Attach Volume Fails with secure call to cinder
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Eric Fried | |
Queens | Fix Committed | Medium | Eric Fried | |
python-cinderclient | Invalid | Undecided | Unassigned | |
Bug Description
It is found that when the cinder endpoint is configured to use https, the attach volume flow fails with the stack trace seen below (seen in the nova api log) because it fails to make a secure call from nova to cinder. Secure calls perform certificate validation, and in this particular flow, certificate validation is completely skipped.
File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR cinder.
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR _check_
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR max_api_version = cinder_
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR min_server, max_server = get_server_
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR response = requests.
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR return request('get', url, params=params, **kwargs)
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR return session.
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR resp = self.send(prep, **send_kwargs)
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR r = adapter.
2018-02-27 08:16:51.338 1324 ERROR File "/usr/lib/
2018-02-27 08:16:51.338 1324 ERROR raise ConnectionError(e, request=request)
2018-02-27 08:16:51.338 1324 ERROR ConnectionError: HTTPSConnection
This is a regression bug introduced as part of changeset https:/
https:/
https:/
https:/
https:/
affects: | cinder → nova |
Changed in nova: | |
assignee: | nobody → Divya K Konoor (dikonoor) |
tags: | added: cinder volumes |
Changed in nova: | |
status: | New → Triaged |
Changed in nova: | |
assignee: | Divya K Konoor (dikonoor) → Eric Fried (efried) |
status: | Incomplete → In Progress |
Changed in nova: | |
assignee: | Eric Fried (efried) → Matt Riedemann (mriedem) |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → Eric Fried (efried) |
Changed in nova: | |
importance: | Undecided → Medium |
Ouch, good find. https://review.openstack.org/#/c/508345/ could replace the microversion checks via cinderclient if we use the keystoneauth1 Adapter object, but that's not something we can backport to queens and pike.
How terrible would it be if we simply did a find/replace of "https" with "http" in the version URL we're checking here:
https://github.com/openstack/python-cinderclient/blob/3.5.0/cinderclient/client.py#L109
The version document in cinder clearly doesn't require a token, so SSL shouldn't be a requirement either it seems.