Public bug reported:

Summary:
I have a mitaka based deployment of neutron and designate, and while trying to
test the native integration of neutron with designate using this guide
http://docs.openstack.org/mitaka/networking-guide/adv-config-dns.html I found
out my DNS records are not getting created as expected, e.g. on port-update or
any floating ip operations.
This is because the endpoints in the deployment are SSL based (https), and the
neutron code in mitaka that gets the keystoneclient session before initiating
the designate client has no option to let us set verify=True/False from
neutron.conf or in the code itself:
https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L85

This makes it impossible to use the neutron integration with designate over
https based endpoints until the code is changed to:

"""
_SESSION = session.Session(verify=False)
"""

Description:

Neutron has an option to use an external DNS driver in mitaka, such as designate.
For that, we need to set the designate options in the [designate] section of
neutron.conf. For example:
"""
[designate]
url = http://55.114.111.93:9001/v2
admin_auth_url = http://55.114.111.93:35357/v2.0
admin_username = neutron
admin_password = x5G90074
admin_tenant_name = service
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116
"""

The above example works fine when your url and admin_auth_url are http
based endpoints. The neutron code uses the options of the [designate] section to
get a session from keystone and uses that session to initiate the designate
admin client, as seen in the neutron code here:
https://github.com/openstack/neutron/blob/stable/mitaka/neutron/services/externaldns/drivers/designate/driver.py#L89

When a deployment has https (SSL terminated) endpoints, meaning both url and
admin_auth_url use https, the keystone session is made in the neutron code using

_SESSION = session.Session()

The default behavior of keystoneclient is that if a url uses https, it always
sets verify=True and uses the CA file for verification. But neither the option
to provide a CA file nor to set verify=True/False is available in the neutron
code for the designate driver, which makes it impossible to use the
integration over SSL based endpoints.

As an example of running the same code of mitaka from neutron ::
"""
>>> # imports as used by the mitaka designate driver
>>> from keystoneauth1.identity.generic import password
>>> from keystoneauth1 import session
>>> from designateclient.v2 import client as d_client
>>> admin_auth = password.Password(auth_url="https://10.240.128.120:6100/v2.0", username="admin", password="admin", tenant_name="service")
>>> _SESSION = session.Session()
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://10.240.128.120:6100/v2.0/tokens: [Errno 1] _ssl.c:523: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

After altering the session initiation to set verify=False:

"""
>>> _SESSION = session.Session(verify=False)
>>> admin_client = d_client.Client(session=_SESSION, auth=admin_auth)
>>> admin_client.zones.list()
[]
"""

Proposed fix:

Have an oslo opt in [designate] to let users specify insecure
operation or set a CA file, and use that info from neutron.conf to
initiate the keystone session before getting a designateclient.
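As an added illustration of the proposed fix (not neutron's own code): the [designate] option handling that would choose the verify argument for keystoneauth1's session.Session(), using the assumed option names insecure and ca_cert and a constructed neutron.conf fragment. It also flags insecure=True on https endpoints, since that silently switches certificate checking off, whereas ca_cert keeps validation against a private CA.

```python
import configparser

# Constructed neutron.conf fragments, not taken from any real deployment.
CONF_WITH_CA = """[designate]
url = https://designate.example.test:9001/v2
admin_auth_url = https://keystone.example.test:35357/v2.0
admin_username = neutron
admin_password = placeholder
admin_tenant_name = service
ca_cert = /etc/ssl/certs/openstack-ca.pem
"""

CONF_INSECURE = CONF_WITH_CA.replace(
    "ca_cert = /etc/ssl/certs/openstack-ca.pem", "insecure = True")


def designate_session_settings(conf_text):
    """Map [designate] options to the ``verify`` argument of
    keystoneauth1's session.Session() and flag risky combinations.

    ``insecure`` and ``ca_cert`` are assumed option names for the
    proposed fix; neutron mitaka has neither.  keystoneauth1 accepts
    verify=True (system CA bundle), verify=False (no certificate
    check at all) or verify='<path>' (trust only that CA file).
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("designate"):
        raise ValueError("neutron.conf has no [designate] section")
    sect = cp["designate"]
    https_endpoints = [k for k in ("url", "admin_auth_url")
                       if sect.get(k, "").lower().startswith("https://")]
    warnings = []
    if sect.getboolean("insecure", fallback=False):
        verify = False  # certificate validation is switched off entirely
        if https_endpoints:
            warnings.append("insecure=True disables certificate checks for "
                            + ", ".join(https_endpoints))
    elif sect.get("ca_cert", "").strip():
        verify = sect.get("ca_cert").strip()  # private CA, validation kept
    else:
        verify = True  # keystoneauth1 default: system CA bundle
    # The caller would then do: session.Session(verify=verify)
    return {"verify": verify, "https_endpoints": https_endpoints,
            "warnings": warnings}
```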

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: dns mitaka-backport-potential

** Tags added: mitaka-backport-potential

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1588067

Title:
  Designate DNS driver for neutron fails for SSL based endpoints.

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1588067/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
