Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1418392

Summary: TripleO Validation fail due to required Scapy package [rhos-10.0]
Product: Red Hat OpenStack Reporter: Razique Mahroua <rmahroua>
Component: openstack-tripleo-validationsAssignee: Martin André <maandre>
Status: CLOSED CURRENTRELEASE QA Contact: nlevinki <nlevinki>
Severity: high Docs Contact:
Priority: high    
Version: 10.0 (Newton)CC: flfuchs, gmollett, jjoyce, jrist, jschluet, maandre, m.andre, mburns, rhos-maint, slinaber, tvignaud
Target Milestone: ---Keywords: Security, Triaged, ZStream
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1435319 (view as bug list) Environment:
Last Closed: 2018-10-11 08:28:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420632    
Attachments:
Description Flags
Workaround
none
Workaround - second file none

Description Razique Mahroua 2017-02-01 17:40:57 UTC 
Description of problem:
There are two checks, 'DHCP on the Provisioning Network' and 'DHCP on the Introspection Network'. These two checks fail (from scapy.all import BOOTP raises an exception), despite scapy installed on the system:
[root@director ~] # pip show scapy
---
Metadata-Version: 1.0
Name: scapy
Version: 2.3.2
Summary: Scapy: interactive packet manipulation tool
Home-page: http://www.secdev.org/projects/scapy
Author: Philippe BIONDI
Author-email: phil(at)secdev.org
License: GPLv2
Location: /usr/lib/python2.7/site-packages
Requires:


I applied the following to workaround the issue.
1- Updated /usr/share/openstack-tripleo-validations/validations/dhcp-provisioning.yaml
by appending the following setting to the 'pip' line:
virtualenv_site_packages=yes

pip: name=scapy version=2.3.2 state=present virtualenv=/tmp/validations-venv virtualenv_site_packages=yes


2- Did the same for dhcp-introspection.yaml


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Launch the 'DHCP on the Provisioning Network' and 'DHCP on the Provisioning Network DHCP on the Provisioning Network'checks
2. Both will fail (from scapy.all import BOOTP raises an exception)

Actual results:
The virtual environment does not import the Scapy module

Expected results:
The virtual environment should import the Scapy module and the two checks should pass.


Additional info:
As a side node, the RPM package scapy 2.3.2 is non existing, thus preventing this feature to work in offline installations.
Comment 1 Razique Mahroua 2017-02-01 17:43:02 UTC 
Created attachment 1246756 [details]
Workaround
Comment 2 Razique Mahroua 2017-02-01 17:43:59 UTC 
Created attachment 1246757 [details]
Workaround - second file
Comment 3 Jon Schlueter 2017-02-02 14:26:52 UTC 
doing a bit of digging here is what I found for scapy references in OSP 10

[openstack-tripleo-validations]$ ag scapy
tripleo-validations-5.1.1/validations/dhcp-provisioning.yaml
23:  - name: Install scapy
24:    pip: name=scapy version=2.3.2 state=present virtualenv=/tmp/validations-venv

tripleo-validations-5.1.1/validations/files/rogue_dhcp.py
17:# Disable scapy's warning to stderr:
20:logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
23:from scapy.all import BOOTP
24:from scapy.all import conf
25:from scapy.all import DHCP
26:from scapy.all import Ether
27:from scapy.all import get_if_raw_hwaddr
28:from scapy.all import IP
29:from scapy.all import srp
30:from scapy.all import UDP

tripleo-validations-5.1.1/validations/dhcp-introspection.yaml
18:  - name: Install scapy
19:    pip: name=scapy version=2.3.2 state=present virtualenv=/tmp/validations-venv
Comment 4 Jon Schlueter 2017-02-02 14:30:33 UTC 
how are we getting pip installed on the system?
Comment 15 Martin André 2017-03-22 17:23:28 UTC 
I've pushed a patch both upstream [1] and downstream [2] that replaces the scapy script by one using raw sockets. The upstream patch received negative feedback asking to package scapy instead.

My suggestion would be to remove this validation if the patch is not going to be merged.

I don't know how much work is needed to get scapy packaged for RHEL, but this is not something I can commit to right now. Jason, can someone from the UI DFG take over these patches?

[1] https://review.openstack.org/#/c/430681/
[2] https://code.engineering.redhat.com/gerrit/#/c/97154/
Comment 16 Jason E. Rist 2017-04-10 14:59:51 UTC 
Martin - yes