When using the client with python 3.4 and no ssl compression the following
stack trace ocurrs:
TypeError: startswith first arg must be bytes or a tuple of bytes, not str
Closes-bug: 1442883
Related-bug: 1357430
Change-Id: I8e28f0bb1f3e866f11851247ce31470ca8c2af4f
Since the release of the 0.16.1 client, using the 'no ssl compression'
option, whether on the command line, or via the library -- Nova does this by
default -- a stack trace was generated.
Closes-bug: 1442664
Related-bug: 1357430
Change-Id: I2b8ddcb0a7ae3cfccdfc20d3ba476f3b4f4ec32d
Mainly to improve consistency, use range() from six.moves
renames across glance.
Behaves consistently like py2 xrange() and py3 range().
Change-Id: I7c573a3a9775f454b98d25f2a14f8e9f5f4ac432
Other OpenStack services which instantiate a 'https' glanceclient using
ssl_compression=False and insecure=False (eg Nova, Cinder) are leaking
sockets due to glanceclient not closing the connection to the Glance
server.
This could happen for a sub-set of calls, eg 'show', 'delete', 'update'.
netstat -nopd would show the sockets would hang around forever:
... 127.0.0.1:9292 ESTABLISHED 9552/python off (0.00/0/0)
urllib's ConnectionPool relies on the garbage collector to tear down
sockets which are no longer in use. The 'verify_callback' function used to
validate SSL certs was holding a reference to the VerifiedHTTPSConnection
instance which prevented the sockets being torn down.
Change-Id: Idb3e68151c48ed623ab89d05d88ea48465429838
Closes-bug: 1423165
Currently, on systems like Fedora and Debian, it is possible to import
urllib3 as well as requests.packages.urllib3. They functionally point to
the same code but sys.modules considers them to be separate items. When
downstream packagers unvendor urllib3 from requests, they also change
all the imports inside of the package. So if the code imports urllib3
from requests.packages.urllib3 and modifies globals in a submodule, that
will not be visible to requests since it has been rewritten to use
urllib3 (not requests.packages.urllib3). By handling this logic
ourselves, we can issue a release until upstream packages and requests
can fix this and cut a new release.
Change-Id: Ic77ce8a06d9d148a899b4b8695990fca8fdaefc5
Closes-bug: 1396550
The oslo.utils libraries are moving away from namespace packages.
This requires oslo.utils>=1.2.0
bp drop-namespace-packages
Change-Id: I803df61e91eabb96329d859aef6bea03530fb84f
This module now lives in oslo.utils, so import it from there instead.
Co-Authored-By: Ian Cordasco <ian.cordasco@rackspace.com>
Change-Id: Ib35dc840992433542490670781badd9529ec8947
This pep (included in python 2.7.9) changes the behaviour of SSL
certificate chain handling to be more py3 like.
Include required new exception behaviour in the list of
exceptions to translate under py2.
https://github.com/python/peps/blob/master/pep-0476.txt
Closes-Bug: 1404227
Change-Id: I7da1a13d1ec861a07fd96684d0431508a214a2c8
In order to keep the support for `--ssl-nocompression` it was decided to
overwrite the https HTTPAdapter in `requests` poolmanager. Although this
seemed to work correctly, it was causing some issues when using
glanceclient from other services that rely on requests and that were
also configured to use TLS.
THis patch changes implements a different strategy by using
`glance+https` as the scheme to use when `no-compression` is requested.
Closes-bug: #1350251
Closes-bug: #1347150
Closes-bug: #1362766
Change-Id: Ib25237ba821ee20a561a163b79402d1375ebed0b
python-glanceclient (like, for example, curl) can advertise the default
set of supported OpenSSL ciphers in its ClientHello packet.
This patches reduces that to a stronger subset.
Change-Id: I7c30465e79d8a32f43458cd6253a98fcf067dc38
Closes-bug: #1370283
A bug was introduced which meant that the server SSL certificate was
not being verified. Here we make sure that it is checked (unless
the --insecure flag is used).
Helps guard against man-in-the-middle attack.
Change-Id: I08f30bf3906b6580c871729311343fa8eefda91b
Closes-bug: #1357430
Currently the glance client can't operate on IPv6 address based
openstack controller IPs. The reason for this is the absence of
creation of a IPv6 socket in the glance client code (in https.py).
The glance client is trying to create sockets from the AF_INET
socket family but this will lead to errors when glance client makes
a call on the IPv6 IP addresses.
In order to fix this limitation, we ensure that if the hostname
resolves to IPv6 or an explicit IPv6 address is used to configure
the openstack controller - glance client shall be able to detect
that and then create a AF_INET6 socket family. In all other cases
a AF_INET socket is created. We default to IPv4 sockets in all
other cases.
Change-Id: I7d5a09675cd5dab2e39f0faeaa7c169291eedac6
Closes-bug: #1348030
This review implements blueprint python-request and replaces the old
http client implementation in favor of a new one based on
python-requests.
Major changes:
* raw_request and json_request removed since everything is now being
handled by the same method "_request"
* New methods that match HTTP's methods were added:
- get
- put
- post
- head
- patch
- delete
* Content-Type is now being "inferred" based on the data being sent:
- if it is file-like object it chunks the request
- if it is a python type not instance of basestring then it'll try
to serialize it to json
- Every other case will keep the incoming content-type and will send
the data as is.
* Glanceclient's HTTPSConnection implementation will be used if
no-compression flag is set to True.
Co-Author: Flavio Percoco<flaper87@gmail.com>
Change-Id: I09f70eee3e2777f52ce040296015d41649c2586a
Stuart McLaren