Generated no_proxy env string can be too long for pam_env

Bug #1691749 reported by Stuart Grace
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Jimmy McCrory

Bug Description

Following the example for creating a no_proxy environment string here:
https://github.com/openstack/openstack-ansible/blob/master/etc/openstack_deploy/user_variables.yml#L122

The expanded string can be very long, but the Linux pam_env module has a limit of 1024 chars for env strings. See for example line 55 in:
https://fossies.org/linux/misc/Linux-PAM-1.3.0.tar.gz/Linux-PAM-1.3.0/modules/pam_env/pam_env.c

This results in repeated error messages in syslog on the hosts, such as:

pam_env(cron:session): non-alphanumeric key '10.29.237.10,10.29.236.235' in /etc/environment', ignoring

(The string '10.29.237.10,10.29.236.235' is part of the expanded no_proxy environment variable that starts after 1024 chars and has been treated as a separate variable).

This message suggests that the proxy would be used for some hosts which should be excluded.
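A pre-flight check for the failure described in this report, as an added example (not code from the bug report or from OpenStack-Ansible). The function names and sample data are hypothetical; the 1024 figure is the one quoted above, and treating any line that reaches it once its newline is counted as unsafe is a conservative assumption of this example.

```python
# Added example: flag /etc/environment-style lines that reach the pam_env limit
# quoted in the bug report, and show how few addresses fit in one no_proxy line.
PAM_ENV_LIMIT = 1024  # figure quoted in the bug report


def line_is_safe(line, limit=PAM_ENV_LIMIT):
    # Conservative assumption: the line plus its newline must stay below the limit.
    return len(line) + 1 < limit


def audit_environment(text, limit=PAM_ENV_LIMIT):
    """Return [(line_no, key, length)] for entries that reach the limit."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no variable
        if line_is_safe(raw, limit):
            continue
        if stripped.startswith("export "):
            stripped = stripped[len("export "):].lstrip()
        key = stripped.partition("=")[0].strip()
        findings.append((line_no, key, len(raw)))
    return findings


def hosts_that_fit(hosts, key="no_proxy", limit=PAM_ENV_LIMIT):
    """Count how many leading entries of `hosts` fit in one safe KEY=a,b,c line."""
    count = 0
    for n in range(1, len(hosts) + 1):
        if not line_is_safe(f"{key}=" + ",".join(hosts[:n]), limit):
            break
        count = n
    return count


# Constructed sample data: 200 addresses in the range seen in the log message.
SAMPLE_HOSTS = [f"10.29.236.{i}" for i in range(1, 201)]
SAMPLE_ENV = (
    "http_proxy=http://proxy.example.internal:3128\n"
    "no_proxy=" + ",".join(SAMPLE_HOSTS) + "\n"
)

if __name__ == "__main__":
    for line_no, key, length in audit_environment(SAMPLE_ENV):
        print(f"line {line_no}: {key} is {length} chars (limit {PAM_ENV_LIMIT})")
    print(f"addresses that fit in one no_proxy line: {hosts_that_fit(SAMPLE_HOSTS)}")
```

Run against the rendered no_proxy value before it is written to /etc/environment, a non-empty result from `audit_environment` is the condition a deployment could fail on instead of discovering it later in syslog.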

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/465950

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/465950
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=77ac88197c223968e845e57706b81af24d6aa443
Submitter: Jenkins
Branch: master

commit 77ac88197c223968e845e57706b81af24d6aa443
Author: Stuart Grace <email address hidden>
Date: Thu May 18 13:35:06 2017 +0100

    Add var for environment used only inside playbooks

    When global_environment_variables is set in user_variables.yml, this
    installs environment settings in /etc/environment on all hosts and
    containers. These remain in place after deployment is complete.

    This patch adds a similar variable deployment_environment_variables
    that defines environment strings applied only while the playbooks
    are running. They leave nothing behind on the hosts or containers.

    This may be used, for example, for proxy settings required only
    during deployment. A simpler no_proxy setting is adequate during
    deployment, so this provides a workaround to Bug #1691749.

    Change-Id: Ia15d2133c6749fa9496bbf9359b8bf075742d60e
    Related-Bug: #1691749

Andy McCrae (andrew-mccrae) wrote :

So the associated patch that has now merged will not leave the overly long env var - is there more to the issue here?
I'm not sure what we can do to ensure the var is under 1024 characters.

TL;DR is there more we can do to resolve this, and any ideas on what would work here?

Jonathan Rosser (jrosser) wrote :

The remaining issue is that the docs describe a method of deploying behind a proxy that will fail in a rather subtle way once no_proxy gets > 1024 chars, i.e. when the number of IPs in the deployment reaches a surprisingly small number. That issue remains regardless of the merged patch. Is it legitimate to fail out if no_proxy (or indeed any env var) is too long?

However, the merged patch does provide a route to a successful deployment where a very short no_proxy string is defined in deployment_environment_variables. Introducing an alternative method for deploying behind a proxy in the documentation may be helpful.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/467659

Jean-Philippe Evrard (jean-philippe-evrard) wrote :
Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Jimmy McCrory (jimmy-mccrory)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (stable/ocata)

Reviewed: https://review.openstack.org/467659
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=6d87aa8debea027f20bcd64d57edaee20b91998a
Submitter: Jenkins
Branch: stable/ocata

commit 6d87aa8debea027f20bcd64d57edaee20b91998a
Author: Stuart Grace <email address hidden>
Date: Thu May 18 13:35:06 2017 +0100

    Add var for environment used only inside playbooks

    When global_environment_variables is set in user_variables.yml, this
    installs environment settings in /etc/environment on all hosts and
    containers. These remain in place after deployment is complete.

    This patch adds a similar variable deployment_environment_variables
    that defines environment strings applied only while the playbooks
    are running. They leave nothing behind on the hosts or containers.

    This may be used, for example, for proxy settings required only
    during deployment. A simpler no_proxy setting is adequate during
    deployment, so this provides a workaround to Bug #1691749.

    (cherry picked from commit 77ac88197c223968e845e57706b81af24d6aa443)

    Change-Id: Ia15d2133c6749fa9496bbf9359b8bf075742d60e
    Related-Bug: #1691749

tags: added: in-stable-ocata
Jonathan Rosser (jrosser) wrote :

This issue, including the 1024 char limit, is now documented in the limited connectivity guide. Fix released.

Changed in openstack-ansible:
status: Confirmed → Fix Released