From 605d58b1162cf2c3ca379da0908b614764cf379c Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Mon, 3 Dec 2018 17:04:09 +0100
Subject: [PATCH] nova_compute fails to start in tls-everywhere configuration
With tls-everywhere enabled connecting to keystone endpoint fails to retrieve the URL for the placement endpoint as the certificate can not be verified. While verification is disabled to check the placement endpoint later, it is not to communicate with keystone. This disables certificate verification for communication with keystone.
Related-Bug: 1784155
Change-Id: I317dd62f3a555f375d540a63c21a6fb38d37ca96
(cherry picked from commit a99820a80cd99690c096553dcdc5e7f7472c02f1)
(cherry picked from commit 14af0677c87a64dd7ad96fad41d74da1db3d8e07)
---
 docker_config_scripts/nova_wait_for_placement_service.py | 2 +-
 ...ent_service_disable_cert_verify-45f532d7a924df86.yaml | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/nova_wait_for_placement_service_disable_cert_verify-45f532d7a924df86.yaml
diff --git a/docker_config_scripts/nova_wait_for_placement_service.py b/docker_config_scripts/nova_wait_for_placement_service.py
index cea85b10d9..02b5148b84 100755
--- a/docker_config_scripts/nova_wait_for_placement_service.py
+++ b/docker_config_scripts/nova_wait_for_placement_service.py
@@ -55,7 +55,7 @@ if __name__ == '__main__':
 project_name=config.get('placement', 'project_name'),
 project_domain_name=config.get('placement', 'user_domain_name'),
 auth_url=config.get('placement', 'auth_url')+'/v3')
- sess = session.Session(auth=auth)
+ sess = session.Session(auth=auth, verify=False)
 keystone = client.Client(session=sess)
 iterations_endpoint = iterations
diff --git a/releasenotes/notes/nova_wait_for_placement_service_disable_cert_verify-45f532d7a924df86.yaml b/releasenotes/notes/nova_wait_for_placement_service_disable_cert_verify-45f532d7a924df86.yaml
new file mode 100644
index 0000000000..57badbb405
--- /dev/null
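Review bot: In docker_config_scripts/nova_wait_for_placement_service.py, `verify=False` on the keystone session means the token request to `auth_url`, which carries the credentials of the auth plugin built just above, goes out without checking the server certificate, so that exchange is no longer protected against interception. keystoneauth's `verify` also accepts a path to a CA bundle, so the tls-everywhere failure can be fixed by trusting the deployment CA instead, e.g. `sess = session.Session(auth=auth, verify=config.get('placement', 'cafile'))`, assuming nova.conf sets `cafile` under `[placement]` (not visible here; fall back to the default bundle when it is unset). If disabling verification stays as a stop-gap, a comment such as `# TODO: TLS verification disabled, see bug 1784155; switch to the CA bundle` on that line would keep it from becoming permanent. The `__main__` block starts and ends outside the hunk.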
+++ b/releasenotes/notes/nova_wait_for_placement_service_disable_cert_verify-45f532d7a924df86.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+ - |
+ With tls-everywhere enabled connecting to keystone endpoint fails
+ to retrieve the URL for the placement endpoint as the certificate
+ can not be verified. While verification is disabled to check the
+ placement endpoint later, it is not to communicate with keystone.
+ This disables certificate verification for communication with
+ keystone.