For SSL communication to Glance, Ceilometer does not use cert when creating a glanceclient object

Bug #1245602 reported by Sameer Adhikari
This bug affects 1 person

Affects: Ceilometer
Status: Confirmed
Importance: Medium
Assigned to: Sameer Adhikari
Milestone: (not set)

Bug Description

Our glance endpoint is set up to allow only SSL connections. In image/glance.py when ceilometer creates an instance of the glance client, it uses the call glanceclient.Client('1', endpoint, token=ksclient.auth_token) in the get_glance_client(ksclient) function.

I have modified the code to make it work in our production environment.

from oslo.config import cfg
import glanceclient
...

def get_glance_client(ksclient):
    ...  # endpoint lookup elided in the original post
    # Reuse the CA bundle configured for the kombu (RabbitMQ) client so that
    # glanceclient can verify the certificate of the https image endpoint.
    if cfg.CONF.kombu_ssl_ca_certs:
        return glanceclient.Client('1', endpoint, token=ksclient.auth_token,
                                   cacert=cfg.CONF.kombu_ssl_ca_certs)
    else:
        return glanceclient.Client('1', endpoint, token=ksclient.auth_token)

Now I am able to connect using SSL.

If this is accepted as a valid bug, I can submit my code change for git review.

Thanks,
Sameer

Julien Danjou (jdanjou) wrote:

This is a valid bug, but your fix isn't a correct one. There should be a different set of CA for this, maybe the one from Keystone.

Changed in ceilometer:
status: New → Confirmed
importance: Undecided → Medium
tags: added: havana-backport-potential
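To make the choice Julien raises concrete, here is an added example of mine (not Ceilometer's code and not the reporter's patch). It parses a ceilometer.conf-style fragment, picks which CA bundle the glance client should verify against, and fails early when the configured bundle is unusable, instead of letting glanceclient hit an opaque TLS error. The option name [DEFAULT] kombu_ssl_ca_certs comes from the report; [service_credentials] os_cacert is a hypothetical name standing in for the dedicated CA option the comment asks for, which the page does not name. The endpoint URLs and config text are constructed for the example.

```python
# Added example, not code from the Ceilometer tree or from the reporter's
# patch.  It shows the decision this bug is about: which CA bundle to hand
# to glanceclient for an https image endpoint, and how to catch a bad CA
# setting up front instead of as an opaque TLS failure at collection time.
#
# Assumed option names: [DEFAULT] kombu_ssl_ca_certs as in the report, and a
# hypothetical [service_credentials] os_cacert standing in for the dedicated
# CA option Julien's comment asks for (the page does not name one).
import configparser
import os
import tempfile
from urllib.parse import urlsplit


class CaConfigError(Exception):
    """A CA bundle is configured but cannot be used for verification."""


def load_conf(text):
    """Parse a ceilometer.conf-style INI fragment."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def resolve_cacert(conf):
    """Choose the CA bundle for outbound service calls.

    The dedicated service-credentials CA (hypothetical name) wins over the
    RabbitMQ/kombu CA that the reporter's patch reuses.  None means neither
    is set and the client is left to whatever trust store it defaults to.
    """
    dedicated = conf.get("service_credentials", "os_cacert", fallback="").strip()
    if dedicated:
        return dedicated
    return conf.get("DEFAULT", "kombu_ssl_ca_certs", fallback="").strip() or None


def check_ca_bundle(path):
    """Reject a bundle that is missing or holds no PEM certificate."""
    if not os.path.isfile(path):
        raise CaConfigError("CA bundle %s does not exist" % path)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        if "-----BEGIN CERTIFICATE-----" not in fh.read():
            raise CaConfigError("CA bundle %s contains no PEM certificate" % path)


def glance_client_kwargs(endpoint, token, conf):
    """Keyword arguments for glanceclient.Client('1', endpoint, **kwargs).

    For an https endpoint the bundle goes in as `cacert`.  `insecure` is
    never set here, so a broken CA setting is an error rather than a silent
    downgrade to an unverified connection.
    """
    kwargs = {"token": token}
    if urlsplit(endpoint).scheme.lower() != "https":
        return kwargs  # plain http: nothing to verify
    cacert = resolve_cacert(conf)
    if cacert is not None:
        check_ca_bundle(cacert)
        kwargs["cacert"] = cacert
    return kwargs


def demo():
    """Exercise the cases against constructed config text; returns pass flags."""
    # Constructed placeholder bundle: satisfies the PEM marker check only,
    # it is not a real CA certificate.
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n"
                 "-----END CERTIFICATE-----\n")
        bundle = fh.name
    try:
        kombu_conf = load_conf(
            "[DEFAULT]\nuse_ssl = True\nkombu_ssl_ca_certs = %s\n" % bundle)
        https_kwargs = glance_client_kwargs("https://glance.example:9292",
                                            "tok", kombu_conf)
        http_kwargs = glance_client_kwargs("http://glance.example:9292",
                                           "tok", kombu_conf)
        both_conf = load_conf(
            "[DEFAULT]\nkombu_ssl_ca_certs = /nonexistent/rabbit-ca.crt\n"
            "[service_credentials]\nos_cacert = %s\n" % bundle)
        missing_conf = load_conf(
            "[DEFAULT]\nkombu_ssl_ca_certs = /nonexistent/ca.crt\n")
        try:
            glance_client_kwargs("https://glance.example:9292", "tok",
                                 missing_conf)
            missing_rejected = False
        except CaConfigError:
            missing_rejected = True
    finally:
        os.unlink(bundle)
    return {
        "https_gets_kombu_ca": https_kwargs.get("cacert") == bundle,
        "http_has_no_cacert": "cacert" not in http_kwargs,
        "dedicated_ca_wins": resolve_cacert(both_conf) == bundle,
        "missing_bundle_rejected": missing_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The precedence in resolve_cacert is the point: reusing kombu_ssl_ca_certs works only while RabbitMQ and the image endpoint happen to chain to the same CA, so a dedicated service CA option, when one exists, should win.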
Sameer Adhikari (tri2sing) wrote:

I think the Keystone certs are used at the service endpoint, and the kombu_ca_cert is used by the client of any of the service. I have seen this approach, where a user app uses the ca_cert, work when it talks to Horizon using SSL.

Changed in ceilometer:
assignee: nobody → Sameer Adhikari (tri2sing)
Sameer Adhikari (tri2sing) wrote:

Forgot to add, I did try using the Keystone cert first. Without the ca_cert, Ceilometer was not even able to talk to Rabbit. This is what is in our config file for certs.

use_ssl = True
ssl_cert_file = /opt/openstack/ssl/cert.pem
ssl_key_file = /opt/openstack/ssl/key.pem
kombu_ssl_ca_certs = /etc/ssl/certs/ca-certificates.crt

Sameer Adhikari (tri2sing) wrote:

Here is a snippet from a script of mine that uses the novaclient.
The value I set for OS_CACERT in my .bashrc is
export OS_CACERT=/etc/ssl/certs/ca-certificates.crt

This is the same config as what I set for kombu_ssl_ca_certs in ceilometer.conf

#!/usr/bin/env python

from keystoneclient.v2_0 import client as ksc
from novaclient import client as nc
from novaclient import exceptions as nexc

import datetime
import os
import sys

# Midnight UTC of the current day (start of the reporting window).
today = datetime.datetime.utcnow()
today = today.replace(hour=0, minute=0, second=0, microsecond=0)

# Need an OS account that has admin access to all tenants
VERSION = 2


def get_kston_info():
    # Keystone credentials from the OS_* environment; OS_CACERT is the
    # CA bundle used to verify the https Keystone endpoint.
    d = {}
    d['username'] = os.environ['OS_USERNAME']
    d['password'] = os.environ['OS_PASSWORD']
    d['tenant_name'] = os.environ['OS_TENANT_NAME']
    d['auth_url'] = os.environ['OS_AUTH_URL']
    d['cacert'] = os.environ['OS_CACERT']
    return d


def get_nova_info():
    # Same credentials under novaclient's keyword names; the same CA
    # bundle is passed as cacert so nova's https endpoint is verified too.
    d = {}
    d['username'] = os.environ['OS_USERNAME']
    d['api_key'] = os.environ['OS_PASSWORD']
    d['project_id'] = os.environ['OS_TENANT_NAME']
    d['auth_url'] = os.environ['OS_AUTH_URL']
    d['cacert'] = os.environ['OS_CACERT']
    d['service_type'] = 'compute'
    d['no_cache'] = True
    return d


# Get the list of tenants from OpenStack
kstone = ksc.Client(**get_kston_info())
tenants = kstone.tenants.list()
tenantsdict = {tenant.id: tenant.name for tenant in tenants}
users = kstone.users.list()
usersdict = {user.id: {'name': user.name} for user in users}

nova = nc.Client(VERSION, **get_nova_info())

gordon chung (chungg) wrote: