Missing Nova Config Option for Glance Client CA File

Bug #1299841 reported by Ryan Heffernan
Affects: OpenStack Compute (nova)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: none

Bug Description

Using OS Havana, nova 2013.2.2

There is currently no config option in nova.conf to use a CA cert file to verify glance connections. In order for nova to issue glance client requests to an HTTPS glance endpoint you must turn off certificate validation (glance_api_insecure = True).

Current config in nova.conf to use an HTTPS glance API endpoint:

root@osc:~# grep glance /etc/nova/nova.conf
glance_protocol = https
glance_api_servers = https://osc:9292
glance_api_insecure = True
image_service = nova.image.glance.GlanceImageService

What is missing is an option for the CA cert, which neutron and cinder do have:

root@osc:~# grep ca_certificate /etc/nova/nova.conf
neutron_ca_certificates_file = /etc/nova/ssl/certs/ca.pem
cinder_ca_certificates_file = /etc/nova/ssl/certs/ca.pem

Simple fix in /usr/lib/python2.7/dist-packages/nova/image/glance.py :

1) In glance_opts, add the config option:

    cfg.StrOpt('glance_ca_certificates_file',
                default='',
                help='CA file for glance client to verify server certificates. '),

2) In _create_glance_client, pass cacert to the HTTP connection:

        # https specific params
        params['insecure'] = CONF.glance_api_insecure
        params['ssl_compression'] = False
        params['cacert'] = CONF.glance_ca_certificates_file

3) Now you can set the CA cert in nova.conf and remove the insecure option:

root@osc:~# grep glance /etc/nova/nova.conf
glance_protocol = https
glance_ca_certificates_file = /etc/nova/ssl/certs/ca.pem
glance_api_servers = https://osc:9292
image_service = nova.image.glance.GlanceImageService
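The report's three steps amount to one operational check an operator wants to automate: find every nova service client that talks HTTPS with certificate validation switched off, and turn that into a CA-file setting instead. The script below is an added example written for this page; it is not code from the bug report or from nova. It parses nova.conf with configparser, classifies the glance, neutron and cinder clients by their TLS posture, and rewrites a `*_api_insecure = True` line into the matching `*_ca_certificates_file` line. The [DEFAULT] section header is assumed (the grep output in the report omits it); `neutron_api_insecure` and `cinder_api_insecure` are assumed to be the neutron and cinder counterparts of `glance_api_insecure`, and `glance_ca_certificates_file` is the option the report proposes, so the audit only reports correctly on a nova that carries that option.

```python
"""Audit nova.conf for service-client TLS settings that disable certificate
validation, and rewrite the insecure setting into a CA-file setting.

Added example, not code from the bug report or from nova. The *_api_insecure
options for neutron and cinder are assumed; glance_ca_certificates_file is
the option the bug report proposes."""
import configparser
import re

# Constructed sample: the report's "before" config plus the neutron/cinder CA
# lines, under the [DEFAULT] section header that the report's grep omits.
SAMPLE_BEFORE = """\
[DEFAULT]
glance_protocol = https
glance_api_servers = https://osc:9292
glance_api_insecure = True
image_service = nova.image.glance.GlanceImageService
neutron_ca_certificates_file = /etc/nova/ssl/certs/ca.pem
cinder_ca_certificates_file = /etc/nova/ssl/certs/ca.pem
"""

# service -> (option that disables validation, option that names the CA bundle)
SERVICE_TLS_OPTIONS = {
    "glance": ("glance_api_insecure", "glance_ca_certificates_file"),
    "neutron": ("neutron_api_insecure", "neutron_ca_certificates_file"),
    "cinder": ("cinder_api_insecure", "cinder_ca_certificates_file"),
}

INSECURE_LINE = re.compile(r"^\s*([a-z]+)_api_insecure\s*=\s*(\S+)\s*$")


def _default_section(conf_text):
    """Parse nova.conf text and return its [DEFAULT] section proxy."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser["DEFAULT"]


def audit_tls_settings(conf_text):
    """Classify each service client's TLS posture.

    insecure               -> *_api_insecure = True, no certificate checking
    verified_private_ca    -> a CA bundle is configured and will be checked
    verified_default_trust -> no CA bundle; the client's default trust store
                              is used (fails for a private CA as in the report)
    """
    section = _default_section(conf_text)
    findings = {}
    for service, (insecure_opt, cafile_opt) in SERVICE_TLS_OPTIONS.items():
        insecure = section.getboolean(insecure_opt, fallback=False)
        cafile = section.get(cafile_opt, fallback="").strip()
        if insecure:
            findings[service] = "insecure"
        elif cafile:
            findings[service] = "verified_private_ca"
        else:
            findings[service] = "verified_default_trust"
    return findings


def harden_tls_settings(conf_text, ca_file):
    """Replace every `<service>_api_insecure = True` line with the matching
    `<service>_ca_certificates_file = <ca_file>` line (step 3 of the report),
    without duplicating a CA line that is already present."""
    section = _default_section(conf_text)
    out = []
    for line in conf_text.splitlines():
        m = INSECURE_LINE.match(line)
        if not m or m.group(2).lower() != "true":
            out.append(line)
            continue
        service = m.group(1)
        if service not in SERVICE_TLS_OPTIONS:
            out.append(line)  # unknown client: leave it for a human to review
            continue
        cafile_opt = SERVICE_TLS_OPTIONS[service][1]
        if not section.get(cafile_opt, fallback="").strip():
            out.append(f"{cafile_opt} = {ca_file}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_tls_settings(SAMPLE_BEFORE))
    fixed = harden_tls_settings(SAMPLE_BEFORE, "/etc/nova/ssl/certs/ca.pem")
    print(fixed)
    print("after: ", audit_tls_settings(fixed))
```

Run against the constructed sample, the audit flags glance as `insecure` while neutron and cinder are `verified_private_ca`; after `harden_tls_settings` all three verify against the CA bundle, which is exactly the configuration state the report's step 3 ends in.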

information type: Private Security → Public
Tiago Mello (timello)
Changed in nova:
status: New → Confirmed
Tiago Mello (timello)
Changed in nova:
importance: Undecided → Low
assignee: nobody → Tiago Rodrigues de Mello (timello)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/84522

Changed in nova:
status: Confirmed → In Progress
Matt Riedemann (mriedem)
tags: added: icehouse-backport-potential
Openstack Gerrit (openstack-gerrit) wrote: Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/90372

Openstack Gerrit (openstack-gerrit) wrote:

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/90384

Sean Dague (sdague)
Changed in nova:
status: In Progress → Confirmed
assignee: Tiago Rodrigues de Mello (timello) → nobody
Matt Riedemann (mriedem) wrote:

OpenStack Infra (hudson-openstack) wrote: Change abandoned on nova (master)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: master
Review: https://review.openstack.org/84522
Reason: Already fixed:

https://review.openstack.org/#/c/72974/
