glance_store

Failure to upload to swift when keystone uses "insecure" SSL

Bug #1606268 reported by Vincent Untz
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
glance_store
Fix Released
Undecided
Unassigned
Queens
Fix Released
Undecided
Unassigned

Bug Description

I get this:

2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data [req-014d52e1-348b-4ae0-8613-e0b09c4f3bbc 284da4f3fda54753bf62f25f7b638e92 7850f21ce6234a52ab097eb108f1d870 - - -] Failed to upload image data due to internal error
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data Traceback (most recent call last):
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/api/v2/image_data.py", line 114, in upload
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data image.set_data(data, size)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/domain/proxy.py", line 195, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data self.base.set_data(data, size)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/notifier.py", line 449, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data _send_notification(notify_error, 'image.upload', msg)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 220, in __exit__
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data self.force_reraise()
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 196, in force_reraise
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data six.reraise(self.type_, self.value, self.tb)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/notifier.py", line 396, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data self.repo.set_data(data, size)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/api/policy.py", line 192, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data return self.image.set_data(*args, **kwargs)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/quota/__init__.py", line 298, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data self.image.set_data(data, size=size)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance/location.py", line 426, in set_data
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data verifier=verifier)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/backend.py", line 371, in add_to_backend
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data verifier)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/backend.py", line 344, in store_add_to_backend
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data verifier=verifier)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/capabilities.py", line 226, in op_checker
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data return store_op_fun(store, *args, **kwargs)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/_drivers/swift/store.py", line 532, in add
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data allow_reauth=need_chunks) as manager:
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/_drivers/swift/store.py", line 1170, in get_manager_for_store
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data store, store_location, context, allow_reauth)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/_drivers/swift/connection_manager.py", line 64, in __init__
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data self.storage_url = self._get_storage_url()
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data File "/usr/lib/python2.7/site-packages/glance_store/_drivers/swift/connection_manager.py", line 160, in _get_storage_url
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data raise exceptions.BackendException(msg)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data BackendException: Cannot find swift service endpoint : SSL exception connecting to https://controller:5000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
2016-07-25 13:52:04.314 25738 ERROR glance.api.v2.image_data
2016-07-25 13:52:04.340 25738 ERROR glance.common.wsgi [req-014d52e1-348b-4ae0-8613-e0b09c4f3bbc 284da4f3fda54753bf62f25f7b638e92 7850f21ce6234a52ab097eb108f1d870 - - -] Caught error: Cannot find swift service endpoint : SSL exception connecting to https://controller:5000/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Tags: swift
Revision history for this message
Ian Cordasco (icordasc) wrote :

The connection to the server can be made without verification by setting

    swift_store_auth_insecure = True

Or you can provide a certificate bundle with the certificate chain using

    swift_store_cacert = /path/to/bundle.pem

tags: added: swift
Changed in glance-store:
status: New → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (master)

Reviewed: https://review.openstack.org/346873
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=54b7ccbb9b3cc53dacb368c9953fc2677690d878
Submitter: Zuul
Branch: master

commit 54b7ccbb9b3cc53dacb368c9953fc2677690d878
Author: Vincent Untz <email address hidden>
Date: Mon Jul 25 16:51:42 2016 +0200

    Disable verification for Keystone session in Swift

    The swift backend did not make use of the insecure option in
    the config when creating a Keystone session, enable or disable
    verification based on it.

    Co-Authored-By: Steve Kowalik <email address hidden>
    Change-Id: Ic783afde7ae8af522480996fdf91ed54e02e72d2
    Closes-Bug: #1606268

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store 0.25.0

This issue was fixed in the openstack/glance_store 0.25.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance_store (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/637870

Erno Kuvaja (jokke)
no longer affects: glance-store/rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (stable/queens)

Reviewed: https://review.openstack.org/637870
Committed: https://git.openstack.org/cgit/openstack/glance_store/commit/?id=39b092d8355f25f35d739f831a25b878d05abe16
Submitter: Zuul
Branch: stable/queens

commit 39b092d8355f25f35d739f831a25b878d05abe16
Author: Vincent Untz <email address hidden>
Date: Mon Jul 25 16:51:42 2016 +0200

    Disable verification for Keystone session in Swift

    The swift backend did not make use of the insecure option in
    the config when creating a Keystone session, enable or disable
    verification based on it.

    Co-Authored-By: Steve Kowalik <email address hidden>
    Change-Id: Ic783afde7ae8af522480996fdf91ed54e02e72d2
    Closes-Bug: #1606268
    (cherry picked from commit 54b7ccbb9b3cc53dacb368c9953fc2677690d878)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store queens-eol

This issue was fixed in the openstack/glance_store queens-eol release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.