glance has a code specific for python2.5. We need to delete this
code cause glanceclient doesn't support neither python2.5 or
python2.6.
Change-Id: I17e4905b6e02fcfff033a6cde03324e2a47bfce2
Not only is this code broken on the requests we require on
distro-provided requests, it's not needed anymore. Remove it.
Closes-bug: 1526254
Change-Id: I47a07bf9910f118392785fc20e015f036a2e8a7c
We need all the headers to be safe strings so they can be joined
together and not become an unicode string in doing so.
This fixes a bug when creating an image with non-ascii characters in the
name.
This is required for python 2.6 compatibility.
Change-Id: I66ebc27edf4ccd8f903399da58705711c372536d
Closes-Bug: 1448080
We have a basic implementation for a fallback mechanism that will use v1
rather than v2 when downloading schema files from glance-api fails.
However, this is not sound. If the schemas are cached already, we won't
check if v2 is available and fail to fallback.
This patch fixes the aforementioned issue by getting the list of
available versions from the server only when the API versions was not
explicitly specified through the CLI. That is, for all commands that
don't pass `--os-image-api-version 2`, we'll check v2's availability and
we'll fallback to v1 if it isn't available.
This patch also changes how we handle `/versions` calls in the client.
The server has been, incorrectly, replying to requests to `/version`
with a 300 error, which ended up in the client re-raising such
exception. While I think 300 shouldn't raise an exception, I think we
should handle that in a spearate patch. Therefore, this patch just
avoids raising such exception when `/version` is explicitly called.
This fallback behaviour and the check on `/versions` will be removed in
future versions of the client. The later depends on this bug[0] being
fixed.
[0] https://bugs.launchpad.net/glance/+bug/1491350
Closes-bug: #1489381
Change-Id: Ibeba6bc86db2a97b8a2b4bd042248464cd792e5e
Custom SSL handling was introduced because disabling SSL layer compression
provided an approximately five fold performance increase in some
cases. Without SSL layer compression disabled the image transfer would be
CPU bound -- with the CPU performing the DEFLATE algorithm. This would
typically limit image transfers to < 20 MB/s. When --no-ssl-compression
was specified the client would not negotiate any compression algorithm
during the SSL handshake with the server which would remove the CPU
bottleneck and transfers could approach wire speed.
In order to support '--no-ssl-compression' two totally separate code
paths exist depending on whether this is True or False. When SSL
compression is disabled, rather than using the standard 'requests'
library, we enter some custom code based on pyopenssl and httplib in
order to disable compression.
This patch/spec proposes removing the custom code because:
* It is a burden to maintain
Eg adding new code such as keystone session support is more complicated
* It can introduce additional failure modes
We have seen some bugs related to the 'custom' certificate checking
* Newer Operating Systems disable SSL for us.
Eg. While Debian 7 defaulted to compression 'on', Debian 8 has compression
'off'. This makes both servers and client less likely to have compression
enabled.
* Newer combinations of 'requests' and 'python' do this for us
Requests disables compression when backed by a version of python which
supports it (>= 2.7.9). This makes clients more likely to disable
compression out-of-the-box.
* It is (in principle) possible to do this on older versions too
If pyopenssl, ndg-httpsclient and pyasn1 are installed on older
operating system/python combinations, the requests library should
disable SSL compression on the client side.
* Systems that have SSL compression enabled may be vulnerable to the CRIME
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929) attack.
Installations which are security conscious should be running the Glance
server with SSL disabled.
Full Spec: https://review.openstack.org/#/c/187674
Blueprint: remove-custom-client-ssl-handling
Change-Id: I7e7761fc91b0d6da03939374eeedd809534f6edf
This commit enables new flake8 checks:
* E265 block comment should start with '# '
* H405 multi line docstring summary not separated with an empty line
* E123 closing bracket does not match indentation of opening bracket's line
* H238 old style class declaration, use new style (inherit from `object`)
* E128 continuation line under-indented for visual indent
and makes related changes in the code.
