Flavio Percoco wrote:
> On 07/23/2014 06:05 PM, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> It looks like the switch to requests in python-glanceclient
>>> (https://review.openstack.org/#/c/78269/) has broken nova when SSL is
>>> enabled.
>>>
>>> I think it is related to the custom object that the glanceclient uses.
>>> If another connection gets pushed into the pool then things fail because
>>> the object isn't a glanceclient VerifiedHTTPSConnection object.
>>>
>>> The error seen is:
>>>
>>> 2014-07-22 16:20:57.571 ERROR nova.api.openstack
>>> req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error:
>>> VerifiedHTTPSConnection instance has no attribute 'insecure'
>>>
>>> What I see is that nova works until glance is invoked.
>>>
>>> These all work:
>>>
>>> $ nova flavor-list
>>> $ glance image-list
>>> $ nova net-list
>>>
>>> Now make it go boom:
>>>
>>> $ nova image-list
>>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>>> req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c)
>>>
>>> Now that a bad object is now in the pool nothing in nova works:
>>>
>>> $ nova list
>>> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID:
>>> req-f670db83-c830-4e75-b29f-44f61ae161a1)
>>>
>>> A restart of nova gets things back to normal.
>>>
>>> I'm working on enabling SSL everywhere
>>> (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or
>>> using TLS proxies (stud).
>>> I'd like to eventually get SSL testing done as a gate job which will
>>> help catch issues like this in advance.
>>>
>>> rob
>>
>> FYI, my temporary workaround is to change the queue name (scheme) so the
>> glance clients are handled separately:
>>
>> diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py >> index 6416c19..72ed929 100644 >> --- a/glanceclient/common/https.py >> +++ b/glanceclient/common/https.py
>> @@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter): >> def __init__(self, *args, **kwargs): >> # NOTE(flaper87): This line forces poolmanager to use >> # glanceclient HTTPSConnection >> - poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool >> + poolmanager.pool_classes_by_scheme["glance_https"] = >> HTTPSConnectionPoo >> super(HTTPSAdapter, self).__init__(*args, **kwargs) >> >> def cert_verify(self, conn, url, verify, cert): >> @@ -92,7 +92,7 @@ class >> HTTPSConnectionPool(connectionpool.HTTPSConnectionPool): >> be used just when the user sets --no-ssl-compression. >> """ >> >> - scheme = 'https' >> + scheme = 'glance_https' >> >> def _new_conn(self): >> self.num_connections += 1 >> >> This at least lets me continue working. >> >> rob > > Hey Rob, > > Sorry for the late reply, I'll take a look into this.
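Review bot: in the first hunk (HTTPSAdapter.__init__, @@ -72), the added line still writes to the module-level poolmanager.pool_classes_by_scheme each time an adapter is constructed, so the registration stays process-wide state; it only stops overwriting the "https" entry. The NOTE(flaper87) comment above it ("forces poolmanager to use glanceclient HTTPSConnection") no longer matches the code and should say that only the "glance_https" scheme maps to the glanceclient pool. Nothing visible in the hunk routes requests to that scheme, so the change should show where that happens, otherwise the custom pool class is never selected. As posted, the added line is also wrapped and cut off at "HTTPSConnectionPoo", so it will not apply as is.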
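Review bot: in the second hunk (@@ -92, scheme = 'glance_https' on HTTPSConnectionPool), the pool now carries a scheme that is not a real URL scheme, and neither the docstring above it nor a comment says why. Add a comment that the private name keeps this pool class out of the shared "https" slot, and check that any code reading the pool's scheme value still behaves as it did for "https". A test that runs with SSL enabled and makes a non-glance HTTPS call after a glance call would cover the failure described in the report.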
Ping, have you had a chance to look into it?

thanks

rob

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
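The report above turns on one client library changing a scheme-to-pool-class registry that the whole process shares. The following is an added example, not code from the thread, glanceclient or urllib3: a small audit helper that reports which registry entries a client constructor rebinds. The registry, pool classes and the two adapter classes are constructed stand-ins (assumptions) that mirror the "https" and "glance_https" registrations discussed in the message.

```python
# Constructed stand-ins for a module-level registry such as
# poolmanager.pool_classes_by_scheme and its stock pool classes.
class StockHTTPPool: pass
class StockHTTPSPool: pass
pool_classes_by_scheme = {"http": StockHTTPPool, "https": StockHTTPSPool}

class ClientHTTPSPool(StockHTTPSPool):
    """Hypothetical client-specific pool class."""

class AdapterSharedScheme:
    """Hypothetical adapter that rebinds the shared "https" entry."""
    def __init__(self, registry):
        registry["https"] = ClientHTTPSPool

class AdapterPrivateScheme:
    """Hypothetical adapter that registers under a private scheme name."""
    def __init__(self, registry):
        registry["glance_https"] = ClientHTTPSPool

def registry_changes(registry, action):
    """Run action() and report how it changed a shared dict registry.

    Returns {key: (old, new)}; old is None for a newly added key and
    new is None for a removed one. The registry is restored afterwards
    so the audit itself leaves no side effects behind.
    """
    before = dict(registry)
    try:
        action()
        after = dict(registry)
    finally:
        registry.clear()
        registry.update(before)
    return {key: (before.get(key), after.get(key))
            for key in before.keys() | after.keys()
            if before.get(key) is not after.get(key)}

def rebinds_existing_scheme(changes):
    """True if an entry that already existed now points at another class."""
    return any(old is not None for old, _new in changes.values())

if __name__ == "__main__":
    for adapter in (AdapterSharedScheme, AdapterPrivateScheme):
        changes = registry_changes(pool_classes_by_scheme,
                                   lambda: adapter(pool_classes_by_scheme))
        print(adapter.__name__, sorted(changes), rebinds_existing_scheme(changes))
```

In a real service the same helper can be pointed at the actual registry dict and a client constructor, for example in a unit test that fails when an existing scheme is rebound.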