verify: False in clouds.yaml does not == --insecure for python-openstackclient

Bug #1616891 reported by Ramy Asselin on 2016-08-25
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
oslo.utils
Undecided
Unassigned
python-novaclient
Undecided
Unassigned
python-openstackclient
Fix Released
High
Dean Troyer

Bug Description

Sanitized verbose output is available here: http://paste.openstack.org/show/563229/

Abbreviated here:

root@puppet3:/opt/system-config/production# openstack -vv server list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
START with options: [u'-vv', u'server', u'list']
Auth plugin password selected
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 2, cmd group openstack.volume.v2
identity API version 2.0, cmd group openstack.identity.v2
object_store API version 1, cmd group openstack.object_store.v1
baremetal API version 1.6, cmd group openstack.baremetal.v1
orchestration API version 1, cmd group openstack.orchestration.v1
neutronclient API version 2, cmd group openstack.neutronclient.v2
dns API version 2, cmd group openstack.dns.v2
Auth plugin password selected
Exception raised: 'Module_six_moves_urllib_parse' object has no attribute 'SplitResult'
END return value: 1

With ansible get a similar stack trace:

Inventory script (/etc/ansible/hosts/openstack) had an execution error: Traceback (most recent call last):
  File "/etc/ansible/hosts/openstack", line 61, in <module>
    import shade
  File "/usr/local/lib/python2.7/dist-packages/shade/__init__.py", line 24, in <module>
    from shade.openstackcloud import OpenStackCloud
  File "/usr/local/lib/python2.7/dist-packages/shade/openstackcloud.py", line 40, in <module>
    import novaclient.client
  File "/usr/local/lib/python2.7/dist-packages/novaclient/client.py", line 38, in <module>
    from oslo_utils import netutils
  File "/usr/local/lib/python2.7/dist-packages/oslo_utils/netutils.py", line 307, in <module>
    class _ModifiedSplitResult(parse.SplitResult):
AttributeError: 'Module_six_moves_urllib_parse' object has no attribute 'SplitResult'

Pip freeze output: http://paste.openstack.org/show/563229/

Workaround: restore back to previous clients. When I pip install these everything works again.
Working pip freeze output: http://paste.openstack.org/show/563165/

This is what gets installed when pip install the previously working pip freeze output showing it works:
Successfully installed Markdown-2.6.6 PyYAML-3.11 jsonpatch-1.14 jsonpointer-1.10 keystoneauth1-2.11.1 netifaces-0.10.4 openstacksdk-0.9.2 os-client-config-1.19.1 osc-lib-1.0.1 oslo.config-3.15.0 oslo.i18n-3.8.0 python-glanceclient-2.3.0 python-novaclient-5.0.0 python-openstackclient-2.6.0 requests-2.11.0 rfc3986-0.3.1 six-1.10.0 stevedore-1.17.0
Cleaning up...
root@puppet3:~# openstack server list
+--------------------------------------+-----------------------------+--------+------------------------------------+
| ID | Name | Status | Networks |
+--------------------------------------+-----------------------------+--------+------------------------------------+
| 9ec86b91-4a86-42f7-8fa4-fc9c996cf500 | git03.gpc.gozer.hpcloud.net | ACTIVE | default=192.168.0.9, 10.245.80.186 |
+--------------------------------------+-----------------------------+--------+------------------------------------+

Summary of packages that were downgraded:
jsonpatch==1.3
jsonpointer==1.0
keystoneauth1==2.12.0
netifaces==0.10.5
openstacksdk==0.9.3
os-client-config==1.20.1
osc-lib==1.0.2
oslo.config==3.16.0
oslo.i18n==3.9.0
python-glanceclient==2.5.0
python-novaclient==5.1.0
python-openstackclient==3.0.1
PyYAML==3.10
requests==2.11.1
rfc3986==0.4.1
stevedore==1.17.1

Monty Taylor (mordred) wrote :

Chatted on IRC - it seems there is an old copy of six on the system that looks to have gotten there via the python-six distro package, so the pip installation of the software did not install the appropriate version of six. Investigating workarounds.

Ramy Asselin (ramy-asselin) wrote :

ubuntu 14.04 image has six installed:
python-six/trusty-updates,now 1.5.2-1ubuntu1 all [installed]

I apt-get removed the packaged and re-ran my setup script on a clean ubuntu 14.04 image.

Now the correct version of six gets installed:

root@puppet4:~# pip freeze | grep six
six==1.10.0

New error is:

root@puppet4:~# openstack server list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
SSL exception connecting to https://10.245.78.7:5000/v2.0/tokens: [Errno 1] _ssl.c:510: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Exeception shouldn't happen since verify: false is in clouds.yaml
Perhaps this is a different bug.

root@puppet4:~# cat /etc/openstack/clouds.yaml
ansible:
  fail_on_errors: False
  use_hostnames: True
cache:
  expiration_time: 86400
  path: /var/cache/ansible-inventory
clouds:
  gpc:
    auth:
      auth_url: 'https://10.245.78.7:5000/v2.0'
      username: gozer
      password: sanitized
      project_name: gozer
    region_name: region1
    verify: false

Monty Taylor (mordred) on 2016-08-25
Changed in oslo.utils:
status: New → Invalid
Changed in python-novaclient:
status: New → Invalid
summary: - openstack server list fails with AttributeError:
- 'Module_six_moves_urllib_parse' object has no attribute 'SplitResult'
+ verify: False in clouds.yaml does not == --insecure for python-
+ openstackclient
Ramy Asselin (ramy-asselin) wrote :

Confirming that openstack --insecure server list works around the issue as does
updating the clouds.yaml file to include insecure: True

Monty Taylor (mordred) wrote :

Changing verify: false to insecure: True works. Not sure why. insecure: True is a fine workaround for now (and probably a better way to express the concept in the file) ... but verify: False worked in previous versions of osc, so it's likely worth investigating to see what we broke.

Dean Troyer (dtroyer) wrote :

In osc-lib ClientManager the verify option passed into __init__() is ignored due to brain failure on my part.

Changed in python-openstackclient:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Dean Troyer (dtroyer)

Fix proposed to branch: master
Review: https://review.openstack.org/360600

Changed in python-openstackclient:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/360600
Committed: https://git.openstack.org/cgit/openstack/osc-lib/commit/?id=9bf62fde0c69c0941e2a767fb580d98f63b1e2ef
Submitter: Jenkins
Branch: master

commit 9bf62fde0c69c0941e2a767fb580d98f63b1e2ef
Author: Dean Troyer <email address hidden>
Date: Thu Aug 25 09:35:34 2016 -0500

    Fix default handling for verify option in ClientManager

    The default for self.verify should be self._cli_options.verify,
    this was missing. This also simplified setting the default for
    self.cacert.

    Closes-bug: #1616891
    Change-Id: I53f0e18fe8fdd07c58c1b687146522ffba9e0044

Changed in python-openstackclient:
status: In Progress → Fix Released

This issue was fixed in the openstack/osc-lib 1.1.0 release.

This issue was fixed in the openstack/osc-lib 1.1.0 release.

This issue was fixed in the openstack/osc-lib 1.2.0 release.

This issue was fixed in the openstack/osc-lib 1.1.0 release.

This issue was fixed in the openstack/osc-lib 1.2.0 release.

This issue was fixed in the openstack/osc-lib 1.1.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers