Other OpenStack services which instantiate a 'https' glanceclient using
ssl_compression=False and insecure=False (eg Nova, Cinder) are leaking
sockets due to glanceclient not closing the connection to the Glance
server.
This could happen for a sub-set of calls, eg 'show', 'delete', 'update'.
netstat -nopd would show the sockets would hang around forever:
... 127.0.0.1:9292 ESTABLISHED 9552/python off (0.00/0/0)
urllib's ConnectionPool relies on the garbage collector to tear down
sockets which are no longer in use. The 'verify_callback' function used to
validate SSL certs was holding a reference to the VerifiedHTTPSConnection
instance which prevented the sockets being torn down.
Change-Id: Idb3e68151c48ed623ab89d05d88ea48465429838
Closes-bug: 1423165
Currently, on systems like Fedora and Debian, it is possible to import
urllib3 as well as requests.packages.urllib3. They functionally point to
the same code but sys.modules considers them to be separate items. When
downstream packagers unvendor urllib3 from requests, they also change
all the imports inside of the package. So if the code imports urllib3
from requests.packages.urllib3 and modifies globals in a submodule, that
will not be visible to requests since it has been rewritten to use
urllib3 (not requests.packages.urllib3). By handling this logic
ourselves, we can issue a release until upstream packages and requests
can fix this and cut a new release.
Change-Id: Ic77ce8a06d9d148a899b4b8695990fca8fdaefc5
Closes-bug: 1396550
This pep (included in python 2.7.9) changes the behaviour of SSL
certificate chain handling to be more py3 like.
Include required new exception behaviour in the list of
exceptions to translate under py2.
https://github.com/python/peps/blob/master/pep-0476.txt
Closes-Bug: 1404227
Change-Id: I7da1a13d1ec861a07fd96684d0431508a214a2c8
In order to keep the support for `--ssl-nocompression` it was decided to
overwrite the https HTTPAdapter in `requests` poolmanager. Although this
seemed to work correctly, it was causing some issues when using
glanceclient from other services that rely on requests and that were
also configured to use TLS.
THis patch changes implements a different strategy by using
`glance+https` as the scheme to use when `no-compression` is requested.
Closes-bug: #1350251
Closes-bug: #1347150
Closes-bug: #1362766
Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b
This review implements blueprint python-request and replaces the old
http client implementation in favor of a new one based on
python-requests.
Major changes:
* raw_request and json_request removed since everything is now being
handled by the same method "_request"
* New methods that match HTTP's methods were added:
- get
- put
- post
- head
- patch
- delete
* Content-Type is now being "inferred" based on the data being sent:
- if it is file-like object it chunks the request
- if it is a python type not instance of basestring then it'll try
to serialize it to json
- Every other case will keep the incoming content-type and will send
the data as is.
* Glanceclient's HTTPSConnection implementation will be used if
no-compression flag is set to True.
Co-Author: Flavio Percoco<flaper87@gmail.com>
Change-Id: I09f70eee3e2777f52ce040296015d41649c2586a
F841 detects local variable is assigned to but never used.
This commit fixes the violations and enables F841 in gate.
Change-Id: Ic4dcac2733dfe334009327ac17aa3952cafaa63a
If --os-cacert was passed to the cli the following error was
triggered: "cafile must be None or a byte string". This is
because 'load_verify_locations' requires a byte string to
be passed in.
We fix this by explicitly converting the argument to a byte
string.
We do this in 'VerifiedHTTPSConnection' rather than sooner, eg
during arg handling, as it will no longer be required should we
move to a different http library (eg requests).
Fixes bug 1301849.
Change-Id: I9014f5d040cae9f0b6f03d8f13de8419597560cb
On assertEqual, the order of parameters should be (expected, observed).
But, some part of glanceclient test were written with invalid order.
This patch fixes this problem.
Change-Id: I7722fdce766ce3cc5bc9944dc72d7d0af0b09f69
Partially-bug: #1277104
Currently, accessing a host via ip address will pass SSL verification;
the CNAME is not checked as intended as part of verify_callback.
'preverify_ok is True' will always return false (int/bool comparison).
preverify_ok will be 1 if preverification has passed.
Fixes bug 1192229
Change-Id: Ib651548ab4289295a9b92ee039b2aff2d08aba5f
Instead of globally ignoring pyflakes and
hacking warnings, only blacklist those that trigger
very frequently so far, in order to clean them
up in followup commits. Fix and start gating
on the rest already.
Change-Id: Ied7c7250061e3bf379e8286e8ce3b9e4af817faf
* Rename --ca-file to --os-cacert (--ca-file deprecated for
backward compatibility)
* Add cacert to keystoneclient initialization to verify the
keystone server certificate
This aligns glanceclient with keystoneclient for option naming
and the use of TLS for the keystone auth connection. It does not
change the use of TLS/SSL for the glance connection.
Change-Id: If8b05655aea5f3c62612d77bf947dd790f77eddf
When using https verify that the Common Name (CN) or
the Subject Alternative Name listed in the server's
certificate match the host we are connected to.
Addresses LP bug 1079692.
Change-Id: I24ea1511a2cbdb7c34ce72ac704d7b5e7d57cec2
Use pyOpenSSL for HTTPS connections.
This allows:
* Neater loading of system CA files
* Optional disabling of SSL compression
The performance gain from disabling SSL compression is significant
in cases where the image being uploaded/downloaded is in an already
compressed format (eg qcow2).
Related to bp ssl-connect-rework.
Change-Id: I0568b6c95c5fc7b8eafdbd0284e24c453660a55a
