I thought we had code in other places that split out stderr and only logged it if there was an actual error but I cannot find the reference now. I think that matches the original proposal. Not sure I like idea #3.
On Wed, Oct 21, 2015 at 9:21 AM, Stanislaw Bogatkin <sbogat...@mirantis.com> wrote: > I spoken with Sergii about this and prepared a patch for get rid of > SecurityWarning [0] - it was easy. But we can't get rid from > InsecurePlatformWarning > so easy way. I see next options: > 1. Update python version as [1] said - should be hard task > 2. Downgrade urllib version to one without such warning - is a bad idea, > as for me > 3. Rewrite code to use non-standard ssl python module (pyOpenSSL, for > example) - may be a massive task > 4. Use something like 2>/dev/null to don't show stderr when call the > command - doesn't looks good, cause problem can be seen on other places (I > saw similar problems with keystone provider, for example) > 5. Rewrite code to split stderr/stdout, as Sergey proposed - is a most > reasonable idea, as for me. > > [0] https://review.openstack.org/#/c/237379 > [1] > https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning > > > On Wed, Oct 21, 2015 at 10:02 AM, Sergey Vasilenko < > svasile...@mirantis.com> wrote: > >> Hi, guys! >> >> Now I observe potential-dangerous situation in the providers of >> puppet-neutron module. I want share details, because not only >> puppet-neutron module may be broken by warnings from Openstack CLI >> utilities. >> >> >> After updating urllib3 library on my lab, commands like 'neutron net >> list' began to throw warnings, like: >> >>> root@node-2:~# neutron net-list >>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: >>> InsecurePlatformWarning: A true SSLContext object is not available. This >>> prevents urllib3 from configuring SSL appropriately and may cause certain >>> SSL connections to fail. For more information, see >>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning >>> . >>> InsecurePlatformWarning >>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: >>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check >>> for a `commonName` for now. This feature is being removed by major browsers >>> and deprecated by RFC 2818. (See >>> https://github.com/shazow/urllib3/issues/497 for details.) >>> SecurityWarning >>> >>> +--------------------------------------+-----------+-------------------------------------------------------+ >>> | id | name | subnets >>> | >>> >>> +--------------------------------------+-----------+-------------------------------------------------------+ >>> | 9e1c0866-51f0-4659-8d5c-1c5d0843dab4 | net04_ext | >>> 29c952ec-2a13-46fc-a8a1-6e2468a92a95 172.18.171.0/24 | >>> | d70b399b-668b-4861-b092-4876ec65df60 | net04 | >>> b87fbfd1-0e52-4ab6-8987-286ef0912d1f 192.168.111.0/24 | >>> >>> +--------------------------------------+-----------+-------------------------------------------------------+ >>> >> >> root@node-2:~# >> >> >> Such urllib3 based warnings is only particular case. Warnings may appear >> by another reason while call any Openstack utilities. >> >> Such warnings lead to broke work of puppet-neutron manifests: >> >>> 2015-10-20 16:42:11 +0000 >>> /Stage[main]/Main/Openstack::Network::Create_network[net04]/Neutron_network[net04] >>> (info): Evaluated in 5.51 seconds >>> 2015-10-20 16:42:11 +0000 Puppet (debug): Prefetching neutron resources >>> for neutron_subnet >>> 2015-10-20 16:42:11 +0000 Puppet (debug): Executing '/usr/bin/neutron >>> subnet-list --format=csv --column=id --quote=none' >>> 2015-10-20 16:42:13 +0000 Puppet (debug): Executing '/usr/bin/neutron >>> subnet-show --format=shell InsecurePlatformWarning' >>> 2015-10-20 16:42:16 +0000 Puppet::Type::Neutron_subnet::ProviderNeutron >>> (notice): Unable to complete neutron request due to non-fatal error: >>> "Execution of '/usr/bin/neutron subnet-show --format=shell >>> InsecurePlatformWarning' returned 1: >>> /usr/lib/python2.7/dist-packages/urllib3/util/ssl_.py:90: >>> InsecurePlatformWarning: A true SSLContext object is not available. This >>> prevents urllib3 from configuring SSL appropriately and may cause certain >>> SSL connections to fail. For more information, see >>> https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. >>> InsecurePlatformWarning >>> /usr/lib/python2.7/dist-packages/urllib3/connection.py:251: >>> SecurityWarning: Certificate has no `subjectAltName`, falling back to check >>> for a `commonName` for now. This feature is being removed by major browsers >>> and deprecated by RFC 2818. (See >>> https://github.com/shazow/urllib3/issues/497 for details.) >>> SecurityWarningUnable to find subnet with name >>> 'InsecurePlatformWarning' >>> ". Retrying for 7 sec. >> >> ..... >> >> Unable to find subnet with name 'InsecurePlatformWarning' >>> ". Retrying for 0 sec. >>> 2015-10-20 16:42:25 +0000 Puppet (debug): Executing '/usr/bin/neutron >>> subnet-show --format=shell InsecurePlatformWarning' >>> 2015-10-20 16:42:27 +0000 Puppet (err): Could not prefetch >>> neutron_subnet provider 'neutron': Can't retrieve subnet-show because >>> Neutron or Keystone API is not available. >>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron.rb:153:in >>> `get_neutron_resource_attrs' >>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:24:in >>> `block in instances' >>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in >>> `collect' >>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:23:in >>> `instances' >>> /etc/puppet/modules/neutron/lib/puppet/provider/neutron_subnet/neutron.rb:43:in >>> `prefetch' >>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:277:in `prefetch' >>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:167:in >>> `prefetch_if_necessary' >>> /usr/lib/ruby/vendor_ruby/puppet/transaction.rb:67:in `block in >>> evaluate' >> >> >> This happens, because Puppet mixing stderr and stdout while execute shell >> commands, like >> >>> commands :neutron => 'neutron' >> >> And code, like >> >>> >>> https://github.com/openstack/puppet-neutron/blob/master/lib/puppet/provider/neutron.rb#L134-L146 >> >> parses stderr output also. Part of warnings gets into incoming data. >> >> IMHO this situation is potential dangerous for all puppet-openstack >> modules.. >> >> /sv >> >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
