rally doesn't take cacert setting

Bug #1577360 reported by Gavin B
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Rally
Fix Released
High
Sergey Skripnick

Bug Description

I want to run rally against an existing cloud.

If I source my credentials file I can run nova, neutron, openstack commands - no issue.

(venv) gavin@gbhos ~/work/rally $ source ../gavin-systems/IPC1/ipc.osrc
(venv) gavin@gbhos ~/work/rally $ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+

I then create my deployment from the environment which claims to succeed :

(venv) gavin@gbhos ~/work/rally $ rally-manage db recreate
2016-05-02 12:58:10.631 73480 INFO alembic.runtime.migration [-] Context impl SQLiteImpl.
2016-05-02 12:58:10.631 73480 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2016-05-02 12:58:12.621 73480 INFO alembic.runtime.migration [-] Context impl SQLiteImpl.
2016-05-02 12:58:12.622 73480 INFO alembic.runtime.migration [-] Will assume non-transactional DDL.
2016-05-02 12:58:12.754 73480 INFO alembic.runtime.migration [-] Running stamp_revision -> 3177d36ea270
(venv) gavin@gbhos ~/work/rally $ rally deployment create --fromenv --name=IPC1
2016-05-02 12:58:44.037 73535 INFO rally.deployment.engine [-] Deployment 91737855-9c31-4340-be5d-416eb8e77df6 | Starting: OpenStack cloud deployment.
2016-05-02 12:58:44.242 73535 INFO rally.deployment.engine [-] Deployment 91737855-9c31-4340-be5d-416eb8e77df6 | Completed: OpenStack cloud deployment.
+--------------------------------------+----------------------------+------+------------------+--------+
| uuid | created_at | name | status | active |
+--------------------------------------+----------------------------+------+------------------+--------+
| 91737855-9c31-4340-be5d-416eb8e77df6 | 2016-05-02 10:58:43.924222 | IPC1 | deploy->finished | |
+--------------------------------------+----------------------------+------+------------------+--------+
Using deployment: 91737855-9c31-4340-be5d-416eb8e77df6
~/.rally/openrc was updated

HINTS:
* To get your cloud resources, run:
 rally show [flavors|images|keypairs|networks|secgroups]

* To use standard OpenStack clients, set up your env by running:
 source ~/.rally/openrc
  OpenStack clients are now configured, e.g run:
 glance image-list

However :

(venv) gavin@gbhos ~/work/rally $ rally show flavors

Flavors for user `<email address hidden>` in tenant `<email address hidden>`:
2016-05-02 12:58:55.405 73554 WARNING keystoneclient.auth.identity.generic.base [-] Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
Command failed, please check log for more info
2016-05-02 12:58:55.842 73554 CRITICAL rally [-] SSLError: SSL exception connecting to https://10.243.189.6:5000/v3/auth/tokens: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
2016-05-02 12:58:55.842 73554 ERROR rally Traceback (most recent call last):
2016-05-02 12:58:55.842 73554 ERROR rally File "/home/gavin/work/rally/venv/bin/rally", line 10, in <module>
:
:

The correct OS_CACERT is in ~/.rally/openrc :

(venv)<email address hidden> gavin@gbhos ~/work/rally $ grep CERT ~/.rally/openrc
export OS_CACERT='/home/gavin/work/gavin-systems/IPC1/ipc_cert.crt'

But rally itself appears to pay no attention to it.

In order to work around this I had to manually add my certificate to lib/python2.7/site-packages/requests/cacert.pem in the rally virtualenv

Revision history for this message
Gavin B (gavin-brebner-orange) wrote :

I also tried setting "https_cacert" in the deployment definition file, but that didn't work either

Revision history for this message
Gavin B (gavin-brebner-orange) wrote :

(venv)admin gavin@gbhos ~/work/rally $ rally --version
0.4.1~dev30

Revision history for this message
Andriy Kurilin (andreykurilin) wrote :

Hi! Could you share output of `rally deployment config`?

Changed in rally:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Sergey Skripnick (eyerediskin)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to rally (master)

Fix proposed to branch: master
Review: https://review.openstack.org/319206

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to rally (master)

Reviewed: https://review.openstack.org/319206
Committed: https://git.openstack.org/cgit/openstack/rally/commit/?id=8838a4da0d02a2c3b7ffad10adae161b4d81a9e0
Submitter: Jenkins
Branch: master

commit 8838a4da0d02a2c3b7ffad10adae161b4d81a9e0
Author: Sergey Skripnick <email address hidden>
Date: Fri May 20 13:21:57 2016 +0200

    Do not ignore cacert setting

    Value of cacert was ignored while creating keystone session

    Change-Id: I731a18d953c2466b2c26440d5d8b28ac3fbf0137
    Closes-Bug: 1577360

Changed in rally:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.