RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1719354 - websocket-client 0.56 ignores default RHEL certificates, breaking OpenStack
Summary: websocket-client 0.56 ignores default RHEL certificates, breaking OpenStack
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-websocket-client
Version: 7.6
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: Filip Hubík
URL:
Whiteboard:
Depends On:
Blocks: 1714205 1717469 1718343
TreeView+ depends on / blocked
 
Reported: 2019-06-11 15:04 UTC by Filip Hubík
Modified: 2019-06-13 15:26 UTC (History)
11 users (show)

Fixed In Version: python-websocket-client-0.56.0-3.git3c25814
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-13 15:26:07 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
potential fix (868 bytes, patch)
2019-06-11 15:14 UTC, Lon Hohberger 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:1472 0 None None None 2019-06-13 15:26:13 UTC

Description Filip Hubík 2019-06-11 15:04:21 UTC 
This bug was initially created as a copy of Bug #1702715

I am copying this bug because: 

As original bug was closed as "CLOSED_ERRATA" we need to track this issue with new BZ.

This issue still persists and breaks OSP14, OSP13 and OSP10 deployments, possibly more.

It is not only ipv6-topology specific and it affects all deployments, since it makes OSP fail during introspection.

This issue is related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1702715 - RHEL7 - predecessor
https://bugzilla.redhat.com/show_bug.cgi?id=1717469 - OSP14
https://bugzilla.redhat.com/show_bug.cgi?id=1714205 - OSP13
https://bugzilla.redhat.com/show_bug.cgi?id=1718343 - OSP10


+++ This bug was initially created as a clone of Bug #1696332 +++

Description of problem: When trying to deploy pre-deployed servers and setting public endpoints to ipv6, deployment cannot start due to zaqar websocket returning 504


Version-Release number of selected component (if applicable):
OSP13
puddle: 2019-03-18.1


How reproducible: 100%


Steps to Reproduce:
1. Set public endpoints to IPv6 address
2. Start overcloud deployment

Actual results:

Overcloud installation fails even before stack creation starts (see log attached)

Expected results:

Overcloud installation starts successfully

Additional info:

--- Additional comment from Emilien Macchi on 2019-04-04 15:53:27 UTC ---

I don't see where Zaqar fails, however I see:

2019-04-02 12:04:04,679 INFO: Failed to discover available identity versions when contacting https://2001:db8::b2:13000/. Attempting to parse version from URL.
2019-04-02 12:04:04,680 INFO: Could not determine a suitable URL for the plugin
2019-04-02 12:04:04,724 INFO: + openstack quota set --cores -1 --instances -1 --ram -1
2019-04-02 12:04:05,450 INFO: Failed to discover available identity versions when contacting https://2001:db8::b2:13000/. Attempting to parse version from URL.
2019-04-02 12:04:05,450 INFO: Could not determine a suitable URL for the plugin


Please update the BZ with sosreport.



[snip]

--- Additional comment from James Slagle on 2019-04-23 14:56:01 UTC ---

it looks like we at least need this patch to python-websocket-client as well:

https://github.com/websocket-client/websocket-client/commit/6bc909be0ebe12d6843b64b242e0f015084a7df5
Comment 2 Jon Schlueter 2019-06-11 15:10:19 UTC 
Running down the issue currently it's looking like the rebase pulled in cert bundle checking, which dropped the default certs path/bundle that used to work.

This is the usage in OSP that broke usage of python-websocket-client.  There is a workaround if you export WEBSOCKET_CLIENT_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt  or the right path for your particular cert should resolve the verification issue.
Comment 3 Jon Schlueter 2019-06-11 15:11:25 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=1702715#c12

notes:

 As per mailing thread, this package fails QE since it requires the workaround: export WEBSOCKET_CLIENT_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem otherwise deployment fails at the beginning with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) error message. Once worked around though the deployment passes further with web sockets endpoint set to IPv6
Comment 5 Lon Hohberger 2019-06-11 15:14:14 UTC 
Created attachment 1579429 [details]
potential fix
Comment 9 Filip Hubík 2019-06-11 22:02:34 UTC 
I can confirm basic run of OSP14 with this package (without IR workaround in place) passed. Package was installed after UC installation was done and images were prepared:

2019-06-11 18:56:32.820 | --> Running transaction check
2019-06-11 18:56:32.823 | ---> Package python-websocket-client.noarch 0:0.56.0-1.git3c25814.el7 will be updated
2019-06-11 18:56:32.826 | ---> Package python-websocket-client.noarch 0:0.56.0-2.git3c25814.el7 will be an update
2019-06-11 18:56:32.829 | --> Finished Dependency Resolution
Comment 12 Lon Hohberger 2019-06-12 10:46:25 UTC 
The earlier 0.32 version of websocket-client handled things quite differently:

@@ -143,12 +242,19 @@
 
 def _ssl_socket(sock, user_sslopt, hostname):
     sslopt = dict(cert_reqs=ssl.CERT_REQUIRED)
-    certPath = os.path.join(
-        os.path.dirname(__file__), "cacert.pem")
-    if os.path.isfile(certPath):
-        sslopt['ca_certs'] = certPath
     sslopt.update(user_sslopt)
-    check_hostname = sslopt["cert_reqs"] != ssl.CERT_NONE and sslopt.pop('check_hostname', True)
+
+    certPath = os.environ.get('WEBSOCKET_CLIENT_CA_BUNDLE')
+    if certPath and os.path.isfile(certPath) \
+            and user_sslopt.get('ca_certs', None) is None \
+            and user_sslopt.get('ca_cert', None) is None:
+        sslopt['ca_certs'] = certPath
+    elif certPath and os.path.isdir(certPath) \
+            and user_sslopt.get('ca_cert_path', None) is None:
+        sslopt['ca_cert_path'] = certPath
+
+    check_hostname = sslopt["cert_reqs"] != ssl.CERT_NONE and sslopt.pop(
+        'check_hostname', True)
 
     if _can_use_sni():
         sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)

The prior version appeared to ship its own cacert.pem, which 0.56 fixes, however, we need it to use the certificates shipped as part of RHEL - and/or the ones installed by system administrators.
Comment 20 Filip Hubík 2019-06-13 12:45:44 UTC 
Hello,
As per comment#16 I tested with package version python-websocket-client-0.56.0-3.git3c25814.el7.noarch installed manually after undercloud deployment.

root@uc $ sudo curl -O http://download.eng.bos.redhat.com/brewroot/vol/rhel-7/packages/python-websocket-client/0.56.0/3.git3c25814.el7/noarch/python-websocket-client-0.56.0-3.git3c25814.el7.noarch.rpm && sudo yum install -y python-websocket-client-0.56.0-3.git3c25814.el7.noarch.rpm
...
2019-06-13 11:01:54.960 |   Updating   : python-websocket-client-0.56.0-3.git3c25814.el7.noarch       1/2 
2019-06-13 11:01:54.966 |   Cleanup    : python-websocket-client-0.56.0-2.git3c25814.el7.noarch       2/2 
2019-06-13 11:01:54.969 |   Verifying  : python-websocket-client-0.56.0-3.git3c25814.el7.noarch       1/2 
2019-06-13 11:01:54.986 |   Verifying  : python-websocket-client-0.56.0-2.git3c25814.el7.noarch       2/2

Node import for introspection works now as expected:

root@uc $ source ~/stackrc
root@uc $ openstack overcloud node import --instance-boot-option=local /home/stack/instackenv.json

3 node(s) successfully moved to the "manageable" state.
2019-06-13 11:05:52.243 | Successfully registered node UUID 82dff966-e116-4c19-98cf-e22d2ae9c11f
2019-06-13 11:05:52.246 | Successfully registered node UUID 5fc92524-ae5b-417c-807c-e024fd542dd1
2019-06-13 11:05:52.248 | Successfully registered node UUID 69316184-f8dc-4de7-9a94-6292e6f4ce4e

# 0

#STDERR: 
#Waiting for messages on queue 'tripleo' with no timeout.

On this short notice, I was able to test OSP14+vxlan+ipv4/ipv6+ssl(as it is by default), OSP13+vxlan+ipv6+ssl minimal topologies (+ceph). All of them are able to pass OC deployment. Moreover, since
we were able to pass also with the previous version (0:0.56.0-2.git3c25814.el7, https://bugzilla.redhat.com/show_bug.cgi?id=1719354#c9) I consider this fix verified - though I will
also test OSP10 and run full Tempest testing to be sure, we also need to check the status of upgrade jobs (note these all remaining steps will take significantly more time), but these simple
OSP deployments seem to be passing.
Comment 25 errata-xmlrpc 2019-06-13 15:26:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1472
Note You need to log in before you can comment on or make changes to this bug.