Regression in manila-netapp-dataontap driver TLS handling in Ussuri
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) |
Fix Released
|
Medium
|
Felipe Rodrigues |
Bug Description
Description
===========
As is common in deployments we have an internal root CA used for TLS certificates. We inject trust for this root into the kolla containers running OpenStack per normal kolla-ansible methods. in Train the Manila NetApp DataONTAP driver uses the system TLS trusted CAs and communication is fine (to the NetApp filers).
While testing our upgrade to Ussuri we noticed that manila driver could no longer communicate to the NetApp filers. Upon investigation it looks like it is now overriding the system trust store causing trust to fail
Steps to reproduce
==================
- put our introotCA.crt in /etc/kolla/
- did cert,manila configs in /etc/kolla/
kolla_copy_
enable_manila: "yes"
enable_
- enabled the netapp driver in /etc/kolla/
[DEFAULT]
default_share_type = default_share_type
enabled_
[cdotSingleSVM]
share_backend_
share_driver = manila.
...
- do the manila component reconfigure
kolla-ansible -i /etc/kolla/
Expected result
===============
NetApp driver would come up and be an available service
sample 'manila service-list output':
| 28 | manila-share | control01@
| 31 | manila-share | control02@
| 34 | manila-share | control03@
Actual result
=============
NetApp driver is unavailable.
snip of 'manila service-list output':
| 28 | manila-share | control01@
| 31 | manila-share | control02@
| 34 | manila-share | control03@
TLS trust errors in the manila-share log
Environment
===========
1. Exact version of OpenStack Manila you are running. See the following
manila: openstack-
kolla-ansible: 10.1.0
container OS: CentOS 8
2. Which storage backend did you use?
NetApp DataONTAP 9.7
3. Which networking type did you use?
Neutron with OpenVSwitch
Analysis & Additional Information
=======
Did a bit of debugging on this...
in:
/usr/lib/
Noticed it is overriding the system and python system defaults to this value:
SSL_CERT_DEFAULT = "/etc/ssl/certs/"
It looks like this is likely related to this change:
https:/
That /etc/ssl location (at least on RedHat/CentOS servers) is a legacy location. the new location is /etc/pki/tls/. The OS does make /etc/ssl/certs be a symlink to /etc/pki/tls/certs.
However when you specify the SSL_CERT_DEFAULT (aka in the python code self._session.
We did find that if SSL_CERT_DEFAULT is set to 'True' the python code again uses the OS method for CA trust and it works fine.
as an interim we have applied this patch to api.py and injected the updated code into the manila-share containers and have access to the NetApp driver again.
--- orig/api.py 2020-07-30 05:48:45.000000000 +0000
+++ patched/api.py 2020-10-07 22:54:28.107592418 +0000
@@ -62,7 +62,8 @@
TRANSPORT_
TRANSPORT_
- SSL_CERT_DEFAULT = "/etc/ssl/certs/"
+ #SSL_CERT_DEFAULT = "/etc/ssl/certs/"
+ SSL_CERT_DEFAULT = True
SERVER_
SERVER_
URL_FILER = 'servlets/
FYI to ibject we made a copy of the /usr/lib/
manila_
- "/etc/ussuri-
tags: | added: driver netapp |
Changed in manila: | |
assignee: | nobody → Felipe Rodrigues (felipefutty) |
milestone: | none → wallaby-1 |
Changed in manila: | |
importance: | Undecided → Medium |
Fix proposed to branch: master /review. opendev. org/758641
Review: https:/