[SRU] switch to requests breaks HTTPS support

Bug #1347150 reported by Rob Crittenden
This bug affects 7 people
Affects               Status        Importance  Assigned to         Milestone
Glance Client         Fix Released  High        Flavio Percoco
Ubuntu Cloud Archive  Fix Released  Undecided   Edward Hope-Morley

Bug Description

[Impact]
  Fix glanceclient breakage in Nova when using https glance endpoint in Juno.

[Test Case]
  1. Deploy OpenStack Juno (incl. this fix) with https endpoints and
     create an instance.

  2. Check that instance deployed successfully.

[Regression Potential]

  None.

Since switching to the requests library in the client, nova boot fails when the glance server is using SSL.

The error reported by nova is:

2014-07-22 16:20:57.569 DEBUG glanceclient.common.http [req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin] curl -i -X GET -H 'X-Auth-Token: ***' -H 'Accept-Encoding: gzip, deflate, compress' -H 'Accept: */*' -H 'User-Agent: python-glanceclient' --cert None --key None https://test.example.com:9292https://moon.greyoak.com:9292//v1/images/detail?is_public=none&limit=20 from (pid=32459) log_curl_request /home/rcrit/redhat/openstack/python-glanceclient/glanceclient/common/http.py:103
2014-07-22 16:20:57.571 ERROR nova.api.openstack [req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin] Caught error: VerifiedHTTPSConnection instance has no attribute 'insecure'

Once seen, all subsequent commands to the nova server fail similarly.

This is fairly easily reproduced with my SSL patches in https://bugs.launchpad.net/devstack/+bug/1328226 (probably needs some rebasing).

With an SSL-everywhere server this can be seen by installing in devstack and doing things like:

These work.

$ nova flavor-list
$ glance image-list
$ nova net-list

Have nova hit glance:

$ nova image-list
ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c)

All subsequent requests will fail similarly:

$ nova list
ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: req-f670db83-c830-4e75-b29f-44f61ae161a1)

Note that if you start nova and the first thing you do is an image-list it works. I'm guessing this is because the only connection in the pool is a glance connection object which has insecure defined.

Rob Crittenden (rcritten) wrote :

My workaround is to change the scheme name:

diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
index 93c6e6a..9e470cd 100644
--- a/glanceclient/common/https.py
+++ b/glanceclient/common/https.py
@@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter):
     def __init__(self, *args, **kwargs):
         # NOTE(flaper87): This line forces poolmanager to use
         # glanceclient HTTPSConnection
- poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool
+ poolmanager.pool_classes_by_scheme["glance+https"] = HTTPSConnectionPoo
         super(HTTPSAdapter, self).__init__(*args, **kwargs)

     def cert_verify(self, conn, url, verify, cert):
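Review bot: the added line in `HTTPSAdapter.__init__` assigns `HTTPSConnectionPoo`, not the `HTTPSConnectionPool` named on the removed line, so as posted it would raise NameError when the adapter is constructed; restore the final `l`. The assignment also still writes to the module-level `poolmanager.pool_classes_by_scheme` on every instantiation, and the NOTE(flaper87) comment above it still says the line forces poolmanager to use the glanceclient HTTPSConnection; update that comment to say the override now applies only to `glance+https` URLs.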
@@ -92,7 +92,7 @@ class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
     be used just when the user sets --no-ssl-compression.
     """

- scheme = 'https'
+ scheme = 'glance+https'

     def _new_conn(self):
         self.num_connections += 1
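Review bot: `scheme = 'glance+https'` on `HTTPSConnectionPool` only takes effect if callers build URLs with that scheme, and nothing in the visible lines performs that rewrite. The docstring says this pool is meant for `--no-ssl-compression` only, so document next to the attribute where the endpoint URL is switched from `https` to `glance+https`, and that plain `https` URLs now fall through to the stock pool.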

Changed in python-glanceclient:
assignee: nobody → Flavio Percoco (flaper87)
importance: Undecided → High
Changed in python-glanceclient:
status: New → In Progress
Flavio Percoco (flaper87) wrote :
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-glanceclient (master)

Reviewed: https://review.openstack.org/110574
Committed: https://git.openstack.org/cgit/openstack/python-glanceclient/commit/?id=052904ba32f6e6075b023065bff684042c640c6a
Submitter: Jenkins
Branch: master

commit 052904ba32f6e6075b023065bff684042c640c6a
Author: Flavio Percoco <email address hidden>
Date: Wed Jul 30 10:57:46 2014 +0200

    Don't replace the https handler in the poolmanager

    In order to keep the support for `--ssl-nocompression` it was decided to
    overwrite the https HTTPAdapter in `requests` poolmanager. Although this
    seemed to work correctly, it was causing some issues when using
    glanceclient from other services that rely on requests and that were
    also configured to use TLS.

    This patch implements a different strategy by using
    `glance+https` as the scheme to use when `no-compression` is requested.

    Closes-bug: #1350251
    Closes-bug: #1347150
    Closes-bug: #1362766

    Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b
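
The side effect the commit message describes, as an added example that is not glanceclient or requests code: a simplified model of a process-wide scheme registry, showing how registering a client-specific pool under `https` changes the pool every other TLS client in the process gets, while `glance+https` leaves them alone. The class names, hostnames and the `hijacked_schemes` check are assumptions made for illustration.

```python
# Simplified model (assumption): a process-wide scheme -> pool-class registry,
# standing in for the poolmanager dict the patch touches. Not glanceclient code.

class StockHTTPSPool:
    """Stand-in for the HTTP library's default TLS connection pool."""

class GlanceHTTPSPool:
    """Stand-in for the client-specific pool kept for --ssl-nocompression."""

DEFAULTS = {"http": object, "https": StockHTTPSPool}
pool_classes_by_scheme = dict(DEFAULTS)  # shared by every client in the process

def pool_for(url):
    """Pick the pool class the way a scheme-keyed manager would."""
    scheme = url.split("://", 1)[0].lower()
    return pool_classes_by_scheme[scheme]

def install_adapter(scheme):
    """What the adapter's __init__ does: register its pool under `scheme`."""
    pool_classes_by_scheme[scheme] = GlanceHTTPSPool

def hijacked_schemes():
    """Defensive check: default schemes whose pool class has been replaced."""
    return sorted(s for s, cls in DEFAULTS.items()
                  if pool_classes_by_scheme.get(s) is not cls)

def run(scheme):
    """Reset the registry, install the adapter under `scheme`, report the effect.

    Returns (pool seen by an unrelated https client,
             pool seen by the glance client,
             default schemes that were overridden).
    """
    pool_classes_by_scheme.clear()
    pool_classes_by_scheme.update(DEFAULTS)
    install_adapter(scheme)
    # Constructed hostnames; the first URL is some other service's TLS endpoint.
    other = pool_for("https://keystone.example.test:5000/v3")
    glance = pool_for(scheme + "://glance.example.test:9292/v1/images")
    return other.__name__, glance.__name__, hijacked_schemes()

if __name__ == "__main__":
    print("registered as https:       ", run("https"))
    print("registered as glance+https:", run("glance+https"))
```

A check like `hijacked_schemes()` fits a unit test or start-up assertion in any service that imports third-party HTTP clients alongside its own TLS configuration.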

Changed in python-glanceclient:
status: In Progress → Fix Committed
Louis Taylor (kragniz)
Changed in python-glanceclient:
status: Fix Committed → Fix Released
description: updated
summary: - switch to requests breaks HTTPS support
+ [SRU] switch to requests breaks HTTPS support
Edward Hope-Morley (hopem) wrote :
Changed in cloud-archive:
assignee: nobody → Edward Hope-Morley (hopem)
status: New → In Progress
Changed in cloud-archive:
status: In Progress → Invalid
Chuck Short (zulcss)
no longer affects: python-glanceclient/juno
Changed in cloud-archive:
status: Invalid → In Progress
Corey Bryant (corey.bryant) wrote :

Hi Ed, thanks for the patches. This is available for testing now in the trusty-juno-staging ppa:

sudo add-apt-repository ppa:ubuntu-cloud-archive/juno-staging

Edward Hope-Morley (hopem) wrote :

Hi Corey, I've tested out this Juno build and I no longer see the errors when using https endpoints, so LGTM.

Corey Bryant (corey.bryant) wrote :

Apologies for the late update on this bug as this fix has been available for a while now. This is fixed in python-glanceclient 1:0.14.0-0ubuntu1~cloud1 in the trusty-juno cloud archive. To get the fix:

sudo add-apt-repository cloud-archive:juno
sudo apt-get update

Changed in cloud-archive:
status: In Progress → Fix Released