[openstack-dev] [nova] reckoning time for nova ec2 stack
Matt Riedemann
mriedem at linux.vnet.ibm.com
Tue Jan 13 16:00:04 UTC 2015
On 1/9/2015 10:17 AM, Steven Hardy wrote:
> On Fri, Jan 09, 2015 at 09:11:50AM -0500, Sean Dague wrote:
>> boto 2.35.0 just released, and makes hmac-v4 authentication mandatory
>> for EC2 end points (it has been optionally supported for a long time).
>>
>> Nova's EC2 implementation does not do this.
>>
>> The short term approach is to pin boto -
>> https://review.openstack.org/#/c/146049/, which I think is a fine long
>> term fix for stable/, but in master not supporting new boto, which
>> people are likely to deploy, doesn't really seem like an option.
>>
>> https://bugs.launchpad.net/tempest/+bug/1408987 is the bug.
>>
>> I don't think shipping an EC2 API in Kilo that doesn't work with recent
>> boto is a thing Nova should do. Do we have volunteers to step up and fix
>> this, or do we need to get more aggressive about deprecating this interface?
>
> I'm not stepping up to maintain the EC2 API, but the auth part of it is
> very similar to heat's auth (which does support hmac-v4), so I hacked on
> the nova API a bit to align with the way heat does things:
>
> https://review.openstack.org/#/c/146124/ (WIP)
>
> This needs some more work, but AFAICS solves the actual auth part which is
> quite simply fixed by reusing some code we have in heat's ec2token middleware.
>
> If this is used, we could extract the common parts and/or use a common auth
> middleware in future, assuming the EC2 implementation as a whole isn't
> deemed unmaintained and removed that is.
>
> Steve
>
Looks like the fix we merged didn't actually fix the problem. I have a
patch [1] to uncap the boto requirement on master and it's failing the
ec2 tests in tempest the same as before.

I went back to the nova fix on master and checked patch set 9 which had
the version uncapped in nova's requirements.txt file, and the tests were
passing but they were running against boto 2.34 [2].

Unfortunately the cherry pick of the ec2 fix was also backported and
merged to stable/juno which looks like it was probably a waste of time
right now since we still have a bug.

Therefore we still probably need to cap boto on stable/juno for now. [3]

[1] https://review.openstack.org/#/c/146592/
[2] http://logs.openstack.org/24/146124/9/check/check-tempest-dsvm-full/950581d/logs/pip-freeze.txt.gz
[3] https://review.openstack.org/#/c/146344/
--
Thanks,
Matt Riedemann