← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1720049] [NEW] glance image-list command failed when ssl enabled in glance service

 

Public bug reported:


Steps to reproduce:

1. Deploy glance service in SSL mode
2. Set below extra env variable
OS_CACERT=/etc/ssl/openstack/ca.crt
OS_CERT=/etc/ssl/openstack/client3.crt
OS_KEY=/etc/ssl/openstack/client3.key

3. Try to use this command: glance image-list
SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)

If I enable debug:
glance --debug image-list
DEBUG:keystoneauth.session:REQ: curl -g -i -X GET https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: {SHA1}d41d9e001959c67c31eca98d67a65d048f13a1f4"
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): pike-c7
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/glanceclient/shell.py", line 699, in main
    OpenStackImagesShell().main(argv)
  File "/usr/lib/python2.7/site-packages/glanceclient/shell.py", line 603, in main
    args.func(client, args)
  File "/usr/lib/python2.7/site-packages/glanceclient/v2/shell.py", line 237, in do_image_list
    utils.print_list(images, columns)
  File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 185, in print_list
    for o in objs:
  File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 524, in next
    return self._next()
  File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 517, in _next
    obj, resp = next(self._self_wrapped)
  File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py", line 183, in list
    for image, resp in paginate(url, page_size, limit):
  File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py", line 110, in paginate
    resp, body = self.http_client.get(next_url, headers=req_id_hdr)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 288, in get
    return self.request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 335, in request
    **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 192, in request
    return self.session.request(url, method, **kwargs)
  File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 703, in request
    resp = send(**kwargs)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 765, in _send_request
    raise exceptions.SSLError(msg)
SSLError: SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)
SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)

But if I input three parameters in command line, It can display result:
glance --os-cacert /etc/ssl/openstack/ca.crt --os-cert /etc/ssl/openstack/client3.crt --os-key /etc/ssl/openstack/client3.key image-list
+--------------------------------------+-------------------------+
| ID                                   | Name                    |
+--------------------------------------+-------------------------+
| 9f3c23db-5d67-4aba-9dd2-aec5287f5f1c | cirros                  |
| 3664023e-9db6-44a3-9e18-86d14ade5784 | cloud-template-centos73 |
|                                      |                         |
| c3a7f251-6ede-41df-b75f-a9257d1b71ef | cloud-template-rhel73   |
|                                      |                         |
+--------------------------------------+-------------------------+

It seems that glance client didn't read certificate and/or key file from
env variable.

Version:
Pike on CentOS 7 (OpenStack-Pike release in CentOS delivery)
python2-glanceclient-2.8.0-1.el7.noarch

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1720049

Title:
  glance image-list command failed when ssl enabled in glance service

Status in Glance:
  New

Bug description:
  
  Steps to reproduce:

  1. Deploy glance service in SSL mode
  2. Set below extra env variable
  OS_CACERT=/etc/ssl/openstack/ca.crt
  OS_CERT=/etc/ssl/openstack/client3.crt
  OS_KEY=/etc/ssl/openstack/client3.key

  3. Try to use this command: glance image-list
  SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)

  If I enable debug:
  glance --debug image-list
  DEBUG:keystoneauth.session:REQ: curl -g -i -X GET https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc -H "User-Agent: python-glanceclient" -H "Content-Type: application/octet-stream" -H "X-Auth-Token: {SHA1}d41d9e001959c67c31eca98d67a65d048f13a1f4"
  INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): pike-c7
  Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/glanceclient/shell.py", line 699, in main
      OpenStackImagesShell().main(argv)
    File "/usr/lib/python2.7/site-packages/glanceclient/shell.py", line 603, in main
      args.func(client, args)
    File "/usr/lib/python2.7/site-packages/glanceclient/v2/shell.py", line 237, in do_image_list
      utils.print_list(images, columns)
    File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 185, in print_list
      for o in objs:
    File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 524, in next
      return self._next()
    File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 517, in _next
      obj, resp = next(self._self_wrapped)
    File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py", line 183, in list
      for image, resp in paginate(url, page_size, limit):
    File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py", line 110, in paginate
      resp, body = self.http_client.get(next_url, headers=req_id_hdr)
    File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 288, in get
      return self.request(url, 'GET', **kwargs)
    File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 335, in request
      **kwargs)
    File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 192, in request
      return self.session.request(url, method, **kwargs)
    File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101, in inner
      return wrapped(*args, **kwargs)
    File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 703, in request
      resp = send(**kwargs)
    File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line 765, in _send_request
      raise exceptions.SSLError(msg)
  SSLError: SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)
  SSL exception connecting to https://pike-c7:9292/v2/images?limit=20&sort_key=name&sort_dir=asc: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)

  But if I input three parameters in command line, It can display result:
  glance --os-cacert /etc/ssl/openstack/ca.crt --os-cert /etc/ssl/openstack/client3.crt --os-key /etc/ssl/openstack/client3.key image-list
  +--------------------------------------+-------------------------+
  | ID                                   | Name                    |
  +--------------------------------------+-------------------------+
  | 9f3c23db-5d67-4aba-9dd2-aec5287f5f1c | cirros                  |
  | 3664023e-9db6-44a3-9e18-86d14ade5784 | cloud-template-centos73 |
  |                                      |                         |
  | c3a7f251-6ede-41df-b75f-a9257d1b71ef | cloud-template-rhel73   |
  |                                      |                         |
  +--------------------------------------+-------------------------+

  It seems that glance client didn't read certificate and/or key file
  from env variable.

  Version:
  Pike on CentOS 7 (OpenStack-Pike release in CentOS delivery)
  python2-glanceclient-2.8.0-1.el7.noarch

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1720049/+subscriptions


Follow ups