← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #83007

[Bug 1815635] Re: Horizon is unable to retrieve Cinder API versions when it has a self-signed SSL certificate

  Thread PreviousDate PreviousThread Next 
*** This bug is a duplicate of bug 1744670 ***
    https://bugs.launchpad.net/bugs/1744670

** This bug has been marked a duplicate of bug 1744670
   In pike ssl deployment horizon cnt retrieve volumes/snapshots and service data via cinderclient

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1815635

Title:
  Horizon is unable to retrieve Cinder API versions when it has a self-
  signed SSL certificate

Status in OpenStack Dashboard (Horizon):
  Confirmed

Bug description:
  With "OPENSTACK_SSL_NO_VERIFY = True" in local_settings.py, Horizon is
  able to communicate with a Cinder API instance that is using a self-
  signed certificate.

  However, before communicating with the Cinder API, it first uses
  cinderclient to retrieve available API versions:
  https://github.com/openstack/horizon/blob/d5b7feb5d4bf622905d717cd20fc83fd136c8a8c/openstack_dashboard/api/cinder.py#L263

  The get_server_version method from cinderclient doesn't support an
  "insecure" or "verify" argument and the request it does to retrieve
  the API versions is currently always secure:
  https://github.com/openstack/python-
  cinderclient/blob/63b36a901bfaf2508a9c3cda1d8dafb8769f2340/cinderclient/client.py#L75-L109

  Even with DEBUG logging enabled, it was not trivial to understand what
  was going on because the only thing that gets written to the logs is
  something that looks like this:

  =====
  DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
  Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group panel will not be displayed.
  DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
  Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group Snapshot panel will not be displayed.
  DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
  Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group panel will not be displayed.
  DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776
  Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group Snapshot panel will not be displayed.
  =====

  I had to manually add some tracing to get the actual exception:

  =====
  Traceback (most recent call last):
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/dashboards/project/volumes/views.py", line 63, in _get_volumes
      sort_dir=sort_dir, paginate=True)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 319, in volume_list_paged
      c_client = _cinderclient_with_generic_groups(request)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 271, in _cinderclient_with_generic_groups
      version = get_microversion(request, 'groups')
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 265, in get_microversion
      min_ver, max_ver = cinder_client.get_server_version(cinder_url)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/cinderclient/client.py", line 109, in get_server_version
      response = requests.get(version_url)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 72, in get
      return request('get', url, params=params, **kwargs)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 58, in request
      return session.request(method=method, url=url, **kwargs)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
      resp = self.send(prep, **send_kwargs)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
      r = adapter.send(request, **kwargs)
    File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
      raise SSLError(e, request=request)
  SSLError: HTTPSConnectionPool(host='172.29.236.100', port=8776): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
  =====

  It seems like the fix would be to add an "insecure" parameter to
  cinderclient's get_server_version method and then use that parameter
  from Horizon's "get_microversion" method for the Cinder API.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1815635/+subscriptions

References

  Thread PreviousDate PreviousThread Next