[openstack-dev] [glance] HTTPS client breaks nova

Rob Crittenden rcritten at redhat.com
Tue Sep 9 19:19:02 UTC 2014 

Flavio Percoco wrote:
> On 07/23/2014 06:05 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> It looks like the switch to requests in python-glanceclient
>>> (https://review.openstack.org/#/c/78269/) has broken nova when SSL is
>>> enabled.
>>>
>>> I think it is related to the custom object that the glanceclient uses.
>>> If another connection gets pushed into the pool then things fail because
>>> the object isn't a glanceclient VerifiedHTTPSConnection object.
>>>
>>> The error seen is:
>>>
>>> 2014-07-22 16:20:57.571 ERROR nova.api.openstack
>>> req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error:
>>> VerifiedHTTPSConnection instance has no attribute 'insecure'
>>>
>>> What I see is that nova works until glance is invoked.
>>>
>>> These all work:
>>>
>>> $ nova flavor-list
>>> $ glance image-list
>>> $ nova net-list
>>>
>>> Now make it go boom:
>>>
>>> $ nova image-list
>>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>>> req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c)
>>>
>>> Now that a bad object is now in the pool nothing in nova works:
>>>
>>> $ nova list
>>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>>> req-f670db83-c830-4e75-b29f-44f61ae161a1)
>>>
>>> A restart of nova gets things back to normal.
>>>
>>> I'm working on enabling SSL everywhere
>>> (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or
>>> using TLS proxies (stud).
>>> I'd like to eventually get SSL testing done as a gate job which will
>>> help catch issues like this in advance.
>>>
>>> rob
>>
>> FYI, my temporary workaround is to change the queue name (scheme) so the
>> glance clients are handled separately:
>>
>> diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py
>> index 6416c19..72ed929 100644
>> --- a/glanceclient/common/https.py
>> +++ b/glanceclient/common/https.py
>> @@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter):
>>      def __init__(self, *args, **kwargs):
>>          # NOTE(flaper87): This line forces poolmanager to use
>>          # glanceclient HTTPSConnection
>> -        poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool
>> +        poolmanager.pool_classes_by_scheme["glance_https"] =
>> HTTPSConnectionPoo
>>          super(HTTPSAdapter, self).__init__(*args, **kwargs)
>>
>>      def cert_verify(self, conn, url, verify, cert):
>> @@ -92,7 +92,7 @@ class
>> HTTPSConnectionPool(connectionpool.HTTPSConnectionPool):
>>      be used just when the user sets --no-ssl-compression.
>>      """
>>
>> -    scheme = 'https'
>> +    scheme = 'glance_https'
>>
>>      def _new_conn(self):
>>          self.num_connections += 1
>>
>> This at least lets me continue working.
>>
>> rob
> 
> Hey Rob,
> 
> Sorry for the late reply, I'll take a look into this.

Ping, have you had a chance to look into it?

thanks

rob

More information about the OpenStack-dev mailing list