Activity log for bug #2048520

Columns: Date, Who, What changed, Old value, New value, Message

2024-01-08 11:21:46  Adam Rozman
  What changed: bug
  New value: added bug
2024-01-08 12:25:01  Adam Rozman
  What changed: description
  Old value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only initiate maximum TLS 1.2 connections, so registering, heartbeat, user image downloads and inspection result reporting all lack TLS 1.3. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3
  New value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only initiate maximum TLS 1.2 connections, so registering, heartbeat, user image downloads and inspection result reporting all lack TLS 1.3. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3

    EDIT: After some additional research in the OpenStack ML archives: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT it has become clear that in the long term eventlet usage would be deprecated: https://review.opendev.org/c/openstack/governance/+/902585

2024-01-08 12:49:40  Adam Rozman
  What changed: description
  Old value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only initiate maximum TLS 1.2 connections, so registering, heartbeat, user image downloads and inspection result reporting all lack TLS 1.3. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3

    EDIT: After some additional research in the OpenStack ML archives: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT it has become clear that in the long term eventlet usage would be deprecated: https://review.opendev.org/c/openstack/governance/+/902585
  New value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only initiate maximum TLS 1.2 connections, so registering, heartbeat, user image downloads and inspection result reporting all lack TLS 1.3. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3

    EDIT: After some additional research in the OpenStack ML archives: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT it has become clear that in the long term eventlet usage would be deprecated: https://review.opendev.org/c/openstack/governance/+/902585

    Given the current governance plans and discussion, oslo libraries will be gradually moved to use aiohub (eventlet + asyncio), then eventlet would be gradually phased out in favor of asyncio, but as far as I can estimate this process would end at some point in 2026 the earliest, and I would like to see TLS 1.3 support in Ironic much earlier.

2024-01-08 13:06:29  Adam Rozman
  What changed: description
  Old value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only initiate maximum TLS 1.2 connections, so registering, heartbeat, user image downloads and inspection result reporting all lack TLS 1.3. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3

    EDIT: After some additional research in the OpenStack ML archives: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT it has become clear that in the long term eventlet usage would be deprecated: https://review.opendev.org/c/openstack/governance/+/902585

    Given the current governance plans and discussion, oslo libraries will be gradually moved to use aiohub (eventlet + asyncio), then eventlet would be gradually phased out in favor of asyncio, but as far as I can estimate this process would end at some point in 2026 the earliest, and I would like to see TLS 1.3 support in Ironic much earlier.
  New value:
    oslo.service powers WSGI functionality in IPA and in turn oslo.service uses eventlet. With the current dependency chain there is no possibility to use TLS 1.3 with IPA; thus, even if IPA and Ironic endpoints are behind a TLS 1.3 capable proxy, outgoing calls from IPA can only establish maximum TLS 1.2 connections. As the TLS limitation is caused by the combination of multiple layers of dependencies, there are many approaches to solve this issue depending on which dependency layer would be touched. The aim of this bug ticket is to track the TLS 1.3 support status for IPA, but most likely the solution will be implemented in oslo.service.

    Possible solutions:
      - Use a different WSGI provider for IPA instead of oslo.service
      - Use something instead of eventlet in oslo.service
      - Eventlet could be used together with PyOpenSSL https://eventlet.net/doc/ssl.html#pyopenssl in oslo.service, as OpenSSL supports TLS 1.3

    EDIT: After some additional research in the OpenStack ML archives: https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/thread/YO5CZDVAJ6QSF734ALWSGNOQDDAIOXKI/#RZFUTBFTUCSHKVA6SOCWWIXEH3QJHMYT it has become clear that in the long term eventlet usage would be deprecated: https://review.opendev.org/c/openstack/governance/+/902585

    Given the current governance plans and discussion, oslo libraries will be gradually moved to use aiohub (eventlet + asyncio), then eventlet would be gradually phased out in favor of asyncio, but as far as I can estimate this process would end at some point in 2026 the earliest, and I would like to see TLS 1.3 support in Ironic much earlier.
2024-01-08 15:07:45  Dmitry Tantsur
  What changed: ironic-python-agent: status
  Old value: New
  New value: Incomplete

2024-01-08 15:34:46  Adam Rozman
  What changed: ironic-python-agent: status
  Old value: Incomplete
  New value: Invalid