[SRU]: check_hostname requires server_hostname when using container_infra endpoint with HTTPS

Bug #2091103 reported by Piotr Łodej
This bug affects 12 people
Affects | Status | Importance | Assigned to | Milestone
Magnum | Invalid | Undecided | Esmerlin Joel Mieses |
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Caracal | New | Undecided | Unassigned |
Dalmatian | New | Undecided | Unassigned |
Epoxy | New | Undecided | Unassigned |
python-magnumclient | Fix Released | Undecided | Unassigned |
python-magnumclient (Ubuntu) | Fix Released | Undecided | Unassigned |
Noble | Confirmed | Undecided | Unassigned |
Plucky | Confirmed | Undecided | Unassigned |
Questing | Fix Released | Undecided | Unassigned |

Bug Description

Note: Original description below

[Impact]

* On Jammy Caracal, when endpoints are configured with TLS, the Magnum UI does not display any information about deployed resources, although they are created and visible using the command-line client. The dashboard displays errors about connecting to the backend.

* This bug is introduced by a patch (d/p/0001-Update-VerifiedHTTPSConnection-for-Python-3.12.patch) [1], which was added to include Python 3.12 support by refactoring ssl context management but did not pass a server_hostname parameter to context.wrap_socket. This merged upstream during the Dalmatian cycle and was not backported to Caracal upstream. Therefore, upstream Caracal doesn't hit this bug, but also doesn't have the fix that properly supports Python 3.12. Nevertheless, the patch [1] is included in the Ubuntu Cloud Archive for Jammy-Caracal and the distro package for Noble, so Ubuntu's Caracal packages are affected (distro and UCA).

* This bug was fixed upstream in [2], which merged during the Epoxy cycle, and was backported to Dalmatian (but not upstream Caracal, since upstream Caracal doesn't have [1] and, therefore, isn't affected by this bug). However, Ubuntu's Dalmatian and Epoxy packages (both distro packages and UCA) don't have this fix.

* Therefore, the affected Ubuntu packages are the python-magnumclient shipped on Noble, Oracular (EOL) and Plucky, and then for the Ubuntu Cloud Archive (UCA) the affected packages are python-magnumclient for Jammy Caracal, Noble Dalmatian, and Noble-Epoxy.

[1] https://opendev.org/openstack/python-magnumclient/commit/83a10d4d49388fb680b450c728cd1e62d18e8672
[2] https://opendev.org/openstack/python-magnumclient/commit/ecdcc0697cd53592b54078175001755169436761

[Test Plan]

* Deploy Openstack by any method. I will use juju

* Deploy magnum services and setup relations

juju deploy magnum --channel=2024.1/stable magnum
juju relate magnum keystone
juju relate magnum vault
juju relate magnum:amqp rabbitmq-server:amqp
juju relate magnum:shared-db magnum-mysql-router:shared-db

juju deploy magnum-dashboard --channel=2024.1/stable magnum-dashboard
juju relate magnum-dashboard keystone
juju relate magnum-dashboard vault
juju relate magnum-dashboard openstack-dashboard

* Configure magnum
juju run magnum/0 domain-setup

* Open openstack dashboard, and go to the cluster management pane

* See error message and that there's observability of any magnum resources without the patch

* Upgrade to proposed, and see a properly populated dashboard

[What can go wrong]

* While this fixes an issue with SNI in TLS handshakes, in environments where SNI is not configured correctly or TLS certs are not distributed properly, this patch may break the environment and expose those issues.

====================================
Original description:

Openstack: 2024.2
Ubuntu: 22.04
Deployment Tool: Kolla Ansible

Steps to reproduce:
From version 2024.2 of Magnum when using Horizon (navigate to Project->Container Infra->Cluster or Cluster Templates) "/api/container_infra/*" endpoints return 500 Internal Server Error "check_hostname requires server_hostname". Container Infra Endpoint is using HTTPS

Horizon error log:
error invoking apiclient
Traceback (most recent call last):
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/openstack_dashboard/api/rest/utils.py", line 128, in _wrapped
    data = function(self, request, *args, **kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/rest/magnum.py", line 302, in get
    result = magnum.cluster_list(request)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/magnum.py", line 193, in cluster_list
    return magnumclient(request).clusters.list(limit, marker, sort_key,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/v1/baseunit.py", line 82, in list
    return self._list(self._path(path), self.__class__.template_name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/base.py", line 117, in _list
    resp, body = self.api.json_request('GET', url)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 240, in json_request
    resp, body_iter = self._http_request(url, method, **kwargs)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 187, in _http_request
    conn.request(method, conn_url, **kwargs)
  File "/usr/lib/python3.12/http/client.py", line 1336, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.12/http/client.py", line 1382, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.12/http/client.py", line 1331, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.12/http/client.py", line 1091, in _send_output
    self.send(msg)
  File "/usr/lib/python3.12/http/client.py", line 1035, in send
    self.connect()
  File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 310, in connect
    self.sock = context.wrap_socket(sock)
                ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/ssl.py", line 970, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname
Internal Server Error: /api/container_infra/clusters/

After analysis the problem exists in python-magnumclient from version 4.6.0 (https://opendev.org/openstack/python-magnumclient/commit/5d8fd3840052e07418e007f336deb99fd58b7e92)

According to the documentation, when using check_hostname with CERT_REQUIRED you must also pass server_hostname to wrap_socket
(Python 3.12 doc reference: https://docs.python.org/3.12/library/ssl.html#ssl.SSLContext.check_hostname)
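
The failure in the traceback above next to the corrected call shape, as an added example (not code from this bug report or from python-magnumclient). The host name magnum.example.test and the helper names are assumptions; the sockets are never connected, so no handshake occurs and it runs offline.

```python
import socket
import ssl


def client_context(check_hostname=True):
    # PROTOCOL_TLS_CLIENT defaults to check_hostname=True and CERT_REQUIRED.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = check_hostname
    return ctx


def try_wrap(ctx, host=None):
    """Wrap an unconnected TCP socket; return (server_hostname, error).

    No handshake happens on an unconnected socket, so this only exercises
    the argument check that raised in the traceback.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ValueError as exc:
        sock.close()
        return None, str(exc)
    try:
        return tls.server_hostname, None
    finally:
        tls.close()


def demo(host="magnum.example.test"):  # constructed placeholder host
    return {
        # Failing call shape: check_hostname on, no server_hostname.
        "missing_hostname": try_wrap(client_context()),
        # Corrected call shape: the endpoint host is passed, so SNI is sent
        # and the certificate name is matched against it at handshake time.
        "with_hostname": try_wrap(client_context(), host),
        # Disabling the check also silences the error, but no name is bound
        # to the connection, so the certificate is never matched to the host.
        "check_disabled": try_wrap(client_context(check_hostname=False)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The third case is why the remedy is passing server_hostname rather than turning check_hostname off: both make the ValueError go away, but only the former keeps hostname verification.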

Tags: patch
description: updated
Mr.R (mrr-tm)
Changed in magnum:
status: New → Confirmed
Jake Yip (waipengyip) wrote :

I haven't had the chance to look at this yet. If you are able to fix this, can you send up a patch please?

Esmerlin Joel Mieses (symph0nic) wrote :
Changed in magnum:
assignee: nobody → Esmerlin Joel Mieses (symph0nic)
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-magnumclient 4.8.1

This issue was fixed in the openstack/python-magnumclient 4.8.1 Epoxy release.

Lars Erik Pedersen (pedersen-larserik) wrote :

Hi,

We're observing this in Caracal (2024.1) as well. Both on 22.04 and 24.04. python-magnumclient 4.4.0

Pravin Mohan (pravinm) wrote :

Hi,

Was the fix backported to the Jammy-Caracal release? We are still hitting this bug.

description: updated
summary: - check_hostname requires server_hostname when using container_infra
- endpoint with HTTPS (2024.2)
+ [SRU]: check_hostname requires server_hostname when using
+ container_infra endpoint with HTTPS
description: updated
Changed in magnum:
status: Confirmed → Invalid
Changed in python-magnumclient:
status: New → Confirmed
Nobuto Murata (nobuto) wrote :

> This issue was fixed in the openstack/python-magnumclient 4.8.1 Epoxy release.

Isn't Ubuntu plucky the release that requires the fix first before backporting it to noble-epoxy, noble-dalmatian, noble, jammy-caracal?

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "noble-lp2091103.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Nobuto Murata (nobuto) wrote :
Changed in python-magnumclient:
status: Confirmed → Fix Released
Changed in python-magnumclient (Ubuntu Questing):
status: New → Fix Released
Changed in cloud-archive:
status: New → Fix Released
Changed in python-magnumclient (Ubuntu):
status: New → Fix Released
description: updated
Bryan Fraschetti (bryanfraschetti) wrote :

Patch for python-magnumclient package in Plucky distro

Bryan Fraschetti (bryanfraschetti) wrote :

Patch for python-magnumclient in Noble Epoxy in the UCA

Bryan Fraschetti (bryanfraschetti) wrote :

Patch for python-magnumclient in Noble Dalmatian in the UCA

Bryan Fraschetti (bryanfraschetti) wrote :

Patch for python-magnumclient for Noble distro

Bryan Fraschetti (bryanfraschetti) wrote :

Patch for python-magnumclient in Jammy Caracal in the UCA

description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-magnumclient (Ubuntu Noble):
status: New → Confirmed
Changed in python-magnumclient (Ubuntu Plucky):
status: New → Confirmed