Ask Your Question

glance client Unable to establish connection when run on django/apache

asked 2017-02-14 14:35:50 -0500

Hi there,

I've been digging through posts here for several days trying to get to the bottom of this problem and it seems nobody has hit the same wall. I'm developing a web tool that will allow authorized users to transfer images between openstack clouds with python 2.7.5, django 1.10.5, apache 2.4.6 and the openstack instance I'm testing with is running the Liberty release.

The problem is that when i run my commands in the python shell or in a script file they execute fine and return the image list im requesting from the glance service, but when I try to run the same commands in my apache instance I get:

Unable to establish connection to https://my.openstack.server/v2.0/tokens

Here is the code in question:

class repo_connector(object):
    def __init__(self, auth_url, project, username, password):
        self.auth_url = auth_url
        self.project = project
        self.username = username
        self.password = password
        self.cacert = "/path/to/my/ca"
        self.sess = self._get_keystone_session()
        image_list = self._get_images()

    def _get_keystone_session(self):
            auth = v2.Password(auth_url=self.auth_url, username=self.username, password=self.password, tenant_name=self.project)
            sess = session.Session(auth=auth, verify=self.cacert)
        except Exception as e:
            log.error("Problem importing keystone modules, and getting session: %s" % e)
        log.debug("Session object for %s created" %
        return sess

    def _get_images(self):
        glance = glanceclient.Client('2', session=self.sess)

        images = glance.images.list()
        #for testing///code fails on this command

        image_list = ()

        # Do things with images
        for image in glance.images.list():
            img_id = image['id']
            img_name = image['name']
            image_list += ((self.project, img_name, img_id),)

        return image_list

It seems the glanceclient object is initiated and it retrieves a generator object for the list of images but as soon as I try to do something with the generator the error above pops up.

I suspect the problem has something to do with the certificates. My service uses https only and initially authenticates users based on their certificate. My personal certificate as well as my service and the openstack instance are all using certificates from the same authority. I initially had a similar problem running these commands from the python shell but once i added in the cacert there was no issues(resolved the SSL: CERTIFICATE_VERIFY_FAILED) and it seems to be a separate error than the one I get when running it on apache.

This is the code that runs just fine on the system, I've tried hard-coding the values into my apache code for a proof of concept but I got the same results:

from keystoneclient.auth.identity import v2
from keystoneclient import session
import glanceclient

auth = v2.Password(auth_url='my.auth.url:port/v2.0', username='myuser', password='mypass', tenant_name='testing')
sess = session.Session(auth=auth, cacert='/path//to/my/cert')

glance = glanceclient.Client('2', session=sess)


If anyone has any ideas about what I should try I'd love to hear them. Please let ... (more)

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2017-02-15 17:07:19 -0500

So after many hours of digging through the call stack and sifting thru logs I finally noticed this popping up in my apache error log:

extern "Python": function Cryptography_rand_bytes() called, but @ffi.def_extern() was not called in the current subinterpreter.  Returning 0.

As it turns out the keystone/glance clients use this library but produce the above error when run behind an apache server. After a little searching i found (this link) to a github issue for this library. The fix went in a couple months ago and I was able to clear up the problem with my web service with a simple pip upgrade of the cryprography library.

Hopefully this helps someone else down the line so you don't lose days development time like I have.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2017-02-14 14:35:50 -0500

Seen: 185 times

Last updated: Feb 14 '17