Bug 1830776 - fence_compute's --insecure option has the exact opposite effect of what it is meant
Summary: fence_compute's --insecure option has the exact opposite effect of what it is...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fence-agents
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: 8.3
Assignee: Oyvind Albrigtsen
QA Contact: pkomarov
Docs Contact: Steven J. Levine
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-03 19:16 UTC by Michele Baldessari
Modified: 2020-11-04 02:30 UTC

Fixed In Version: fence-agents-4.2.1-47.el8
Doc Type: Bug Fix
Doc Text:
`fence_compute` and `fence_evacuate` agents now interpret the `insecure` option in a more standard way

Previously, the `fence_compute` and `fence_evacuate` agents worked as if `--insecure` was specified by default. With this update, customers who do not use valid certificates for their compute or evacuate services must set `insecure=true` and use the `--insecure` option when running manually from the CLI. This is consistent with the behavior of all other agents.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:28:57 UTC
Type: Bug
Target Upstream Version:


Links:
Red Hat Product Errata RHBA-2020:4622 (last updated 2020-11-04 02:29:10 UTC)

Description Michele Baldessari 2020-05-03 19:16:48 UTC
Currently fence_compute's --insecure option has the exact opposite effect of what it is meant.
The help page states:
   --insecure                     Explicitly allow agent to perform "insecure" TLS
                                        (https) requests

This assumes that when we do not specify it we make secure requests, which is not the case:
[root@database-2 ~]# /usr/sbin/fence_compute -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin 
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
...             
compute-0.redhat.local,
compute-0,      
compute-1.redhat.local,
compute-1,      
                
The reason for this is that when we do *not* specify --insecure, then options['--insecure'] is set to the
string 'False' and when we pass "verify=(not options['--insecure'])" to the keystone session class,
we basically always pass the False boolean value (because not of a string is always False).
Whereas when we do specify --insecure then options['--insecure'] is set to the empty string
which becomes the True bool value when passing verify==(not options['--insecure']).
                
This is all the exact opposite of what we want.


Before the patch:
[root@database-2 ~]# /usr/sbin/fence_compute -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin --insecure
compute-0.redhat.local,
compute-0,      
compute-1.redhat.local,
compute-1,      
[root@database-2 ~]# /usr/sbin/fence_compute -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin 
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
...             
compute-0.redhat.local,
compute-0,      
compute-1.redhat.local,
compute-1,      
                
After the patch:
[root@database-2 ~]# ./test -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin          
compute-0.redhat.local,
compute-0,      
compute-1.redhat.local,
compute-1,      
[root@database-2 ~]# ./test -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin --insecure
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
...             
compute-0.redhat.local,
compute-0,      
compute-1.redhat.local,
compute-1,     

[root@database-2 ~]# diff -u /usr/sbin/fence_compute  test      
--- /usr/sbin/fence_compute     2020-02-13 15:15:09.000000000 +0000             
+++ test        2020-05-03 18:19:57.923253223 +0000       
@@ -281,7 +281,13 @@     
                                 
        loader = loading.get_plugin_loader('password')    
        keystone_auth = loader.load_from_options(**kwargs)      
-       keystone_session = session.Session(auth=keystone_auth, verify=(not options["--insecure"]))
+       verify_tls = True        
+        # When --insecure is not specified the value is the string 'False'     
+        # Otherwise when it is added to the command line the option is set to ''
+       if options['--insecure'].lower().strip() in ['', 'true']:
+               verify_tls = False
+                                   
+       keystone_session = session.Session(auth=keystone_auth, verify=verify_tls)
                                    
        nova_versions = [ "2.11", "2" ]
        for version in nova_versions:
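Review bot: the new check on the `if options['--insecure'].lower().strip() in ['', 'true']:` line accepts exactly two spellings, so a value such as `1` or `yes` supplied as a resource parameter silently falls through to `verify_tls = True`; that is the safe direction, but the accepted spellings should either be documented alongside the `insecure=true` wording in the doc text or rejected with an error so a misspelled value is not mistaken for a working setting. Two style points in the same hunk: the two `#` comment lines are indented one column deeper than the `verify_tls = True` and `if` lines they describe, and the `+` line that holds only trailing whitespace should be an empty added line.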

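The inversion described in the description, modelled as an added example (not fence_compute's own code): the pre-patch `not options["--insecure"]` expression beside the patched string check, run over the three option values the report and doc text mention, to show which deployments change TLS behaviour on upgrade. It assumes, as the patch comment states, that an absent flag yields the string `'False'`, a CLI `--insecure` yields `''`, and `insecure=true` from resource parameters yields `'true'`.

```python
"""Added example, not part of the bug report or of fence-agents: models how the
value in options["--insecure"] became keystone's verify= argument before and
after the fix, and reports which configurations change behaviour on upgrade."""


def verify_before_fix(options):
    # Pre-patch expression quoted in the report: verify=(not options["--insecure"]).
    # `not` of the non-empty string 'False' is False, so an absent flag disabled
    # verification, while the empty string (flag present) enabled it.
    return not options["--insecure"]


def verify_after_fix(options):
    # Patched logic: '' (flag given on the CLI) or 'true' (insecure=true via
    # resource parameters) means the operator asked for insecure TLS.
    return options["--insecure"].lower().strip() not in ("", "true")


def upgrade_impact(options):
    """Return (verify_before, verify_after, note) for one set of agent options."""
    before, after = verify_before_fix(options), verify_after_fix(options)
    if before == after:
        note = "unchanged"
    elif after:
        note = "now verifies certificates; fails if the endpoint cert is untrusted"
    else:
        note = "now skips verification, as the operator requested"
    return before, after, note


# Constructed scenarios matching the report: absent flag -> 'False',
# CLI --insecure -> '', insecure=true in the stonith resource -> 'true'.
SCENARIOS = {
    "flag absent": {"--insecure": "False"},
    "--insecure on CLI": {"--insecure": ""},
    "insecure=true": {"--insecure": "true"},
}

if __name__ == "__main__":
    for name, opts in SCENARIOS.items():
        before, after, note = upgrade_impact(opts)
        print(f"{name:20} before={before!s:5} after={after!s:5} {note}")
```
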
Comment 4 Oyvind Albrigtsen 2020-05-12 07:08:19 UTC
https://github.com/ClusterLabs/fence-agents/pull/332

Comment 17 pkomarov 2020-09-24 21:53:30 UTC
Verified,
[root@controller-0 ~]# rpm -q fence-agents-compute
fence-agents-compute-4.2.1-47.el8.noarch

[root@controller-0 ~]# /usr/sbin/fence_compute -o list --auth-url=https://overcloud.redhat.local:13000 --username=admin --password=$(hiera -c /etc/puppet/hiera.yaml keystone::admin_password) --domain=redhat.local --project-domain=Default --user-domain=Default --region-name=regionOne --tenant-name=admin --insecure | grep InsecureRequestWarning
[root@controller-0 ~]# echo $?
1

Comment 20 errata-xmlrpc 2020-11-04 02:28:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (fence-agents bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4622
