SERVICE_IP_VERSION=6 doesn't work in devstack

Bug #1656329 reported by Brian Haley
This bug affects 2 people
Affects: devstack
Status: Fix Released
Importance: Medium
Assigned to: Dr. Jens Harbott

Bug Description

A couple of years ago, support for services running over IPv6 was added to devstack by adding SERVICE_IP_VERSION=6 to local.conf. Some changes have been added that have broken this; opening a bug to try and get some attention on fixing it.

I'll assign it to myself at first to try and get the ball rolling.

Changed in devstack:
assignee: nobody → Brian Haley (brian-haley)
Changed in devstack:
status: New → In Progress
Sean Dague (sdague) wrote :

No reviews found in this bug, unassigning. Please add a comment with active reviews before assigning an individual, or tag the bug in the gerrit review, which will do that automatically.

Changed in devstack:
assignee: Brian Haley (brian-haley) → nobody
status: In Progress → New
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/505129

Changed in devstack:
assignee: nobody → Dr. Jens Harbott (j-harbott)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/505168

Dr. Jens Harbott (j-harbott) wrote :

If I'm not doing something really stupid, we need proper support in urllib3 first ... https://github.com/shazow/urllib3/issues/1269

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/505502

OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (master)

Reviewed: https://review.openstack.org/505129
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=b2330c89196c65662fcf98a2295b7e41b1652b28
Submitter: Jenkins
Branch: master

commit b2330c89196c65662fcf98a2295b7e41b1652b28
Author: Jens Harbott <email address hidden>
Date: Tue Sep 19 09:10:21 2017 +0000

    Fix memcached_servers setting

    By default memcached is bound to 127.0.0.1 and we have no code in place
    to change that. So instead of using the $SERVICE_HOST variable, we
    hardcode it to localhost, just as we do for the cache settings, see [1].

    This also avoids a bug that occurs when $SERVICE_HOST contains an IPv6
    address, as in that case it would have to be prefixed by "inet6:" [2].

    [1] I95d798d122e2a95e27eb1d2c4e786c3cd844440b
    [2] https://bugs.launchpad.net/swift/+bug/1610064

    Change-Id: I46bed8a048f4b0d669dfc65b28ddeb36963553e0
    Partial-Bug: 1656329

OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/505502
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=146332e349416ac0b3c9653b0ae68d55dbb3f9de
Submitter: Jenkins
Branch: master

commit 146332e349416ac0b3c9653b0ae68d55dbb3f9de
Author: Jens Harbott <email address hidden>
Date: Wed Sep 20 06:18:08 2017 +0000

    Make etcd3 setup work with IPv6 addresses

    The clients are told to connect to SERVICE_HOST instead of HOST_IP, so
    we need to start etcd3 with matching listening parameters.

    Change-Id: I96389090180d21d25d72df8f9e8905b850bcaee9
    Partial-Bug: 1656329

Dr. Jens Harbott (j-harbott) wrote :

Ok, time for a small update I think. With the depending fixes in swift and tempest, [1] now passes all tests but one (excluding the expected grenade failure).

For the remaining failure, we are stuck a bit between a rock and a hard place. With the way we set up the certificates in [1], we trigger [2] which sadly hasn't been solved for python2.7 in a long time. We are fine when running with python3.5, though. The other option is leaving in place the non-RFC-compliant workaround for [2], but then we are triggering two new issues in cryptography and urllib3 [3][4]. These issues really should appear in IPv4 already, but sloppy parsing lets IPv4 addresses pass as valid DNS names, while the ':' in IPv6 addresses is triggering failures.

[1] https://review.openstack.org/505503
[2] https://bugs.python.org/issue23239
[3] https://github.com/pyca/cryptography/issues/3943
[4] https://github.com/shazow/urllib3/issues/1269
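
An added example, not part of the original comment or of any project's code: it shows why a sloppy DNS-name pattern accepts an IPv4 address but rejects an IPv6 one, and how a type-aware check matches IP literals (raw or bracketed) only against "IP Address" subjectAltName entries. The certificate dicts use the shape returned by Python's ssl getpeercert(); the function names, the sample addresses and the assumption that the workaround takes the form of IP addresses listed as DNS-type names are all constructed for illustration.

```python
import ipaddress
import re

# Deliberately sloppy hostname pattern (hypothetical): any dot-separated run
# of letters, digits and hyphens counts as a "DNS name".
SLOPPY_DNS = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def parse_host(host):
    """Return ('ip', address_object) or ('dns', lowercase_name) for a URL host."""
    # Strip the brackets of the URL-quoted IPv6 form to get the raw address.
    raw = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return "ip", ipaddress.ip_address(raw)
    except ValueError:
        return "dns", raw.lower()


def san_matches(host, cert):
    """Match host against the subjectAltName of a getpeercert()-style dict.

    IP literals are compared only with 'IP Address' entries and names only
    with 'DNS' entries (exact match; wildcards are out of scope here).
    """
    kind, value = parse_host(host)
    for san_type, san_value in cert.get("subjectAltName", ()):
        if kind == "ip" and san_type == "IP Address":
            try:
                # Compare parsed addresses so spelling differences do not matter.
                if ipaddress.ip_address(san_value.strip()) == value:
                    return True
            except ValueError:
                continue  # malformed entry: skip it, never treat it as a match
        elif kind == "dns" and san_type == "DNS" and san_value.lower() == value:
            return True
    return False


# Constructed sample certificates using documentation address ranges.
IP_AS_DNS_CERT = {"subjectAltName": (("DNS", "192.0.2.10"), ("DNS", "2001:db8::10"))}
PROPER_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),
                                  ("IP Address", "2001:DB8:0:0:0:0:0:10"))}

if __name__ == "__main__":
    for h in ("192.0.2.10", "2001:db8::10", "[2001:db8::10]"):
        print(h, bool(SLOPPY_DNS.match(h)),
              san_matches(h, IP_AS_DNS_CERT), san_matches(h, PROPER_CERT))
```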

Changed in devstack:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/505168
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=dc7b4294632172d0b743f98448942fe260a8a3ff
Submitter: Zuul
Branch: master

commit dc7b4294632172d0b743f98448942fe260a8a3ff
Author: Jens Harbott <email address hidden>
Date: Tue Sep 19 10:52:32 2017 +0000

    Fix running with SERVICE_IP_VERSION=6

    - There are some locations where we need the raw IPv6 address instead of the
      url-quoted version enclosed in brackets.
    - Make nova-api-metadata service listen on IPv6 when we need that.
    - Use SERVICE_HOST instead of HOST_IP for TLS_IP.

    Change-Id: Id074be38ee95754e88b7219de7d9beb06f796fad
    Partial-Bug: 1656329

Dr. Jens Harbott (j-harbott) wrote :

Things should work now except when using tls-proxy at the same time. It may be possible to fix the latter issue by using a hostname-based cert instead of ip-based, but I think that would be another story.

Changed in devstack:
status: In Progress → Fix Released