[openstack-dev] [Fuel] [Puppet] Potential critical issue, due Puppet mix stderr and stdout while execute commands

Matt Fischer matt at mattfischer.com
Thu Oct 22 03:16:47 UTC 2015


I thought we had code in other places that split out stderr and only logged
it if there was an actual error but I cannot find the reference now. I
think that matches the original proposal. Not sure I like idea #3.

On Wed, Oct 21, 2015 at 9:21 AM, Stanislaw Bogatkin <sbogatkin at mirantis.com>
wrote:

> I spoke with Sergii about this and prepared a patch to get rid of
> SecurityWarning [0] - it was easy. But we can't get rid of InsecurePlatformWarning
> so easily. I see the following options:
> 1. Update the Python version as [1] says - should be a hard task
> 2. Downgrade the urllib version to one without such a warning - is a bad idea,
> as for me
> 3. Rewrite code to use a non-standard SSL Python module (pyOpenSSL, for
> example) - may be a massive task
> 4. Use something like 2>/dev/null to not show stderr when calling the
> command - doesn't look good, because the problem can be seen in other places (I
> saw similar problems with the keystone provider, for example)
> 5. Rewrite code to split stderr/stdout, as Sergey proposed - is the most
> reasonable idea, as for me.
>
> [0] https://review.openstack.org/#/c/237379
> [1] https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
>
>
> On Wed, Oct 21, 2015 at 10:02 AM, Sergey Vasilenko <
> svasilenko at mirantis.com> wrote:
>
>> Hi, guys!
>>
>> I am now observing a potentially dangerous situation in the providers of the
>> puppet-neutron module. I want to share the details, because not only the
>> puppet-neutron module may be broken by warnings from OpenStack CLI
>> utilities.
>>
>>
>> After updating the urllib3 library on my lab, commands like 'neutron net-list'
>> began to throw warnings, like:
>>
>>> root at node-2:~# neutron net-list
>>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
>>> InsecurePlatformWarning: A true SSLContext object is not available. This
>>> prevents urllib3 from configuring SSL appropriately and may cause certain
>>> SSL connections to fail. For more information, see
>>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
>>> .
>>>   InsecurePlatformWarning
>>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
>>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
>>> for a `commonName` for now. This feature is being removed by major browsers
>>> and deprecated by RFC 2818. (See
>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>   SecurityWarning
>>>
>>> +--------------------------------------+-----------+-------------------------------------------------------+
>>> | id                                   | name      | subnets                                               |
>>> +--------------------------------------+-----------+-------------------------------------------------------+
>>> | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24  |
>>> | d70b399b-668b-4861-b092-4876ec65df60 | net04     | b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 |
>>> +--------------------------------------+-----------+-------------------------------------------------------+
>>> root at node-2:~#
>>
>>
>> Such urllib3-based warnings are only a particular case. Warnings may appear
>> for other reasons while calling any OpenStack utilities.
>>
>> Such warnings break the work of the puppet-neutron manifests:
>>
>>> 2015-10-20 16:42:11 +0000
>>> /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04]
>>> (info): Evaluated in 5.51 seconds
>>> 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources
>>> for neutron_subnet
>>> 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron
>>> subnet-list --format=csv --column=id --quote=none'
>>> 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron
>>> subnet-show --format=shell InsecurePlatformWarning'
>>> 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron
>>> (notice): Unable to complete neutron request due to non-fatal error:
>>> "Execution of '/usr/bin/neutron subnet-show --format=shell
>>> InsecurePlatformWarning' returned 1:
>>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90:
>>> InsecurePlatformWarning: A true SSLContext object is not available. This
>>> prevents urllib3 from configuring SSL appropriately and may cause certain
>>> SSL connections to fail. For more information, see
>>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>>> InsecurePlatformWarning
>>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251:
>>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check
>>> for a `commonName` for now. This feature is being removed by major browsers
>>> and deprecated by RFC 2818. (See
>>> https://github.com/shazow/urllib3/issues/497 for details.)
>>>   SecurityWarningUnable to find subnet with name
>>> 'InsecurePlatformWarning'
>>> ". Retrying for 7 sec.
>>
>>  .....
>>
>>> Unable to find subnet with name 'InsecurePlatformWarning'
>>> ". Retrying for 0 sec.
>>> 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron
>>> subnet-show --format=shell InsecurePlatformWarning'
>>> 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch
>>> neutron_subnet provider 'neutron': Can't retrieve subnet-show because
>>> Neutron or Keystone API is not available.
>>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in
>>> `get_neutron_resource_attrs'
>>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in
>>> `block in instances'
>>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
>>> `collect'
>>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in
>>> `instances'
>>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in
>>> `prefetch'
>>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch'
>>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in
>>> `prefetch_if_necessary'
>>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in
>>> evaluate'
>>
>>
>> This happens because Puppet mixes stderr and stdout while executing shell
>> commands, like
>>
>>> commands :neutron => 'neutron'
>>
>> and code, like
>>
>>> https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146
>>
>> parses the stderr output as well. Part of the warning text gets into the incoming data.
>>
>> IMHO this situation is potentially dangerous for all puppet-openstack
>> modules.
>>
>> /sv
>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
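As an added illustration of the failure mode Sergey describes and of option 5 (splitting the streams, the approach Matt also recalls), here is a small Ruby program. It is not code from puppet-neutron or from anyone in this thread. It stands in for the real CLI with a constructed shell snippet that emits urllib3-style warnings on stderr and a CSV id column on stdout (the two subnet IDs are taken from the net-list output quoted above), and `parse_id_column` is an assumed, simplified reconstruction of a header-dropping list parser, not the module's actual code. The combined variant uses `Open3.capture2e` to reproduce what a provider sees when stdout and stderr are merged; the split variant uses `Open3.capture3`, parses stdout only, and surfaces stderr in the exception on a non-zero exit or hands it to an optional logger otherwise.

```ruby
require 'open3'

# Constructed stand-in for '/usr/bin/neutron subnet-list --format=csv --column=id --quote=none'
# as it behaved on the affected node: warnings on stderr, real CSV on stdout, exit 0.
# The two UUIDs are the subnets from the net-list output quoted in the thread.
FAKE_NEUTRON_CLI = <<~'SH'
  printf '%s\n' \
    '/usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available.' \
    '  InsecurePlatformWarning' >&2
  printf '%s\n' 'id' \
    '29c952ec-2a13-46fc-a8a1-6e2468a92a95' \
    'b87fbfd1-0e52-4ab6-8987-286ef0912d1f'
  exit 0
SH

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Assumed, simplified header-dropping parser (not the provider's own code):
# the first line is treated as the CSV header, every following line as an id.
def parse_id_column(text)
  (text.split("\n")[1..-1] || []).map(&:strip).reject(&:empty?)
end

# What a provider effectively receives when stderr and stdout are merged into one
# string: the first warning line is dropped as the "header" and the bare
# 'InsecurePlatformWarning' line (plus the real 'id' header) become resource ids.
def list_ids_combined(cmd = FAKE_NEUTRON_CLI)
  out, status = Open3.capture2e('sh', '-c', cmd)
  raise "command returned #{status.exitstatus}: #{out}" unless status.success?
  parse_id_column(out)
end

# Option 5: keep the streams apart. Only stdout is parsed; stderr goes into the
# exception when the command fails and to an optional logger when it succeeds.
def list_ids_split(cmd = FAKE_NEUTRON_CLI, logger: nil)
  out, err, status = Open3.capture3('sh', '-c', cmd)
  raise "command returned #{status.exitstatus}: #{err}" unless status.success?
  logger.call(err) if logger && !err.strip.empty?
  parse_id_column(out)
end

# Sanity check a provider can apply before issuing per-id follow-up commands;
# it would have refused to run 'subnet-show InsecurePlatformWarning'.
def all_uuids?(ids)
  !ids.empty? && ids.all? { |id| id.match?(UUID_RE) }
end

if $PROGRAM_NAME == __FILE__
  puts "combined streams: #{list_ids_combined.inspect}"
  warnings = +''
  puts "split streams:    #{list_ids_split(logger: ->(e) { warnings << e }).inspect}"
  puts "stderr lines handed to the logger: #{warnings.lines.count}"
end
```

Run with `ruby split_streams.rb` (any file name; it needs only a POSIX `sh` on PATH). The combined run returns four "ids", two of which are warning text and the CSV header, while the split run returns exactly the two subnet UUIDs and the warning reaches the logger instead of the parser. The UUID check is a cheap second line of defence that costs nothing even once the streams are separated.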