OpenStack-Ansible

openrc --insecure aliases are broken with venvs

Bug #1553796 reported by Logan V on 2016-03-06

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Invalid	Undecided	Travis Truman
	Liberty	Fix Released	Medium	Travis Truman	OpenStack-Ansible 12.0.8
	Trunk	Invalid	Undecided	Travis Truman

Bug Description

openrc_insecure: true is broken with some services using venvs, because of the way the openrc is implementing --insecure.

# Convenience Aliases for Self-Signed Certs
alias cinder='cinder --insecure'

However this task does not use the alias,
- name: Add in cinder devices types
  shell: |
    . {{ ansible_env.HOME }}/openrc
    {{ cinder_bin }}/cinder type-create "{{ item.0 }}"
    {{ cinder_bin }}/cinder type-key "{{ item.0 }}" set volume_backend_name="{{ item.1.volume_backend_name }}"

So when using self signed cert on keystone it will always fail:
ERROR: SSL exception connecting to https://int-lb.osdev.corp.lsn:5000/v3/auth/tokens: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Revision history for this message

Rahul U Nair (rahulunair) wrote on 2016-03-06:

#1

I could not find this snipped in the project, could you please provide a link to the same. In the project openstack-ansible-os_cinder,
there is a similar code, but it uses the --insecure option which enables keystone to use self signed certs. Please find:
https://github.com/openstack/openstack-ansible-os_cinder/blob/a20041d7da60eedc225d933c10ac572d84da20d0/tasks/cinder_backends.yml#L30

If it is something else, kindly give the link for the same.

Revision history for this message

Logan V (loganv) wrote on 2016-03-07:

#2

Appears to be fixed in master, however liberty is broken: https://github.com/openstack/openstack-ansible/blob/liberty/playbooks/roles/os_cinder/tasks/cinder_backends.yml#L30-L31

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-07: Fix proposed to openstack-ansible (liberty)

#3

Fix proposed to branch: liberty
Review: https://review.openstack.org/289615

Travis Truman (travis-truman) on 2016-03-07

Changed in openstack-ansible:
assignee:	nobody → Travis Truman (travis-truman)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-09: Fix merged to openstack-ansible (liberty)

#4

Reviewed: https://review.openstack.org/289615
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=d5a388068db0d987d6246bb27d71d999c082d704
Submitter: Jenkins
Branch: liberty

commit d5a388068db0d987d6246bb27d71d999c082d704
Author: Travis Truman <email address hidden>
Date: Mon Mar 7 18:08:14 2016 -0500

Fix cinder client --insecure call when adding device types

Change-Id: If56b955ed1234db6a11c0e82a42bb726e4bdfd9a
Closes-Bug: 1553796

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-03-18: Fix included in openstack/openstack-ansible 12.0.8

#5

This issue was fixed in the openstack/openstack-ansible 12.0.8 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-03-30: Fix included in openstack/openstack-ansible 12.0.9

#6

This issue was fixed in the openstack/openstack-ansible 12.0.9 release.

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-05-03: Fix included in openstack/openstack-ansible 12.0.11

#7

This issue was fixed in the openstack/openstack-ansible 12.0.11 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/openstack-ansible 12.0.8

#8

This issue was fixed in the openstack/openstack-ansible 12.0.8 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.