yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1830535] [NEW] Invalid neutron metadata proxy configuration leads to confusing nova exception

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Gary Kotton <1830535@xxxxxxxxxxxxxxxxxx>
Date: Sun, 26 May 2019 11:28:27 -0000
Reply-to: Bug 1830535 <1830535@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Public bug reported:

The exception below is received when nova has the following configuration:
1. nova metadata proxy service has:
[neutron]
metadata_proxy_shared_secret = novarocks

2. neutron nsx_v section does not have metadata_shared_secret defined
(this means that the proxy does not inject the signature in the headers)

Exception:
{"log":"\n","stream":"stdout","time":"2019-05-23T05:23:07.140817119Z"}
{"log":"2019-05-23 05:23:07.140 27 INFO nova.metadata.wsgi.server [-] 172.165.0.171,151.168.64.0 \"GET /openstack/2013-10-17/meta_data.json HTTP/1.1\" status: 500 len: 139 time: 0.0021250\n","stream":"stdout","time":"2019-05-23T05:23:07.140925898Z"}
{"log":"2019-05-23 05:23:11.479 21 INFO nova.metadata.wsgi.server [-] 151.168.64.0 \"GET / HTTP/1.0\" status: 200 len: 234 time: 0.0003791\n","stream":"stdout","time":"2019-05-23T05:23:11.479529255Z"}
{"log":"2019-05-23 05:23:17.148 23 INFO nova.metadata.wsgi.server [-] Traceback (most recent call last):\n","stream":"stdout","time":"2019-05-23T05:23:17.149314446Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/eventlet/wsgi.py\", line 547, in handle_one_response\n","stream":"stdout","time":"2019-05-23T05:23:17.149350181Z"}
{"log":" result = self.application(self.environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149354111Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/paste/urlmap.py\", line 216, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149356993Z"}
{"log":" return app(environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149359848Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 129, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149386987Z"}
{"log":" resp = self.call_func(req, *args, **kw)\n","stream":"stdout","time":"2019-05-23T05:23:17.149390526Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 193, in call_func\n","stream":"stdout","time":"2019-05-23T05:23:17.149393698Z"}
{"log":" return self.func(req, *args, **kwargs)\n","stream":"stdout","time":"2019-05-23T05:23:17.149396416Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/oslo_middleware/base.py\", line 130, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149399029Z"}
{"log":" response = req.get_response(self.application)\n","stream":"stdout","time":"2019-05-23T05:23:17.149401804Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/request.py\", line 1314, in send\n","stream":"stdout","time":"2019-05-23T05:23:17.149404384Z"}
{"log":" application, catch_exc_info=False)\n","stream":"stdout","time":"2019-05-23T05:23:17.149407042Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/request.py\", line 1278, in call_application\n","stream":"stdout","time":"2019-05-23T05:23:17.149409578Z"}
{"log":" app_iter = application(self.environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149412418Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 129, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149415333Z"}
{"log":" resp = self.call_func(req, *args, **kw)\n","stream":"stdout","time":"2019-05-23T05:23:17.149418371Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 193, in call_func\n","stream":"stdout","time":"2019-05-23T05:23:17.149420897Z"}
{"log":" return self.func(req, *args, **kwargs)\n","stream":"stdout","time":"2019-05-23T05:23:17.149423678Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 108, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.14942617Z"}
{"log":" meta_data = self._handle_instance_id_request_from_lb(req)\n","stream":"stdout","time":"2019-05-23T05:23:17.149428942Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 259, in _handle_instance_id_request_from_lb\n","stream":"stdout","time":"2019-05-23T05:23:17.149431537Z"}
{"log":" instance_address)\n","stream":"stdout","time":"2019-05-23T05:23:17.149434403Z"}
{"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 284, in _validate_shared_secret\n","stream":"stdout","time":"2019-05-23T05:23:17.149436904Z"}
{"log":" if not secutils.constant_time_compare(expected_signature, signature):\n","stream":"stdout","time":"2019-05-23T05:23:17.14943964Z"}
{"log":"TypeError: 'NoneType' does not have the buffer interface\n","stream":"stdout","time":"2019-05-23T05:23:17.149442368Z"}
{"log":"\n","stream":"stdout","time":"2019-05-23T05:23:17.149444941Z"}

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1830535

Title:
  Invalid neutron metadata proxy configuration leads to confusing nova
  exception

Status in OpenStack Compute (nova):
  New

Bug description:
  The exception below is received when nova has the following configuration:
  1. nova metadata proxy service has:
  [neutron]
  metadata_proxy_shared_secret = novarocks

  2. neutron nsx_v section does not have metadata_shared_secret defined
  (this means that the proxy does not inject the signature in the
  headers)

  Exception:
  {"log":"\n","stream":"stdout","time":"2019-05-23T05:23:07.140817119Z"}
  {"log":"2019-05-23 05:23:07.140 27 INFO nova.metadata.wsgi.server [-] 172.165.0.171,151.168.64.0 \"GET /openstack/2013-10-17/meta_data.json HTTP/1.1\" status: 500 len: 139 time: 0.0021250\n","stream":"stdout","time":"2019-05-23T05:23:07.140925898Z"}
  {"log":"2019-05-23 05:23:11.479 21 INFO nova.metadata.wsgi.server [-] 151.168.64.0 \"GET / HTTP/1.0\" status: 200 len: 234 time: 0.0003791\n","stream":"stdout","time":"2019-05-23T05:23:11.479529255Z"}
  {"log":"2019-05-23 05:23:17.148 23 INFO nova.metadata.wsgi.server [-] Traceback (most recent call last):\n","stream":"stdout","time":"2019-05-23T05:23:17.149314446Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/eventlet/wsgi.py\", line 547, in handle_one_response\n","stream":"stdout","time":"2019-05-23T05:23:17.149350181Z"}
  {"log":" result = self.application(self.environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149354111Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/paste/urlmap.py\", line 216, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149356993Z"}
  {"log":" return app(environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149359848Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 129, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149386987Z"}
  {"log":" resp = self.call_func(req, *args, **kw)\n","stream":"stdout","time":"2019-05-23T05:23:17.149390526Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 193, in call_func\n","stream":"stdout","time":"2019-05-23T05:23:17.149393698Z"}
  {"log":" return self.func(req, *args, **kwargs)\n","stream":"stdout","time":"2019-05-23T05:23:17.149396416Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/oslo_middleware/base.py\", line 130, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149399029Z"}
  {"log":" response = req.get_response(self.application)\n","stream":"stdout","time":"2019-05-23T05:23:17.149401804Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/request.py\", line 1314, in send\n","stream":"stdout","time":"2019-05-23T05:23:17.149404384Z"}
  {"log":" application, catch_exc_info=False)\n","stream":"stdout","time":"2019-05-23T05:23:17.149407042Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/request.py\", line 1278, in call_application\n","stream":"stdout","time":"2019-05-23T05:23:17.149409578Z"}
  {"log":" app_iter = application(self.environ, start_response)\n","stream":"stdout","time":"2019-05-23T05:23:17.149412418Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 129, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.149415333Z"}
  {"log":" resp = self.call_func(req, *args, **kw)\n","stream":"stdout","time":"2019-05-23T05:23:17.149418371Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/webob/dec.py\", line 193, in call_func\n","stream":"stdout","time":"2019-05-23T05:23:17.149420897Z"}
  {"log":" return self.func(req, *args, **kwargs)\n","stream":"stdout","time":"2019-05-23T05:23:17.149423678Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 108, in __call__\n","stream":"stdout","time":"2019-05-23T05:23:17.14942617Z"}
  {"log":" meta_data = self._handle_instance_id_request_from_lb(req)\n","stream":"stdout","time":"2019-05-23T05:23:17.149428942Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 259, in _handle_instance_id_request_from_lb\n","stream":"stdout","time":"2019-05-23T05:23:17.149431537Z"}
  {"log":" instance_address)\n","stream":"stdout","time":"2019-05-23T05:23:17.149434403Z"}
  {"log":" File \"/usr/lib/python2.7/site-packages/nova/api/metadata/handler.py\", line 284, in _validate_shared_secret\n","stream":"stdout","time":"2019-05-23T05:23:17.149436904Z"}
  {"log":" if not secutils.constant_time_compare(expected_signature, signature):\n","stream":"stdout","time":"2019-05-23T05:23:17.14943964Z"}
  {"log":"TypeError: 'NoneType' does not have the buffer interface\n","stream":"stdout","time":"2019-05-23T05:23:17.149442368Z"}
  {"log":"\n","stream":"stdout","time":"2019-05-23T05:23:17.149444941Z"}

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1830535/+subscriptions
Follow ups

[Bug 1830535] Re: Invalid neutron metadata proxy configuration leads to confusing nova exception
From: OpenStack Infra, 2019-06-03