encoded slashes being blocked by Apache

Bug #1717615 reported by Graham Burgess on 2017-09-15
This bug affects 1 person
Affects                      Importance  Assigned to
Charm Helpers                Undecided   Unassigned
OpenStack Heat               Undecided   Unassigned
OpenStack heat charm         Undecided   Unassigned
Ubuntu Cloud Archive         High        Unassigned
  Mitaka                     High        Unassigned
  Newton                     High        Unassigned
  Ocata                      High        Unassigned
python-heatclient (Ubuntu)   High        Unassigned
  Xenial                     High        Unassigned
  Zesty                      High        Unassigned

Bug Description

[Impact]
We came across a situation where we were unable to view resources in a stack inside Horizon. We traced it down to a communication problem with the Heat Apache frontend and Heat. After adjusting the log level for Apache, we came across the following error in the logs:

[client 213.173.193.177:33920] AH00026: found %2f (encoded '/') in URI (decoded='/v1/c064a39d602d4f42bc49e09057c97683/stacks/heat_test_foo/b5c125a3-d452-49a1-a12e-03e098fbb38c/resources/foo_vm-01'), returning 404

As a workaround, we currently added the following line to the /etc/apache/sites-enabled/openstack-https_frontend.conf on our Heat instance:

AllowEncodedSlashes On

It is worth noting we tried to use the NoDecode option as well and that it didn't resolve the problem.

[Test Case]
1. Deploy OpenStack with Juju
2. Enable Keystone v3: juju config keystone preferred-api-version=3
3. Enable SSL: juju config keystone https-service-endpoints=True
4. Add heat:
   - juju deploy heat
   - juju add-relation heat keystone
   - juju add-relation heat percona-cluster
   - juju add-relation heat rabbitmq-server
   - juju run-action heat/0 domain-setup
5. Deploy a stack:
    openstack stack create --parameter admin_pass=Ubuntu \
                           --parameter image=cirros-0.4.0 \
                           --parameter key_name=test \
                           --parameter network=network \
                           -t heat-basic.yaml heat_basic
6. Verify that it deploys: openstack stack list
7. Verify that heat works in OpenStack Dashboard
8. Verify that displaying Heat resources tab in OpenStack Dashboard does
   NOT work.

[Regression Potential]
Low. The patch being backported is from the upstream stable/pike branch. There were some minor adjustments required to apply the patch to earlier releases, but the patches are nearly identical.

tags: added: canonical-sysadmin
tags: added: canonical-bootstack
removed: canonical-sysadmin
Liam Young (gnuoy) wrote :

The OpenStack infra team appear to have hit the same issue: http://lists.openstack.org/pipermail/openstack-dev/2017-May/117312.html

Changed in charm-heat:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → High
Xav Paice (xavpaice) wrote :

I've added Heat and the Ubuntu Cloud Archive packages to this bug since the actual Apache config appears to be coming from the package itself. The charm cowboy applied to make the manual change stick was a charmhelpers change.

In charm/hooks/charmhelpers/contrib/openstack/templates, add:

{% if ext == "7994" %} AllowEncodedSlashes On {% endif %}

FWIW, Xenial, Mitaka.

Xav Paice (xavpaice) on 2017-09-18
affects: cloud-archive → charm-helpers
Rabi Mishra (rabi) wrote :

Historically heat needed 'AllowEncodedSlashes On' for httpd deployment. However, this was changed in pike heat (i.e. you don't need to set that flag). python-heatclient 1.10.0[1] includes the relevant fix. Not sure what version of heat and python-heatclient you're using.

[1] https://github.com/openstack/python-heatclient/commit/a625d3bb93a18193058a09cb7887e9cfa4ea9df0

Xav Paice (xavpaice) wrote :

This is Mitaka heat, so we won't have that change in place. That's a much better fix than working around it in charms though.

Any chance of a backport?

Corey Bryant (corey.bryant) wrote :

This appears to be completely fixed in python-heatclient by reverting to the default safe parameter for urllib quote calls [0] (default value is '/' - ie. specifies that '/' should not be quoted).

[0] https://docs.python.org/2/library/urllib.html#urllib.quote

The code base affected for python-heatclient seems to be very similar back to mitaka, so I think we can SRU this via the Ubuntu package.
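The quoting difference described in the comment above, shown as an added example (not code from python-heatclient or from this bug report). The helper names and the simplified model of Apache's AllowEncodedSlashes check are assumptions; the tenant, stack and resource values come from the log line in the bug description.

```python
import re
from urllib.parse import quote  # Python 3 home of urllib.quote; default safe="/"

# Values from the Apache log line in the bug description.
TENANT = "c064a39d602d4f42bc49e09057c97683"
STACK_ID = "heat_test_foo/b5c125a3-d452-49a1-a12e-03e098fbb38c"  # "<name>/<id>"
RESOURCE = "foo_vm-01"

ENCODED_SLASH = re.compile(r"%2f", re.IGNORECASE)


def resource_path(stack_id, resource, safe):
    """Hypothetical client helper: build the resource URL path, quoting the
    stack identifier with the given `safe` set (the parameter under discussion)."""
    return "/v1/{}/stacks/{}/resources/{}".format(
        TENANT, quote(stack_id, safe=safe), quote(resource, safe=""))


def apache_status(path, allow_encoded_slashes="Off"):
    """Simplified model (assumption) of the check behind AH00026: with the
    default 'Off', a path containing %2F is answered with 404 by Apache itself
    and never reaches the backend. 200 stands for 'forwarded to the backend'."""
    if allow_encoded_slashes == "Off" and ENCODED_SLASH.search(path):
        return 404
    return 200


def paths_needing_workaround(paths):
    """Return the request paths that only work if the server-side default
    is loosened with 'AllowEncodedSlashes On'."""
    return [p for p in paths if ENCODED_SLASH.search(p)]


def demo():
    before = resource_path(STACK_ID, RESOURCE, safe="")   # '/' is quoted too
    after = resource_path(STACK_ID, RESOURCE, safe="/")   # library default
    return {
        "before": before,
        "after": after,
        "before_default_apache": apache_status(before),
        "before_with_workaround": apache_status(before, "On"),
        "after_default_apache": apache_status(after),
        "needs_workaround": paths_needing_workaround([before, after]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the default `safe` value the client request passes an unmodified Apache configuration, so the `AllowEncodedSlashes On` workaround on the server is no longer needed.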

Changed in python-heatclient (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in python-heatclient (Ubuntu Artful):
status: Triaged → Fix Released
no longer affects: python-heatclient (Ubuntu Artful)
no longer affects: cloud-archive/pike
Changed in cloud-archive:
status: New → Invalid
status: Invalid → Fix Released
Changed in charm-helpers:
status: New → Invalid
Changed in heat:
status: New → Invalid
Changed in charm-heat:
status: Triaged → Invalid
importance: High → Undecided
Changed in cloud-archive:
importance: Undecided → High
Corey Bryant (corey.bryant) wrote :

Marked as invalid for charms and upstream heat since this looks to be limited to python-heatclient and is already fixed in upstream python-heatclient.

Changed in python-heatclient (Ubuntu Xenial):
importance: Undecided → High
status: New → Triaged
Changed in python-heatclient (Ubuntu Zesty):
importance: Undecided → High
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

New python-heatclient package versions have been uploaded to the zesty and xenial review queues and are awaiting SRU review, and have been uploaded to newton-staging awaiting promotion to newton-proposed:

https://launchpad.net/ubuntu/zesty/+queue?queue_state=1&queue_text=
https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/newton-staging

description: updated

Hello Graham, or anyone else affected,

Accepted python-heatclient into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-heatclient/1.8.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-heatclient (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in python-heatclient (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Graham, or anyone else affected,

Accepted python-heatclient into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-heatclient/1.1.0-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Corey Bryant (corey.bryant) wrote :

Hello Graham, or anyone else affected,

Accepted python-heatclient into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Corey Bryant (corey.bryant) wrote :

Hello Graham, or anyone else affected,

Accepted python-heatclient into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-mitaka-needed
Corey Bryant (corey.bryant) wrote :

Regression testing with OpenStack tempest has completed successfully:

xenial-ocata proposed stable charms:

======
Totals
======
Ran: 102 tests in 1742.1837 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 856.3288 sec.

xenial-ocata proposed dev charms:

======
Totals
======
Ran: 102 tests in 1987.3271 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 1008.6304 sec.

zesty-ocata proposed stable charms:

======
Totals
======
Ran: 102 tests in 1604.2247 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 843.3645 sec.

zesty-ocata proposed dev charms:

======
Totals
======
Ran: 102 tests in 1579.9423 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 867.0801 sec.

Corey Bryant (corey.bryant) wrote :

Hello Graham, or anyone else affected,

Accepted python-heatclient into newton-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:newton-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-newton-needed to verification-newton-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-newton-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-newton-needed
Frode Nordahl (fnordahl) wrote :

Completed verification for xenial by following the steps in the test case and verifying that the error is visible before upgrading to the proposed package and subsequently verifying that the error is no longer visible after upgrading to the proposed package.

description: updated
tags: added: verification-done-xenial
removed: verification-needed-xenial
description: updated
Frode Nordahl (fnordahl) on 2017-11-27
description: updated
Frode Nordahl (fnordahl) on 2017-11-27
description: updated
Corey Bryant (corey.bryant) wrote :

Regression testing was successful for mitaka.

Tempest results for trusty-mitaka-proposed:

======
Totals
======
Ran: 102 tests in 973.8648 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 542.0364 sec.

Tempest results for xenial-mitaka-proposed:

======
Totals
======
Ran: 102 tests in 965.9171 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 566.4337 sec.

tags: added: verification-done-zesty verification-ocata-done
removed: verification-needed-zesty verification-ocata-needed
tags: added: verification-mitaka-done
removed: verification-mitaka-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-heatclient - 1.1.0-2ubuntu1

---------------
python-heatclient (1.1.0-2ubuntu1) xenial; urgency=medium

  * d/p/dont-encode-path-separators.patch: Cherry-pick patch from upstream
    stable/pike branch to stop encoding of path separators as the are
    refused by Apache with 404s (LP: #1717615).

 -- Corey Bryant <email address hidden> Thu, 05 Oct 2017 14:08:55 -0400

Changed in python-heatclient (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for python-heatclient has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-heatclient - 1.8.0-0ubuntu3

---------------
python-heatclient (1.8.0-0ubuntu3) zesty; urgency=medium

  * d/p/dont-encode-path-separators.patch: Cherry-pick patch from upstream
    stable/pike branch to stop encoding of path separators as the are
    refused by Apache with 404s (LP: #1717615).

 -- Corey Bryant <email address hidden> Thu, 05 Oct 2017 13:56:03 -0400

Changed in python-heatclient (Ubuntu Zesty):
status: Fix Committed → Fix Released
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for python-heatclient has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-heatclient - 1.8.0-0ubuntu3~cloud0
---------------

 python-heatclient (1.8.0-0ubuntu3~cloud0) xenial-ocata; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-heatclient (1.8.0-0ubuntu3) zesty; urgency=medium
 .
   * d/p/dont-encode-path-separators.patch: Cherry-pick patch from upstream
     stable/pike branch to stop encoding of path separators as the are
     refused by Apache with 404s (LP: #1717615).

Corey Bryant (corey.bryant) wrote :

Regression testing has completed successfully.

xenial-newton proposed with dev charms:

======
Totals
======
Ran: 102 tests in 1453.8196 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 787.9013 sec.

xenial-newton proposed with stable charms:

======
Totals
======
Ran: 102 tests in 1571.3430 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 832.8255 sec.

tags: added: verification-newton-done
removed: verification-newton-needed
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for python-heatclient has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-heatclient - 1.4.0-0ubuntu1~cloud1
---------------

 python-heatclient (1.4.0-0ubuntu1~cloud1) xenial-newton; urgency=medium
 .
   * d/p/dont-encode-path-separators.patch: Cherry-pick patch from upstream
     stable/pike branch to stop encoding of path separators as the are
     refused by Apache with 404s (LP: #1717615).

Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for python-heatclient has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-heatclient - 1.1.0-2ubuntu1~cloud0
---------------

 python-heatclient (1.1.0-2ubuntu1~cloud0) trusty-mitaka; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-heatclient (1.1.0-2ubuntu1) xenial; urgency=medium
 .
   * d/p/dont-encode-path-separators.patch: Cherry-pick patch from upstream
     stable/pike branch to stop encoding of path separators as the are
     refused by Apache with 404s (LP: #1717615).
