[Sts-sponsors] [Bug 1915072] Re: [plugin][ovn-central][ovn-host] include logs
This bug was fixed in the package sosreport - 4.0-1ubuntu7 --- sosreport (4.0-1ubuntu7) hirsute; urgency=medium [Edward Hope-Morley] * d/p/0017-ovn-extend-information.patch (LP: #1915072) - Extend ovn informations -- Eric Desrochers Thu, 11 Feb 2021 11:06:31 -0500 ** Changed in: sosreport (Ubuntu Hirsute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1915072 Title: [plugin][ovn-central][ovn-host] include logs Status in sosreport package in Ubuntu: Fix Released Status in sosreport source package in Bionic: New Status in sosreport source package in Focal: New Status in sosreport source package in Groovy: New Status in sosreport source package in Hirsute: Fix Released Bug description: https://github.com/sosreport/sos/pull/2410 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sosreport/+bug/1915072/+subscriptions -- Mailing list: https://launchpad.net/~sts-sponsors Post to : sts-sponsors@lists.launchpad.net Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp
[Sts-sponsors] [Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
the python-oslo.vmware failures are almost certainly the same as bug
1912792
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
Status in python-httplib2 package in Ubuntu:
Fix Released
Status in python-httplib2 source package in Bionic:
Fix Committed
Status in python-httplib2 source package in Focal:
Fix Released
Status in python-httplib2 source package in Groovy:
Fix Released
Status in python-httplib2 source package in Hirsute:
Fix Released
Bug description:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where Problems Could Occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
[Test Case]
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key
[Sts-sponsors] [Bug 1915072] Re: [plugin][ovn-central][ovn-host] include logs
[sts-sponsors][hirsute] Sponsored in active development release: "[ubuntu/hirsute-proposed] sosreport 4.0-1ubuntu7 (Accepted)" As stated in #1, an SRU template will be required to kickoff the SRU. - Eric -- You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1915072 Title: [plugin][ovn-central][ovn-host] include logs Status in sosreport package in Ubuntu: In Progress Status in sosreport source package in Bionic: New Status in sosreport source package in Focal: New Status in sosreport source package in Groovy: New Status in sosreport source package in Hirsute: In Progress Bug description: https://github.com/sosreport/sos/pull/2410 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sosreport/+bug/1915072/+subscriptions -- Mailing list: https://launchpad.net/~sts-sponsors Post to : sts-sponsors@lists.launchpad.net Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp
[Sts-sponsors] [Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
and apport/amd64 played tricks on us, but it does pass now.
it passed on bionic-updates, which suggests a regression on bionic-proposed;
but another rereun with bionic-proposed now passed.. well. it's good now! :)
from [1]:
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10
23:43:24 UTC 0h 12m 27s mfo passlog artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.2 2021-02-10
23:01:31 UTC 0h 10m 15s mfo passlog artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10
13:34:34 UTC 0h 13m 01s mfo faillog artifacts
2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-09
22:41:05 UTC 0h 11m 19s - faillog artifacts
[1] https://autopkgtest.ubuntu.com/packages/apport/bionic/amd64
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
Status in python-httplib2 package in Ubuntu:
Fix Released
Status in python-httplib2 source package in Bionic:
Fix Committed
Status in python-httplib2 source package in Focal:
Fix Released
Status in python-httplib2 source package in Groovy:
Fix Released
Status in python-httplib2 source package in Hirsute:
Fix Released
Bug description:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where Problems Could Occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
[Test Case]
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch
