[openstack-dev] [Fuel] [Puppet] Potential critical issue, due Puppet mix stderr and stdout while execute commands

Sergey Vasilenko svasilenko at mirantis.com
Wed Oct 21 15:02:44 UTC 2015


Hi, guys!

I am now observing a potentially dangerous situation in the providers of
the puppet-neutron module. I want to share the details, because not only
the puppet-neutron module may be broken by warnings from OpenStack CLI
utilities.


After updating the urllib3 library in my lab, commands like 'neutron net list'
began to throw warnings like:

> root@node-2:~# neutron net-list
> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
> InsecurePlatformWarning: A true SSLContext object is not available. This
> prevents urllib3 from configuring SSL appropriately and may cause certain
> SSL connections to fail. For more information, see
> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
> .
>   InsecurePlatformWarning
> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
> for a `commonName` for now. This feature is being removed by major browsers
> and deprecated by RFC 2818. (See
> https://github.com/shazow/urllib3/issues/497 for details.)
>   SecurityWarning
>
> +--------------------------------------+-----------+-------------------------------------------------------+
> | id                                   | name      | subnets                                               |
> +--------------------------------------+-----------+-------------------------------------------------------+
> | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24  |
> | d70b399b-668b-4861-b092-4876ec65df60 | net04     | b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 |
> +--------------------------------------+-----------+-------------------------------------------------------+
>

root@node-2:~#


Such urllib3-based warnings are only one particular case. Warnings may appear
for other reasons when calling any OpenStack utilities.

Such warnings break the puppet-neutron manifests:

> 2015-10-20 16:42:11 +0000
> /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04]
> (info): Evaluated in 5.51 seconds
> 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources
> for neutron_subnet
> 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron
> subnet-list --format=csv --column=id --quote=none'
> 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron
> subnet-show --format=shell InsecurePlatformWarning'
> 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron
> (notice): Unable to complete neutron request due to non-fatal error:
> "Execution of '/usr/bin/neutron subnet-show --format=shell
> InsecurePlatformWarning' returned 1:
> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
> InsecurePlatformWarning: A true SSLContext object is not available. This
> prevents urllib3 from configuring SSL appropriately and may cause certain
> SSL connections to fail. For more information, see
> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
> InsecurePlatformWarning
> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
> for a `commonName` for now. This feature is being removed by major browsers
> and deprecated by RFC 2818. (See
> https://github.com/shazow/urllib3/issues/497 for details.)
>   SecurityWarningUnable to find subnet with name 'InsecurePlatformWarning'
> ". Retrying for 7 sec.

 .....

Unable to find subnet with name 'InsecurePlatformWarning'
> ". Retrying for 0 sec.
> 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron
> subnet-show --format=shell InsecurePlatformWarning'
> 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch neutron_subnet
> provider 'neutron': Can't retrieve subnet-show because Neutron or Keystone
> API is not available.
> /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in
> `get_neutron_resource_attrs'
> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in
> `block in instances'
> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
> `collect'
> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
> `instances'
> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in
> `prefetch'
> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch'
> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in
> `prefetch_if_necessary'
> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in evaluate'


This happens because Puppet mixes stderr and stdout when executing shell
commands, like

> commands :neutron => 'neutron'

And code like

>
> https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146

also parses the stderr output. Part of the warnings gets into the incoming data.

IMHO this situation is potentially dangerous for all puppet-openstack
modules.

/sv
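
The failure described in this post, reproduced as an added example (not part of the original message and not puppet-neutron's code). `FAKE_CLI` is a constructed stand-in for `neutron subnet-list --format=csv --column=id --quote=none`, and `parse_ids` is a hypothetical line-based parser; the separated variant parses stdout only and rejects anything that is not a UUID.

```ruby
require 'open3'

# Constructed stand-in for the CLI: warnings go to stderr, CSV payload to stdout.
FAKE_CLI = <<~'SH'.freeze
  echo "/usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available." >&2
  echo "  InsecurePlatformWarning" >&2
  echo "id"
  echo "29c952ec-2a13-46fc-a8a1-6e2468a92a95"
  echo "b87fbfd1-0e52-4ab6-8987-286ef0912d1f"
SH

UUID = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Hypothetical parser: every non-empty line except the "id" header is an id.
def parse_ids(text)
  text.lines.map(&:strip).reject { |line| line.empty? || line == 'id' }
end

# Merged capture: stderr and stdout share one stream, so warning text
# reaches the parser and is treated as resource ids.
def ids_merged
  out, _status = Open3.capture2e('sh', '-c', FAKE_CLI)
  parse_ids(out)
end

# Separated capture: only stdout is parsed, stderr is kept for logging,
# and every parsed value must look like a UUID before it is used.
def ids_separated
  out, err, status = Open3.capture3('sh', '-c', FAKE_CLI)
  raise "CLI failed: #{err}" unless status.success?

  ids = parse_ids(out)
  bad = ids.reject { |id| id.match?(UUID) }
  raise "unexpected id values: #{bad.inspect}" unless bad.empty?

  [ids, err]
end

if __FILE__ == $PROGRAM_NAME
  puts "merged:    #{ids_merged.inspect}"
  ids, err = ids_separated
  puts "separated: #{ids.inspect}"
  puts "stderr kept aside (#{err.lines.size} lines)"
end
```

With the merged stream, `InsecurePlatformWarning` ends up in the id list, which matches the `subnet-show --format=shell InsecurePlatformWarning` call in the log above.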