I spoke with Sergii about this and prepared a patch to get rid of the SecurityWarning [0] - it was easy. But we can't get rid of the InsecurePlatformWarning so easily. I see the following options:

1. Update the Python version, as [1] says - should be a hard task.
2. Downgrade urllib to a version without this warning - a bad idea, in my opinion.
3. Rewrite the code to use a non-standard Python SSL module (pyOpenSSL, for example) - may be a massive task.
4. Use something like 2>/dev/null to hide stderr when calling the command - doesn't look good, because the problem can be seen in other places (I saw similar problems with the keystone provider, for example).
5. Rewrite the code to split stderr/stdout, as Sergey proposed - the most reasonable idea, in my opinion.

[0] https://review.openstack.org/#/c/237379
[1] https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

On Wed, Oct 21, 2015 at 10:02 AM, Sergey Vasilenko <svasile...@mirantis.com> wrote:

> Hi, guys!
>
> Now I observe a potentially dangerous situation in the providers of the
> puppet-neutron module. I want to share details, because not only the
> puppet-neutron module may be broken by warnings from OpenStack CLI
> utilities.
>
> After updating the urllib3 library in my lab, commands like 'neutron net
> list' began to throw warnings, like:
>
>> root@node-2:~# neutron net-list
>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>> InsecurePlatformWarning
>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
>> SecurityWarning
>>
>> +--------------------------------------+-----------+-------------------------------------------------------+
>> | id                                   | name      | subnets                                               |
>> +--------------------------------------+-----------+-------------------------------------------------------+
>> | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24  |
>> | d70b399b-668b-4861-b092-4876ec65df60 | net04     | b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 |
>> +--------------------------------------+-----------+-------------------------------------------------------+
>
> root@node-2:~#
>
> Such urllib3-based warnings are only a particular case.
> Warnings may appear for another reason when calling any OpenStack utilities.
>
> Such warnings break the puppet-neutron manifests:
>
>> 2015-10-20 16:42:11 +0000 /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04] (info): Evaluated in 5.51 seconds
>> 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources for neutron_subnet
>> 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron subnet-list --format=csv --column=id --quote=none'
>> 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron subnet-show --format=shell InsecurePlatformWarning'
>> 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron (notice): Unable to complete neutron request due to non-fatal error: "Execution of '/usr/bin/neutron subnet-show --format=shell InsecurePlatformWarning' returned 1:
>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
>> InsecurePlatformWarning
>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
>> SecurityWarningUnable to find subnet with name 'InsecurePlatformWarning'
>> ". Retrying for 7 sec.
>
> .....
>
> Unable to find subnet with name 'InsecurePlatformWarning'
>> ". Retrying for 0 sec.
>> 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron subnet-show --format=shell InsecurePlatformWarning'
>> 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch neutron_subnet provider 'neutron': Can't retrieve subnet-show because Neutron or Keystone API is not available.
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in `get_neutron_resource_attrs'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in `block in instances'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in `collect'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in `instances'
>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in `prefetch'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in `prefetch_if_necessary'
>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in evaluate'
>
> This happens because Puppet mixes stderr and stdout when executing shell
> commands, like
>
>> commands :neutron => 'neutron'
>
> And code like
>
>> https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146
>
> parses stderr output as well. Part of the warnings gets into the incoming data.
>
> IMHO this situation is potentially dangerous for all puppet-openstack
> modules.
>
> /sv
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
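
Option 5 from the reply above (parse stdout only and keep stderr separate), shown beside the merged-stream behaviour, as an added Ruby example that is not part of the original thread or the puppet-neutron code. The stand-in command `FAKE_NEUTRON`, the helpers `parse_ids`, `ids_mixed` and `ids_split`, and the sample output are constructed for illustration.

```ruby
require 'open3'

# Constructed stand-in for `neutron subnet-list --format=csv --column=id --quote=none`:
# urllib3-style warnings go to stderr, the CSV payload goes to stdout.
FAKE_NEUTRON = [
  'sh', '-c',
  'echo "ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available." >&2; ' \
  'echo "  InsecurePlatformWarning" >&2; ' \
  'echo id; ' \
  'echo 29c952ec-2a13-46fc-a8a1-6e2468a92a95; ' \
  'echo b87fbfd1-0e52-4ab6-8987-286ef0912d1f'
].freeze

UUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# Hypothetical simplified parser: one id per line, first non-empty line is the CSV header.
def parse_ids(text)
  text.lines.map(&:strip).reject(&:empty?).drop(1)
end

# Before: stderr is merged into stdout, so warning text is parsed as data.
def ids_mixed(cmd)
  out, _status = Open3.capture2e(*cmd)
  parse_ids(out)
end

# After: parse stdout only, keep stderr for logging, fail on a non-zero exit,
# and reject any row that is not shaped like an id.
def ids_split(cmd)
  stdout, stderr, status = Open3.capture3(*cmd)
  raise "command failed: #{stderr}" unless status.success?

  ids = parse_ids(stdout)
  bad = ids.reject { |id| id.match?(UUID_RE) }
  raise "unexpected rows in output: #{bad.inspect}" unless bad.empty?

  [ids, stderr.lines.map(&:strip).reject(&:empty?)]
end

if __FILE__ == $PROGRAM_NAME
  puts "mixed: #{ids_mixed(FAKE_NEUTRON).inspect}"
  ids, warnings = ids_split(FAKE_NEUTRON)
  puts "split: #{ids.inspect}"
  warnings.each { |w| warn "neutron stderr: #{w}" }
end
```

The merged variant returns `InsecurePlatformWarning` as if it were a subnet id, which matches the `subnet-show --format=shell InsecurePlatformWarning` call in the quoted Puppet log.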