Container image uploader should not use http for "no verify" registries

Bug #1858672 reported by Alan Bishop on 2020-01-07
Affects: tripleo
Importance: Medium
Assigned to: Alex Schultz

Bug Description

A deployment using a downstream registry that happens to have an invalid SSL certificate is failing because the container image uploader switches from HTTPS to HTTP. The registry in question (docker-registry.upshift.redhat.com) doesn't support HTTP. Here are the relevant entries from tripleo-container-image-prepare.log:

Starting new HTTPS connection (1): docker-registry.upshift.redhat.com:443
Starting new HTTPS connection (2): docker-registry.upshift.redhat.com:443
https://docker-registry.upshift.redhat.com:443 "GET /v2 HTTP/1.1" 301 39
https://docker-registry.upshift.redhat.com:443 "GET /v2/ HTTP/1.1" 401 87
imagename: docker-registry.upshift.redhat.com/ceph/rhceph-4.0-rhel8:latest
...
Starting new HTTP connection (1): docker-registry.upshift.redhat.com:80
http://docker-registry.upshift.redhat.com:80 "GET /v2/ HTTP/1.1" 503 None
http://docker-registry.upshift.redhat.com/v2/ status code 503
...
Image prepare failed: 503 Server Error: Service Unavailable for url: http://docker-registry.upshift.redhat.com/v2/
Traceback (most recent call last):
  File "/usr/bin/tripleo-container-image-prepare", line 131, in <module>
    env, roles_data, cleanup=args.cleanup, dry_run=args.dry_run)
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/kolla_builder.py", line 213, in container_images_prepare_multi
    uploader.upload()
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 237, in upload
    uploader.run_tasks()
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 1818, in run_tasks
    local_images.extend(upload_task(args=self.upload_tasks.pop()))
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 1874, in upload_task
    return uploader.upload_image(task)
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 1105, in upload_image
    password=source_password
  File "/usr/lib/python3.6/site-packages/tenacity/__init__.py", line 292, in wrapped_f
    return self.call(f, *args, **kw)
  File "/usr/lib/python3.6/site-packages/tenacity/__init__.py", line 358, in call
    do = self.iter(retry_state=retry_state)
  File "/usr/lib/python3.6/site-packages/tenacity/__init__.py", line 331, in iter
    raise retry_exc.reraise()
  File "/usr/lib/python3.6/site-packages/tenacity/__init__.py", line 167, in reraise
    raise self.last_attempt.result()
  File "/usr/lib64/python3.6/concurrent/futures/_base.py", line 425, in result
    return self.__get_result()
  File "/usr/lib64/python3.6/concurrent/futures/_base.py", line 384, in __get_result
    raise self._exception
  File "/usr/lib/python3.6/site-packages/tenacity/__init__.py", line 361, in call
    result = fn(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/tripleo_common/image/image_uploader.py", line 394, in authenticate
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 503 Server Error: Service Unavailable for url: http://docker-registry.upshift.redhat.com/v2/

Registries with an invalid SSL certificate may be insecure, but still need to be accessed using HTTPS.
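
The distinction the report draws, between a registry that must be reached over plain HTTP and one that needs HTTPS with certificate verification turned off, is shown in this added example, which is not tripleo-common code or part of the original report. The registry sets and function names are hypothetical, and `build_url_before` is a simplified model of the reported behaviour; `downgraded_hosts` is a log check for the HTTPS-to-HTTP switch visible in the log above.

```python
import re

# Hypothetical registry sets for illustration; not tripleo-common's data structures.
INSECURE = {"plainhttp.registry.example:8787"}   # registries served over plain HTTP
NO_VERIFY = {"selfsigned.registry.example"}      # HTTPS, but certificate fails validation


def build_url_before(netloc, path="/v2/"):
    """Simplified model of the reported behaviour: 'no verify' falls back to HTTP."""
    scheme = "http" if netloc in INSECURE | NO_VERIFY else "https"
    return f"{scheme}://{netloc}{path}"


def build_url_after(netloc, path="/v2/"):
    """Only registries explicitly marked insecure are addressed over HTTP."""
    scheme = "http" if netloc in INSECURE else "https"
    return f"{scheme}://{netloc}{path}"


def request_settings(netloc, path="/v2/"):
    """Return (url, verify) as they would be passed to requests.get(url, verify=...)."""
    return build_url_after(netloc, path), netloc not in NO_VERIFY


# Matches urllib3 connection-pool debug lines of the kind quoted in the report.
CONN = re.compile(r"Starting new (HTTPS?) connection \(\d+\): ([^:\s]+):\d+")


def downgraded_hosts(log_lines):
    """Hosts that were contacted over HTTPS and later over plain HTTP."""
    seen_https, downgraded = set(), []
    for line in log_lines:
        m = CONN.search(line)
        if not m:
            continue
        scheme, host = m.groups()
        if scheme == "HTTPS":
            seen_https.add(host)
        elif host in seen_https and host not in downgraded:
            downgraded.append(host)
    return downgraded


# Two connection lines copied from the log in the report above.
SAMPLE_LOG = [
    "Starting new HTTPS connection (1): docker-registry.upshift.redhat.com:443",
    "Starting new HTTP connection (1): docker-registry.upshift.redhat.com:80",
]
```

With `verify=False` the session is still encrypted but the server is unauthenticated, so a "no verify" registry remains exposed to interception; the HTTP fallback removes the encryption as well.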

Fix proposed to branch: master
Review: https://review.opendev.org/701411

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
assignee: Alan Bishop (alan-bishop) → Alex Schultz (alex-schultz)

Reviewed: https://review.opendev.org/701411
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=dcf99e7167b7827b6edaf10b460a0dd5e57cdddb
Submitter: Zuul
Branch: master

commit dcf99e7167b7827b6edaf10b460a0dd5e57cdddb
Author: Alan Bishop <email address hidden>
Date: Tue Jan 7 08:54:18 2020 -0800

    Image uploader: use HTTPS for "no verify" registries

    Registries with an invalid SSL certificate are insecure, but still
    need to be accessed via HTTPS. This patch updates the URL builder
    to take this into consideration.

    Closes-Bug: #1858672
    Change-Id: I71436313098f513c200ecc3f862a2b851fb1060a

Changed in tripleo:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/703008
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=f6bcc3bcdb88ec385c9b308a0f33a6187a7824ef
Submitter: Zuul
Branch: stable/train

commit f6bcc3bcdb88ec385c9b308a0f33a6187a7824ef
Author: Alan Bishop <email address hidden>
Date: Tue Jan 7 08:54:18 2020 -0800

    Image uploader: use HTTPS for "no verify" registries

    Registries with an invalid SSL certificate are insecure, but still
    need to be accessed via HTTPS. This patch updates the URL builder
    to take this into consideration.

    Closes-Bug: #1858672
    Change-Id: I71436313098f513c200ecc3f862a2b851fb1060a
    (cherry picked from commit dcf99e7167b7827b6edaf10b460a0dd5e57cdddb)

tags: added: in-stable-train

Reviewed: https://review.opendev.org/703847
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=cba9fa4e2a66d93f75e260ec524f9d4b89fa64d2
Submitter: Zuul
Branch: stable/stein

commit cba9fa4e2a66d93f75e260ec524f9d4b89fa64d2
Author: Alan Bishop <email address hidden>
Date: Tue Jan 7 08:54:18 2020 -0800

    Image uploader: use HTTPS for "no verify" registries

    Registries with an invalid SSL certificate are insecure, but still
    need to be accessed via HTTPS. This patch updates the URL builder
    to take this into consideration.

    Closes-Bug: #1858672
    Change-Id: I71436313098f513c200ecc3f862a2b851fb1060a
    (cherry picked from commit dcf99e7167b7827b6edaf10b460a0dd5e57cdddb)
    (cherry picked from commit f6bcc3bcdb88ec385c9b308a0f33a6187a7824ef)

tags: added: in-stable-stein

This issue was fixed in the openstack/tripleo-common 12.1.0 release.
