Python image uploader: failure when certificate isn't valid

Bug #1817360 reported by Emilien Macchi on 2019-02-22
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Cédric Jeanneret

Bug Description

Using the Python uploader (now the default), it fails to push containers on a local registry if the source doesn't have a valid certificate.

insecure_registries isn't supported by python uploader yet, it seems.

Changed in tripleo:
milestone: none → stein-3
importance: Undecided → High
status: New → Triaged
description: updated

Fix proposed to branch: master
Review: https://review.openstack.org/639037

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
status: Triaged → In Progress
Cédric Jeanneret (cjeanner) wrote :

So, there are multiple issues:
- "authenticate" method must allow to pass "verify=False" to the request.Session object.
- apparently, some other methods such as _inspect have troubles using the request.Session properly, and don't get the "verify=False" we need.

In addition, the whole issue seems to be created by a redirect occurring in the _inspect method.

It's pretty nasty...

Fix proposed to branch: master
Review: https://review.openstack.org/640270

Reviewed: https://review.openstack.org/639037
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=611080299958c039e7992bff5b1580b916e5c633
Submitter: Zuul
Branch: master

commit 611080299958c039e7992bff5b1580b916e5c633
Author: Cédric Jeanneret <email address hidden>
Date: Mon Feb 25 10:24:14 2019 +0100

    Allow PythonImageUploader to accept unknown CA

    Handles unknown CA in a dedicated list in order to know
    when to enable "verify" for requests.Session calls.

    This new list will hold the registries with unknown CA like
    it's done for the "insecure registries" (this one means "no
    encryption" aka "http").

    Change-Id: I00b2e59d3da5374f20dc2eac9bb13e2482ed524b
    Related-Bug: #1817360

Change abandoned by Cédric Jeanneret (<email address hidden>) on branch: master
Review: https://review.openstack.org/640270
Reason: previous one is merged, downstream patch submitted - this one has no reason anymore.

Cédric Jeanneret (cjeanner) wrote :

PythonImageUploader can now accept unknown CA. This issue being downstream-only, I've submitted another patch, downstream, that will list Red Hat dev registry as a NO_VERIFY_REGISTRIES by default.

This issue is therefore closed regarding upstream.

Changed in tripleo:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers