** Description changed: Note: Original description below [Impact] * On Jammy Caracal, when endpoints are configured with TLS, the Magnum UI does not display any information about deployed resources, although they are created and visible using the command-line client. The dashboard displays errors about connecting to the backend * This bug is introduced by a patch (d/p/0001-Update- VerifiedHTTPSConnection-for-Python-3.12.patch) [1], which was added to include Python 3.12 support by refactoring ssl context management but did not pass a server_hostname parameter to context.wrap_socket. This merged upstream during the Dalmatian cycle and was not backported to Caracal upstream. Therefore, upstream Caracal doesn't hit this bug, but - also doesn't have the fix that properly supports Python 3.12. In any - case, the patch [1] is included in the Ubuntu Cloud Archive for Jammy- - Caracal and the distro package for Noble, so our Caracal packages are - affected. + also doesn't have the fix that properly supports Python 3.12. + Nevertheless, the patch [1] is included in the Ubuntu Cloud Archive for + Jammy-Caracal and the distro package for Noble, so Ubuntu's Caracal + packages are affected (distro and UCA). * This bug was fixed upstream in [2], which merged during the Epoxy cycle, and was backported to Dalmatian (but not upstream Caracal, since - upstream Caracal doesn't have [1] and isn't affected by this bug). - However, our Dalmatian and Epoxy packages don't have this fix. + upstream Caracal doesn't have [1] and, therefore, isn't affected by this + bug). However, Ubuntu's Dalmatian and Epoxy packages (both distro + packages and UCA) don't have this fix. * Therefore, the affected Ubuntu packages are the python-magnumclient - shipped as on Noble and Plucky, and then for the Ubuntu Cloud Archive - (UCA) the affected packages are python-magnumclient for Jammy Caracal, - Noble Dalmatian, and Noble-Epoxy. 
+ shipped as on Noble, Oracular (EOL) and Plucky, and then for the Ubuntu + Cloud Archive (UCA) the affected packages are python-magnumclient for + Jammy Caracal, Noble Dalmatian, and Noble-Epoxy. [1] https://opendev.org/openstack/python-magnumclient/commit/83a10d4d49388fb680b450c728cd1e62d18e8672 [2] https://opendev.org/openstack/python-magnumclient/commit/ecdcc0697cd53592b54078175001755169436761 [Test Plan] * Deploy Openstack by any method. I will use juju * Deploy magnum services and setup relations juju deploy magnum --channel=2024.1/stable magnum juju relate magnum keystone juju relate magnum vault juju relate magnum:ampq rabbitmq-server:ampq juju relate magnum:shared-db magnum-mysql-router:shared-db juju deploy magnum-dashboard --channel=2024.1/stable magnum-dashboard juju relate magnum-dashboard keystone juju relate magnum-dashboard vault juju relate magnum-dashboard openstack-dashboard * Configure magnum juju run magnum/0 domain-setup * Open openstack dashboard, and go to the cluster management pane * See error message and that there's observability of any magnum resources without the patch * Upgrade to proposed, and see a properly populated dashboard [What can go wrong] - * While this fixes an issue with SNI in TLS handshakes, it may not fix - the problem in all environments. If SNI is not configured correctly or - TLS certs are not distributed properly in the environment, the backend - may remain unreachable from the dashboard + * While this fixes an issue with SNI in TLS handshakes, in environments + where SNI is not configured correctly or TLS certs are not distributed + properly, this patch may break the environment and expose those issues. 
==================================== Original description: Openstack: 2024.2 Ubuntu: 22.04 Deployment Tool: Kolla Ansible Steps to reproduce: From version 2024.2 of Magnum when using Horizon (navigate to Project->Container Infra->Cluster or Cluster Templates) "/api/container_infra/*" endpoints return 500 Internal Server Error "check_hostname requires server_hostname". Container Infra Endpoint is using HTTPS Horizon error log: error invoking apiclient Traceback (most recent call last): File "/var/lib/kolla/venv/lib/python3.12/site-packages/openstack_dashboard/api/rest/utils.py", line 128, in _wrapped data = function(self, request, *args, **kw) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/rest/magnum.py", line 302, in get result = magnum.cluster_list(request) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/magnum.py", line 193, in cluster_list return magnumclient(request).clusters.list(limit, marker, sort_key, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/v1/baseunit.py", line 82, in list return self._list(self._path(path), self.__class__.template_name) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/base.py", line 117, in _list resp, body = self.api.json_request('GET', url) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 240, in json_request resp, body_iter = self._http_request(url, method, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 187, in _http_request conn.request(method, conn_url, **kwargs) File "/usr/lib/python3.12/http/client.py", line 1336, in request self._send_request(method, url, body, headers, 
encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1382, in _send_request self.endheaders(body, encode_chunked=encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1331, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/usr/lib/python3.12/http/client.py", line 1091, in _send_output self.send(msg) File "/usr/lib/python3.12/http/client.py", line 1035, in send self.connect() File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 310, in connect self.sock = context.wrap_socket(sock) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket return self.sslsocket_class._create( ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3.12/ssl.py", line 970, in _create raise ValueError("check_hostname requires server_hostname") ValueError: check_hostname requires server_hostname Internal Server Error: /api/container_infra/clusters/ After analysis the problem exists in python-magnumclient from version 4.6.0 (https://opendev.org/openstack/python- magnumclient/commit/5d8fd3840052e07418e007f336deb99fd58b7e92) According to documentation when using check_hostname with CERT_REQUIRED you must also pass server_hostname to wrap_socket (Python 3.12 doc reference: https://docs.python.org/3.12/library/ssl.html#ssl.SSLContext.check_hostname
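Review bot: The reworded [What can go wrong] entry now says the patch "may break the environment", but [Impact] states that without the fix the dashboard already cannot reach the backend over TLS, so the removed wording ("the backend may remain unreachable from the dashboard") matches the described behaviour more closely. Consider stating what an operator would see after upgrading when certificates or hostnames are misconfigured (a certificate verification failure in place of the current ValueError), so the regression can be recognised. Separately, in [Test Plan] the line "juju relate magnum:ampq rabbitmq-server:ampq" spells the endpoint "ampq" where the messaging endpoint is normally named amqp, so the command should be confirmed before the plan is run verbatim, and "there's observability of any magnum resources without the patch" appears to be missing a "no".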
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2091103

Title:
  [SRU]: check_hostname requires server_hostname when using container_infra endpoint with HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2091103/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
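An added example, not taken from the bug report or from python-magnumclient: it reproduces the ValueError from the traceback without any network access and shows the same call with server_hostname supplied. The host name magnum.example.test and all helper names are assumptions made for the illustration.

```python
import socket
import ssl

API_HOST = "magnum.example.test"  # assumed endpoint name, not from the report


def verifying_context():
    # Default client context: verify_mode=CERT_REQUIRED, check_hostname=True.
    return ssl.create_default_context()


def non_verifying_context():
    # Verification off; included only to show the error depends on check_hostname.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def wrap_without_hostname(context):
    """Call shape from the traceback; returns the error text, or None."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Raises before any network I/O when context.check_hostname is True.
        context.wrap_socket(sock).close()
        return None
    except ValueError as exc:
        sock.close()
        return str(exc)


def wrap_with_hostname(context, host):
    """Pass the endpoint name: it is sent as SNI and matched against the cert."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Unconnected socket, so the handshake is deferred until connect().
    tls_sock = context.wrap_socket(sock, server_hostname=host)
    try:
        return tls_sock.server_hostname
    finally:
        tls_sock.close()


if __name__ == "__main__":
    print(wrap_without_hostname(verifying_context()))
    print(wrap_without_hostname(non_verifying_context()))
    print(wrap_with_hostname(verifying_context(), API_HOST))
```

The error is raised only when the context has check_hostname enabled, which is why the failure appears on TLS endpoints with verification on.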
