glance CLI doesn'tconsider anymore OS_CACERT

Bug #1697163 reported by massimo.sgaravatto on 2017-06-10
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Glance
Undecided
Dou Rui Yuan

Bug Description

Not sure if the glance cli is still supported, but it looks like glance CLI provided with Ocata (the relavent RPM is python2-glanceclient-2.6.0-1.el7.noarch) doesn't read anymore the OS_CACERT, as it used to do.

Now it is necessary to use the "--os-cacert" option:

[root@controller-01 ~]# glance image-list
SSL exception connecting to https://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)

[root@controller-01 ~]# glance --os-cacert ${OS_CACERT} image-list
+--------------------------------------+---------------+
| ID | Name |
+--------------------------------------+---------------+
| 940c4c27-bd2c-4a16-a751-5f725d6b12ef | |
| df7b5ac0-f9f3-42fb-9650-a2d3d863b042 | |
| 739dd37b-374b-40e3-9b2f-66b54aaa5670 | |
etc etc

"openstack image list" works as expected

Dou Rui Yuan (rydou) on 2017-08-08
Changed in glance:
assignee: nobody → Dou Rui Yuan (rydou)
status: New → Confirmed
status: Confirmed → In Progress
Kam Nasim (knasim-wrs) wrote :

Any plans to pull this fix back into PIKE?

Also seeing it on Pike for both the Glance and the Murano clients:

glance --debug image-list
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 707, in main
    OpenStackImagesShell().main(argv)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 564, in main
    client = self._get_versioned_client('2', args)
  File "/usr/local/lib/python2.7/dist-packages/glanceclient/shell.py", line 453, in _get_versioned_client
    region_name=args.os_region_name)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 947, in get_endpoint
    return auth.get_endpoint(self, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 378, in get_endpoint
    allow_version_hack=allow_version_hack, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 269, in get_endpoint_data
    service_catalog = self.get_access(session).service_catalog
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/base.py", line 135, in get_access
    self.auth_ref = self.get_auth_ref(session)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py", line 167, in get_auth_ref
    authenticated=False, log=False, **rkwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 853, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/positional/__init__.py", line 108, in inner
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 703, in request
    resp = send(**kwargs)
  File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/session.py", line 777, in _send_request
    raise exceptions.ConnectFailure(msg)
ConnectFailure: Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Unable to establish connection to https://128.224.150.89:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.89', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

WORKAROUND: Pass the cacert with the cmd:
glance --debug --os-cacert /home/ubuntu/wrs-remote-clients-2.0.0/wrs-remote-clients-2.0.0/server-with-key.pem image-list

Pavlo Shchelokovskyy (pshchelo) wrote :

Kam Nasim,

I believe this can not be backported to stable/pike as the fix is effectively dropping several deprecated CLI options from glanceclient which is not OK for stable branch as it may be breaking existing users.

Pavlo Shchelokovskyy (pshchelo) wrote :

I believe we can close this, fix to glanceclient was merged >1y ago.

Changed in glance:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers