[openstack-dev] [glance] HTTPS client breaks nova

Rob Crittenden rcritten at redhat.com
Wed Jul 23 16:05:09 UTC 2014


Rob Crittenden wrote:
> It looks like the switch to requests in python-glanceclient
> (https://review.openstack.org/#/c/78269/) has broken nova when SSL is
> enabled.
> 
> I think it is related to the custom object that the glanceclient uses.
> If another connection gets pushed into the pool then things fail because
> the object isn't a glanceclient VerifiedHTTPSConnection object.
> 
> The error seen is:
> 
> 2014-07-22 16:20:57.571 ERROR nova.api.openstack
> req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error:
> VerifiedHTTPSConnection instance has no attribute 'insecure'
> 
> What I see is that nova works until glance is invoked.
> 
> These all work:
> 
> $ nova flavor-list
> $ glance image-list
> $ nova net-list
> 
> Now make it go boom:
> 
> $ nova image-list
> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
> req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c)
> 
> Now that a bad object is in the pool, nothing in nova works:
> 
> $ nova list
> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
> req-f670db83-c830-4e75-b29f-44f61ae161a1)
> 
> A restart of nova gets things back to normal.
> 
> I'm working on enabling SSL everywhere
> (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or
> using TLS proxies (stud).
> I'd like to eventually get SSL testing done as a gate job which will
> help catch issues like this in advance.
> 
> rob

FYI, my temporary workaround is to change the queue name (scheme) so the
glance clients are handled separately:

diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
index 6416c19..72ed929 100644
--- a/glanceclient/common/https.py
+++ b/glanceclient/common/https.py
@@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter):
     def __init__(self, *args, **kwargs):
         # NOTE(flaper87): This line forces poolmanager to use
         # glanceclient HTTPSConnection
-        poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool
+        poolmanager.pool_classes_by_scheme["glance_https"] =
HTTPSConnectionPoo
         super(HTTPSAdapter, self).__init__(*args, **kwargs)

     def cert_verify(self, conn, url, verify, cert):
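Review bot: the added line in HTTPSAdapter.__init__ is wrapped and cut short ("HTTPSConnectionPoo" sits on its own line), so as posted it is a syntax error and the hunk will not apply; it needs to be a single line ending in HTTPSConnectionPool. The NOTE(flaper87) comment above it still says the line forces poolmanager to use the glanceclient connection, which no longer holds for "https" once the key is "glance_https"; update the comment and say where URLs are given the glance_https scheme, since nothing in this hunk does that mapping. The assignment is also still a write to the module-level pool_classes_by_scheme dict from __init__, so it stays process-wide state shared with every other user of poolmanager.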
@@ -92,7 +92,7 @@ class
HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
     be used just when the user sets --no-ssl-compression.
     """

-    scheme = 'https'
+    scheme = 'glance_https'

     def _new_conn(self):
         self.num_connections += 1
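Review bot: scheme = 'glance_https' on HTTPSConnectionPool is a non-standard value with no explanation beside it; add a comment stating that it must match the pool_classes_by_scheme key set in HTTPSAdapter.__init__ and that it exists to keep these pools apart from other https pools in the same process. Keeping the string in one shared constant used by both places would stop the two from drifting apart. Any code that compares the pool's scheme against 'https' (none is visible in this hunk) would need checking before this goes beyond a temporary workaround.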

This at least lets me continue working.

rob
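
A simplified model of the shared scheme-to-pool-class registry that the workaround above touches, added here as an illustration and not code from glanceclient, requests or urllib3: a class registered under "https" is handed to every pool manager in the process, while a private key such as "glance_https" keeps it confined. All class and function names are hypothetical stand-ins, and the model does not reproduce the exact nova error path.

```python
# Simplified model; hypothetical names, not the real library classes.
POOL_CLASSES_BY_SCHEME = {}  # stands in for poolmanager.pool_classes_by_scheme


class StockConnection:
    """Connection type the generic HTTP library creates."""


class StockPool:
    conn_cls = StockConnection

    def new_conn(self):
        return self.conn_cls()


class GlanceConnection(StockConnection):
    def __init__(self):
        self.insecure = False  # attribute only the custom type carries


class GlancePool(StockPool):
    conn_cls = GlanceConnection


class PoolManager:
    """Each client owns one, but all consult the same global registry."""

    def __init__(self):
        self.pools = {}

    def pool_for(self, scheme, host):
        key = (scheme, host)
        if key not in self.pools:
            self.pools[key] = POOL_CLASSES_BY_SCHEME[scheme]()
        return self.pools[key]


def simulate(glance_key):
    """Register the glance pool under glance_key, then report which
    connection type an unrelated client receives for plain https."""
    POOL_CLASSES_BY_SCHEME.clear()
    POOL_CLASSES_BY_SCHEME["https"] = StockPool
    POOL_CLASSES_BY_SCHEME[glance_key] = GlancePool  # the adapter's write
    other, glance = PoolManager(), PoolManager()
    # Host names below are constructed sample values.
    other_conn = other.pool_for("https", "identity.example").new_conn()
    glance_conn = glance.pool_for(glance_key, "image.example").new_conn()
    return type(other_conn).__name__, hasattr(glance_conn, "insecure")
```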


