Public bug reported: With "OPENSTACK_SSL_NO_VERIFY = True" in local_settings.py, Horizon is able to communicate with a Cinder API instance that is using a self- signed certificate.
However, before communicating with the Cinder API, it first uses cinderclient to retrieve available API versions: https://github.com/openstack/horizon/blob/d5b7feb5d4bf622905d717cd20fc83fd136c8a8c/openstack_dashboard/api/cinder.py#L263 The get_server_version method from cinderclient doesn't support an "insecure" or "verify" argument and the request it does to retrieve the API versions is currently always secure: https://github.com/openstack /python- cinderclient/blob/63b36a901bfaf2508a9c3cda1d8dafb8769f2340/cinderclient/client.py#L75-L109 Even with DEBUG logging enabled, it was not trivial to understand what was going on because the only thing that gets written to the logs is something that looks like this: ===== DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group Snapshot panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group Snapshot panel will not be displayed. ===== I had to manually add some tracing to get the actual exception: ===== Traceback (most recent call last): File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/dashboards/project/volumes/views.py", line 63, in _get_volumes sort_dir=sort_dir, paginate=True) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 319, in volume_list_paged c_client = _cinderclient_with_generic_groups(request) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 271, in _cinderclient_with_generic_groups version = get_microversion(request, 'groups') File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 265, in get_microversion min_ver, max_ver = cinder_client.get_server_version(cinder_url) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/cinderclient/client.py", line 109, in get_server_version response = requests.get(version_url) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 72, in get return request('get', url, params=params, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 58, in request return session.request(method=method, url=url, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 512, in request resp = self.send(prep, **send_kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 622, in send r = adapter.send(request, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/adapters.py", line 511, in send raise SSLError(e, request=request) SSLError: HTTPSConnectionPool(host='172.29.236.100', port=8776): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) ===== It seems like the fix would be to add an "insecure" parameter to cinderclient's get_server_version method and then use that parameter from Horizon's "get_microversion" method for the Cinder API. ** Affects: horizon Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon). https://bugs.launchpad.net/bugs/1815635 Title: Horizon is unable to retrieve Cinder API versions when it has a self- signed SSL certificate Status in OpenStack Dashboard (Horizon): New Bug description: With "OPENSTACK_SSL_NO_VERIFY = True" in local_settings.py, Horizon is able to communicate with a Cinder API instance that is using a self- signed certificate. However, before communicating with the Cinder API, it first uses cinderclient to retrieve available API versions: https://github.com/openstack/horizon/blob/d5b7feb5d4bf622905d717cd20fc83fd136c8a8c/openstack_dashboard/api/cinder.py#L263 The get_server_version method from cinderclient doesn't support an "insecure" or "verify" argument and the request it does to retrieve the API versions is currently always secure: https://github.com/openstack/python- cinderclient/blob/63b36a901bfaf2508a9c3cda1d8dafb8769f2340/cinderclient/client.py#L75-L109 Even with DEBUG logging enabled, it was not trivial to understand what was going on because the only thing that gets written to the logs is something that looks like this: ===== DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Consistency Group Snapshot panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group panel will not be displayed. DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): 172.29.236.100:8776 Call to list enabled services failed. This is likely due to a problem communicating with the Cinder endpoint. Volume Group Snapshot panel will not be displayed. ===== I had to manually add some tracing to get the actual exception: ===== Traceback (most recent call last): File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/dashboards/project/volumes/views.py", line 63, in _get_volumes sort_dir=sort_dir, paginate=True) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 319, in volume_list_paged c_client = _cinderclient_with_generic_groups(request) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 271, in _cinderclient_with_generic_groups version = get_microversion(request, 'groups') File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/openstack_dashboard/api/cinder.py", line 265, in get_microversion min_ver, max_ver = cinder_client.get_server_version(cinder_url) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/cinderclient/client.py", line 109, in get_server_version response = requests.get(version_url) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 72, in get return request('get', url, params=params, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/api.py", line 58, in request return session.request(method=method, url=url, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 512, in request resp = self.send(prep, **send_kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/sessions.py", line 622, in send r = adapter.send(request, **kwargs) File "/openstack/venvs/horizon-18.1.3/lib/python2.7/site-packages/requests/adapters.py", line 511, in send raise SSLError(e, request=request) SSLError: HTTPSConnectionPool(host='172.29.236.100', port=8776): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) ===== It seems like the fix would be to add an "insecure" parameter to cinderclient's get_server_version method and then use that parameter from Horizon's "get_microversion" method for the Cinder API. To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1815635/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
