[Openstack-operators] Ubuntu Kernel with Meltdown mitigation SSL issues

Adam Heczko aheczko at mirantis.com
Thu Jan 18 08:42:02 UTC 2018


Hello Sam, thank you for sharing this information.
Could you please provide more information related to your specific setup?
How is Keystone API endpoint TLS terminated in your setup?
AFAIK, in our OpenStack labs we haven't observed anything like this, although
we terminate TLS on Nginx or HAProxy.


On Thu, Jan 18, 2018 at 4:36 AM, Sam Morrison <sorrison at gmail.com> wrote:

> Hi All,
>
> We updated our control infrastructure to the latest Ubuntu Xenial Kernel
> (4.4.0-109) which includes the Meltdown fixes.
>
> We have found this kernel to have issues with SSL connections with Python
> and have since downgraded. We get errors like:
>
> SSLError: SSL exception connecting to https://keystone.example.com:35357/v3/auth/tokens: ("bad handshake: Error([('', 'osrandom_rand_bytes', 'getrandom() initialization failed.')],)",)
>
> Full trace:  http://paste.openstack.org/show/646803/
>
> This was affecting glance mainly but all API services were having issues.
>
> Our controllers are running inside KVM VMs and the guests see the CPU as
> "Intel Xeon E3-12xx v2 (Ivy Bridge)"
>
> This isn’t an OpenStack issue specifically but hopefully it helps others
> who may be seeing similar issues.
>
>
> Cheers,
> Sam



-- 
Adam Heczko
Security Engineer @ Mirantis Inc.