[Openstack-operators] Problems with https endpoints with IceHouse-->Juno-->Kilo migration

Alvise Dorigo alvise.dorigo at pd.infn.it
Tue Oct 27 12:32:10 UTC 2015


I have an IceHouse OpenStack installation, where the endpoints are using 
https as the protocol (i.e. in the keystone.endpoint table the https 
protocol is specified).

Now, I want to migrate this installation to Kilo. For this purpose I 
followed these steps:

- I scratched the controller/network node, but the DB was untouched (it 
resides on different machines), and re-installed with CentOS7
- I installed the Juno rpms (without configuring Juno services)
- I synced the keystone DB to the Juno version using the usual "db_sync" 
command:

     su -s /bin/sh -c "keystone-manage db_sync" keystone

- Then, I scratched the controller/network node, re-installed again with 
CentOS7 and installed all the Kilo RPMs required to sync the DB to the 
Kilo version.
With all the Kilo RPMs installed, I started from there to configure the 
Kilo Keystone service as described in the official guide 
docs.openstack.org.

That installation configures Keystone exposing v3 API, which can be used 
only with the openstackclient (and not by the legacy keystone one). But 
it seems there's a problem with the https endpoints.

After setting the following env vars

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=XXXXXXXX
export OS_AUTH_URL=https://cloud-areapd-test.pd.infn.it:35357/v3
export OS_CACERT=/etc/grid-security/certificates/INFN-CA-2006.pem

openstack fires out the following error:

[root@controller-01 ~]# openstack user list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
   InsecurePlatformWarning
ERROR: openstack Unable to establish connection to http://cloud-areapd-test.pd.infn.it:35357/v3/auth/tokens


With a deeper investigation I see that the Keystone service returns an 
"http" protocol for the endpoint despite the fact that there's https in 
the backend database:

[root@controller-01 ~]# curl -g -i --cacert "/etc/grid-security/certificates/INFN-CA-2006.pem" -X GET https://cloud-areapd-test.pd.infn.it:35357/v3 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 268
X-Openstack-Request-Id: req-a47a2873-f81b-490a-b249-7f970754914b
Date: Tue, 27 Oct 2015 10:32:20 GMT
Connection: close

{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://cloud-areapd-test.pd.infn.it:35357/v3/", "rel": "self"}]}}

The above curl command is grabbed from the output of "openstack --debug 
user list".

If I switch back to v2.0 API in env var OS_AUTH_URL, keystone client 
works correctly (and openstack stops working) and shows me the users, 
tenants, etc.:

[root@controller-01 ~]# export OS_AUTH_URL=https://cloud-areapd-test.pd.infn.it:35357/v2.0
[root@controller-01 ~]# keystone user-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
   'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
   InsecurePlatformWarning
+----------------------------------+----------+---------+---------------------+
|                id                |   name   | enabled |        email        |
+----------------------------------+----------+---------+---------------------+
| 62e64ee442cc42e7b07c0209010148c3 |  admin   |   True  |     ADMIN_EMAIL     |
| 96ab92677d43476a820428e281d229f2 |  cinder  |   True  |  cinder@example.co  |
| e737d7af46ab46838bbef6c5d16aff7e |  glance  |   True  |  glance@example.com |
| 84546c19c2b242738235022f73b2e9c2 | neutron  |   True  | neutron@example.com |
| b99c5365b6c448d4956fdae02fe0ef11 |   nova   |   True  |   nova@example.com  |
| 3c2bde47975b4f738b316d87f3727ec3 | sgaravat |   True  |                     |
+----------------------------------+----------+---------+---------------------+



So, the question is: is there a bug in the service code which forcibly 
translates https to http?

thanks,

     Alvise Dorigo
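
The mismatch visible in the curl output above can be checked mechanically. As an added example (not part of the original post and not OpenStack code; written for Python 3, function names hypothetical), this compares the scheme, host and port of each `self` link in a Keystone version document with the OS_AUTH_URL that was requested. It also handles the multi-version `versions.values` layout, which goes beyond the single v3 document shown in the post.

```python
import json
from urllib.parse import urlsplit

# Values copied from the post above: the OS_AUTH_URL and the curl response body.
AUTH_URL = "https://cloud-areapd-test.pd.infn.it:35357/v3"
SAMPLE_BODY = (
    '{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", '
    '"media-types": [{"base": "application/json", "type": '
    '"application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": '
    '[{"href": "http://cloud-areapd-test.pd.infn.it:35357/v3/", "rel": "self"}]}}'
)


def advertised_links(doc):
    """Yield (version_id, href) for every 'self' link in a version document."""
    if "version" in doc:                      # single version, as in the post
        versions = [doc["version"]]
    else:                                     # multi-version layout (generalization)
        versions = doc.get("versions", {}).get("values", [])
    for version in versions:
        for link in version.get("links", []):
            if link.get("rel") == "self" and "href" in link:
                yield version.get("id", "?"), link["href"]


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, parts.hostname, parts.port or default


def check_discovery(auth_url, body):
    """List advertised hrefs whose origin disagrees with the requested URL."""
    wanted = _origin(auth_url)
    findings = []
    for version_id, href in advertised_links(json.loads(body)):
        got = _origin(href)
        if wanted[0] == "https" and got[0] == "http":
            # A client following this href would send its token request,
            # password included, to a plaintext URL.
            findings.append((version_id, href, "scheme-downgrade"))
        elif got != wanted:
            findings.append((version_id, href, "origin-mismatch"))
    return findings


if __name__ == "__main__":
    for version_id, href, kind in check_discovery(AUTH_URL, SAMPLE_BODY):
        print(f"{kind}: {version_id} advertises {href}")
```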


