Bug 1021537

Summary: Setting Qpid SSL protocol sets wrong variable
Product: Red Hat OpenStack Reporter: Xavier Queralt <xqueralt>
Component: openstack-quantumAssignee: Assaf Muller <amuller>
Status: CLOSED ERRATA QA Contact: Nir Magnezi <nmagnezi>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: ajeain, bperkins, chrisw, dallan, jruzicka, lpeer, majopela, ndipanov, rcritten, sclewis, sradvan, xqueralt, yeylon
Target Milestone: z4Keywords: ZStream
Target Release: 3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-quantum-2013.1.4-4.el6ost Doc Type: Bug Fix
Doc Text:
By default, QPID uses TCP as a connection transport instead of a connection protocol. Previously, the procedure for enabling SSL in QPID connections was to set 'qpid_protocol = ssl' in /etc/glance/glance-api.conf. This setting, however, sets connection protocol; the python-qpid client, on the other hand, expects a connection transport type. The mismatch prevented QPID from actually establishing an SSL connection. With this release, the 'qpid_protocol = ssl' setting now enables SSL for the connection transport instead of the connection protocol. As such, QPID can now successfully establish SSL connections.
 Story Points: ---
Clone Of: 996766 Environment:
Last Closed: 2014-01-30 19:49:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 996766    
Bug Blocks: 1021536, 1055616    

Comment 2 Assaf Muller 2013-12-31 15:20:04 UTC 
There's a patch in review to backport the fix to neutron's stable/grizzly branch:
https://review.openstack.org/#/c/56994/
Comment 4 Scott Lewis 2014-01-21 19:59:05 UTC 
Adding >=POST to next async release
Comment 6 Nir Magnezi 2014-01-27 11:14:26 UTC 
Verified NVR: 
openstack-quantum-2013.1.4-4.el6ost.noarch
python-quantum-2013.1.4-4.el6ost.noarch

1. Verified that the new code is present, as specified in: https://review.openstack.org/#/c/56994/3/quantum/openstack/common/rpc/impl_qpid.py

# grep self.conf.qpid_protocol  /usr/lib/python2.6/site-packages/quantum/openstack/common/rpc/impl_qpid.py
        self.connection.transport = self.conf.qpid_protocol

2. tested qpid with SSL:
   - Cofigured qpid with SSL, grizzly version of packstack does not support such installation, I used:
     a. https://github.com/dprince/puppet-qpid/blob/master/templates/qpidd.conf.erb
     b. openstack.redhat.com/Securing_services

Result:
INFO [quantum.openstack.common.rpc.impl_qpid] Connected to AMQP server on 10.35.160.29:5671
Comment 8 errata-xmlrpc 2014-01-30 19:49:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0110.html