Change-Id: Ie993afc930f6b74d7a990bcaa9fc0e9f5ba1585c
As stated in the OpenStack Hacking Guidelines, it is prefered
that only modules should be imported.
Also updated tox.ini to ignore opestack/common among others.
Change-Id: I2f0a603c31052eadee581c11880c0ec6bd392829
To make this work we create a different HTTPClient that extends the
basic keystoneclient Adapter. The Adapter is a standard set of
parameters that all clients should know how to use like region_name and
user_agent. We extend this with the glance specific response
manipulation like loading and sending iterables.
Implements: bp session-objects
Change-Id: Ie8eb4bbf7d1a037099a6d4b272cab70525fbfc85
The oslo.utils libraries are moving away from namespace packages.
This requires oslo.utils>=1.2.0
bp drop-namespace-packages
Change-Id: I803df61e91eabb96329d859aef6bea03530fb84f
Some generated header values may in fact be None. Trying to encode None
causes the client to fail with an exception and cannot be worked around
by the user.
Change-Id: I638b1fba0ef9a07d726445d8c2cdd774140f5b83
Closes-bug: 1415935
This module now lives in oslo.utils, so import it from there instead.
Co-Authored-By: Ian Cordasco <ian.cordasco@rackspace.com>
Change-Id: Ib35dc840992433542490670781badd9529ec8947
If we don't explicitly close a response after streaming its download,
then we can run into HTTPConnectionPool full warnings. It also will hurt
performance if we have to continuously create new sockets for new
responses. Calling close will return the connection to the pool so it
can be reused. Note this is only necessary when streaming a response. If
we don't stream it, then requests will return the connection to the pool
for us.
Change-Id: I803bd4dd0e769c233501d5e5ff07a19705fbe233
Closes-bug: 1341777
The returns from requests' response.content is a bytes type. Under
python 3 this fails in error handling and string conversion. The
response.text variable should be used to treat a response body as a
string.
Closes-Bug: #1407531
Change-Id: Ifd588b5f6820ef21beb186d88d0b3f1a267695aa
When file size is an exact multiple of chunk_size, glance client
is processing EOF in image-data as a chunk and sends to
glance-api. The server treats this as the end of chunked
transmission and sends a http response.
When the actual last chunk is sent by the 'requests' library, the
server sends a 400 response and tracebacks with broken pipe
as the client has already closed the socket.
Closes-Bug: #1342080
Change-Id: Icdbff838450db1c252ddc919a230a7d3ca16765f
Change I09f70eee3e2777f52ce040296015d41649c2586a, introduced a bug where
the identity_headers are not added to the request headers anymore
causing the former to be completely ignored and useless.
This patch fixes that issue by restoring the previous code. A new test
has been added to avoid regressions.
Closes-bug: #1394965
Change-Id: I1b1633636448398cf3f41217f1d671b43ebd9946
python-glanceclient displays curl statements for debugging/troubleshooting
purposes. For IPv6 URLs, curl requires --globoff to be passed in the
arguments. Since glanceclient does not use curl directly, this patch
displays the curl commands with globoff option which works for both
IPv4 and IPv6 URLs.
Fix adapted from python-novaclient Ib7099e8e3bbc15f29bbaa1db37ef21e78a74e7bc
Closes-Bug: #1228744
Change-Id: Ie02c4e75ca1ab995102aa55bbff39b2161218b2d
Commit f980fc549247fa2deb87dfacebc6d8d13ccd45d1 changed how the
X-Auth-Token header was scrubbed when logging the request, but
effectively made the value required which can lead to an AttributeError
if the value for the header is None.
The value can be None if you're using Nova but don't have Nova
configured with auth_strategy='keystone' (see
nova.image.glance._create_glance_client for details).
This patch simply checks if the auth_token is set in the http client
object and if not, it doesn't set the X-Auth-Token key in the session
header.
Closes-Bug: #1381295
Change-Id: Ie285d5253df28a9f0f964147a53c99ceaa919c5c
In order to keep the support for `--ssl-nocompression` it was decided to
overwrite the https HTTPAdapter in `requests` poolmanager. Although this
seemed to work correctly, it was causing some issues when using
glanceclient from other services that rely on requests and that were
also configured to use TLS.
THis patch changes implements a different strategy by using
`glance+https` as the scheme to use when `no-compression` is requested.
Closes-bug: #1350251
Closes-bug: #1347150
Closes-bug: #1362766
Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b
Similar to commit dec9c9f35 and log_curl_request,
this ignores decoding errors when logging response
headers by passing errors='ignore' to safe_encode.
Change-Id: Ic915a7d8334e9473f300c9db670a3a8f5cda8976
Closes-Bug: #1369756
The new version of requests (2.4.0) has updated underlying urllib3
to version 1.9. Unfortunately urllib3 introduced new exception
ProtocolError. Because of that unit tests in glance are failing:
ProtocolError: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
To solve this problem new urllib3 exception is caught in the same place
that the old one was. Unfortunately both exception are still in use so
I couldn't remove the old one.
Change-Id: I55eef98e734c59b9b627f182768a633b2b701e43
Closes-Bug: #1364893
If no CA certificate is provided to be used for validation then
fall back to the system-wide CA bundle as presented by
python-requests.
Change-Id: I05206a868150d4b62b6f1b833310eb9b86b7c4f8
Closes-bug: #1362179
Python 3 changed the semantics of dict.items() [0], which now returns a
iterable 'view' instead of a list of tuples. This has the repercussion
that you can no longer check for membership of a key using:
key in dict.items()
This patch simply replaces that check with a test for the key existing
in the dict itself, rather than the items.
[0] http://legacy.python.org/dev/peps/pep-3106/
Closes-Bug: 1359880
Change-Id: I7c59b0432725b660c9fa7270cde2e07bf3ea77db
A bug was introduced which meant that the server SSL certificate was
not being verified. Here we make sure that it is checked (unless
the --insecure flag is used).
Helps guard against man-in-the-middle attack.
Change-Id: I08f30bf3906b6580c871729311343fa8eefda91b
Closes-bug: #1357430
To help end user uses profiling by glanceclient CLI directly, the
change added '--profile <HMAC_KEY>' argument to the shell.
This change also fixed a function regression, it was used to pass
necessary trace info to glance server via http header:
dbb242b776 (diff-740dd7d9149f46fe4c01ef0ab7eb3bfbL196)
In addition:
1. If client app want to enable profiling feature for glanceclient
object, please see: http://paste.openstack.org/show/85722/
2. Afer adding more trace point into Client object, as fundamental
requirement of osprofiler, what we need to notice caller is providing
correct messaging notifier in the context code.
The relevant change for glance server is ready at:
I45a19f5eb5304c2b78a9e12cbc0744941a807304
DocImpact
Change-Id: If42b69b2695a5f88536ecbc2c1b3592d9dbd880a
Signed-off-by: Zhi Yan Liu <lzy.dev@gmail.com>
Some proxy or gateway softwares, e.g. jumpgate [0], use url-pattern
based approach to match which hanlding logic needs to be triggered for
particular service calling when it received a http(s) call as a
middleman. The change fixed an issue which caused glanceclient send out
the request to a dis-normal url, which contains duplicated "/".
The change removed a wrong and duplicated code snippet from curl logging
function as well.
[0] http://goo.gl/yt52X1
Change-Id: Ic8b3920e11d400771ead7f9c44b615f10b4a5cef
Signed-off-by: Zhi Yan Liu <zhiyanl@cn.ibm.com>
Downgrades the log message when an http request fails from error
to debug. The logging level changed in the http.py upgrade in
I09f70eee3e2777f52ce040296015d41649c2586a which effectively reverted
a similar fix commited in I6d0efb53d1e81adf309f7fa580ec5a8073a811c5.
