os_cinder: wrong interpretation of keystone_service_internaluri_insecure

Bug #1914602 reported by Damian Pietras
Affects: OpenStack-Ansible | Status: Fix Released | Importance: High | Assigned to: Unassigned | Milestone: (none)

Bug Description

I'd like to have an insecure (self-signed certs) setup for a lab. I've set keystone_service_internaluri_insecure: true, but that fails on the "Ensure cinder api is available" step of the os_cinder role. That is because the variable is actually interpreted with the opposite value in this step.

Before that change:

TASK [os_cinder : Ensure cinder api is available] *********************************************************************
FAILED - RETRYING: Ensure cinder api is available (10 retries left).
FAILED - RETRYING: Ensure cinder api is available (9 retries left).
FAILED - RETRYING: Ensure cinder api is available (8 retries left).
FAILED - RETRYING: Ensure cinder api is available (7 retries left).
FAILED - RETRYING: Ensure cinder api is available (6 retries left).
FAILED - RETRYING: Ensure cinder api is available (5 retries left).
FAILED - RETRYING: Ensure cinder api is available (4 retries left).
FAILED - RETRYING: Ensure cinder api is available (3 retries left).
FAILED - RETRYING: Ensure cinder api is available (2 retries left).
FAILED - RETRYING: Ensure cinder api is available (1 retries left).
fatal: [dev-osctr1_cinder_api_container-61942b45]: FAILED! => {"attempts": 10, "changed": false, "elapsed": 0, "msg": "Status code was -1 and not [200, 300]: Request failed: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)>", "redirected": false, "status": -1, "url": "https://192.168.208.1:8776"}

Revision history for this message
Damian Pietras (damianp) wrote :
Revision history for this message
Jonathan Rosser (jrosser) wrote :

Hi Damian,

This is the definition of keystone_service_internaluri_insecure:

https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/keystone.yml#L37-L41

Can you clarify if you are trying to use a self signed certificate on the internal API endpoint, or the external API endpoint?

keystone_service_internaluri_insecure is true when the internal endpoint is configured for https (it's http by default) and the user has not supplied a proper certificate.

If you could give a little more detail about what you are trying to achieve it would be really helpful.

Thanks,
Jonathan.

Revision history for this message
Damian Pietras (damianp) wrote :

Hi Jonathan,

My case was:
- OpenStack lab with very basic configuration
- Internal and external API URLs using HTTPS
- self-signed (invalid), autogenerated certificates

The value of keystone_service_internaluri_insecure was set as user variable in user_variables.yml to disable verification of certificates in API communication.
This and similar "*_internaluri_insecure" variables are read in many roles and properly disable certificate validation. Example:
https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/tasks/main.yml#L189

The os_cinder role is the only role where I had an error, because it actually enables verification of the certificate in this task instead of disabling it.
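
An added illustration of the inversion described in this thread (not the os_cinder role's actual task or the merged patch): a hypothetical uri-based availability check with the wrong mapping of the `*_insecure` flag beside the corrected one. The variable `cinder_service_internaluri` is assumed; the retry count and accepted status codes follow the log in the bug description.

```yaml
# Added example, not the role's real task. Assumed variable:
# cinder_service_internaluri (the endpoint being health-checked).
# keystone_service_internaluri_insecure: true means "do NOT verify the cert".

# Wrong: the *_insecure flag is passed straight through, so insecure=true
# turns verification ON and a self-signed cert fails with
# CERTIFICATE_VERIFY_FAILED, exactly as in the task output above.
- name: Ensure cinder api is available (inverted logic)
  uri:
    url: "{{ cinder_service_internaluri }}"
    status_code: [200, 300]
    validate_certs: "{{ keystone_service_internaluri_insecure | bool }}"
  register: cinder_api_check
  until: cinder_api_check.status in [200, 300]
  retries: 10
  delay: 5

# Corrected: verification is enabled exactly when the flag is NOT set,
# consistent with the other *_internaluri_insecure consumers.
- name: Ensure cinder api is available (corrected)
  uri:
    url: "{{ cinder_service_internaluri }}"
    status_code: [200, 300]
    validate_certs: "{{ not (keystone_service_internaluri_insecure | bool) }}"
  register: cinder_api_check
  until: cinder_api_check.status in [200, 300]
  retries: 10
  delay: 5
```

With the corrected mapping, certificate verification stays on unless the operator explicitly opts out, which is the safe default for anything beyond a lab.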

Revision history for this message
Dmitriy Rabotyagov (noonedeadpunk) wrote :
Changed in openstack-ansible:
status: New → Confirmed
Revision history for this message
Dmitriy Rabotyagov (noonedeadpunk) wrote :
Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
Dmitriy Rabotyagov (noonedeadpunk) wrote :

Oh, thanks for attaching patch btw and reporting the issue!

You're also very welcome to directly contribute to the code :) You will need to set up a gerrit [1] account for that (i.e. log in with Ubuntu One, set a username and upload an SSH key for authorization):
https://docs.openstack.org/contributors/common/setup-gerrit.html

It's a pretty easy and straightforward process.

[1] https://review.opendev.org/

Changed in openstack-ansible:
importance: Undecided → High
Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_cinder (stable/train)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/775773
Committed: https://opendev.org/openstack/openstack-ansible-os_cinder/commit/5e4af7f3fea6c299847125827e4249da5b2ba963
Submitter: "Zuul (22348)"
Branch: stable/train

commit 5e4af7f3fea6c299847125827e4249da5b2ba963
Author: Dmitriy Rabotyagov <email address hidden>
Date: Thu Feb 11 10:55:37 2021 +0200

    Fix cert verification logic for cinder api

    Change-Id: I8cf74ee5d1157357999059227ae9f805fc6fa4de
    Closes-Bug: #1914602
    (cherry picked from commit 6fd2a1a255e4531a3018ec6b3db1424521f04c9e)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder train-eol

This issue was fixed in the openstack/openstack-ansible-os_cinder train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder ussuri-eol

This issue was fixed in the openstack/openstack-ansible-os_cinder ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder yoga-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder yoga-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder victoria-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder wallaby-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder wallaby-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder xena-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder xena-eom release.
