2020-03-16 20:15:16 |
Jorge Niedbalski |
bug |
|
|
added bug |
2020-03-16 20:16:47 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Bionic |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
bug task added |
|
python-barbicanclient (Ubuntu Bionic) |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Eoan |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
bug task added |
|
python-barbicanclient (Ubuntu Eoan) |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Focal |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
bug task added |
|
python-barbicanclient (Ubuntu Focal) |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Disco |
|
2020-03-16 20:16:47 |
Jorge Niedbalski |
bug task added |
|
python-barbicanclient (Ubuntu Disco) |
|
2020-03-16 20:16:57 |
Jorge Niedbalski |
python-barbicanclient (Ubuntu Focal): status |
New |
Fix Released |
|
2020-03-16 20:18:15 |
Jorge Niedbalski |
python-barbicanclient (Ubuntu Eoan): status |
New |
Fix Released |
|
2020-03-16 20:18:17 |
Jorge Niedbalski |
python-barbicanclient (Ubuntu Disco): status |
New |
Fix Released |
|
2020-03-16 20:19:38 |
Jorge Niedbalski |
description |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1 |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad |
|
2020-03-16 20:24:09 |
Jorge Niedbalski |
description |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-03-17 14:46:58 |
Jorge Niedbalski |
python-barbicanclient (Ubuntu Bionic): status |
New |
Won't Fix |
|
2020-03-17 14:47:04 |
Jorge Niedbalski |
python-barbicanclient (Ubuntu Bionic): status |
Won't Fix |
Confirmed |
|
2020-03-17 14:52:21 |
Jorge Niedbalski |
attachment added |
|
Patch for bionic https://bugs.launchpad.net/ubuntu/+source/python-barbicanclient/+bug/1867676/+attachment/5338009/+files/lp-1867676-bionic.debdiff |
|
2020-03-18 16:27:44 |
Edward Hope-Morley |
bug task added |
|
cloud-archive |
|
2020-03-18 18:44:24 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2020-03-18 18:44:24 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2020-03-18 18:44:40 |
Corey Bryant |
cloud-archive: status |
New |
Invalid |
|
2020-03-18 18:44:48 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2020-03-18 19:29:59 |
Corey Bryant |
description |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-03-18 19:30:45 |
Corey Bryant |
description |
[Description]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Reproducer]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Possible Regressions]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Fix]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Impact]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Test Case]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-03-18 19:30:52 |
Corey Bryant |
python-barbicanclient (Ubuntu Bionic): status |
Confirmed |
Triaged |
|
2020-03-18 19:30:54 |
Corey Bryant |
python-barbicanclient (Ubuntu Bionic): importance |
Undecided |
High |
|
2020-03-18 19:30:57 |
Corey Bryant |
cloud-archive/queens: importance |
Undecided |
High |
|
2020-03-18 19:34:44 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-03-19 21:20:32 |
Jorge Niedbalski |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2020-03-26 01:37:24 |
Jorge Niedbalski |
description |
[Impact]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Test Case]
Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
Create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
This creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
---
[Impact]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-03-26 16:33:22 |
Jorge Niedbalski |
description |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
---
[Impact]
As per https://storyboard.openstack.org/#!/story/2007371 we identified that
ubuntu clouds running the version 4.6.0 (bionic) aren't raising a 404
error when a secret container is passed.
This causes the code to not fall back into the legacy mode
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Patches are unchanged and come from upstream stable/queens branch. Upstream patches receive unit and functional testing to minimize regression potential. The patches are cherry-picked from stable/stein. This is fixed in all releases upstream from stable/queens on, therefore newer releases have been running with these changes for a while now without issues.
* No regressions identified so far.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This fix being SRUed here is contained in 4.8.1-0ubuntu1 (disco onwards)
but not on the Bionic version 4.6.0-0ubuntu1.
The issue gets exposed with the following octavia
packages from UCA + python-barbicanclient 4.6.0ubuntu1.
Please note that likely this python-barbicanclient dependency should
be part of UCA and not of main/universe.
octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* I can't identify any regression potential for the fix as the patch
considers the required back-compatibility changes in order to support single secrets and containers (if given).
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener.
The change considers both cases for compatibility so no breakage is expected on this front.
* Also the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-03-26 18:52:22 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2020-04-06 13:57:31 |
Jorge Niedbalski |
description |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This fix being SRUed here is contained in 4.8.1-0ubuntu1 (disco onwards)
but not on the Bionic version 4.6.0-0ubuntu1.
The issue gets exposed with the following octavia
packages from UCA + python-barbicanclient 4.6.0ubuntu1.
Please note that likely this python-barbicanclient dependency should
be part of UCA and not of main/universe.
octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* I can't identify any regression potential for the fix as the patch
considers the required back-compatibility changes in order to support single secrets and containers (if given).
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener.
The change considers both cases for compatibility so no breakage is expected on this front.
* Also the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This fix being SRUed here is contained in 4.8.1-0ubuntu1 (disco onwards)
but not on the Bionic version 4.6.0-0ubuntu1.
The issue gets exposed with the following octavia
packages from UCA + python-barbicanclient 4.6.0ubuntu1.
Please note that likely this python-barbicanclient dependency should
be part of UCA and not of main/universe.
octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Creation and List/Get secrets by UUID and with different prefixes (as container secrets) and how this can affect is something to validate with the new SRU.
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener.
The change considers both cases for compatibility so no breakage is expected on this front.
* Also the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-04-13 19:34:35 |
Dan Streetman |
bug |
|
|
added subscriber STS Sponsors |
2020-04-13 19:35:49 |
Dan Streetman |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2020-04-22 19:17:34 |
Eric Desrochers |
python-barbicanclient (Ubuntu Bionic): status |
Triaged |
In Progress |
|
2020-04-22 19:17:48 |
Eric Desrochers |
python-barbicanclient (Ubuntu Bionic): assignee |
|
Jorge Niedbalski (niedbalski) |
|
2020-04-27 20:25:17 |
Jorge Niedbalski |
description |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
This fix being SRUed here is contained in 4.8.1-0ubuntu1 (disco onwards)
but not on the Bionic version 4.6.0-0ubuntu1.
The issue gets exposed with the following octavia
packages from UCA + python-barbicanclient 4.6.0ubuntu1.
Please note that likely this python-barbicanclient dependency should
be part of UCA and not of main/universe.
octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Creation and List/Get secrets by UUID and with different prefixes (as container secrets) and how this can affect is something to validate with the new SRU.
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener.
The change considers both cases for compatibility so no breakage is expected on this front.
* Also the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
[Impact]
Users of Ubuntu bionic running openstack clouds >= rocky
can't create octavia load balancers listeners anymore since the backport of the following patch:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This change was introduced as part of the following backports and
their posterior syncs into the current Bionic version.
**** IMPACTED VERSIONS NOTE ****
This issue can be triggered in standalone without any cloud-archive dependency and affects python-barbicanclient 4.6.0ubuntu1, which is the Bionic version. The issue was fixed in 4.8.1-0ubuntu1 (disco onwards).
However, this exception gets easily manifested in OpenStack deployments
that uses octavia packages from UCA + python-barbicanclient 4.6.0ubuntu1, as it provides direct interaction with the barbican client.
This means that any Ubuntu openstack cloud deployed from UCA on release >= rocky will manifest this issue when deployed on top of Bionic
octavia-api | 3.0.0-0ubuntu3~cloud0 | rocky | all
octavia-api | 4.0.0-0ubuntu1.1~cloud0 | stein | all
octavia-api | 4.0.0-0ubuntu1~cloud0 | train | all
This change added a new exception handler in the code
that manages the decoding of the given PCKS12 certicate bundle when the listener is created, this handler now captures the PCKS12 decoding error and then raises it preventing
the listener creation to happen (when its invoked with i.e.: --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" ) , this was originally being hidden
under the legacy code handler as can be seen here:
https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
This exception is raised because the barbicanclient doesn't know how to distinguish between a given secret and a container, therefore, when the
user specifies a container UUID the client tries to fetch a secret with that uuid (including the /containers/UUID path) and a error 400 (not the expected 404 http error) is returned.
The change proposed on the SRU makes the client aware of container and secret UUID(s) and is able to split the path to distinguish a non-secret (such as a container), in that way if a container is passed, it fails to pass the parsing validation and the right return code (404) is returned by the client.
If a error 404 gets returned, then the except Exception block gets
executed and the legacy driver code for decoding the pcks12 certicate in octavia is invoked, this legacy
driver is able to decode the container payloads and the decoding of the pcks12 certificate succeeds.
This differentiation was implemented here:
https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
As an example (this worked before the latest bionic version was pushed)
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
Further rationale on this can be found on https://storyboard.openstack.org/#!/story/2007371
[Test Case]
1) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)
2) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)
3) Create the 3 certs at barbican
$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"
4) Create a loadbalancer
$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet
5) Create a secrets container
$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"
6) Try to create the listener
openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
With the newest package upgrade this creation will fail with the following exception:
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)
[Regression Potential]
* Creation and List/Get secrets by UUID and with different prefixes (as container secrets) and how this can affect is something to validate with the new SRU.
* Please remember that this breakage is only exposed with octavia-api from UCA >= rocky, and affects a very minor subset of users that make use of the default-tls-container option when creating the listener.
The change considers both cases for compatibility so no breakage is expected on this front.
* Also the unit and functional tests have been included in the SRU changeset in order to ensure that no functionality is broken.
[Discussion]
The following changesets needs to be backported into the bionic version 4.6.0-0ubuntu1
All of those are part of 4.8.0 onward.
** https://github.com/openstack/python-barbicanclient/commit/6651c8ffce48ce7ff08f5563a8e6212677ea0468
** https://github.com/openstack/python-barbicanclient/commit/4eec7121b39de3849b469c56d85b95520aab7bad
Corresponding reviews
https://review.opendev.org/#/c/602810/
https://review.opendev.org/#/c/628046/ |
|
2020-05-11 14:53:04 |
Łukasz Zemczak |
python-barbicanclient (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2020-05-11 14:53:07 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2020-05-11 14:53:11 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-bionic |
|
2020-05-12 21:43:23 |
Jorge Niedbalski |
tags |
verification-needed verification-needed-bionic |
verification-done verification-done-bionic |
|
2020-05-18 13:47:40 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2020-05-18 13:47:42 |
Corey Bryant |
tags |
verification-done verification-done-bionic |
verification-done verification-done-bionic verification-queens-needed |
|
2020-05-19 23:29:13 |
Launchpad Janitor |
python-barbicanclient (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-05-19 23:29:17 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-07-06 13:35:54 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|