On 07/23/2014 06:05 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> It looks like the switch to requests in python-glanceclient >> (https://review.openstack.org/#/c/78269/) has broken nova when SSL is >> enabled. >> >> I think it is related to the custom object that the glanceclient uses. >> If another connection gets pushed into the pool then things fail because >> the object isn't a glanceclient VerifiedHTTPSConnection object. >> >> The error seen is: >> >> 2014-07-22 16:20:57.571 ERROR nova.api.openstack >> req-e9a94169-9af4-45e8-ab95-1ccd3f8caf04 admin admin Caught error: >> VerifiedHTTPSConnection instance has no attribute 'insecure' >> >> What I see is that nova works until glance is invoked. >> >> These all work: >> >> $ nova flavor-list >> $ glance image-list >> $ nova net-list >> >> Now make it go boom: >> >> $ nova image-list >> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: >> req-ee964e9a-c2a9-4be9-bd52-3f42c805cf2c) >> >> Now that a bad object is now in the pool nothing in nova works: >> >> $ nova list >> ERROR (Unauthorized): Unauthorized (HTTP 401) (Request-ID: >> req-f670db83-c830-4e75-b29f-44f61ae161a1) >> >> A restart of nova gets things back to normal. >> >> I'm working on enabling SSL everywhere >> (https://bugs.launchpad.net/devstack/+bug/1328226) either directly or >> using TLS proxies (stud). >> I'd like to eventually get SSL testing done as a gate job which will >> help catch issues like this in advance. >> >> rob > > FYI, my temporary workaround is to change the queue name (scheme) so the > glance clients are handled separately: > > diff --git a/glanceclient/common/https.py b/glanceclient/common/https.py > index 6416c19..72ed929 100644 > --- a/glanceclient/common/https.py > +++ b/glanceclient/common/https.py > @@ -72,7 +72,7 @@ class HTTPSAdapter(adapters.HTTPAdapter): > def __init__(self, *args, **kwargs): > # NOTE(flaper87): This line forces poolmanager to use > # glanceclient HTTPSConnection > - poolmanager.pool_classes_by_scheme["https"] = HTTPSConnectionPool > + poolmanager.pool_classes_by_scheme["glance_https"] = > HTTPSConnectionPoo > super(HTTPSAdapter, self).__init__(*args, **kwargs) > > def cert_verify(self, conn, url, verify, cert): > @@ -92,7 +92,7 @@ class > HTTPSConnectionPool(connectionpool.HTTPSConnectionPool): > be used just when the user sets --no-ssl-compression. > """ > > - scheme = 'https' > + scheme = 'glance_https' > > def _new_conn(self): > self.num_connections += 1 > > This at least lets me continue working. > > rob
Hey Rob, Sorry for the late reply, I'll take a look into this. Cheers, Flavio -- @flaper87 Flavio Percoco _______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
