metadata service calls to nova-api-metadata with IP based SANs fail

Bug #1790598 reported by James Page on 2018-09-04
Affects             Status                    Importance  Assigned to  Milestone
neutron                                       Undecided   Unassigned
neutron (Ubuntu)    Status tracked in Cosmic
  Xenial                                      Low         Unassigned
  Bionic                                      High        Unassigned
  Cosmic                                      High        James Page

Bug Description

[Impact]
If the nova-api-metadata service is secured with a certificate that makes use of IP based SANs, under Python 2 certificate validation will fail as the ssl module does not support use of IP addresses in cert SAN fields (and httplib2, which is used to make the request, uses ssl directly).

Master branch of neutron has switched (see [0]) to using requests to make these calls, supporting use of certs with IP address based SANs (via urllib3, which does support IP address based SANs under Python 2).

[0] https://github.com/openstack/neutron/commit/7e0dd2f18d4919964655cfce7a282d1c5c131fc4

[Test Case]
Deploy OpenStack, securing the metadata service using certs with IPAddress based SANs (openstack charms + vault can do this).
Boot instance - instance will fail to get metadata due to neutron->nova cert verification failure.

[Regression Potential]
Patch switches communication between neutron and nova for metadata queries to use requests over httplib2; so it's a fairly like-for-like switch - both are used across openstack for various purposes.
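The root cause described under [Impact] and in the stable/rocky commit message, as an added illustration that is not code from neutron or the linked patch: a hostname matcher that only consults dNSName SANs (the Python 2 ssl.match_hostname behaviour) rejects a certificate whose only SAN is an IP address, while one that also compares iPAddress SANs (what urllib3 does for requests) accepts it. The certificate dict, names and addresses below are constructed sample values.

```python
import ipaddress

# Constructed peer certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(): like the nova-api-metadata cert in the
# report, it carries only an iPAddress SAN (10.5.0.12 is a made-up value).
CONSTRUCTED_CERT = {
    'subject': ((('commonName', 'nova-api-metadata'),),),
    'subjectAltName': (('IP Address', '10.5.0.12'),),
}


def _dns_match(pattern, hostname):
    """dNSName comparison: case-insensitive, with a wildcard accepted only
    as the whole leftmost label (the RFC 6125 subset most validators use)."""
    pat, host = pattern.lower().split('.'), hostname.lower().split('.')
    if len(pat) != len(host):
        return False
    if pat[0] == '*':
        return len(pat) > 1 and pat[1:] == host[1:]
    return pat == host


def match_dns_only(cert, hostname):
    """Python 2 style: consult DNS SANs, otherwise fall back to the CN.
    An iPAddress SAN is never looked at, so connecting to an IP literal
    fails unless the CN happens to be that literal."""
    dns_names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not dns_names:
        dns_names = [v for rdn in cert.get('subject', ())
                     for k, v in rdn if k == 'commonName']
    return any(_dns_match(name, hostname) for name in dns_names)


def match_dns_or_ip(cert, hostname):
    """urllib3 / modern ssl style: an IP literal target is compared, as a
    parsed address rather than a string, against iPAddress SANs only."""
    try:
        target = ipaddress.ip_address(hostname)
    except ValueError:
        return match_dns_only(cert, hostname)   # not an IP literal
    for kind, value in cert.get('subjectAltName', ()):
        if kind == 'IP Address' and ipaddress.ip_address(value) == target:
            return True
    return False
```

Comparing parsed addresses also makes an IPv6 SAN match regardless of how the client spelt the address (e.g. compressed versus expanded form).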

James Page (james-page) on 2018-09-04
Changed in neutron (Ubuntu Cosmic):
status: New → Triaged
Changed in neutron (Ubuntu Bionic):
status: New → Triaged
Changed in neutron (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Changed in neutron (Ubuntu Bionic):
importance: Undecided → High
Changed in neutron (Ubuntu Cosmic):
importance: Undecided → High
description: updated
description: updated
Changed in neutron:
status: New → Fix Committed
James Page (james-page) on 2018-09-04
Changed in neutron (Ubuntu Cosmic):
status: Triaged → In Progress
assignee: nobody → James Page (james-page)
James Page (james-page) on 2018-09-04
Changed in neutron (Ubuntu Xenial):
importance: High → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package neutron - 2:13.0.0-0ubuntu2

---------------
neutron (2:13.0.0-0ubuntu2) cosmic; urgency=medium

  * d/p/metadata-use-requests-for-comms-with-nova-api.patch: Cherry
    pick of fix to support use of certs with IP based SAN's on Nova
    API endpoints when making metadata service calls (LP: #1790598).
  * d/control: Bump minimum requests version inline with above patch.

 -- James Page <email address hidden> Tue, 04 Sep 2018 14:59:36 +0100

Changed in neutron (Ubuntu Cosmic):
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/599537
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c28e4963b75414f093e432c9934f8658a4e56b98
Submitter: Zuul
Branch: stable/rocky

commit c28e4963b75414f093e432c9934f8658a4e56b98
Author: James Page <email address hidden>
Date: Mon Aug 20 15:22:10 2018 +0100

    metadata: use requests for comms with nova api

    httplib2 makes use of the ssl module provided by Python; under Python 2,
    the ssl module does not support IP addresses as subject alternate names
    (SANs), which, although an optional part of the associated RFC, is awkward
    to work with in environments where certificate management approaches
    rely on use of IP addresses in SANs.

    The requests module is more than happy to deal with this scenario; switch
    to requests in preference of httplib2 for metadata proxy calls.

    httplib2 is retained as it's used elsewhere in the codebase.

    Closes-Bug: 1790598
    Change-Id: Ife4adf09ddbf7116da2f8596c80aed53fb6790df
    (cherry picked from commit 7e0dd2f18d4919964655cfce7a282d1c5c131fc4)

tags: added: in-stable-rocky
Corey Bryant (corey.bryant) wrote :

The stable/queens fix has been included in neutron 2:12.0.4-0ubuntu1, currently in the bionic unapproved queue awaiting SRU team review.

description: updated
James Page (james-page) on 2018-10-02
description: updated
Brian Murray (brian-murray) wrote :

As an FYI, the "Regression Potential" part of the SRU description is supposed to be about how things can go wrong, not a statement regarding the chances of there being a regression.

An upload of neutron to bionic-proposed has been rejected from the upload queue for the following reason: "coreycb said he was going to add some more patches in #ubuntu-devel.".

Corey Bryant (corey.bryant) wrote :

Neutron 2:12.0.4-0ubuntu1 is now ready for review in the unapproved queue.

James Page (james-page) on 2018-10-03
description: updated

Hello James, or anyone else affected,

Accepted neutron into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/neutron/2:12.0.4-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in neutron (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
Corey Bryant (corey.bryant) wrote :

Regression testing successful for bionic-proposed (tempest results):

======
Totals
======
Ran: 92 tests in 1318.6413 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 494.8999 sec.

Corey Bryant (corey.bryant) wrote :

Regression testing successful for queens-proposed (tempest results):

======
Totals
======
Ran: 92 tests in 1000.6584 sec.
 - Passed: 84
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 465.0920 sec.
