** Description changed: Note: Original description below [Impact] * On Jammy Caracal, when endpoints are configured with TLS, the Magnum UI does not display any information about deployed resources, although they are created and visible using the command-line client. The dashboard displays errors about connecting to the backend * This bug is introduced by a patch (d/p/0001-Update- VerifiedHTTPSConnection-for-Python-3.12.patch) [1], which was added to include Python 3.12 support by refactoring ssl context management but did not pass a server_hostname parameter to context.wrap_socket. This - merged upstream during the Dalmation cycle and was not backported to + merged upstream during the Dalmatian cycle and was not backported to Caracal upstream. Therefore, upstream Caracal doesn't hit this bug, but also doesn't have the fix that properly supports Python 3.12. In any case, the patch [1] is included in the Ubuntu Cloud Archive for Jammy- Caracal, so our packages are affected. * The bug was fixed upstream in [2], which merged during the Epoxy - cycle, and was backported to Dalmation (but not upstream Caracal, since - upstream Caracal doesn't have [1]). However, our Dalmation and Epoxy + cycle, and was backported to Dalmatian (but not upstream Caracal, since + upstream Caracal doesn't have [1]). However, our Dalmatian and Epoxy packages don't have this fix. Therefore, the affected Ubuntu packages the python-magnumclient shipped as a distro package for Noble and Plucky, and for the Ubuntu Cloud Archive (UCA) the affected packages are - python-magnumclient for Jammy Caracal, Noble Dalmation, Noble-Epoxy. + python-magnumclient for Jammy Caracal, Noble Dalmatian, Noble-Epoxy. [1] https://opendev.org/openstack/python-magnumclient/commit/83a10d4d49388fb680b450c728cd1e62d18e8672 [2] https://opendev.org/openstack/python-magnumclient/commit/ecdcc0697cd53592b54078175001755169436761 [Test Plan] * Deploy Openstack by any method. I will use juju * Deploy magnum services and setup relations juju deploy magnum --channel=2024.1/stable magnum juju relate magnum keystone juju relate magnum vault juju relate magnum:ampq rabbitmq-server:ampq juju relate magnum:shared-db magnum-mysql-router:shared-db juju deploy magnum-dashboard --channel=2024.1/stable magnum-dashboard juju relate magnum-dashboard keystone juju relate magnum-dashboard vault juju relate magnum-dashboard openstack-dashboard * Configure magnum juju run magnum/0 domain-setup * Open openstack dashboard, and go to the cluster management pane * See error message and that there's observability of any magnum resources without the patch * Upgrade to proposed, and see a properly populated dashboard [What can go wrong] * While this fixes an issue with SNI in TLS handshakes, it may not fix the problem in all environments. If SNI is not configured correctly or TLS certs are not distributed properly in the environment, the backend may remain unreachable from the dashboard ==================================== Original description: Openstack: 2024.2 Ubuntu: 22.04 Deployment Tool: Kolla Ansible Steps to reproduce: From version 2024.2 of Magnum when using Horizon (navigate to Project->Container Infra->Cluster or Cluster Templates) "/api/container_infra/*" endpoints return 500 Internal Server Error "check_hostname requires server_hostname". Container Infra Endpoint is using HTTPS Horizon error log: error invoking apiclient Traceback (most recent call last): File "/var/lib/kolla/venv/lib/python3.12/site-packages/openstack_dashboard/api/rest/utils.py", line 128, in _wrapped data = function(self, request, *args, **kw) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/rest/magnum.py", line 302, in get result = magnum.cluster_list(request) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/magnum.py", line 193, in cluster_list return magnumclient(request).clusters.list(limit, marker, sort_key, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/v1/baseunit.py", line 82, in list return self._list(self._path(path), self.__class__.template_name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/base.py", line 117, in _list resp, body = self.api.json_request('GET', url) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 240, in json_request resp, body_iter = self._http_request(url, method, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 187, in _http_request conn.request(method, conn_url, **kwargs) File "/usr/lib/python3.12/http/client.py", line 1336, in request self._send_request(method, url, body, headers, encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1382, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1331, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1091, in _send_output self.send(msg) File "/usr/lib/python3.12/http/client.py", line 1035, in send self.connect() File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 310, in connect self.sock = context.wrap_socket(sock) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket return self.sslsocket_class._create( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.12/ssl.py", line 970, in _create raise ValueError("check_hostname requires server_hostname") ValueError: check_hostname requires server_hostname Internal Server Error: /api/container_infra/clusters/ After analysis the problem exists in python-magnumclient from version 4.6.0 (https://opendev.org/openstack/python- magnumclient/commit/5d8fd3840052e07418e007f336deb99fd58b7e92) According to documentation when using check_hostname with CERT_REQUIRED you must also pass server_hostname to wrap_socket (Python 3.12 doc reference: https://docs.python.org/3.12/library/ssl.html#ssl.SSLContext.check_hostname
** Patch removed: "noble-dalmation-lp2091103.debdiff" https://bugs.launchpad.net/magnum/+bug/2091103/+attachment/5930785/+files/noble-dalmation-lp2091103.debdiff ** Patch removed: "jammy-caracal-lp2091103.debdiff" https://bugs.launchpad.net/magnum/+bug/2091103/+attachment/5930786/+files/jammy-caracal-lp2091103.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2091103 Title: [SRU]: check_hostname requires server_hostname when using container_infra endpoint with HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/2091103/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
