[openstack-dev] [Fuel] [Puppet] Potential critical issue, due Puppet mix stderr and stdout while execute commands

Stanislaw Bogatkin sbogatkin at mirantis.com
Wed Oct 21 15:21:49 UTC 2015


I spoke with Sergii about this and prepared a patch to get rid of
SecurityWarning [0] - it was easy. But we can't get rid of
InsecurePlatformWarning so easily. I see the following options:
1. Update the Python version as [1] says - this should be a hard task
2. Downgrade the urllib version to one without such a warning - a bad idea,
in my opinion
3. Rewrite the code to use a non-standard Python SSL module (pyOpenSSL, for
example) - may be a massive task
4. Use something like 2>/dev/null to hide stderr when calling the
command - doesn't look good, because the problem can be seen in other places (I
saw similar problems with the keystone provider, for example)
5. Rewrite the code to split stderr/stdout, as Sergey proposed - the most
reasonable idea, in my opinion.

[0] https://review.openstack.org/#/c/237379
[1] https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning


On Wed, Oct 21, 2015 at 10:02 AM, Sergey Vasilenko <svasilenko at mirantis.com>
wrote:

> Hi, guys!
>
> Now I observe a potentially dangerous situation in the providers of the
> puppet-neutron module. I want to share the details, because not only the
> puppet-neutron module may be broken by warnings from OpenStack CLI
> utilities.
>
>
> After updating the urllib3 library on my lab, commands like 'neutron
> net-list' began to throw warnings like:
>
>> root at node-2:~# neutron net-list
>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
>> InsecurePlatformWarning: A true SSLContext object is not available. This
>> prevents urllib3 from configuring SSL appropriately and may cause certain
>> SSL connections to fail. For more information, see
>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
>> .
>>   InsecurePlatformWarning
>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
>> for a `commonName` for now. This feature is being removed by major browsers
>> and deprecated by RFC 2818. (See
>> https://github.com/shazow/urllib3/issues/497 for details.)
>>   SecurityWarning
>>
>> +--------------------------------------+-----------+-------------------------------------------------------+
>> | id                                   | name      | subnets                                               |
>> +--------------------------------------+-----------+-------------------------------------------------------+
>> | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24  |
>> | d70b399b-668b-4861-b092-4876ec65df60 | net04     | b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 |
>> +--------------------------------------+-----------+-------------------------------------------------------+
>>
>
> root at node-2:~#
>
>
> Such urllib3-based warnings are only a particular case. Warnings may appear
> for another reason while calling any OpenStack utilities.
>
> Such warnings break the work of puppet-neutron manifests:
>
>> 2015-10-20 16:42:11 +0000
>> /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04]
>> (info): Evaluated in 5.51 seconds
>> 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources
>> for neutron_subnet
>> 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron
>> subnet-list --format=csv --column=id --quote=none'
>> 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron
>> subnet-show --format=shell InsecurePlatformWarning'
>> 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron
>> (notice): Unable to complete neutron request due to non-fatal error:
>> "Execution of '/usr/bin/neutron subnet-show --format=shell
>> InsecurePlatformWarning' returned 1:
>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
>> InsecurePlatformWarning: A true SSLContext object is not available. This
>> prevents urllib3 from configuring SSL appropriately and may cause certain
>> SSL connections to fail. For more information, see
>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>> InsecurePlatformWarning
>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
>> for a `commonName` for now. This feature is being removed by major browsers
>> and deprecated by RFC 2818. (See
>> https://github.com/shazow/urllib3/issues/497 for details.)
>>   SecurityWarningUnable to find subnet with name 'InsecurePlatformWarning'
>> ". Retrying for 7 sec.
>
>  .....
>
> Unable to find subnet with name 'InsecurePlatformWarning'
>> ". Retrying for 0 sec.
>> 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron
>> subnet-show --format=shell InsecurePlatformWarning'
>> 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch neutron_subnet
>> provider 'neutron': Can't retrieve subnet-show because Neutron or Keystone
>> API is not available.
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in
>> `get_neutron_resource_attrs'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in
>> `block in instances'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
>> `collect'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
>> `instances'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in
>> `prefetch'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in
>> `prefetch_if_necessary'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in evaluate'
>
>
> This happens because Puppet mixes stderr and stdout while executing shell
> commands, like
>
>> commands :neutron => 'neutron'
>
> And code like
>
>> https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146
>
> also parses the stderr output. Part of the warnings gets into the incoming data.
>
> IMHO this situation is potentially dangerous for all puppet-openstack
> modules.
>
> /sv
>
>
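The failure Sergey describes and the split-stream fix Stanislaw lists as option 5, as an added Ruby example that is not code from the thread or from puppet-neutron. A constructed stand-in for the neutron CLI (run through the Ruby interpreter so it needs no OpenStack install) writes a urllib3-style warning to stderr and the CSV id listing to stdout; parsing the merged streams turns 'InsecurePlatformWarning' into a subnet id, parsing stdout alone does not. The id-shape check at the end is a further guard not proposed in the thread.

```ruby
require 'open3'
require 'rbconfig'

# Constructed stand-in for '/usr/bin/neutron subnet-list --format=csv --column=id
# --quote=none': warning text on stderr, the real listing on stdout.
FAKE_NEUTRON = <<~'RUBY'
  $stderr.puts "/usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available."
  $stderr.puts "  InsecurePlatformWarning"
  puts "id"
  puts "29c952ec-2a13-46fc-a8a1-6e2468a92a95"
  puts "b87fbfd1-0e52-4ab6-8987-286ef0912d1f"
RUBY

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

def fake_cmd
  [RbConfig.ruby, '-e', FAKE_NEUTRON]
end

# Simplified listing parser in the spirit of the provider: every non-blank
# line other than the "id" header is taken to be a resource id.
def ids_from_listing(text)
  text.lines.map(&:strip).reject { |l| l.empty? || l == 'id' }
end

# What the quoted Puppet log shows: stderr merged into stdout (the default
# behaviour of Puppet's command wrapper), then the whole thing parsed.
def run_combined(cmd)
  out, _status = Open3.capture2e(*cmd)
  ids_from_listing(out)
end

# Option 5: keep the streams apart. Only stdout is parsed; stderr is returned
# so the caller can log the warning instead of acting on it.
def run_split(cmd)
  out, err, status = Open3.capture3(*cmd)
  raise "command failed (#{status.exitstatus}): #{err}" unless status.success?
  [ids_from_listing(out), err]
end

# Extra guard: a subnet id is a UUID, so anything else in the listing is
# noise from some other source and must not become a 'subnet-show' argument.
def valid_ids(ids)
  ids.grep(UUID_RE)
end
```

In the merged run the two warning lines survive as "ids", which is exactly how `neutron subnet-show --format=shell InsecurePlatformWarning` ended up in the log above.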