cinder-api lost SSL in oslo.service wsgi move for M

Bug #1590901 reported by Martin Millnert
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Cinder | Fix Released | High | Justin A Wilson |
Fedora | New | Undecided | Justin A Wilson |

Bug Description

Following the move to wsgi eventlet server from oslo.service, cinder-api lost the ability to run the wsgi eventlet server with SSL on, that existed in Liberty:

liberty: 2016-06-09 18:54:21.663 4708 INFO eventlet.wsgi.server [-] (4708) wsgi starting up on https://0.0.0.0:8776
mitaka: 2016-06-09 18:25:28.911 26920 INFO eventlet.wsgi.server [-] (26920) wsgi starting up on http://0.0.0.0:8776

With otherwise identical config, including SSL options, etc. The change that migrated to oslo.service was https://github.com/openstack/cinder/commit/b4c8bb3912972a4417c9efa93cb209f5efe76a14 .

It's probably merely a question of picking up the config options and passing them along?

Tags: cinder-api ssl
summary: - oslo.service wsgi move in Mitaka lost SSL
+ cinder-api lost SSL in oslo.service wsgi move for M
Changed in cinder:
status: New → Confirmed
importance: Undecided → High
milestone: none → newton-3
Changed in cinder:
assignee: nobody → Justin A Wilson (justin-wilson)
Justin A Wilson (justin-wilson) wrote :

The code for turning on SSL for the Cinder API is there, even though there is no option to turn it on via the config file. I managed to enable it, but it caused issues with the Cinder client's and the OpenStack client's ability to connect to the endpoint. Furthermore, the OpenStack Security Guide (http://docs.openstack.org/security-guide/secure-communication/secure-reference-architectures.html) recommends that you encrypt the traffic by using an SSL/TLS-enabled proxy in between it anyways.

Changed in cinder:
status: Confirmed → In Progress
dyyang@cn.ibm.com (dyyang) wrote :

We just met the same issue when enabling SSL for cinder-api in the Newton release. Any progress or plan on fixing this?

Justin A Wilson (justin-wilson) wrote :

I'm still working at it. The cinder client seems to be using the wrong protocol (http). I'm currently looking into how it selects which protocol should be used.

Justin A Wilson (justin-wilson) wrote :

I was able to get SSL working, though you must modify the Cinder API endpoint and supply the CA file to the client each time you want to use it. Horizon's configuration must be updated as well, because it isn't aware that SSL is enabled for the cinder endpoint by default. So, the location of the CA file must be assigned to OPENSTACK_SSL_CACERT somewhere in local_settings.py so that Horizon can supply that to the Cinder client.

Justin A Wilson (justin-wilson) wrote :
Nicolas Bock (nicolasbock) wrote :

Justin, are you planning on backporting your fix for Mitaka?

Changed in cinder:
milestone: newton-3 → newton-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/352958
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=19544f781eadce8ad86fd4dab80f5e5439b3418a
Submitter: Jenkins
Branch: master

commit 19544f781eadce8ad86fd4dab80f5e5439b3418a
Author: Justin A Wilson <email address hidden>
Date: Tue Aug 9 17:59:59 2016 +0300

    Added config option to enable SSL

    Added option, osapi_volume_use_ssl, to the Cinder configuration that restores
    its capability of utilizing SSL to encrypt the traffic to and from
    the endpoint.

    Change-Id: I6ecd6eda1eb0300e53b3088cd36c7e22dc79240d
    Closes-Bug: 1590901
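
An added check, not part of the bug report or of Cinder's code: it compares what cinder.conf asks for with the scheme in the eventlet startup line, so the regression reported here surfaces as a finding after an upgrade. The `[ssl]` `cert_file`/`key_file` fallback, the certificate paths and the function names are assumptions of this example.

```python
import configparser
import re

# Startup line format as in the two log lines quoted in the bug report.
STARTUP_RE = re.compile(
    r"INFO eventlet\.wsgi\.server \[[^\]]*\] \(\d+\) wsgi starting up on "
    r"(?P<scheme>https?)://\S+:(?P<port>\d+)\s*$",
    re.M,
)


def tls_requested(conf_text):
    """True when cinder.conf asks for a TLS listener on the volume API."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if cp.getboolean("DEFAULT", "osapi_volume_use_ssl", fallback=False):
        return True
    # Assumption: where that option is absent, intent is inferred from
    # oslo.service's [ssl] cert_file and key_file both being set.
    return cp.has_section("ssl") and all(
        cp.get("ssl", key, fallback="").strip() for key in ("cert_file", "key_file")
    )


def latest_scheme(log_text, port=8776):
    """Scheme of the most recent wsgi startup on `port`, or None."""
    scheme = None
    for m in STARTUP_RE.finditer(log_text):
        if int(m["port"]) == port:
            scheme = m["scheme"]  # later lines in the log win
    return scheme


def audit(conf_text, log_text, port=8776):
    """Return 'ok', 'plaintext-listener' or 'no-startup-line'."""
    scheme = latest_scheme(log_text, port)
    if scheme is None:
        return "no-startup-line"
    if tls_requested(conf_text) and scheme != "https":
        return "plaintext-listener"
    return "ok"


# Constructed config (paths are placeholders); log lines are from the report.
CONF = "[ssl]\ncert_file = /etc/cinder/api.crt\nkey_file = /etc/cinder/api.key\n"
PREFIX = "INFO eventlet.wsgi.server [-]"
LIBERTY = f"2016-06-09 18:54:21.663 4708 {PREFIX} (4708) wsgi starting up on https://0.0.0.0:8776\n"
MITAKA = f"2016-06-09 18:25:28.911 26920 {PREFIX} (26920) wsgi starting up on http://0.0.0.0:8776\n"

if __name__ == "__main__":
    print(audit(CONF, LIBERTY), audit(CONF, MITAKA))  # ok plaintext-listener
```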

Changed in cinder:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 9.0.0.0rc1

This issue was fixed in the openstack/cinder 9.0.0.0rc1 release candidate.

Radoslav (radoslav-milanov) wrote :

Is this going to be fixed in Mitaka?

Edgar Magana (emagana) wrote :

We would like to have this back-ported to Mitaka. We are using https://repos.fedorapeople.org/repos/openstack/openstack-mitaka/

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/395159

OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (stable/mitaka)

Change abandoned by Justin A Wilson (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/395159
Reason: Messed up commit

Justin A Wilson (justin-wilson) wrote :

Successfully backported after screwing up the commands the first time

https://review.openstack.org/#/c/395159/

Changed in fedora:
assignee: nobody → Justin A Wilson (justin-wilson)
OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Justin A Wilson (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/395159
