Designate DNS driver for neutron fails for SSL based endpoints.

Bug #1588067 reported by Imran Hayder
This bug affects 9 people
Affects: neutron | Status: Fix Released | Importance: Medium | Assigned to: Imran Hayder

Bug Description

Summary:
I have a mitaka based deployment of neutron and designate, and while trying to test the native integration of neutron with designate using this guide http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html I found out my DNS records are not getting created on port-update or on any floating IP operations as expected.
This is because the endpoints in the deployment are SSL based (https), and the neutron code of mitaka that gets the keystoneclient session before initiating the designate client has no option to allow us to set verify=True/False from neutron.conf or in the code itself https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L85

This makes it impossible to use the neutron integration with designate over https based endpoints until the code is changed to:

"""

_SESSION = session.Session(verify=False)
"""

Description:

Neutron has an option to use an external DNS driver in mitaka, such as designate. For that, we need to set the designate options in the [designate] section of neutron.conf. For example:
"""
[designate]
url = http://55.114.111.93:9001/v2
admin_auth_url = http://55.114.111.93:35357/v2.0
admin_username = neutron
admin_password = x5G90074
admin_tenant_name = service
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
"""

The above example works fine when your url and admin_auth_url are http based endpoints. The neutron code uses the options of the designate section to get a session from keystone and uses that session to initiate the designate admin client session, as seen in the neutron code here https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L89

In the case when a deployment has https (SSL terminated) based endpoints, meaning both url and admin_auth_url use https, the keystone session is made in the neutron code using
_SESSION = session.Session()

The default behavior of keystoneclient is that if a url has https, then it always sets verify=True and uses the CA file for verification,
but neither the option to provide a CA file nor the option to set verify=True/False is implemented in the neutron code for the designate driver. This makes it impossible to use the integration over SSL based endpoints.

As an example, running the same code as neutron's mitaka driver:
"""
>>> # imports as used by the mitaka designate driver
>>> from designateclient.v2 import client as d_client
>>> from keystoneauth1.identity.generic import password
>>> from keystoneauth1 import session
>>> admin_auth = password.Password(auth_url="https://10.240.128.120:6100/v2.0", username="admin", password="admin", tenant_name="service")
>>> _SESSION = session.Session()
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://10.240.128.120:6100/v2.0/tokens: [Errno 1] _ssl.c:523: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

After altering the session initialization to set verify=False:

"""
>>> _SESSION = session.Session(verify=False)
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
[]
"""

Proposed fix:

Have an oslo opt for [designate] to let users specify insecure operation or set a CA file, and use that info from neutron.conf to initiate the keystone session before getting a designateclient.

tags: added: mitaka-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/324177

Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/326958

Changed in neutron:
assignee: nobody → Imran Hayder (hayderimran7)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/326958
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9cd95366a035b29001ce75515d291cf72d07d0c3
Submitter: Jenkins
Branch: master

commit 9cd95366a035b29001ce75515d291cf72d07d0c3
Author: imran malik <email address hidden>
Date: Wed Jun 8 02:45:32 2016 -0700

    Fix designate dns driver for SSL based endpoints

    Allow setting options in designate section to specify if want
    to skip SSL cert check. This makes it possible to work with HTTPS
    based endpoints, the default behavior of keystoneclient is to always
    set verify=True however in current code, one cannot either provide
    a valid CA cert or skip the verification.

    DocImpact: Introduce two additional options for `[designate]` section
    in neutron.conf
    CONF.designate.insecure to allow insecure connections over SSL.
    CONF.designate.ca_cert for a valid cert when connecting over SSL

    Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
    Closes-Bug: #1588067

Changed in neutron:
status: In Progress → Fix Released
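The bug description shows the driver building its keystone session with a bare session.Session(), and the merged commit above introduces two [designate] options, insecure and ca_cert, to control that session. The following Python is an added example written for this page; it is not neutron's code and not the merged patch. It shows how those two options should map onto the verify argument that keystoneauth1.session.Session() passes through to requests, and it flags the configuration a reviewer should reject: verification switched off for an HTTPS endpoint, which lets anyone on the network path to keystone or designate capture the admin credentials. The hostnames, password and CA path are placeholders, and the precedence rule (insecure wins over ca_cert) is an assumption made for this example, not a description of the merged change.

```python
# Added example for bug #1588067; not neutron's own code and not the merged patch.
# Maps the [designate] options `insecure` and `ca_cert` to the `verify` value a
# keystoneauth1.session.Session(verify=...) would receive, and audits the result.
# Assumption for this example: `insecure = True` takes precedence over `ca_cert`.
import configparser
import os

# Constructed neutron.conf fragments; hosts, credentials and paths are placeholders.
INSECURE_CONF = """
[designate]
url = https://designate.example.test:9001/v2
admin_auth_url = https://keystone.example.test:35357/v2.0
admin_username = neutron
admin_password = placeholder
admin_tenant_name = service
insecure = True
"""

HARDENED_CONF = """
[designate]
url = https://designate.example.test:9001/v2
admin_auth_url = https://keystone.example.test:35357/v2.0
admin_username = neutron
admin_password = placeholder
admin_tenant_name = service
ca_cert = /etc/neutron/designate-ca.pem
"""


def _designate_section(conf_text):
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return parser["designate"]


def verify_from_conf(conf_text):
    """Return the value to hand to Session(verify=...).

    requests semantics: False disables certificate checking, a string is a
    path to a CA bundle, True validates against the system trust store.
    Before the fix neutron always called Session(), i.e. verify=True with no
    way to supply a private CA, which is the failure this report describes.
    """
    sec = _designate_section(conf_text)
    if sec.getboolean("insecure", fallback=False):
        return False
    ca_cert = sec.get("ca_cert", fallback=None)
    return ca_cert if ca_cert else True


def audit_designate_section(conf_text, file_exists=os.path.isfile):
    """Return a list of findings a deployer should fix before rollout.

    `file_exists` is injectable so the check can run where the CA path is
    not present (e.g. in a test); production callers keep the default.
    """
    sec = _designate_section(conf_text)
    verify = verify_from_conf(conf_text)
    findings = []
    https_keys = [k for k in ("url", "admin_auth_url")
                  if sec.get(k, fallback="").lower().startswith("https://")]
    if verify is False and https_keys:
        findings.append(
            "insecure=True disables certificate verification for %s; the "
            "admin credentials can be captured by anyone on the path to "
            "keystone/designate" % ", ".join(https_keys))
    if isinstance(verify, str) and not file_exists(verify):
        findings.append("ca_cert path %s does not exist on this host" % verify)
    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "verify=", verify_from_conf(conf),
              "findings=", audit_designate_section(conf))
```

The practical rule this encodes: `insecure = True` is a debugging aid for reproducing the error in the report, not a deployment setting. A deployment with a private CA should set `ca_cert` to the bundle that signed the keystone and designate certificates and leave `insecure` unset, so that the keystone password the driver sends is only ever released to a server holding a certificate chained to that CA.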
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/mitaka)

Change abandoned by Imran Hayder Malik (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/324177
Reason: cherry picking this https://review.openstack.org/#/c/326958/ to stable/mitaka

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/330817

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/mitaka)

Reviewed: https://review.openstack.org/330817
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c705e2f9f6c7b4a9db4a80a764268e490ea41f01
Submitter: Jenkins
Branch: stable/mitaka

commit c705e2f9f6c7b4a9db4a80a764268e490ea41f01
Author: imran malik <email address hidden>
Date: Wed Jun 8 02:45:32 2016 -0700

    Fix designate dns driver for SSL based endpoints

    Allow setting options in designate section to specify if want
    to skip SSL cert check. This makes it possible to work with HTTPS
    based endpoints, the default behavior of keystoneclient is to always
    set verify=True however in current code, one cannot either provide
    a valid CA cert or skip the verification.

    DocImpact: Introduce two additional options for `[designate]` section
    in neutron.conf
    CONF.designate.insecure to allow insecure connections over SSL.
    CONF.designate.ca_cert for a valid cert when connecting over SSL

    Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
    Closes-Bug: #1588067

tags: added: in-stable-mitaka
tags: added: neutron-proactive-backport-potential
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 9.0.0.0b2

This issue was fixed in the openstack/neutron 9.0.0.0b2 development milestone.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 8.2.0

This issue was fixed in the openstack/neutron 8.2.0 release.

tags: removed: neutron-proactive-backport-potential
tags: removed: mitaka-backport-potential