Hi, guys! Now I observe potential-dangerous situation in the providers of puppet-neutron module. I want share details, because not only puppet-neutron module may be broken by warnings from Openstack CLI utilities.
After updating urllib3 library on my lab, commands like 'neutron net list' began to throw warnings, like: > root@node-2:~# neutron net-list > /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: > InsecurePlatformWarning: A true SSLContext object is not available. This > prevents urllib3 from configuring SSL appropriately and may cause certain > SSL connections to fail. For more information, see > https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning > . > InsecurePlatformWarning > /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: > SecurityWarning: Certificate has no `subjectAltName`, falling back to check > for a `commonName` for now. This feature is being removed by major browsers > and deprecated by RFC 2818. (See > https://github.com/shazow/urllib3/issues/497 for details.) > SecurityWarning > > +--------------------------------------+-----------+-------------------------------------------------------+ > | id | name | subnets > | > > +--------------------------------------+-----------+-------------------------------------------------------+ > | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | > 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24 | > | d70b399b-668b-4861-b092-4876ec65df60 | net04 | > b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 | > > +--------------------------------------+-----------+-------------------------------------------------------+ > root@node-2:~# Such urllib3 based warnings is only particular case. Warnings may appear by another reason while call any Openstack utilities. Such warnings lead to broke work of puppet-neutron manifests: > 2015-10-20 16:42:11 +0000 > /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04] > (info): Evaluated in 5.51 seconds > 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources > for neutron_subnet > 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron > subnet-list --format=csv --column=id --quote=none' > 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron > subnet-show --format=shell InsecurePlatformWarning' > 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron > (notice): Unable to complete neutron request due to non-fatal error: > "Execution of '/usr/bin/neutron subnet-show --format=shell > InsecurePlatformWarning' returned 1: > /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: > InsecurePlatformWarning: A true SSLContext object is not available. This > prevents urllib3 from configuring SSL appropriately and may cause certain > SSL connections to fail. For more information, see > https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. > InsecurePlatformWarning > /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: > SecurityWarning: Certificate has no `subjectAltName`, falling back to check > for a `commonName` for now. This feature is being removed by major browsers > and deprecated by RFC 2818. (See > https://github.com/shazow/urllib3/issues/497 for details.) > SecurityWarningUnable to find subnet with name 'InsecurePlatformWarning' > ". Retrying for 7 sec. ..... Unable to find subnet with name 'InsecurePlatformWarning' > ". Retrying for 0 sec. > 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron > subnet-show --format=shell InsecurePlatformWarning' > 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch neutron_subnet > provider 'neutron': Can't retrieve subnet-show because Neutron or Keystone > API is not available. > /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in > `get_neutron_resource_attrs' > /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in > `block in instances' > /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in > `collect' > /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in > `instances' > /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in > `prefetch' > /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch' > /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in > `prefetch_if_necessary' > /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in evaluate' This happens, because Puppet mixing stderr and stdout while execute shell commands, like > commands :neutron => 'neutron' And code, like > > https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146 parses stderr output also. Part of warnings gets into incoming data. IMHO this situation is potential dangerous for all puppet-openstack modules.. /sv
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
