StarlingX

sysinv requests not working from remote_cli

Bug #1980417 reported by Andy
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Andy

Bug Description

Brief Description
-----------------
On remote cli, system command such as "system host-list" doesn't work with options "-k/--insecure", "--ca-file", "--cert-file" and ""--key-file" over HTTPS.

Severity
--------
Major: cannot access system information from remote cli.

Steps to Reproduce
------------------
- Setup remote cli environment
- run "system host-list" with the 4 options such as:
  system host-list
  system -k host-list
  system --ca-file=rootca.pem host-list

Expected Behavior
------------------
The command succeeds.

Actual Behavior
----------------
The commands fail with error:

$ system host-list
Must provide Keystone credentials or user-defined endpoint and token, error was: SSL exception connecting to https://128.224.150.215:5000/v3/auth/tokens: HTTPSConnectionPool(host='128.224.150.215', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
Remote cli to access a HTTPs enabled system (any configurations)

Branch/Pull Time/Commit
-----------------------
STX master latest.

Last Pass
---------
Unknown

Timestamp/Logs
--------------
See "Steps to Reproduce"

Test Activity
-------------
Regression Testing

Workaround
----------
In the remote cli environment, set OS_CACERT to point to a valid CA or CA bundle.
export OS_CACERT=rootca.pem

Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/848639

Changed in starlingx:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/848639
Committed: https://opendev.org/starlingx/config/commit/3379be986a52009830182152fd1b4182e45cecf0
Submitter: "Zuul (22348)"
Branch: master

commit 3379be986a52009830182152fd1b4182e45cecf0
Author: Andy Ning <email address hidden>
Date: Thu Jun 30 16:48:33 2022 -0400

    cgtsclient handle certificate related options properly

    Currently cgtsclient ignores "-k/--insecure", "--ca-file",
    "--cert-file" and ""--key-file" options. In order for command
    such as "system host-list" to work over HTTPS, OS_CACERT env
    variable has to be set.

    This change updated cgtsclient to accept and properly handle
    the ignored options.

    Test Plan:
    PASS: remote cli docker image build
    PASS: from remote cli environment, successfully run the
          "system host-list" commands with the 4 options over
          HTTPS.

    Closes-Bug: 1980417
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: Iae03ac60188157cb726e6e12ba2209eff6b7e1e1

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.clients
Andy (andy.wrs)
Changed in starlingx:
status: Fix Released → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to root (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/root/+/849137

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to clients (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/clients/+/849139

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to root (master)

Reviewed: https://review.opendev.org/c/starlingx/root/+/849137
Committed: https://opendev.org/starlingx/root/commit/9bbe8965be7ac8bcebe15005ae5e44786fa00402
Submitter: "Zuul (22348)"
Branch: master

commit 9bbe8965be7ac8bcebe15005ae5e44786fa00402
Author: Andy Ning <email address hidden>
Date: Fri Jul 8 14:16:48 2022 -0400

    Update stx-platformclients tag to stx.7.0-v1.5.8

    This commit updates the image with the updated clients.

    Partial-Bug: 1980417
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I04b09f5c2189c394ffb4d82215e26b3417cf4c09

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to clients (master)

Reviewed: https://review.opendev.org/c/starlingx/clients/+/849139
Committed: https://opendev.org/starlingx/clients/commit/22b712caa6e5b91b967fa0a766d3afe0a01719b1
Submitter: "Zuul (22348)"
Branch: master

commit 22b712caa6e5b91b967fa0a766d3afe0a01719b1
Author: Andy Ning <email address hidden>
Date: Fri Jul 8 14:23:46 2022 -0400

    Update stx-platformclients image to version stx.7.0-v1.5.8

    Updated image with the new fixes since the last build

    Partial-Bug: 1980417
    Depends-On: https://review.opendev.org/c/starlingx/root/+/849137
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I276c017871757ab8919216e7840ce7e0ddb00525

Ghada Khalil (gkhalil)
Changed in starlingx:
status: In Progress → Fix Released
tags: added: stx.7.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.