Fails to deploy when specifying secret from a file

Bug #1868645 reported by Yoshi Kadokawa
This bug affects 2 people
Affects: OpenStack Dashboard Charm
Status: Fix Released
Importance: Undecided
Assigned to: Vern Hart

Bug Description

When specifying secret from a file, for example like this:

secret: include-file://openstack-dashboard-secret.txt

you will see the following error in the juju logs and the deployment will fail.

2020-03-24 02:04:05 INFO juju-log shared-db:5: Wrote template /usr/share/openstack-dashboard/openstack_dashboard/enabled/_40_router.py.
2020-03-24 02:04:06 DEBUG shared-db-relation-changed Traceback (most recent call last):
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/share/openstack-dashboard/manage.py", line 25, in <module>
2020-03-24 02:04:06 DEBUG shared-db-relation-changed execute_from_command_line(sys.argv)
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
2020-03-24 02:04:06 DEBUG shared-db-relation-changed utility.execute()
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 308, in execute
2020-03-24 02:04:06 DEBUG shared-db-relation-changed settings.INSTALLED_APPS
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 56, in __getattr__
2020-03-24 02:04:06 DEBUG shared-db-relation-changed self._setup(name)
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 41, in _setup
2020-03-24 02:04:06 DEBUG shared-db-relation-changed self._wrapped = Settings(settings_module)
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 110, in __init__
2020-03-24 02:04:06 DEBUG shared-db-relation-changed mod = importlib.import_module(self.SETTINGS_MODULE)
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
2020-03-24 02:04:06 DEBUG shared-db-relation-changed __import__(name)
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/share/openstack-dashboard/openstack_dashboard/settings.py", line 382, in <module>
2020-03-24 02:04:06 DEBUG shared-db-relation-changed from local.local_settings import * # noqa: F403,H303
2020-03-24 02:04:06 DEBUG shared-db-relation-changed File "/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py", line 134
2020-03-24 02:04:06 DEBUG shared-db-relation-changed SECRET_KEY = "encryptcookieswithme
2020-03-24 02:04:06 DEBUG shared-db-relation-changed ^
2020-03-24 02:04:06 DEBUG shared-db-relation-changed SyntaxError: EOL while scanning string literal

This happens when you create openstack-dashboard-secret.txt with any of the editors I have checked (vim, nano, vscode, etc.).

Here is the bundle that I have used to reproduce this issue.
https://pastebin.ubuntu.com/p/gxBdfwjFd4/

For now, you can work around this issue by creating the file with printf so that it does not have a line break at the end.

$ printf "encryptcookieswithme" > openstack-dashboard-secret.txt

Vern Hart (vern) wrote :

The charm should definitely strip whitespace (or at least newlines) off the end of the secret config value.

Andre Ruiz (andre-ruiz) wrote :

It seems this option could be entirely omitted, since it generates a secret anyway:

"secret": config('secret') or pwgen()

Vern Hart (vern) wrote :

The charm config.yaml says:

    Secret for Horizon to use when securing internal data;
    set this when using multiple dashboard units.

And in the README when talking about HA methods, it says:

    Whichever method has been used to cluster the charm the 'secret'
    option should be set to ensure that the Django secret is
    consistent across all units.

I think that means it doesn't share the secret between units in a multi-unit scenario.

Vern Hart (vern) wrote :

From what I can discern, this could be resolved in a couple of different ways. We include secrets within the bundle for a few different charms.

1. Some charms will use .strip() to eliminate any errant newlines. (Like canonical-livepatch.)
2. Other charms don't quote the strings when rendering the templates. (Like keystone-ldap.) This causes an extra newline after the config value but blank lines are usually okay in most config files.

The latter might work fine in most situations (even when there are special characters in the secret) but it seems safer to have quotes.

Therefore, I propose stripping the string.
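
The failure in the traceback and the two rendering options weighed in the comment above, as an added example that is not the charm's code or part of the original thread. The template string, function names and sample secrets are assumptions constructed for illustration, and the example goes slightly beyond the thread by also emitting the value with repr().

```python
# Added example, not the charm's code. TEMPLATE is a simplified stand-in
# (assumption) for the rendered local_settings.py line seen in the traceback.
TEMPLATE = 'SECRET_KEY = "{secret}"\n'

# Constructed sample: what an editor-saved secret file yields (trailing newline).
FILE_VALUE = "encryptcookieswithme\n"


def render_quoted(secret, strip=False):
    """Interpolate the secret between double quotes, optionally stripping it."""
    if strip:
        secret = secret.strip()
    return TEMPLATE.format(secret=secret)


def render_literal(secret):
    """Emit the stripped secret as a Python literal via repr(), which escapes
    quotes and backslashes instead of trusting the value to be quote-safe."""
    return "SECRET_KEY = {!r}\n".format(secret.strip())


def load_secret_key(source):
    """Compile and execute rendered settings text; return SECRET_KEY,
    or the SyntaxError message if the text is not valid Python."""
    try:
        code = compile(source, "local_settings.py", "exec")
    except SyntaxError as exc:
        return "SyntaxError: {}".format(exc.msg)
    namespace = {}
    exec(code, namespace)
    return namespace["SECRET_KEY"]


if __name__ == "__main__":
    # Unstripped: the newline lands inside the quotes, as in the bug report.
    print(load_secret_key(render_quoted(FILE_VALUE)))
    # Stripped: the settings line parses and the key has no trailing newline.
    print(load_secret_key(render_quoted(FILE_VALUE, strip=True)))
    # Constructed secret with a quote and backslash: repr() keeps it intact.
    print(load_secret_key(render_literal('pa"ss\\word\n')))
```

Stripping fixes the trailing-newline case reported here; a secret containing a double quote still breaks the plain quoted template, which the repr() variant avoids.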

Vern Hart (vern)
Changed in charm-openstack-dashboard:
assignee: nobody → Vern Hart (vern)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-openstack-dashboard (master)

Reviewed: https://review.opendev.org/738540
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=9a84700110c3dea431ff7f041f0f4c5dcd2f888e
Submitter: Zuul
Branch: master

commit 9a84700110c3dea431ff7f041f0f4c5dcd2f888e
Author: Vern Hart <email address hidden>
Date: Mon Jun 29 20:09:26 2020 -0600

    strip newlines and whitespace from user-supplied secret
    Closes-Bug: 1868645

    Change-Id: Ie287553cd73b634961485dfcb067283bd48ad10b

Changed in charm-openstack-dashboard:
status: In Progress → Fix Committed
James Page (james-page)
Changed in charm-openstack-dashboard:
milestone: none → 20.08
Changed in charm-openstack-dashboard:
status: Fix Committed → Fix Released