yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1588067] Re: Designate DNS driver for neutron fails for SSL based endpoints.

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1588067@xxxxxxxxxxxxxxxxxx>
Date: Thu, 16 Jun 2016 21:15:27 -0000
Reply-to: Bug 1588067 <1588067@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Reviewed:  https://review.openstack.org/326958
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9cd95366a035b29001ce75515d291cf72d07d0c3
Submitter: Jenkins
Branch:    master

commit 9cd95366a035b29001ce75515d291cf72d07d0c3
Author: imran malik <imran.malik@xxxxxxx>
Date:   Wed Jun 8 02:45:32 2016 -0700

    Fix designate dns driver for SSL based endpoints
    
    Allow setting options in designate section to specify if want
    to skip SSL cert check. This makes it possible to work with HTTPS
    based endpoints, the default behavior of keystoneclient is to always
    set verify=True however in current code, one cannot either provide
    a valid CA cert or skip the verification.
    
    DocImpact: Introduce two additional options for `[designate]` section
    in neutron.conf
    CONF.designate.insecure to allow insecure connections over SSL.
    CONF.designate.ca_cert for a valid cert when connecting over SSL
    
    Change-Id: Ic371cc11d783618c38ee40a18206b0c2a197bb3e
    Closes-Bug: #1588067


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1588067

Title:
  Designate DNS driver for neutron fails for SSL based endpoints.

Status in neutron:
  Fix Released

Bug description:
  Summary: 
  I have mitaka based deployment of neutron and designate and while trying to test the native integration of neutron with designate using this guide http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html I found out my DNS records are not getting created like on port-update or any floating ip operations as expected.
  This is because the the endpoints in deployments are SSL based (https) and the neutron code of mitaka that gets the keystoneclient session before initiating designate client, has no option to allow us to set verify=True/False from neutron.conf or in code itself https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L85 

  this makes it impossible to use neutron integration with designate
  over https based endpoints until the code is changed to:

  """

  _SESSION = session.Session(verify=False)
  """

  Description:

  Neutron has option to use external DNS driver in mitaka, such as designate. For that , we need to set the designate options in [designate] section of neutron.conf . For example:
  """
  [designate]
  url = http://55.114.111.93:9001/v2
  admin_auth_url = http://55.114.111.93:35357/v2.0
  admin_username = neutron
  admin_password = x5G90074
  admin_tenant_name = service
  allow_reverse_dns_lookup = True
  ipv4_ptr_zone_prefix_size = 24
  ipv6_ptr_zone_prefix_size = 116
  """

  the above example works fine when your url and admin_auth_url are http
  based endpoints. The neutron code uses options of designate section to
  get a session from keystone and uses that session to initiate
  designate admin client session as seen in the neutron code here
  https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L89

  In the case, when a deployment has https(SSL terminated) based endpoints, meaning both url and admin_auth_url has https, the keystone session is made in neutron code using 
  _SESSION = session.Session()

  the default behavior of keystoneclient is that if a url has https, then always set verify=True and use the ca file for verification.  
  but neither the option to provide a ca file or set verify=True/False is done neutron code for designate driver, this makes it impossible to use the integration over SSL based endpoints. 

  As an example of running the same code of mitaka from neutron ::
  """
  >>> admin_auth = password.Password(auth_url="https://10.240.128.120:6100/v2.0",username="admin",password="admin",tenant_name="service";)
  >>> _SESSION = session.Session()
  >>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
  >>> admin_client.zones.list()
  keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://10.240.128.120:6100/v2.0/tokens: [Errno 1] _ssl.c:523: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  """

  after altering the session initiation to set verify=False

  """
  _SESSION = session.Session(verify=False)
  >>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
  >>> admin_client.zones.list()
  []
  """

  Proposed fix:

  have an oslo opt for [designate] to let users specify insecure
  operations or set a ca file and use that info from neutron.conf to
  initiate keystone session before getting a designateclient

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1588067/+subscriptions
References

[Bug 1588067] [NEW] Designate DNS driver for neutron fails for SSL based endpoints.
From: Imran Hayder, 2016-06-01