SNI in stable/liberty & master(mitaka) for octavia is not able to validated

Bug #1520990 reported by min wang
Affects Status Importance Assigned to Milestone
octavia
Fix Released
Critical
Adam Harwell

Bug Description

So we want to backport the TLS patches to stable/liberty for octavia; here are the patches that we need to backport:

https://review.openstack.org/#/c/237207/,
https://review.openstack.org/#/c/237282/,
https://review.openstack.org/#/c/237183/

I went through the steps in the wiki page: https://wiki.openstack.org/wiki/Network/LBaaS/docs/how-to-create-tls-loadbalancer

1. git clone devstack, stable/liberty version

2. edit the localrc file with octavia, barbican and neutron-lbaas at the stable/liberty version

3. ./stack

4. after devstack is up, cherry-picked the above 3 patches in octavia, python-installed them, edited the certificates section of etc/octavia/octavia.conf and restarted the o-cw service

5. created a TLS lb, listener, pool and member

6. in the validation step, I got a timeout error:

test@test-virtual-machine:~/devstack$ curl -kv https://10.0.0.5---(this is the vip for lb)
* Rebuilt URL to: https://10.0.0.5/
* Hostname was NOT found in DNS cache
* Trying 10.0.0.5...
* connect to 10.0.0.5 port 443 failed: Connection timed out
* Failed to connect to 10.0.0.5 port 443: Connection timed out
* Closing connection 0

test@test-virtual-machine:/etc/neutron$ openssl s_client -servername <email address hidden> -connect $(neutron lbaas-loadbalancer-list | awk '/ lb1 / {print $6}'):443

Changed in octavia:
importance: Undecided → Critical
Changed in octavia:
assignee: nobody → Adam Harwell (adam-harwell)
status: New → Triaged
Revision history for this message
Adam Harwell (adam-harwell) wrote :

Until TLS is working in master / mitaka, there isn't even a complete list of patches to backport. We need to revisit this once we have all of the patches to fix this actually merged into Mitaka...

Revision history for this message
Adam Harwell (adam-harwell) wrote :

Noting this as a backport candidate so I don't forget:
https://review.openstack.org/#/c/285574/

Revision history for this message
Madhusudhan Kandadai (madhusudhan-kandadai) wrote :

I am seeing the same error in mitaka too.

listener with TLS and SNI

devstack@ubuntu:~$ neutron lbaas-loadbalancer-create --name lb1 private-subnet
Created a new loadbalancer:
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| description         |                                      |
| id                  | a332cfe7-ce3d-4853-8419-6f3aa0f1ce47 |
| listeners           |                                      |
| name                | lb1                                  |
| operating_status    | OFFLINE                              |
| pools               |                                      |
| provider            | octavia                              |
| provisioning_status | PENDING_CREATE                       |
| tenant_id           | 71a38238ffb74292a2783935d8d0897f     |
| vip_address         | 10.0.0.15                            |
| vip_port_id         | 1804477d-e370-4355-91f3-3644a6199a8b |
| vip_subnet_id       | 28d324c9-1110-4618-b13b-529a44d7808a |
+---------------------+--------------------------------------+
devstack@ubuntu:~$
devstack@ubuntu:~$
devstack@ubuntu:~$
devstack@ubuntu:~$ neutron lbaas-loadbalancer-list
+--------------------------------------+------+-------------+---------------------+----------+
| id                                   | name | vip_address | provisioning_status | provider |
+--------------------------------------+------+-------------+---------------------+----------+
| a332cfe7-ce3d-4853-8419-6f3aa0f1ce47 | lb1  | 10.0.0.15   | ACTIVE              | octavia  |
+--------------------------------------+------+-------------+---------------------+----------+
devstack@ubuntu:~$ neutron lbaas-listener-create --debug --loadbalancer lb1 --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container-ref=$(barbican secret container list | awk '/ tls_container / {print $2}') --sni-container-refs=$(barbican secret container list | awk '/ tls_container2 / {print $2}')
Starting new HTTP connection (1): 192.168.109.128
Starting new HTTP connection (1): 192.168.109.128
Resetting dropped connection: 192.168.109.128
Starting new HTTP connection (1): 192.168.109.128
Starting new HTTP connection (1): 192.168.109.128
Resetting dropped connection: 192.168.109.128
DEBUG: stevedore.extension found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
DEBUG: stevedore.extension found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
DEBUG: stevedore.extension found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
DEBUG: stevedore.extension found extension EntryPoint.parse('v3oidcpassword =...

Revision history for this message
Madhusudhan Kandadai (madhusudhan-kandadai) wrote :

/var/lib/octavia/c46e0340-1462-411d-8670-e3c48dc506a7/haproxy.cfg

# Configuration for lb1
global
    daemon
    user nobody
    group nogroup
    log /dev/log local0
    log /dev/log local1 notice
    stats socket /var/lib/octavia/c46e0340-1462-411d-8670-e3c48dc506a7.sock mode 0666 level user

defaults
    log global
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend c46e0340-1462-411d-8670-e3c48dc506a7
    option tcplog
    redirect scheme https if !{ ssl_fc }
    bind 10.0.0.15:443 ssl crt /var<email address hidden>
    mode http
    default_backend ba05da83-8f13-49f3-bb71-e622a978e6f0

backend ba05da83-8f13-49f3-bb71-e622a978e6f0
    mode http
    balance roundrobin
    option forwardfor
    server 4dd5c223-7872-419d-8a17-e994005a5b6e 10.0.0.10:80 weight 1
    server 7a948676-ff32-4fb4-808d-006aa70a4e0f 10.0.0.9:80 weight 1

summary: - SNI in stable/liberty for octavia is not able to validated
+ SNI in stable/liberty & master(mitaka) for octavia is not able to
+ validated
Revision history for this message
Madhusudhan Kandadai (madhusudhan-kandadai) wrote :

mysql> desc neutron.lbaas_sni;
+------------------+--------------+------+-----+---------+-------+
| Field            | Type         | Null | Key | Default | Extra |
+------------------+--------------+------+-----+---------+-------+
| listener_id      | varchar(36)  | NO   | PRI | NULL    |       |
| tls_container_id | varchar(128) | NO   | PRI | NULL    |       |
| position         | int(11)      | YES  |     | NULL    |       |
+------------------+--------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

mysql> desc octavia.sni;
+------------------+-------------+------+-----+---------+-------+
| Field            | Type        | Null | Key | Default | Extra |
+------------------+-------------+------+-----+---------+-------+
| listener_id      | varchar(36) | NO   | PRI | NULL    |       |
| tls_container_id | varchar(36) | NO   | PRI | NULL    |       |
| position         | int(11)     | YES  |     | NULL    |       |
+------------------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

In the o-api log:

127.0.0.1 - - [17/Mar/2016 12:29:08] "GET /v1/loadbalancers/54eebb7a-1a3d-43ad-9486-fee847e66922 HTTP/1.1" 200 349
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters [req-064a6190-034f-493e-a470-7db5d6144e0f - - - - -] DBAPIError exception wrapped from (pymysql.err.DataError) (1406, u"Data too long for column 'tls_container_id' at row 1") [SQL: u'INSERT INTO sni (listener_id, tls_container_id, position) VALUES (%(listener_id)s, %(tls_container_id)s, %(position)s)'] [parameters: {'position': None, 'listener_id': u'e86ed249-f10a-4a6c-bac6-193d5794fd47', 'tls_container_id': 'http://192.168.109.128:9311/v1/containers/0ab59c90-c601-42ec-8d4f-f4ca8979876d'}]
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters Traceback (most recent call last):
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/base.py", line 1139, in _execute_context
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters context)
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters File "/usr/local/lib/python2.7/dist-packages/sqlalchemy/engine/default.py", line 450, in do_execute
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters cursor.execute(statement, parameters)
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters File "/usr/local/lib/python2.7/dist-packages/pymysql/cursors.py", line 158, in execute
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters result = self._query(query)
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters File "/usr/local/lib/python2.7/dist-packages/pymysql/cursors.py", line 308, in _query
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters conn.query(q)
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters File "/usr/local/lib/python2.7/dist-packages/pymysql/connections.py", line 820, in query
2016-03-17 12:30:45.494 20764 ERROR oslo_db.sqlalchemy.exc_filters self._affected_rows = self._read_query_result(unbuffered=unbuffered)
2016-03-17 12:30:45.494 20764 ERROR oslo_d...

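The failing INSERT in the traceback comes from the column-width mismatch visible in the two DESC outputs: neutron stores the Barbican container ref in a varchar(128), octavia.sni only had a varchar(36), and the value written is a full container URL rather than a bare UUID. The following is an added example, not code from octavia or neutron-lbaas, that reproduces the failure in SQLite: a CHECK constraint stands in for the MySQL strict-mode "Data too long for column" rejection, and the same insert is retried after widening the column to 128 as the merged fix does. The container ref is the one from the log line above; the listener id is a constructed placeholder.

```python
import sqlite3

# Container ref exactly as it appears in the o-api log above: a full Barbican URL
# (78 characters), not a bare 36-character UUID.
BARBICAN_REF = ("http://192.168.109.128:9311/v1/containers/"
                "0ab59c90-c601-42ec-8d4f-f4ca8979876d")
# Constructed placeholder listener id; any UUID-shaped string works here.
LISTENER_ID = "11111111-2222-4333-8444-555555555555"

OCTAVIA_SNI_LEN_BEFORE = 36   # octavia.sni.tls_container_id before the fix
NEUTRON_LBAAS_SNI_LEN = 128   # neutron.lbaas_sni.tls_container_id (and octavia after the fix)


def create_sni_table(conn, max_len):
    """Create an sni table shaped like octavia's, with tls_container_id capped at max_len.

    SQLite does not enforce VARCHAR(n), so a CHECK constraint emulates the
    'Data too long for column' error MySQL raises in strict sql_mode."""
    conn.execute("DROP TABLE IF EXISTS sni")
    conn.execute(
        "CREATE TABLE sni ("
        "  listener_id VARCHAR(36) NOT NULL,"
        f"  tls_container_id VARCHAR({max_len}) NOT NULL"
        f"    CHECK (length(tls_container_id) <= {max_len}),"
        "  position INTEGER,"
        "  PRIMARY KEY (listener_id, tls_container_id))"
    )


def insert_sni(conn, listener_id, tls_container_id, position=None):
    """Mirror the INSERT from the traceback; True on success, False if the DB rejects it."""
    try:
        with conn:
            conn.execute(
                "INSERT INTO sni (listener_id, tls_container_id, position) "
                "VALUES (?, ?, ?)",
                (listener_id, tls_container_id, position),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def ref_fits_column(ref, max_len):
    """Pre-flight check an API layer can run before touching the DB: does the
    container ref fit the column? Fails fast with a clear reason instead of a
    DBAPIError surfacing from the worker."""
    return len(ref) <= max_len


def reproduce():
    conn = sqlite3.connect(":memory:")
    results = {
        "ref_len": len(BARBICAN_REF),
        "fits_36": ref_fits_column(BARBICAN_REF, OCTAVIA_SNI_LEN_BEFORE),
        "fits_128": ref_fits_column(BARBICAN_REF, NEUTRON_LBAAS_SNI_LEN),
    }

    # Before the fix: varchar(36) cannot hold the 78-character URL, insert rejected.
    create_sni_table(conn, OCTAVIA_SNI_LEN_BEFORE)
    results["insert_before_fix"] = insert_sni(conn, LISTENER_ID, BARBICAN_REF)

    # After the fix: column widened to match neutron.lbaas_sni, insert succeeds.
    create_sni_table(conn, NEUTRON_LBAAS_SNI_LEN)
    results["insert_after_fix"] = insert_sni(conn, LISTENER_ID, BARBICAN_REF)
    return results


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Note that with a non-strict MySQL sql_mode the same INSERT would not error at all: the ref would be silently truncated to 36 characters and the listener would end up pointing at a container ref that does not exist. The strict-mode error in the log above is the safer of the two outcomes; keeping the column width identical across neutron-lbaas and octavia, and rejecting an over-long ref before the insert, removes the dependence on sql_mode entirely.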

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to octavia (master)

Reviewed: https://review.openstack.org/297480
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=298fd45380a937f21f09a4532615fe3af139ab56
Submitter: Jenkins
Branch: master

commit 298fd45380a937f21f09a4532615fe3af139ab56
Author: Aishwarya Thangappa <email address hidden>
Date: Wed Mar 23 19:41:50 2016 -0700

    Fixes the SNI issues in master(mitaka) for octavia

    1. Fixes the mismatch between the tls_container_id lengths in neutron.lbaas_sni
    and octavia.sni tables.
    2. Fixes the syntax error in cert_parser.py field. (tls_container.id => tls_container_id)
    3. Removes the certs['sni_certs'] parameter from the rest_api_driver.py as it gets wrongly
    assigned to socket_path parameter in the jinja_cfg.py file.
    4. Modifies the sample_configs to make the unit tests work with the above changes.

    Change-Id: I8fe5854ef2dc508e37a368294c44eef63b5bccba
    Closes-Bug: #1520990

Changed in octavia:
status: Triaged → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to octavia (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/330311

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/octavia 0.9.0

This issue was fixed in the openstack/octavia 0.9.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on octavia (stable/mitaka)

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/330311
Reason: This review is > 4 weeks without comment and currently blocked by a core reviewer with a -2. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and contacting the reviewer with the -2 on this review to ensure you address their concerns.
