| Summary: | Audrey agent fails to connect to config server openssl self signed cert issue | |||
|---|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Rehana <redakkan> | |
| Component: | aeolus-audrey-agent | Assignee: | Dan Radez <dradez> | |
| Status: | CLOSED ERRATA | QA Contact: | dgao | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 1.0.0 | CC: | akarol, asettle, cpelland, deltacloud-maint, dmacpher, hbrock, jrd, whayutin | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Two versions of python-httplib2 (0.6x and 0.7x) were available; however, Audrey Agent was not compatible with 0.7x, and as a result Cloud Engine was unable to communicate with Audrey Agent. This fix updates Audrey Agent to be compatible with 0.7x by allowing self-signed certificates. This means that Audrey Agent can successfully communicate with Cloud Engine.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 813319 826708 (view as bug list) | Environment: | ||
| Last Closed: | 2012-12-04 15:03:48 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 813319, 826708 | |||
|
Description
Rehana
2012-04-16 14:45:13 UTC
I added some additional logging statements to /usr/bin/audrey on the guest in question. Current logs show:

[root ~]# cat /var/log/audrey.log
2012-04-16 06:44:29,151 - INFO : audrey:1295 Invoked audrey_script_main
2012-04-16 06:44:29,151 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:44:29,418 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:44:29,418 - INFO : audrey:1315 Failed attempt to contact config server
2012-04-16 06:44:39,429 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:44:39,566 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:44:39,566 - INFO : audrey:1315 Failed attempt to contact config server
2012-04-16 06:44:49,577 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:44:49,700 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:44:49,701 - INFO : audrey:1315 Failed attempt to contact config server
2012-04-16 06:44:59,711 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:44:59,840 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:44:59,840 - INFO : audrey:1315 Failed attempt to contact config server
2012-04-16 06:45:09,851 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:45:09,979 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:45:09,980 - INFO : audrey:1315 Failed attempt to contact config server
2012-04-16 06:45:19,990 - DEBUG : audrey:868 HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None
2012-04-16 06:45:20,127 - ERROR : audrey:871 Error in HTTP GET: https://cloudengine-audrey.usersys.redhat.com/version; headers=None; error=[Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012-04-16 06:45:20,127 - ERROR : audrey:1318 Failed to connect to the Configserver

This problem stems from the version of python-httplib2. The version on the RHEL-6.2 guest was 0.7.2-1.el6. That version came from epel. We downgraded to the standard rhel6.2 provided version of python-httplib2 0.6.0-4.el6_0.

This fixes the problem, but leaves us with two other problems:

1) epel is needed for the wordpress demo on rhel because epel is the only place to get wordpress
2) when python-httplib2 0.7.2-1.el6 becomes the standard version in rhel, this problem will arise again in a much more permanent way

A quick workaround could be to restrict the nvr of python-httplib2 to 0.6.0-4.el6_0 or something similar in the aeolus-audrey-agent spec file.

This needs to be fixed in the 1.0.z release. The fix is for the audrey agent, customers that use audrey to install code that requires python-httplib2 will fail.

Greg, can you put together a couple sentences to go into relnotes for this, to tide us over until 1.0z?

Updating the component to audrey-agent.

Adding relnotes to technical notes.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
The audrey-agent currently requires python-httplib2 v0.6.0. CloudForms Cloud Engine channel provides python-httplib2-0.6.0-4.el6_0. However, EPEL is providing python-httplib2-0.7.2-1.el6. Therefore, images built with the audrey agent and that include EPEL as a repository in the image template will experience this bug.
We're leaving this bug open to track the issue in the audrey-agent to be fixed in zstream. The issue is that audrey-agent should handle ssl cert validation in both python-httplib 0.6.0 and python-httplib 0.7.0. In the short term (zstream timeline), the fix will be to introduce logic into audrey-agent that turns off ssl cert validation when python-httplib 0.7.0 is loaded (and not change anything when python-httplib 0.6.0 is loaded). In the long term (1.1?/2.0?), the fix will be to propagate the appropriate ssl cert from the config server to the launching guest with audrey-agent. There's no specific plan in place yet to determine how to make this happen. But, it opens up the larger opportunity for widespread certificate management in Cloud Forms.

Assigning to Dan.

fixed in da87064e28d588925959e270f66d7183a6500295

built as 0.4.9-1

[root@10-16-120-177 ~]# cat /var/log/audrey.log
2012-06-13 13:26:44,423 - INFO : audrey:1305 Invoked audrey_script_main
2012-06-13 13:26:44,685 - INFO : audrey:1334 <Instance of: CSClient
Version: 1
Config Server Endpoint: https://deaddonkey.usersys.redhat.com
Config Server oAuth Key: af6caa10-b56d-11e1-9376-e83935c21f2c
Config Server oAuth Secret: dNq4bvMxPoKwr3tFuChikdIe5nQYCRuqejSSKuzIOzT2
Config Server Params:
Config Server Configs:
Temporary Directory:
Tarball Name:
eot>
2012-06-13 13:26:44,686 - INFO : audrey:951 Invoked CSClient.get_cs_tooling()
2012-06-13 13:26:44,886 - INFO : audrey:683 Invoked unpack_tooling()
2012-06-13 13:26:44,888 - INFO : audrey:908 Invoked CSClient.get_cs_configs()
2012-06-13 13:26:45,086 - INFO : audrey:923 Invoked CSClient.get_cs_params()
2012-06-13 13:26:45,286 - INFO : audrey:521 Invoked generate_provides()
2012-06-13 13:26:45,636 - INFO : audrey:938 Invoked CSClient.put_cs_params_values()
[root@10-16-120-177 ~]# rpm -qa | grep "python-httplib"
python-httplib2-0.7.4-1.el6.noarch
[root@10-16-120-177 ~]# rpm -qa | grep "audrey"
aeolus-audrey-agent-0.4.9-1.el6_2.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-1516.html
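
The short-term and long-term fixes discussed in this bug, side by side, as an added example (this is not the code from the audrey-agent commit). The names `plan_client`, `make_client` and `ClientPlan` are hypothetical; `disable_ssl_certificate_validation` and `ca_certs` are keyword arguments of `httplib2.Http` from 0.7 onwards.

```python
import os
import re
from collections import namedtuple

# kwargs for httplib2.Http(), whether the server certificate is verified, and why.
ClientPlan = namedtuple("ClientPlan", "kwargs verifies_server reason")


def parse_version(version):
    """Return (major, minor) from strings such as '0.7.2' or '0.6.0-4.el6_0'."""
    match = re.match(r"(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised httplib2 version: %r" % version)
    return int(match.group(1)), int(match.group(2))


def plan_client(httplib2_version, ca_cert_path=None):
    """Choose httplib2.Http() keyword arguments for the config server connection."""
    if parse_version(httplib2_version) < (0, 7):
        # 0.6.x: nothing changes, as in the bug; the validation kwargs do not exist there.
        return ClientPlan({}, False, "httplib2 < 0.7 does not validate certificates")
    if ca_cert_path and os.path.isfile(ca_cert_path):
        # Long-term fix: trust only the certificate propagated from the config server.
        return ClientPlan({"ca_certs": ca_cert_path}, True,
                          "validating against supplied certificate")
    # Short-term (zstream) fix: accept the self-signed certificate unverified.
    # The connection is encrypted but the server's identity is not checked.
    return ClientPlan({"disable_ssl_certificate_validation": True}, False,
                      "validation disabled for httplib2 >= 0.7")


def make_client(ca_cert_path=None):
    """Build the client; httplib2 is imported lazily so planning works without it."""
    import httplib2
    plan = plan_client(httplib2.__version__, ca_cert_path)
    return httplib2.Http(**plan.kwargs), plan


if __name__ == "__main__":
    # Versions taken from the bug report; no certificate file supplied.
    for version in ("0.6.0-4.el6_0", "0.7.2-1.el6", "0.7.4-1.el6"):
        plan = plan_client(version)
        print(version, plan.kwargs, "verified" if plan.verifies_server else "UNVERIFIED")
```

Logging `plan.reason` at agent start-up makes it visible in audrey.log which guests are still talking to the config server without certificate verification.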