Bug 1242675
Summary: | When the undercloud is configured with SSL=true any Cli command produce multiple SSL SecurityWarning. | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Omri Hochman <ohochman> |
Component: | puppet-tripleo | Assignee: | Juan Antonio Osorio <josorior> |
Status: | CLOSED ERRATA | QA Contact: | Rodrigo Duarte <rduartes> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 (Kilo) | CC: | ayoung, bnemec, dcain, dh3, dhill, flg, jcoufal, jjoyce, jmelvin, jschluet, jthomas, mburns, mcornea, nkinder, racedoro, rhel-osp-director-maint, shailesh.pilare, slinaber, sputhenp, tvignaud |
Target Milestone: | ga | Keywords: | Triaged |
Target Release: | 10.0 (Newton) | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | puppet-tripleo-5.1.0-0.20160928184742.b8f8d0f.el7ost | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-12-14 15:13:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Omri Hochman
2015-07-13 23:06:38 UTC
*** Bug 1255563 has been marked as a duplicate of this bug. ***

*** Bug 1259529 has been marked as a duplicate of this bug. ***

Other than manual code changes, is there a workaround for this?

workaround

```
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
```

Hello,

```
[stack@osp7dr2 ~]$ cat stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.168.122.2:13000/v2.0
export OS_CACERT=/etc/pki/instack-certs/undercloud.pem
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_NO_CACHE=True
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
```

After sourcing the file I don't see warnings when executing "nova" command:

```
[stack@osp7dr2 ~]$ source stackrc
[stack@osp7dr2 ~]$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
```

But I still see a warning when using "keystone" command:

```
[stack@osp7dr2 ~]$ keystone user-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
+----------------------------------+------------+---------+--------------------------+
| id                               | name       | enabled | email                    |
+----------------------------------+------------+---------+--------------------------+
| 1df259ce5388436bbc552f084f1887ac | admin      | True    | root@localhost           |
| 3d2e15d1ec7245619ec69fc545121a45 | ceilometer | True    | email=nobody             |
| 8b9016da052a4e9cbc6d65f43e132c82 | glance     | True    | email=nobody             |
| 8bd69c4718e34c359e3f90df4109e4a9 | heat       | True    | email=nobody             |
| 4ae93444e0a7456eb21cb9550da3fbc2 | ironic     | True    | email=nobody             |
| c0b92eebe0e0411c847bfefe4642e6dc | neutron    | True    | email=nobody             |
| a994c4f90dd44679b71fe061a6ad3ef8 | nova       | True    | email=nobody             |
| f5a1240849844d52a7e5004a70cde05a | swift      | True    | email=nobody             |
| bbf7430836d84c759a3dc9e1ef672796 | tuskar     | True    | email=nobody             |
+----------------------------------+------------+---------+--------------------------+
```

So, there seems to be a difference when executing "nova" commands compared to "keystone" commands. Is this a known issue?

Keystone difference seems to be due to warnings.resetwarnings() which must drop the state of the -W or PYTHONWARNINGS flags. If you comment out warnings.resetwarnings() as below, the workaround works with still having the coded Deprecation Warning. Also, inserting warnings.simplefilter('ignore') after warnings.resetwarnings() will also drop the warnings.

```
def __init__(self, parser_class=argparse.ArgumentParser):
    # Since Python 2.7, DeprecationWarning is ignored by default, enable
    # it so that the deprecation message is displayed.
    warnings.simplefilter('once', category=DeprecationWarning)
    warnings.warn(
        'The keystone CLI is deprecated in favor of '
        'python-openstackclient. For a Python library, continue using '
        'python-keystoneclient.', DeprecationWarning)
    # And back to normal!
    #warnings.resetwarnings()
    self.parser_class = parser_class
```

Created new bz for keystone difference https://bugzilla.redhat.com/show_bug.cgi?id=1274858

Hey, I am facing the same issue. Setting the PYTHONWARNINGS flags did not help much. Instead we need to address the error within urllib3 itself. The error warnings can be disabled there:

```
requests.packages.urllib3.disable_warnings()
```

Ben, this will be fixed with our ongoing broader SSL work, right?

Mostly. The one exception is that the standalone keystone client doesn't play nicely, but since that is officially deprecated anyway I don't think it's worth spending a lot of effort on.

This bug did not make the OSP 8.0 release. It is being deferred to OSP 10.

The fix for this has merged upstream: https://review.openstack.org/#/c/368559/

This will be pulled in with puppet-tripleo 5.1.0.

Verified for puppet-tripleo-5.4.0-3.el7ost.noarch.

```
[stack@undercloud-0 ~]$ cat stackrc
export NOVA_VERSION=1.1
export OS_PASSWORD=$(sudo hiera admin_password)
export OS_AUTH_URL=https://192.0.2.2:13000/v2.0
export PYTHONWARNINGS="ignore:Certificate has no, ignore:A true SSLContext object is not available"
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export COMPUTE_API_VERSION=1.1
export OS_BAREMETAL_API_VERSION=1.15
export OS_NO_CACHE=True
export OS_CLOUDNAME=undercloud
export OS_IMAGE_API_VERSION=1
[stack@undercloud-0 ~]$ source stackrc
[stack@undercloud-0 ~]$ nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
[stack@undercloud-0 ~]$ openstack user list
+----------------------------------+------------------+
| ID                               | Name             |
+----------------------------------+------------------+
| 7b1da79c2017475baf128736d4cac098 | admin            |
| d622821399d342e6a49c1a8db3d28ec3 | neutron          |
| 460982a6ddc94ff498c70d5218e1d5ca | heat             |
| 6522ed4501974944ad0e825f7f343869 | aodh             |
| eefc3b5edbfe4bf0bc3a3c210ee4da6d | nova             |
| 59f1581347004ddb909213d4effbe8b9 | mistral          |
| 4599e80f12304017be04f11da9933ea3 | glance           |
| f332a923539f4663a1ba65e41bb41aec | zaqar-websocket  |
| 9b69d0af29ea47b5afe1b7f4addf42d2 | ironic           |
| ece7cc720b844ff0ab4434347b493d7a | ceilometer       |
| f31f368c8824471fa6e95bb76503a41d | ironic-inspector |
| 6c2ea955034b4c35bb48d58169d10bc2 | zaqar            |
| c8138f92d14d4d8c84c4af46907c5806 | swift            |
+----------------------------------+------------------+
```

No security warnings were displayed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html
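
The interaction between `PYTHONWARNINGS` and `warnings.resetwarnings()` discussed in this thread can be reproduced without an undercloud. The following is an added example, not code from python-keystoneclient or from any commenter: the stand-in `InsecurePlatformWarning` class, the helper names and the `scoped` variant (which uses `warnings.catch_warnings()`) are assumptions made for illustration, and only the `PYTHONWARNINGS` value is taken from the `stackrc` above.

```python
import os
import subprocess
import sys

# Filter string copied from the stackrc shown on this page.
PYTHONWARNINGS = ("ignore:Certificate has no, "
                  "ignore:A true SSLContext object is not available")

# Constructed stand-in for a CLI's start-up code; urllib3 is not required.
PRELUDE = '''
import warnings
class InsecurePlatformWarning(Warning):  # stand-in for urllib3's class
    pass
def deprecate():
    warnings.warn("The keystone CLI is deprecated", DeprecationWarning)
def tls_call():
    warnings.warn("A true SSLContext object is not available. (constructed)",
                  InsecurePlatformWarning)
'''

VARIANTS = {
    # Client that never touches the filter list (the "nova" behaviour).
    "no_reset": "tls_call()\n",
    # Pattern from the thread: enable the notice, then resetwarnings().
    "reset": ("warnings.simplefilter('once', category=DeprecationWarning)\n"
              "deprecate()\n"
              "warnings.resetwarnings()\n"
              "tls_call()\n"),
    # Assumed alternative: confine the filter change to a context manager.
    "scoped": ("with warnings.catch_warnings():\n"
               "    warnings.simplefilter('once', category=DeprecationWarning)\n"
               "    deprecate()\n"
               "tls_call()\n"),
}

def run_variant(name):
    """Run one variant in a child interpreter and return its stderr."""
    env = dict(os.environ, PYTHONWARNINGS=PYTHONWARNINGS)
    proc = subprocess.run([sys.executable, "-c", PRELUDE + VARIANTS[name]],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stderr

def shows(name, category):
    """True if a warning of the given category was printed by the variant."""
    return ": %s: " % category in run_variant(name)

if __name__ == "__main__":
    for variant in VARIANTS:
        print(variant,
              "deprecation shown:", shows(variant, "DeprecationWarning"),
              "TLS warning shown:", shows(variant, "InsecurePlatformWarning"))
```

The `scoped` variant still prints the deprecation notice while leaving the operator's `PYTHONWARNINGS` filters in force, so only the two messages named in `stackrc` are hidden rather than every urllib3 warning.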