Solved: Re: Compatible APIC versions?

tigephillips · ‎12-08-2014

Is there a list of compatible APIC versions? I upgraded to apic-1.0(2j) today and the standard session login fails now. I also cloned the latest version and tried the tests. They produced 10 errors. Shown below.

Code:

session = ACI.Session(url, login, password)

response = session.login()

Produces the following when executing session.login():

Traceback (most recent call last):

File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-tk/Tkinter.py", line 1470, in __call__

return self.func(*args)

File "./gui_test_9.py", line 149, in login

response = session.login()

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acisession.py", line 227, in login

resp = self._send_login()

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acisession.py", line 207, in _send_login

ret = self.session.post(login_url, data=jcred, verify=self.verify_ssl)

File "/Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg/requests/sessions.py", line 377, in post

return self.request('POST', url, data=data, **kwargs)

File "/Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg/requests/sessions.py", line 335, in request

resp = self.send(prep, **send_kwargs)

File "/Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg/requests/sessions.py", line 438, in send

r = adapter.send(request, **kwargs)

File "/Library/Python/2.7/site-packages/requests-1.2.3-py2.7.egg/requests/adapters.py", line 327, in send

raise ConnectionError(e)

ConnectionError: HTTPSConnectionPool(host='10.93.130.125', port=443): Max retries exceeded with url: //api/aaaLogin.json (Caused by <class 'socket.error'>: [Errno 54] Connection reset by peer)

(I'm only included the first error)

Command: python aciphysobject_test.py

.....E...EEEEEEEEE....................

======================================================================

ERROR: test_find (__main__.TestFind)

----------------------------------------------------------------------

Traceback (most recent call last):

File "aciphysobject_test.py", line 628, in test_find

self.assertIn(interface2, results)

File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/unittest/case.py", line 802, in assertIn

if member not in container:

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acitoolkit.py", line 1647, in __eq__

if (self.interface_type == other.interface_type and

AttributeError: 'Node' object has no attribute 'interface_type'

Zach Seils · ‎12-09-2014

I suspect this is due to bug CSCur62241. The APIC web server no longer accepts SSL3.0/TLS1.0 connections, which causes you to get errors like you’ve described. You can install python on OS X using homebrew and compile it against openssl 1.0.1* to get TLS1.1 and TLS1.2.

Alternatively, you can temporarily force all APIC communication to be via HTTP instead of HTTPS, so your script can execute successfully. To do this:

- On the menu bar, FABRIC -> Fabric Policies -> Pod Policies -> Policies -> Communication

- Under Communication, click the default policy

- In the Work pane, enable HTTP and disable HTTPS

Regards,

Zach

View solution in original post

Zach Seils · ‎12-09-2014

I suspect this is due to bug CSCur62241. The APIC web server no longer accepts SSL3.0/TLS1.0 connections, which causes you to get errors like you’ve described. You can install python on OS X using homebrew and compile it against openssl 1.0.1* to get TLS1.1 and TLS1.2.

Alternatively, you can temporarily force all APIC communication to be via HTTP instead of HTTPS, so your script can execute successfully. To do this:

- On the menu bar, FABRIC -> Fabric Policies -> Pod Policies -> Policies -> Communication

- Under Communication, click the default policy

- In the Work pane, enable HTTP and disable HTTPS

Regards,

Zach

tigephillips · ‎12-09-2014

Thanks Zach! I'll give it a go.

-Tige

tigephillips · ‎12-14-2014

Zach,

Looks like I fixed the SSL issue, but now it looks like the websocket library is having an issue.. To test things I used an old script I wrote that uses 'requests' rather than websocket. You can see below that the requests module still works after the upgrade, but the websocket fails with both SSL and HTTP.

Thanks for any help. I can send the scripts if requested.

-Tige

TIPHILLI-M-20VC:cisco_aci tigelane$ ./aci_login-requests.py

About to use Requests

URL: https://10.93.130.125/api/aaaLogin.json?gui-token-request=yes

User: apiuser

Press Enter to continue or "q" to exit

Login completed. We're done!

TIPHILLI-M-20VC:cisco_aci tigelane$ ./aci_login-websocket.py

About to use native aci toolkit

URL: https://10.93.130.125:443/

User: apiuser

Press Enter to continue or "q" to exit

About to execute: response = session.login()

Traceback (most recent call last):

File "./aci_login-websocket.py", line 83, in

main()

File "./aci_login-websocket.py", line 79, in main

create_login()

File "./aci_login-websocket.py", line 58, in create_login

response = session.login()

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acisession.py", line 227, in login

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acisession.py", line 211, in sendlogin

File "build/bdist.macosx-10.9-intel/egg/acitoolkit/acisession.py", line 99, in openweb_socket

File "/usr/local/lib/python2.7/site-packages/websocket/_core.py", line 266, in create_connection

websock.connect(url, **options)

File "/usr/local/lib/python2.7/site-packages/websocket/_core.py", line 524, in connect

self._handshake(hostname, port, resource, **options)

File "/usr/local/lib/python2.7/site-packages/websocket/_core.py", line 596, in _handshake

resp_headers = self._get_resp_headers()

File "/usr/local/lib/python2.7/site-packages/websocket/_core.py", line 549, in getresp_headers

raise WebSocketException("Handshake status %d" % status)

websocket._exceptions.WebSocketException: Handshake status 404

TIPHILLI-M-20VC:cisco_aci tigelane$

Tige Phillips - Vertical Solutions Architect - US Public Sector: SLED Western Operation

Audio: 408.894.3312 - Email & Video & IM: tiphilli@cisco.com<mailto:tiphilli@cisco.com> - Cisco Systems

Proudly “Serving those who Protect, Serve and Educate"

mjovanov · ‎01-05-2015

Hi Tige,

Try editing credentials.py - remove trailing '/' or ':80/'

Example:

From

URL = 'http://' + IPADDR + ':80/'

To

URL = 'https://' + IPADDR

and try again.

Kind regards,

Mio

tigephillips · ‎01-05-2015

Yep, that fixed it. This is the default setup on github. Should probably be changed if it's a real issue and not something I've done somewhere else in the python module.

Thank you Mio!

-Tige

Tige Phillips

408.894.3312

tiphilli@cisco.com<mailto:tiphilli@cisco.com>

Proudly “Serving those who Protect, Serve and Educate"

mjovanov · ‎01-05-2015

Glad to hear that!

Thanks for bringing this up, we'll fix it on github.

Kind regards,
Mio