OVN metadata agent doesn't work while calling nova with TLS

Bug #1837870 reported by Maciej Jozefczyk on 2019-07-25
This bug affects 1 person
Affects: networking-ovn
Importance: Undecided
Assigned to: Maciej Jozefczyk

Bug Description

While an instance is calling metadata, the request fails with error 500. That happens when the nova endpoint is behind SSL.

2019-07-24 13:17:55.713 30924 DEBUG networking_ovn.agent.metadata.server [-] {'X-Forwarded-For': '10.10.220.197', 'X-Instance-ID': '38b61e91-6acf-48ce-b910-4090e9db58f5', 'X-Tenant-ID': 'fd4b142f32fc4188a0aca5213dbb8b2d', 'X-Instance-ID-Signature': '84d5218803fa55e1550497ad5dabd1a4cd0576c733f80a967a89a53f042e2b02'} _proxy_request /usr/lib/python3.6/site-packages/networking_ovn/agent/metadata/server.py:102
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server [-] Unexpected error.: ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:877)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server Traceback (most recent call last):
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/networking_ovn/agent/metadata/server.py", line 68, in __call__
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server return self._proxy_request(instance_id, project_id, req)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/networking_ovn/agent/metadata/server.py", line 119, in _proxy_request
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server body=req.body)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/httplib2/__init__.py", line 1324, in request
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/httplib2/__init__.py", line 1074, in _request
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server (response, content) = self._conn_request(conn, request_uri, method, body, headers)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/httplib2/__init__.py", line 997, in _conn_request
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server conn.connect()
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib64/python3.6/http/client.py", line 1400, in connect
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server server_hostname=server_hostname)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 426, in wrap_socket
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server return GreenSSLSocket(sock, *a, _context=self, **kw)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 118, in __init__
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server self.do_handshake()
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 291, in do_handshake
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server super(GreenSSLSocket, self).do_handshake)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 140, in _call_trampolining
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server return func(*a, **kw)
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server self._sslobj.do_handshake()
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server self._sslobj.do_handshake()
2019-07-24 13:17:55.729 30924 ERROR networking_ovn.agent.metadata.server

Changed in networking-ovn:
assignee: nobody → Maciej Jozefczyk (maciej.jozefczyk)
status: New → Confirmed
Changed in networking-ovn:
status: Confirmed → In Progress

Reviewed: https://review.opendev.org/672689
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=c3b9cdccd6422d22f904e6594b392131fff7ed98
Submitter: Zuul
Branch: master

commit c3b9cdccd6422d22f904e6594b392131fff7ed98
Author: Maciej Józefczyk <email address hidden>
Date: Thu Jul 25 10:28:13 2019 +0000

    Replace httplib2 with requests in metadata agent

    httplib2 uses PROTOCOL_TLSv1 which in fact restricts
    connection to TLS v1.0 only.
    This patch moves to use the requests library, which uses
    PROTOCOL_TLS, which supports all versions supported by the
    SSL library.
    The same change was made a while ago in neutron [0].

    [0] https://review.opendev.org/#/c/593641/

    Co-Authored-By: James Page <email address hidden>

    Change-Id: I0f57a1706d41836b35ffd33bb154af6a5667b7cd
    Closes-Bug: #1837870
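
Why the TLS 1.0-only client described in the commit message above gets a `protocol_version` alert, as an added example (not networking-ovn or httplib2 code): it models a server's version selection over two constructed ClientHello records. The server minimum of TLS 1.2, the helper names and the sample records are assumptions.

```python
import struct

TLS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
ALERT_PROTOCOL_VERSION = 70  # surfaced by OpenSSL as TLSV1_ALERT_PROTOCOL_VERSION

def client_hello(legacy, supported=()):
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    ext = b""
    if supported:  # supported_versions extension (type 43)
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
    body = (struct.pack("!H", legacy) + bytes(32)   # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!HH", 2, 0x002F)         # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def offered_versions(record):
    """Versions a server may choose from, read out of a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                  # skip record and handshake headers
    legacy, = struct.unpack_from("!H", record, p)
    p += 2 + 32                            # client_version + random
    p += 1 + record[p]                     # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
    p += 1 + record[p]                     # compression_methods
    end = p
    if p + 2 <= len(record):               # extensions block is optional
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        if etype == 43:                    # explicit list replaces legacy field
            n = record[p + 4]
            return {struct.unpack_from("!H", record, p + 5 + i)[0]
                    for i in range(0, n, 2)}
        p += 4 + elen
    return {v for v in TLS if v <= legacy}  # no list: legacy_version or lower

def server_reply(record, minimum=0x0303, maximum=0x0304):
    """Return (version, None) on agreement, else (None, alert description)."""
    ok = [v for v in offered_versions(record) if minimum <= v <= maximum]
    return (TLS[max(ok)], None) if ok else (None, ALERT_PROTOCOL_VERSION)

PINNED = client_hello(0x0301)                           # TLS 1.0 only client
NEGOTIATING = client_hello(0x0303, (0x0304, 0x0303))    # offers 1.3 and 1.2
```

`server_reply(PINNED)` yields the alert, while `server_reply(NEGOTIATING)` settles on the highest version both sides allow.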

Changed in networking-ovn:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/673499
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=075f07b118674065b504824280e1c1024d6f2525
Submitter: Zuul
Branch: stable/stein

commit 075f07b118674065b504824280e1c1024d6f2525
Author: Maciej Józefczyk <email address hidden>
Date: Thu Jul 25 10:28:13 2019 +0000

    Replace httplib2 with requests in metadata agent

    httplib2 uses PROTOCOL_TLSv1 which in fact restricts
    connection to TLS v1.0 only.
    This patch moves to use the requests library, which uses
    PROTOCOL_TLS, which supports all versions supported by the
    SSL library.
    The same change was made a while ago in neutron [0].

    [0] https://review.opendev.org/#/c/593641/

    Co-Authored-By: James Page <email address hidden>

    Change-Id: I0f57a1706d41836b35ffd33bb154af6a5667b7cd
    Closes-Bug: #1837870
    (cherry picked from commit c3b9cdccd6422d22f904e6594b392131fff7ed98)

tags: added: in-stable-stein

Reviewed: https://review.opendev.org/673504
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=64122cdc6865d9552dd0b015349d3b4998e511b2
Submitter: Zuul
Branch: stable/queens

commit 64122cdc6865d9552dd0b015349d3b4998e511b2
Author: Maciej Józefczyk <email address hidden>
Date: Thu Jul 25 10:28:13 2019 +0000

    Replace httplib2 with requests in metadata agent

    httplib2 uses PROTOCOL_TLSv1 which in fact restricts
    connection to TLS v1.0 only.
    This patch moves to use the requests library, which uses
    PROTOCOL_TLS, which supports all versions supported by the
    SSL library.
    The same change was made a while ago in neutron [0].

    [0] https://review.opendev.org/#/c/593641/

    Co-Authored-By: James Page <email address hidden>

    Change-Id: I0f57a1706d41836b35ffd33bb154af6a5667b7cd
    Closes-Bug: #1837870
    (cherry picked from commit c3b9cdccd6422d22f904e6594b392131fff7ed98)

tags: added: in-stable-queens

Reviewed: https://review.opendev.org/673503
Committed: https://git.openstack.org/cgit/openstack/networking-ovn/commit/?id=cded136f5096d91c8da5b85e000d2c692464e2e0
Submitter: Zuul
Branch: stable/rocky

commit cded136f5096d91c8da5b85e000d2c692464e2e0
Author: Maciej Józefczyk <email address hidden>
Date: Thu Jul 25 10:28:13 2019 +0000

    Replace httplib2 with requests in metadata agent

    httplib2 uses PROTOCOL_TLSv1 which in fact restricts
    connection to TLS v1.0 only.
    This patch moves to use the requests library, which uses
    PROTOCOL_TLS, which supports all versions supported by the
    SSL library.
    The same change was made a while ago in neutron [0].

    [0] https://review.opendev.org/#/c/593641/

    Co-Authored-By: James Page <email address hidden>

    Change-Id: I0f57a1706d41836b35ffd33bb154af6a5667b7cd
    Closes-Bug: #1837870
    (cherry picked from commit c3b9cdccd6422d22f904e6594b392131fff7ed98)

tags: added: in-stable-rocky
tags: added: networking-ovn-proactive-backport-potential