Python image uploader: failure when certificate isn't valid

Bug #1817360 reported by Emilien Macchi
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Cédric Jeanneret

Bug Description

Using the Python uploader (now the default), it fails to push containers on a local registry if the source doesn't have a valid certificate.

insecure_registries isn't supported by python uploader yet, it seems.

Changed in tripleo:
milestone: none → stein-3
importance: Undecided → High
status: New → Triaged
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (master)

Fix proposed to branch: master
Review: https://review.openstack.org/639037

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
status: Triaged → In Progress
Cédric Jeanneret (cjeanner) wrote :

So, there are multiple issues:
- the "authenticate" method must allow passing "verify=False" to the requests.Session object.
- apparently, some other methods such as _inspect have trouble using the requests.Session properly, and don't get the "verify=False" we need.

In addition, the whole issue seems to be created by a redirect occurring in the _inspect method.

It's pretty nasty...

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/640270

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/639037
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=611080299958c039e7992bff5b1580b916e5c633
Submitter: Zuul
Branch: master

commit 611080299958c039e7992bff5b1580b916e5c633
Author: Cédric Jeanneret <email address hidden>
Date: Mon Feb 25 10:24:14 2019 +0100

    Allow PythonImageUploader to accept unknown CA

    Handles unknown CA in a dedicated list in order to know
    when to enable "verify" for requests.Session calls.

    This new list will hold the registries with unknown CA like
    it's done for the "insecure registries" (this one means "no
    encryption" aka "http").

    Change-Id: I00b2e59d3da5374f20dc2eac9bb13e2482ed524b
    Related-Bug: #1817360
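
The two lists the commit message distinguishes, and the redirect mentioned earlier in the thread, as an added example that is not tripleo-common's code. The function names, the hostnames and the rule that a redirect target is judged on its own list membership are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample values; the hostnames are placeholders, not from the bug.
INSECURE_REGISTRIES = {"plain.registry.example:8787"}        # http, no TLS
NO_VERIFY_REGISTRIES = {"selfsigned.registry.example:5000"}  # https, unknown CA


def registry_policy(netloc, insecure=INSECURE_REGISTRIES,
                    no_verify=NO_VERIFY_REGISTRIES):
    """Return (scheme, verify) for one registry, matched on exact host[:port].

    `verify` is the value to hand to requests.Session calls. It is False
    only for registries on the no-verify list; every other host keeps
    certificate verification. For http the flag has no effect.
    """
    netloc = netloc.lower()
    scheme = "http" if netloc in insecure else "https"
    return scheme, netloc not in no_verify


def redirect_settings(current_url, location, insecure=INSECURE_REGISTRIES,
                      no_verify=NO_VERIFY_REGISTRIES):
    """Resolve a Location header and decide `verify` for the target host.

    The flag is recomputed from the target's own list membership, so a
    redirect away from a no-verify registry does not carry verify=False
    to a host nobody listed. A downgrade to http is refused unless the
    target is on the insecure list.
    """
    target = urlsplit(urljoin(current_url, location))
    allowed_scheme, verify = registry_policy(target.netloc, insecure, no_verify)
    if target.scheme == "http" and allowed_scheme != "http":
        raise ValueError("redirect to plain http on unlisted host %s"
                         % target.netloc)
    return target.geturl(), verify


if __name__ == "__main__":
    start = "https://selfsigned.registry.example:5000/v2/app/blobs/abc"
    for loc in ("/v2/app/manifests/latest", "https://cdn.example/blob/abc"):
        print(loc, "->", redirect_settings(start, loc))
```
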

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-common (master)

Change abandoned by Cédric Jeanneret (<email address hidden>) on branch: master
Review: https://review.openstack.org/640270
Reason: previous one is merged, downstream patch submitted - this one has no reason anymore.

Cédric Jeanneret (cjeanner) wrote :

PythonImageUploader can now accept unknown CA. This issue being downstream-only, I've submitted another patch, downstream, that will list Red Hat dev registry as a NO_VERIFY_REGISTRIES by default.

This issue is therefore closed regarding upstream.

Changed in tripleo:
status: In Progress → Fix Released