From 5f4fd9c5ef262daf922ca321d0cb94a7dde238d9 Mon Sep 17 00:00:00 2001
From: Adam Harwell
Date: Tue, 14 Apr 2020 04:27:49 -0700
Subject: [PATCH] Fix py3 amphora-agent cert-rotation type bug
Flask's stream always returns bytes, file write always takes string. This causes py3 amps to return 500 on cert rotation AND wipe out the certificate, so the amphora are no longer controllable and go to ERROR state. Anyone running py3 amps prior to this patch will experience amphorae breaking on a timer due to housekeeping cert rotation!
Change-Id: I831b0b48d719397c14d80f8ebcbad997c50c7795
(cherry picked from commit 96a4482dff134b7be5c8d4da6c862b0a7f4a5a4b)
---
 .../backends/agent/api_server/certificate_update.py | 2 +-
 ...agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml
diff --git a/octavia/amphorae/backends/agent/api_server/certificate_update.py b/octavia/amphorae/backends/agent/api_server/certificate_update.py
index 520100a94a..79510a13d2 100644
--- a/octavia/amphorae/backends/agent/api_server/certificate_update.py
+++ b/octavia/amphorae/backends/agent/api_server/certificate_update.py
@@ -30,7 +30,7 @@ def upload_server_cert():
 flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
 # mode 00600
 mode = stat.S_IRUSR | stat.S_IWUSR
- with os.fdopen(os.open(file_path, flags, mode), 'w') as crt_file:
+ with os.fdopen(os.open(file_path, flags, mode), 'wb') as crt_file:
 b = stream.read(BUFFER)
 while b:
 crt_file.write(b)
diff --git a/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml b/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml
new file mode 100644
index 0000000000..cadc3311ba
--- /dev/null
+++ b/releasenotes/notes/amp-agent-py3-cert-upload-binary-74e0ab35c5a85c68.yaml
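Review bot: The `os.open(file_path, flags, mode)` call in the certificate_update.py hunk still truncates the live certificate (`O_TRUNC`) before the first byte of the replacement is written, so any failure inside the write loop (a dropped upload, a full disk, another type error) leaves the agent with an empty or partial certificate, which is the outage the commit message describes. Switching to `'wb'` removes one trigger but not the failure mode; writing to a temporary file in the same directory with the same 0600 mode and renaming it over `file_path` only after a flush and fsync keeps the old certificate in place until the new one is complete. The temporary name below is illustrative, and it would be worth checking that the uploaded bytes parse as a certificate before the rename if that is not already done elsewhere. `upload_server_cert` starts before and continues past this hunk, so the end of the read loop and the response handling are not visible here.

```python
    # … unchanged: flags / mode setup …
    tmp_path = file_path + '.new'  # illustrative name, same directory as file_path
    with os.fdopen(os.open(tmp_path, flags, mode), 'wb') as crt_file:
        # … unchanged: stream.read(BUFFER) / crt_file.write(b) loop …
        crt_file.flush()
        os.fsync(crt_file.fileno())
    # rename() is atomic on POSIX: the agent sees the old or the new
    # certificate, never a truncated one.
    os.rename(tmp_path, file_path)
```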
@@ -0,0 +1,11 @@
+---
+upgrade:
+ - |
+ Any amphorae running a py3 based image must be recycled or else they will
+ eventually fail on certificate rotation.
+fixes:
+ - |
+ Resolved broken certificate upload on py3 based amphora images. On a
+ housekeeping certificate rotation event, the amphora would clear out its
+ server certificate and return a 500, putting the amphora in ERROR status
+ and breaking further communication. See upgrade notes.