Mirantis OpenStack

Ceilometerclient doesn't handle SSL certs correctly

Bug #1443792 reported by Dmitry Nikishov
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mirantis OpenStack
Fix Released
High
Ilya Tyaptin
Mirantis OpenStack 6.1
6.0.x
Won't Fix
High
Ilya Tyaptin
Mirantis OpenStack 6.0-updates

Bug Description

Environment:
MOS 6.0/HA/Ubuntu

Once SSL (w/ self-signed certs) is manually configured on HAProxy post-deployment, Ceilometer client cannot be used to access Ceilometer API. There seem to be 2 issues:

1. "insecure" option is being ignored. The patch has been already merged to master: https://review.openstack.org/#/c/137831/
2. "cacert" parameter is being passed as "cert", which leads to connection errors. See https://bugs.launchpad.net/python-ceilometerclient/+bug/1389591 The fix for this has also been merged to master https://review.openstack.org/#/c/146951/

Revision history for this message
Alexander Ignatov (aignatov) wrote :

Dmitry could you please provide clear description what is needed for customer exactly?
Backport patches which you described in items 1 and 2?

Changed in mos:
importance: Undecided → High
status: New → Confirmed
assignee: nobody → MOS Ceilometer (mos-ceilometer)
milestone: none → 6.1
Revision history for this message
Dmitry Nikishov (nikishov-da) wrote :

Yes, customer need these patches in 6.0.

Ivan Berezovskiy (iberezovskiy)
Changed in mos:
assignee: MOS Ceilometer (mos-ceilometer) → Ilya Tyaptin (ityaptin)
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to openstack/python-ceilometerclient (openstack-ci/fuel-6.1/2014.2)

Related fix proposed to branch: openstack-ci/fuel-6.1/2014.2
Change author: Srinivas Sakhamuri <email address hidden>
Review: https://review.fuel-infra.org/5765

Changed in mos:
status: Confirmed → In Progress
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix merged to openstack/python-ceilometerclient (openstack-ci/fuel-6.1/2014.2)

Reviewed: https://review.fuel-infra.org/5763
Submitter: Ivan Berezovskiy <email address hidden>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: 9e0a93202b8b6964c850d5924346891e11ff7aa4
Author: ZhiQiang Fan <email address hidden>
Date: Wed Apr 15 14:57:39 2015

Enable --os-insecure CLI option

--os-insecure is not correctly passed to Keystoneclient because it
expects a bool type but we assgin a string value to the insecure
parameter, this patch fixes it by using oslo.utils.strutils.bool_from_string.

--os-insecure is ignored by Ceilometerclient.v2.client because it
expects parameter verify rather than insecure, this patch fixes it
by converting insecure to verify if that field is not set.

Related-bug: 1443792
cherry-picked from d51c261

Change-Id: I730e8e6b8f984f537ff13099404c3378b6b6774e

Ivan Berezovskiy (iberezovskiy)
Changed in mos:
status: In Progress → Fix Committed
Revision history for this message
Ivan Berezovskiy (iberezovskiy) wrote :

https://review.fuel-infra.org/#/c/5765/ isn't merged yet

Changed in mos:
status: Fix Committed → In Progress
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote :

Reviewed: https://review.fuel-infra.org/5765
Submitter: Ivan Berezovskiy <email address hidden>
Branch: openstack-ci/fuel-6.1/2014.2

Commit: a9286236f49443db6ff44da91657de8122caff82
Author: Srinivas Sakhamuri <email address hidden>
Date: Wed Apr 15 15:29:46 2015

Fix improper parameter setup for cacert and client certs

The client passes cacert incorrectly, CA cert need to be passed
in verify parameter to requests library. Also at present, key file
is not being used, which if it is supplied need to be passed as a
tuple in cert parameter

Python requests library relevant doc link
http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification

cherry-picked from 1369b2c

Change-Id: If4b7350d1107c01eb7e127e35aa72e6dfb139978
Related-Bug: 1443792

Ivan Berezovskiy (iberezovskiy)
Changed in mos:
status: In Progress → Fix Committed
Revision history for this message
Vitaly Gusev (vgusev) wrote :

This bug was reproduced on custom ISO and we can't verify fix in MOS 6.1, because MOS 6.1 and less don't support changing ssl parameter in keystone config (by default parameter use_ssl=false). But we verify it on devstack and fix works here.

Changed in mos:
status: Fix Committed → Fix Released
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Related fix proposed to openstack/python-ceilometerclient (openstack-ci/fuel-7.0/2015.1.0)

Related fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: ZhiQiang Fan <email address hidden>
Review: https://review.fuel-infra.org/8292

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote :

Related fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Srinivas Sakhamuri <email address hidden>
Review: https://review.fuel-infra.org/8293

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/python-ceilometerclient (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Ilya Tyaptin <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8293

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote :

Change abandoned by Ilya Tyaptin <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/8292

Revision history for this message
Alexey Stupnikov (astupnikov) wrote :

MOS 6.0 is no longer supported, moving to Won't Fix.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.