

Roman, publicURL is secured by SSL. Also, with other services sahara communicates on internalURL.

summary: - [Sahara] Sahara uses public url to access swift binaries
+ [Sahara][SSL] Sahara uses public url to access swift binaries
Changed in mos:
status: Incomplete → New
Roman Podoliaka (rpodolyaka) wrote :

It *can* be secured by means of SSL, but so can internalURL. So maybe we are fixing symptoms instead of fixing the root cause here.

I'm not against changing the URL to the internal one, but I think the bigger question is why SSL communication was broken in the first place.

Changed in mos:
status: New → Incomplete
Vitalii Gridnev (vgridnev) wrote :

It was broken because there is no reference to valid certificates in sahara. So, there are two ways to fix the issue: use the internal keystone url, or links to certificates should be added to the sahara.conf sample.

Changed in mos:
status: Incomplete → New
Sergey Reshetnyak (sreshetniak) wrote :

We have two ways of fixing the bug:
1. Use internalURL
2. Use SSL certificate for public endpoint

Changed in mos:
status: New → Triaged
importance: Undecided → High
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/sahara (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Vitaly Gridnev <email address hidden>
Review: https://review.fuel-infra.org/16284

Changed in mos:
status: Triaged → In Progress
Vitalii Gridnev (vgridnev) wrote :
Roman Podoliaka (rpodolyaka) wrote :

FWIW, I think there are two different problems here:

1) broken SSL client without certificates

2) usage of publicURL between services *within* the cloud

We are trying to work around the former by fixing the latter. IMO, what we should be doing is fixing both separately, and this particular bug is about 1). And we could probably postpone fixing of 2) for later.
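
The two problems separated in the comment above, kept as two independent decisions in an added example (not Sahara's code and not part of the original thread): which catalog interface to use, and how the TLS client verifies an https endpoint. The catalog contents, hostnames and function names are constructed for illustration, using the Keystone v2-style `publicURL`/`internalURL` keys named in the thread.

```python
import ssl
from urllib.parse import urlsplit

# Constructed Keystone v2-style service catalog; hosts and addresses are made up.
SAMPLE_CATALOG = [
    {"type": "identity", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "https://public.cloud.example:5000/v2.0",
        "internalURL": "http://192.0.2.10:5000/v2.0"}]},
    {"type": "object-store", "endpoints": [{
        "region": "RegionOne",
        "publicURL": "https://public.cloud.example:8080/v1/AUTH_demo",
        "internalURL": "http://192.0.2.10:8080/v1/AUTH_demo"}]},
]


def pick_endpoint(catalog, service_type, interface="internalURL", region=None):
    """Problem 2: choose the interface explicitly instead of hardcoding public."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for endpoint in service.get("endpoints", []):
            if region is not None and endpoint.get("region") != region:
                continue
            if endpoint.get(interface):
                return endpoint[interface]
    raise LookupError("no %s endpoint for service %r" % (interface, service_type))


def tls_context_for(url, ca_file=None):
    """Problem 1: an https endpoint always gets a verifying context.

    A private CA is handled by passing its bundle as ca_file; certificate
    and hostname checks stay enabled either way. Plain http returns None.
    """
    if urlsplit(url).scheme != "https":
        return None
    return ssl.create_default_context(cafile=ca_file)


def connection_plan(catalog, service_type, interface, ca_file=None):
    """Return (url, ssl_context_or_None) for one service and interface."""
    url = pick_endpoint(catalog, service_type, interface)
    return url, tls_context_for(url, ca_file)


if __name__ == "__main__":
    for iface in ("publicURL", "internalURL"):
        url, ctx = connection_plan(SAMPLE_CATALOG, "identity", iface)
        print(iface, url, "TLS verified" if ctx else "no TLS")
```

Switching the interface only avoids the certificate problem while the internal endpoint is plain http; if the internal endpoint is later moved to https, the same CA bundle question returns.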

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/sahara (openstack-ci/fuel-8.0/liberty)

Reviewed: https://review.fuel-infra.org/16284
Submitter: Pkgs Jenkins <email address hidden>
Branch: openstack-ci/fuel-8.0/liberty

Commit: da2a385c5ab31a4a04ff2f923176a57b822b1216
Author: Vitaly Gridnev <email address hidden>
Date: Wed Jan 20 08:20:57 2016

Use internal auth url to communicate with swift

Change-Id: Ie482c006531bc1b31ee9ac380834b88d748b3557
Closes-bug: 1535276
(cherry picked from commit edd4fd9d7f462b714b9a810ee6205f5ca70d0d56)

Changed in mos:
status: In Progress → Fix Committed
Evgeny Sikachev (esikachev) wrote :

verified on 496 iso

Changed in mos:
status: Fix Committed → Fix Released
Evgeny Sikachev (esikachev) wrote :

verified on iso 201 mos 9.0
