Glance

glance CLI doesn'tconsider anymore OS_CACERT

Bug #1697163 reported by massimo.sgaravatto on 2017-06-10

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Glance	Fix Released	Undecided	Dou Rui Yuan

Bug Description

Not sure if the glance cli is still supported, but it looks like glance CLI provided with Ocata (the relavent RPM is python2-glanceclient-2.6.0-1.el7.noarch) doesn't read anymore the OS_CACERT, as it used to do.

Now it is necessary to use the "--os-cacert" option:

[root@controller-01 ~]# glance image-list
SSL exception connecting to https://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

[root@controller-01 ~]# glance --os-cacert ${OS_CACERT} image-list
+--------------------------------------+---------------+
| ID | Name |
+--------------------------------------+---------------+
| 940c4c27-bd2c-4a16-a751-5f725d6b12ef | |
| df7b5ac0-f9f3-42fb-9650-a2d3d863b042 | |
| 739dd37b-374b-40e3-9b2f-66b54aaa5670 | |
etc etc

"openstack image list" works as expected

Dou Rui Yuan (rydou) on 2017-08-08

Changed in glance:
assignee:	nobody → Dou Rui Yuan (rydou)
status:	New → Confirmed
status:	Confirmed → In Progress

Revision history for this message

Dou Rui Yuan (rydou) wrote on 2017-08-09:

Fix patch: https://review.openstack.org/491656

Revision history for this message

Kam Nasim (knasim-wrs) wrote on 2018-01-29:

Any plans to pull this fix back into PIKE?

Also seeing it on Pike for both the Glance and the Murano clients:

glance --debug image-list
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 707, in main
    OpenStackImagesShell().main(argv)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 564, in main
    client = self._get_versioned_client('2', args)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 453, in _get_versioned_client
    region_name=args.os_region_name)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 947, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 378, in get_endpoint
    allow_version_hack=allow_version_hack, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 269, in get_endpoint_data
    service_catalog = self.get_access(session).service_catalog
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 135, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 853, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 108, in inner
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 703, in request
    resp = send(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 777, in _send_request
    raise exceptions.ConnectFailure(msg)
ConnectFailure: Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

WORKAROUND: Pass the cacert with the cmd:
glance --debug --os-cacert /home/ubuntu/wrs-remote-clients-2.0.0/wrs-remote-clients-2.0.0/server-with-key.pem image-list

Any plans to pull this fix back into PIKE?

Also seeing it on Pike for both the Glance and the Murano clients:

glance --debug image-list 
Traceback (most recent call last): 
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 707, in main 
    OpenStackImagesShell().main(argv) 
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 564, in main 
    client = self._get_versioned_client('2', args) 
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 453, in _get_versioned_client 
    region_name=args.os_region_name) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 947, in get_endpoint 
    return auth.get_endpoint(self, **kwargs) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 378, in get_endpoint 
    allow_version_hack=allow_version_hack, **kwargs) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 269, in get_endpoint_data 
    service_catalog = self.get_access(session).service_catalog 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 135, in get_access 
    self.auth_ref = self.get_auth_ref(session) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref 
    authenticated=False, log=False, **rkwargs) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 853, in post 
    return self.request(url, 'POST', **kwargs) 
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 108, in inner 
    return wrapped(*args, **kwargs) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 703, in request 
    resp = send(**kwargs) 
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 777, in _send_request 
    raise exceptions.ConnectFailure(msg) 
ConnectFailure: Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) 
Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

WORKAROUND: Pass the cacert with the cmd: 
glance --debug --os-cacert /home/ubuntu/wrs-remote-clients-2.0.0/wrs-remote-clients-2.0.0/server-with-key.pem image-list

Revision history for this message

Pavlo Shchelokovskyy (pshchelo) wrote on 2019-03-19:

Kam Nasim,

I believe this can not be backported to stable/pike as the fix is effectively dropping several deprecated CLI options from glanceclient which is not OK for stable branch as it may be breaking existing users.

Revision history for this message

Pavlo Shchelokovskyy (pshchelo) wrote on 2019-03-19:

I believe we can close this, fix to glanceclient was merged >1y ago.

Changed in glance:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.