Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Downgrading dnspython back to 1.16.0 to fix Eventlet
214 views
Skip to first unread message
Thomas Goirand
Feb 2, 2021, 1:50:02 PM2/2/21
to
Hi Scott, Robert,
As you may know, Eventlet is at the hart of OpenStack. Unfortunately,
version 0.26.1 currently in Sid/Testing fails when connecting over SSL,
with a traceback that looks like this:
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 392,
in connect
self.ssl_context = create_urllib3_context(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 303,
in create_urllib3_context
context.options |= options
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
[Previous line repeated 458 more times]
RecursionError: maximum recursion depth exceeded (txn:
txad38d097c88545ecbd274-0060127626)
In OpenStack, this happens whenever a service attempts to validate a
Keystone token, meaning whenever any component connects to the OpenStack
API (in most deployments: this is done over SSL). In other words: all of
OpenStack is currently completely broken because of this.
Both Eventlet and DNSPython are monkey patching the standard SSL library
in potentially conflicting ways (for those who don't know: this means
they override the standard Python SSL objects/functions to re-write /
overload them).
This incompatibility is well known upstream. Some has been addressed in
Eventlet, but not all. Currently, Eventlet has:
'dnspython >= 1.15.0, < 2.0.0'
as dependency in upstream setup.py.
So I am currently wondering if we could revert DNSPython in Sid/Testing
to 1.16.0 until this is fixed upstream. That is, unless someone here in
this list knows how to fix Eventlet, but this looks like non-trivial...
Note that Ubuntu has version 2.0.0+really1.16.0-2ubuntu2, as they
understood the above.
Scott, Robert, your thoughts? Do you think it's ok to downgrade
dnspython? Or will it break some other reverse-dependencies? Is there
another way to fix the current situation?
Cheers,
Thomas Goirand (zigo)
P.S: The current reverse-dependency tree is:
Reverse-Recommends
==================
* 2ping
* calibre
* dnstwist
Reverse-Depends
===============
* ansible
* b4
* dehydrated-hook-ddns-tsig
* designate-tempest-plugin
* dhcpy6d
* dkimpy-milter
* dnsdiag
* dnsrecon
* dnsviz
* fierce
* knockpy
* linkchecker [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
* mailman3
* patator
* python3-aioxmpp
* python3-authheaders
* python3-certbot-dns-rfc2136
* python3-designate
* python3-dkim
* python3-dnsq
* python3-electrum
* python3-email-validator
* python3-etcd
* python3-eventlet
* python3-exchangelib
* python3-formencode
* python3-kdcproxy
* python3-ldapdomaindump
* python3-sleekxmpp
* python3-spf
* recon-ng
* samba [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
As you may know, Eventlet is at the hart of OpenStack. Unfortunately,
version 0.26.1 currently in Sid/Testing fails when connecting over SSL,
with a traceback that looks like this:
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 392,
in connect
self.ssl_context = create_urllib3_context(
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 303,
in create_urllib3_context
context.options |= options
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
File "/usr/lib/python3.9/ssl.py", line 602, in options
super(SSLContext, SSLContext).options.__set__(self, value)
[Previous line repeated 458 more times]
RecursionError: maximum recursion depth exceeded (txn:
txad38d097c88545ecbd274-0060127626)
In OpenStack, this happens whenever a service attempts to validate a
Keystone token, meaning whenever any component connects to the OpenStack
API (in most deployments: this is done over SSL). In other words: all of
OpenStack is currently completely broken because of this.
Both Eventlet and DNSPython are monkey patching the standard SSL library
in potentially conflicting ways (for those who don't know: this means
they override the standard Python SSL objects/functions to re-write /
overload them).
This incompatibility is well known upstream. Some has been addressed in
Eventlet, but not all. Currently, Eventlet has:
'dnspython >= 1.15.0, < 2.0.0'
as dependency in upstream setup.py.
So I am currently wondering if we could revert DNSPython in Sid/Testing
to 1.16.0 until this is fixed upstream. That is, unless someone here in
this list knows how to fix Eventlet, but this looks like non-trivial...
Note that Ubuntu has version 2.0.0+really1.16.0-2ubuntu2, as they
understood the above.
Scott, Robert, your thoughts? Do you think it's ok to downgrade
dnspython? Or will it break some other reverse-dependencies? Is there
another way to fix the current situation?
Cheers,
Thomas Goirand (zigo)
P.S: The current reverse-dependency tree is:
Reverse-Recommends
==================
* 2ping
* calibre
* dnstwist
Reverse-Depends
===============
* ansible
* b4
* dehydrated-hook-ddns-tsig
* designate-tempest-plugin
* dhcpy6d
* dkimpy-milter
* dnsdiag
* dnsrecon
* dnsviz
* fierce
* knockpy
* linkchecker [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
* mailman3
* patator
* python3-aioxmpp
* python3-authheaders
* python3-certbot-dns-rfc2136
* python3-designate
* python3-dkim
* python3-dnsq
* python3-electrum
* python3-email-validator
* python3-etcd
* python3-eventlet
* python3-exchangelib
* python3-formencode
* python3-kdcproxy
* python3-ldapdomaindump
* python3-sleekxmpp
* python3-spf
* recon-ng
* samba [amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x]
Thomas Goirand
Feb 4, 2021, 4:50:03 AM2/4/21
to
On 2/2/21 7:46 PM, Thomas Goirand wrote:
> Both Eventlet and DNSPython are monkey patching the standard SSL library
> in potentially conflicting ways
After checking, that's *NOT* the case. Though Eventlet is doing
> Both Eventlet and DNSPython are monkey patching the standard SSL library
> in potentially conflicting ways
monkey-patching of dnspython, in a possible not-compatible with 2.x.
Anyways, looks like this small patch fixes Eventlet with dnspython 2:
https://github.com/tipabu/eventlet/commit/2f9b7969f9a66a75e72908454246b88bf57fe58a
I've uploaded Debian release 0.26.1-5, and when it reaches the mirrors,
I'll try again to make OpenStack work, and see how it goes. If it fixes
everything, then we're good to go. Otherwise, my questioning about
downgrading dnspython to 1.16.0 still stand. I'll let you know.
Cheers,
Thomas Goirand (zigo)
P.S: Thanks to Tim Burke for this patch
0 new messages