We don't want to log at ERROR level because we already have an
exception raised and the caller can handle it if wants
to. However this error will appear regularly in the Nova logs
under normal behavior (say a client specifies an image which does
not exist) and there is no way of disabling only the glanceclient
error log. This results in a lot of noise in the nova log file.
Change-Id: Iec13bff439073a79cb24e9b22fd43603ae4e61b7
Setting stream=True with requests can lead to issues
with not closing the connection so the urllib3 connection
pool is not freed up, so only set stream=True if making
a request with application/octet-stream content-type.
See the body-content-workflow and keep-alive sections
in the requests docs here for more information:
http://docs.python-requests.org/en/latest/user/advanced/
Note that commit dbb242b changed the response body_iter
code to potentially return a six.StringIO object rather
than the old ResponseBodyIterator class and since the
images client code is not converting the body_iter into
a dict using json.loads, we have to do that directly
in the _request method where the body_iter is
constructed.
Co-authored-by: Flavio Percoco <fpercoco@redhat.com>
Change-Id: I86572b69c4511f933c9676108190271874346302
Partial-Bug: #1341777
This review implements blueprint python-request and replaces the old
http client implementation in favor of a new one based on
python-requests.
Major changes:
* raw_request and json_request removed since everything is now being
handled by the same method "_request"
* New methods that match HTTP's methods were added:
- get
- put
- post
- head
- patch
- delete
* Content-Type is now being "inferred" based on the data being sent:
- if it is file-like object it chunks the request
- if it is a python type not instance of basestring then it'll try
to serialize it to json
- Every other case will keep the incoming content-type and will send
the data as is.
* Glanceclient's HTTPSConnection implementation will be used if
no-compression flag is set to True.
Co-Author: Flavio Percoco<flaper87@gmail.com>
Change-Id: I09f70eee3e2777f52ce040296015d41649c2586a
To be able to create profiling traces for Glance, client should be
able to send special HTTP header that contains trace info.
This patch is as well important to be able to make cross project
traces. (Typical case nova calls glance via python client, if
profiler is initialized in nova, glance client will add extra
header, that will be parsed by special osprofiler middleware in glance
api)
Don't worry no security issue here, trace information is signed by HMAC
key that is setted in api-paste.ini. So only person that knows HMAC key
is able to send proper header.
Change-Id: Ib13084fbe9b33c2f3dee165f7d6c778546cce6ca
If --os-cacert was passed to the cli the following error was
triggered: "cafile must be None or a byte string". This is
because 'load_verify_locations' requires a byte string to
be passed in.
We fix this by explicitly converting the argument to a byte
string.
We do this in 'VerifiedHTTPSConnection' rather than sooner, eg
during arg handling, as it will no longer be required should we
move to a different http library (eg requests).
Fixes bug 1301849.
Change-Id: I9014f5d040cae9f0b6f03d8f13de8419597560cb
This debug line is causing tracebacks in the n-cpu logs for
tempest runs. Its because the logged data is sometimes unicode:
Traceback (most recent call last):
File "/usr/lib/python2.7/logging/__init__.py", line 846, in emit
msg = self.format(record)
File "/opt/stack/new/nova/nova/openstack/common/log.py", line 710, in format
return logging.StreamHandler.format(self, record)
File "/usr/lib/python2.7/logging/__init__.py", line 723, in format
return fmt.format(record)
File "/opt/stack/new/nova/nova/openstack/common/log.py", line 674, in format
return logging.Formatter.format(self, record)
File "/usr/lib/python2.7/logging/__init__.py", line 467, in format
s = self._fmt % record.__dict__
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 1234: ordinal not in range(128)
Logged from file http.py, line 153
The change used correct encoding error handling policy for the log
which may includes non-ascii char.
Closes-bug: 1320655
Change-Id: I97f5f14b9beddcceb7fbd371062caf5a38a62a20
