[openstack-dev] [glance] HTTPS client breaks nova

Flavio Percoco flavio at redhat.com
Wed Jul 30 08:33:54 UTC 2014 

On 07/23/2014 06:05 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> It looks like the switch to requests in python-glanceclient
>> (https://review.openstack.org/#/c/78269/) has broken nova when SSL is
>> enabled.
>>
>> I think it is related to the custom object that the glanceclient uses.
>> If another connection gets pushed into the pool then things fail because
>> the object isn't a glanceclient VerifiedHTTPSConnection object.
>>
>> The error seen is:
>>
>> 2014-07-22 16:20:57.571 ERROR nova.api.openstack
>> req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error:
>> VerifiedHTTPSConnection instance has no attribute 'insecure'
>>
>> What I see is that nova works until glance is invoked.
>>
>> These all work:
>>
>> $ nova flavor-list
>> $ glance image-list
>> $ nova net-list
>>
>> Now make it go boom:
>>
>> $ nova image-list
>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>> req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c)
>>
>> Now that a bad object is now in the pool nothing in nova works:
>>
>> $ nova list
>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>> req-f670db83-c830-4e75-b29f-44f61ae161a1)
>>
>> A restart of nova gets things back to normal.
>>
>> I'm working on enabling SSL everywhere
>> (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or
>> using TLS proxies (stud).
>> I'd like to eventually get SSL testing done as a gate job which will
>> help catch issues like this in advance.
>>
>> rob
> 
> FYI, my temporary workaround is to change the queue name (scheme) so the
> glance clients are handled separately:
> 
> diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
> index 6416c19..72ed929 100644
> --- a/glanceclient/common/https.py
> +++ b/glanceclient/common/https.py
> @@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter):
>      def __init__(self, *args, **kwargs):
>          # NOTE(flaper87): This line forces poolmanager to use
>          # glanceclient HTTPSConnection
> -        poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool
> +        poolmanager.pool_classes_by_scheme["glance_https"] =
> HTTPSConnectionPoo
>          super(HTTPSAdapter, self).__init__(*args, **kwargs)
> 
>      def cert_verify(self, conn, url, verify, cert):
> @@ -92,7 +92,7 @@ class
> HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
>      be used just when the user sets --no-ssl-compression.
>      """
> 
> -    scheme = 'https'
> +    scheme = 'glance_https'
> 
>      def _new_conn(self):
>          self.num_connections += 1
> 
> This at least lets me continue working.
> 
> rob

Hey Rob,

Sorry for the late reply, I'll take a look into this.

Cheers,
Flavio


-- 
@flaper87
Flavio Percoco

More information about the OpenStack-dev mailing list