OpenStack Compute (nova)

glance requests from nova fail if there are too many endpoints in the service catalog

Bug #1482699 reported by Matt Riedemann
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Medium
Matt Riedemann
OpenStack Compute (nova) 12.0.0 "liberty"
Juno
Fix Released
Medium
Matt Riedemann
OpenStack Compute (nova) 2014.2.4
Kilo
Fix Released
Medium
Matt Riedemann
OpenStack Compute (nova) 2015.1.3

Bug Description

Nova sends the entire serialized service catalog in the http header to glance requests:

https://github.com/openstack/nova/blob/icehouse-eol/nova/image/glance.py#L136

If you have a lot of endpoints in your service catalog this can make glance fail with "400 Header Line TooLong".

Per bknudson: "Any service using the auth_token middleware has no use for the x-service-catalog header. All that auth_token middleware uses is x-auth-token. The auth_token middleware will actually strip the x-service-catalog from the request before it sends the request on to the rest of the pipeline, so the application will never see it."

If glance needs the service catalog it will get it from keystone when it auths the tokens, so nova shouldn't be sending this.

Matt Riedemann (mriedem)
Changed in nova:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Matt Riedemann (mriedem)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/210515

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/210557

Matt Riedemann (mriedem)
Changed in nova:
importance: High → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/210568

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/210515
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4fa9bc1c544af30f167499284fc3e8ff6b65d23f
Submitter: Jenkins
Branch: master

commit 4fa9bc1c544af30f167499284fc3e8ff6b65d23f
Author: ZHU ZHU <email address hidden>
Date: Fri Aug 7 09:09:08 2015 -0700

    Don't pass the service catalog when making glance requests

    If your service catalog has too many endpoints in it, passing this in
    the request to glance can result in a 400 because the header is too big.

    This isn't even necessary to pass to glance since we use the auth_token
    middleware.

    Per bknudson: "Any service using the auth_token middleware has no use
    for the x-service-catalog header. All that auth_token middleware uses is
    x-auth-token. The auth_token middleware will actually strip the
    x-service-catalog from the request before it sends the request on to the
    rest of the pipeline, so the application will never see it."

    Closes-Bug: #1482699

    Change-Id: I204c6f61194bef6eba01ab0525bc80fa2e323acd

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/210557
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9724d506bd9c478b757874b1de80f4e9fb7d7743
Submitter: Jenkins
Branch: stable/kilo

commit 9724d506bd9c478b757874b1de80f4e9fb7d7743
Author: ZHU ZHU <email address hidden>
Date: Fri Aug 7 09:09:08 2015 -0700

    Don't pass the service catalog when making glance requests

    If your service catalog has too many endpoints in it, passing this in
    the request to glance can result in a 400 because the header is too big.

    This isn't even necessary to pass to glance since we use the auth_token
    middleware.

    Per bknudson: "Any service using the auth_token middleware has no use
    for the x-service-catalog header. All that auth_token middleware uses is
    x-auth-token. The auth_token middleware will actually strip the
    x-service-catalog from the request before it sends the request on to the
    rest of the pipeline, so the application will never see it."

    Closes-Bug: #1482699

    Change-Id: I204c6f61194bef6eba01ab0525bc80fa2e323acd
    (cherry picked from commit 4fa9bc1c544af30f167499284fc3e8ff6b65d23f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/juno)

Reviewed: https://review.openstack.org/210568
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=77d33a33d662ab5ae85265f5f9c9968dc8fa8e5b
Submitter: Jenkins
Branch: stable/juno

commit 77d33a33d662ab5ae85265f5f9c9968dc8fa8e5b
Author: ZHU ZHU <email address hidden>
Date: Fri Aug 7 09:09:08 2015 -0700

    Don't pass the service catalog when making glance requests

    If your service catalog has too many endpoints in it, passing this in
    the request to glance can result in a 400 because the header is too big.

    This isn't even necessary to pass to glance since we use the auth_token
    middleware.

    Per bknudson: "Any service using the auth_token middleware has no use
    for the x-service-catalog header. All that auth_token middleware uses is
    x-auth-token. The auth_token middleware will actually strip the
    x-service-catalog from the request before it sends the request on to the
    rest of the pipeline, so the application will never see it."

    Conflicts:
            nova/tests/unit/image/test_glance.py
            nova/tests/unit/virt/xenapi/image/test_glance.py
            nova/tests/unit/virt/xenapi/test_vm_utils.py

    NOTE(mriedem): The conflicts in the tests are due to the test modules
    all being moved in kilo, otherwise there are no differences.

    Closes-Bug: #1482699

    Change-Id: I204c6f61194bef6eba01ab0525bc80fa2e323acd
    (cherry picked from commit 4fa9bc1c544af30f167499284fc3e8ff6b65d23f)
    (cherry picked from commit 9724d506bd9c478b757874b1de80f4e9fb7d7743)

Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-3 → 12.0.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.