1262073 – Pulp tasks tries to connect to 127.0.0.1 instead of localhost hostname

Bug 1262073 - Pulp tasks tries to connect to 127.0.0.1 instead of localhost hostname

Summary: Pulp tasks tries to connect to 127.0.0.1 instead of localhost hostname

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Pulp
Sub Component:
Version:	Nightly
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1246263 1252573
TreeView+	depends on / blocked

Reported:	2015-09-10 18:43 UTC by Stephen Benjamin
Modified:	2021-04-06 18:01 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-27 09:18:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Pulp Redmine	1245	0	Normal	CLOSED - CURRENTRELEASE	Pulp cannot be configured to connect to Qpid at 'localhost'	Never
Red Hat Product Errata	RHBA-2016:1501	0	normal	SHIPPED_LIVE	Red Hat Satellite 6.2 Capsule and Server	2016-07-27 12:28:58 UTC

Description Stephen Benjamin 2015-09-10 18:43:30 UTC

Description of problem:

/etc/pulp/server.conf contains:

  [tasks] 
  broker_url: qpid://localhost:5671
  celery_require_ssl: true
  cacert: /etc/pki/katello/certs/katello-default-ca.crt
  keyfile: /etc/pki/katello/qpid_client_striped.crt
  certfile: /etc/pki/katello/qpid_client_striped.crt

However, pulp tries to connect to the IP and then claims the certificate doesn't match - the certificate DOES have a `localhost` CN.

Sep 10 14:42:06 katello-centos7-bats.example.com pulp[24219]: pulp.server.async.scheduler:ERROR: Connection hostname '127.0.0.1' does not match names from peer certificate: ['katello-centos7-bats.example.com', 'localhost', u'katello-centos7-bats.example.com']


Version-Release number of selected component (if applicable):
python-celery-3.1.11-1.el7.noarch
pulp-docker-plugins-1.0.1-1.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
pulp-nodes-common-2.6.2-1.el7.noarch
python-kombu-3.0.24-8.pulp.el7.noarch
python-pulp-docker-common-1.0.1-1.el7.noarch
pulp-server-2.6.2-1.el7.noarch
python-pulp-rpm-common-2.6.2-1.el7.noarch
python-rhsm-1.8.0-2.pulp.el7.x86_64
python-pulp-bindings-2.6.2-1.el7.noarch
python-pulp-puppet-common-2.6.2-1.el7.noarch
pulp-rpm-plugins-2.6.2-1.el7.noarch
pulp-katello-0.4-3.el7.noarch
rubygem-smart_proxy_pulp-1.0.1-2.el7.noarch
python-pulp-common-2.6.2-1.el7.noarch
pulp-selinux-2.6.2-1.el7.noarch
pulp-puppet-plugins-2.6.2-1.el7.noarch
pulp-puppet-tools-2.6.2-1.el7.noarch
pulp-nodes-parent-2.6.2-1.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1. Configure pulp to connect to broker on localhost
2. Restart everything

Actual results:
Celery tries 127.0.0.1 for broker connection

Expected results:
Should use localhost


Additional info:

Comment 1 pulp-infra@redhat.com 2015-09-10 21:30:17 UTC

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 2 pulp-infra@redhat.com 2015-09-10 21:30:17 UTC

The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 4 pulp-infra@redhat.com 2015-10-02 18:30:22 UTC

The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 5 pulp-infra@redhat.com 2015-10-02 18:50:34 UTC

The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 6 Brian Bouterse 2015-10-02 19:06:06 UTC

The commit associated with the upstream issue create 3.0.24-10. The commit should cherry pick cleanly on the upstream 3.0.24-9 release of python-kombu. If there are any issues applying the cherry pick, NEEDSINFO me.

Comment 7 pulp-infra@redhat.com 2015-10-22 15:00:43 UTC

The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2015-11-06 20:00:25 UTC

The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 9 Bryan Kearney 2016-01-04 15:28:28 UTC

Moving this to POST. Please verify once 2.7 or greater is incorporated into the build.

Comment 12 Jitendra Yejare 2016-04-15 11:33:03 UTC

Verified this issue on Sat 6.2 snap 8.1

I see that pulp is trying to connect to localhost and not to IP:
ERROR: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",)


But I see still error related to this change of broker url to 'localhost' as above and also this:
Apr 15 07:21:38 qeblade36 pulp: celery.worker.consumer:ERROR: (25749-58496) consumer: Cannot connect to qpid://localhost:5671//: ("Connection hostname 'localhost' does not match names from peer certificate: ['qeblade36.rhq.lab.eng.bos.redhat.com', u'qeblade36.rhq.lab.eng.bos.redhat.com']",).

And as per my opinion, these errors looks out of contest of this bug. And the main issue of connecting to localhost is solved.

Please feel free to reopen the bug, if I am wrong.

Comment 13 Jitendra Yejare 2016-04-15 11:40:17 UTC

Moving this to Assigned.

I further explore the impacts and I see that enabling Redhat Repos is failing with error - ' There was an issue with the backend service pulp: No pulp workers running.' due to see this change.

And I believe this change is blocking and impacting the satelltie server as pulp workers are not running.

So changing this to 'Failed QA'

Comment 14 Stephen Benjamin 2016-04-15 12:53:05 UTC

Ah sorry, this probably should've just been marked as a dev task and not QE'd.  It was just a bug fix in an underlying library that's needed for another BZ.

I think you can mark this VERIFIED. 

Your test did verify the change worked. Previously, if you put localhost as the qpid URL, pulp would replace it with 127.0.0.1 and do all the SSL verification against that.  Your test shows it's keeping the 'localhost' name.

The certificate issue is totally expected.

https://bugzilla.redhat.com/show_bug.cgi?id=1252573 is where we'll change the default to connect to localhost and update the certificates.

Comment 15 Jitendra Yejare 2016-04-18 06:40:51 UTC

Moving this to verified as per comment 14 from Stephen.

Thanks Stephen for the explanation.

Comment 17 errata-xmlrpc 2016-07-27 09:18:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

Note You need to log in before you can comment on or make changes to this bug.