rally doesn't take cacert setting

Bug #1577360 reported by Gavin B on 2016-05-02
This bug affects 1 person
Affects: Rally
Importance: High
Assigned to: Sergey Skripnick

Bug Description

I want to run rally against an existing cloud.

If I source my credentials file I can run nova, neutron, openstack commands - no issue.

(venv) gavin@gbhos ~/work/rally $ source ../gavin-systems/IPC1/ipc.osrc
(venv) gavin@gbhos ~/work/rally $ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+

I then create my deployment from the environment, which claims to succeed:

(venv) gavin@gbhos ~/work/rally $ rally-manage db recreate
2016-05-02 12:58:10.631 73480 INFO alembic.runtime.migration [-] Context impl SQLiteImpl.
2016-05-02 12:58:10.631 73480 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2016-05-02 12:58:12.621 73480 INFO alembic.runtime.migration [-] Context impl SQLiteImpl.
2016-05-02 12:58:12.622 73480 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2016-05-02 12:58:12.754 73480 INFO alembic.runtime.migration [-] Running stamp_revision -> 3177d36ea270
(venv) gavin@gbhos ~/work/rally $ rally deployment create --fromenv --name=IPC1
2016-05-02 12:58:44.037 73535 INFO rally.deployment.engine [-] Deployment 91737855-9c31-4340-be5d-416eb8e77df6 | Starting: OpenStack cloud deployment.
2016-05-02 12:58:44.242 73535 INFO rally.deployment.engine [-] Deployment 91737855-9c31-4340-be5d-416eb8e77df6 | Completed: OpenStack cloud deployment.
+--------------------------------------+----------------------------+------+------------------+--------+
| uuid | created_at | name | status | active |
+--------------------------------------+----------------------------+------+------------------+--------+
| 91737855-9c31-4340-be5d-416eb8e77df6 | 2016-05-02 10:58:43.924222 | IPC1 | deploy->finished | |
+--------------------------------------+----------------------------+------+------------------+--------+
Using deployment: 91737855-9c31-4340-be5d-416eb8e77df6
~/.rally/openrc was updated

HINTS:
* To get your cloud resources, run:
 rally show [flavors|images|keypairs|networks|secgroups]

* To use standard OpenStack clients, set up your env by running:
 source ~/.rally/openrc
  OpenStack clients are now configured, e.g run:
 glance image-list

However:

(venv) gavin@gbhos ~/work/rally $ rally show flavors

Flavors for user `<email address hidden>` in tenant `<email address hidden>`:
2016-05-02 12:58:55.405 73554 WARNING keystoneclient.auth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
Command failed, please check log for more info
2016-05-02 12:58:55.842 73554 CRITICAL rally [-] SSLError: SSL exception connecting to https://10.243.189.6:5000/v3/auth/tokens: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
2016-05-02 12:58:55.842 73554 ERROR rally Traceback (most recent call last):
2016-05-02 12:58:55.842 73554 ERROR rally File "/home/gavin/work/rally/venv/bin/rally", line 10, in <module>
:
:

The correct OS_CACERT is in ~/.rally/openrc:

(venv)<email address hidden> gavin@gbhos ~/work/rally $ grep CERT ~/.rally/openrc
export OS_CACERT='/home/gavin/work/gavin-systems/IPC1/ipc_cert.crt'

But rally itself appears to pay no attention to it.

In order to work around this I had to manually add my certificate to lib/python2.7/site-packages/requests/cacert.pem in the rally virtualenv.

Gavin B (gavin-brebner-orange) wrote :

I also tried setting "https_cacert" in the deployment definition file, but that didn't work either.

Gavin B (gavin-brebner-orange) wrote :

(venv)admin gavin@gbhos ~/work/rally $ rally --version
0.4.1~dev30

Andrey Kurilin (andreykurilin) wrote :

Hi! Could you share the output of `rally deployment config`?

Changed in rally:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Sergey Skripnick (eyerediskin)

Reviewed: https://review.openstack.org/319206
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=8838a4da0d02a2c3b7ffad10adae161b4d81a9e0
Submitter: Jenkins
Branch: master

commit 8838a4da0d02a2c3b7ffad10adae161b4d81a9e0
Author: Sergey Skripnick <email address hidden>
Date: Fri May 20 13:21:57 2016 +0200

    Do not ignore cacert setting

    Value of cacert was ignored while creating keystone session

    Change-Id: I731a18d953c2466b2c26440d5d8b28ac3fbf0137
    Closes-Bug: 1577360

Changed in rally:
status: In Progress → Fix Released
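
The failure reported here is a configured CA bundle that never reaches the TLS layer. As an added example (not Rally's code and not the committed patch), the Python below resolves "https_cacert" / OS_CACERT into a requests-style verify value, fails closed when the bundle cannot be loaded, and builds the matching SSL context. The function names and the "insecure" flag are assumptions made for illustration.

```python
import os
import ssl


def resolve_verify(cacert=None, insecure=False, environ=None):
    """Return the value for a requests-style ``verify=`` argument.

    cacert   -- CA bundle path from the deployment config ("https_cacert")
    insecure -- opt-out flag; this name is an assumption of the example
    environ  -- mapping consulted for OS_CACERT (defaults to os.environ)
    """
    environ = os.environ if environ is None else environ
    path = cacert or environ.get("OS_CACERT")
    if path:
        path = os.path.expanduser(path)
        try:
            # Load the bundle now so a bad path fails here, loudly, instead
            # of surfacing later as "certificate verify failed".
            probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            probe.load_verify_locations(cafile=path)
        except OSError as exc:  # missing file or no usable certificate
            raise ValueError("unusable CA bundle %r: %s" % (path, exc)) from exc
        return path
    # No bundle configured: verify against system roots unless opted out.
    return not insecure


def build_context(verify):
    """Turn the resolved value into an ssl.SSLContext for an HTTPS client."""
    if verify is True:
        return ssl.create_default_context()
    if verify is False:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # With cafile given, only that bundle is trusted (no system roots),
    # so the private CA does not have to be appended to a shared cacert.pem.
    return ssl.create_default_context(cafile=verify)
```

A configured but unreadable bundle raises even when the opt-out flag is set, so a typo in the path cannot silently downgrade the connection to unverified TLS.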