Rob Crittenden wrote: > It looks like the switch to requests in python-glanceclient > (https://review.openstack.org/#/c/78269/) has broken nova when SSL is > enabled. > > I think it is related to the custom object that the glanceclient uses. > If another connection gets pushed into the pool then things fail because > the object isn't a glanceclient VerifiedHTTPSConnection object. > > The error seen is: > > 2014-07-22 16:20:57.571 ERROR nova.api.openstack > req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error: > VerifiedHTTPSConnection instance has no attribute 'insecure' > > What I see is that nova works until glance is invoked. > > These all work: > > $ nova flavor-list > $ glance image-list > $ nova net-list > > Now make it go boom: > > $ nova image-list > ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: > req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c) > > Now that a bad object is now in the pool nothing in nova works: > > $ nova list > ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: > req-f670db83-c830-4e75-b29f-44f61ae161a1) > > A restart of nova gets things back to normal. > > I'm working on enabling SSL everywhere > (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or > using TLS proxies (stud). > I'd like to eventually get SSL testing done as a gate job which will > help catch issues like this in advance. > > rob
FYI, my temporary workaround is to change the queue name (scheme) so the glance clients are handled separately: diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py index 6416c19..72ed929 100644 --- a/glanceclient/common/https.py +++ b/glanceclient/common/https.py @@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter): def __init__(self, *args, **kwargs): # NOTE(flaper87): This line forces poolmanager to use # glanceclient HTTPSConnection - poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool + poolmanager.pool_classes_by_scheme["glance_https"] = HTTPSConnectionPoo super(HTTPSAdapter, self).__init__(*args, **kwargs) def cert_verify(self, conn, url, verify, cert): @@ -92,7 +92,7 @@ class HTTPSConnectionPool(connectionpool.HTTPSConnectionPool): be used just when the user sets --no-ssl-compression. """ - scheme = 'https' + scheme = 'glance_https' def _new_conn(self): self.num_connections += 1 This at least lets me continue working. rob _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev