Bug 1123515
| Summary: | pulp does not run on Fedora 21 beta | ||
|---|---|---|---|
| Product: | [Retired] Pulp | Reporter: | Randy Barlow <rbarlow> |
| Component: | user-experience | Assignee: | Chris Duryee <cduryee> |
| Status: | CLOSED UPSTREAM | QA Contact: | Irina Gulina <igulina> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | Master | CC: | cduryee, igulina, rbarlow, skarmark |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | 2.6.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-02-28 22:13:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I just learned a bit about the supported values for the Context object's protocol argument: [rbarlow@coconut ~]$ python Python 2.7.5 (default, Feb 19 2014, 13:47:28) [GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> dir(ssl) ['CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'DER_cert_to_PEM_cert', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv2', 'PROTOCOL_SSLv23', 'PROTOCOL_SSLv3', 'PROTOCOL_TLSv1', 'RAND_add', 'RAND_egd', 'RAND_status', 'SSLError', 'SSLSocket', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', '_DEFAULT_CIPHERS', '_PROTOCOL_NAMES', '_SSLv2_IF_EXISTS', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_delegate_methods', '_fileobject', '_getnameinfo', '_ssl', 'base64', 'cert_time_to_seconds', 'errno', 'get_protocol_name', 'get_server_certificate', 'socket', 'socket_error', 'sslwrap_simple', 'textwrap', 'wrap_socket'] >>> print ssl._PROTOCOL_NAMES {0: 'SSLv2', 1: 'SSLv3', 2: 'SSLv23', 3: 'TLSv1'} This may or may not be useful in figuring out what is going on in rawhide. Moving back to NEW state for now. This is a good BZ to examine after the F21 beta is released. I hit an issue related to kombu with F21 beta but the bindings appear to work OK for me. Do I need to run with verify_ssl enabled? I get the correct error when verify_ssl is not set to False. Oh wow, I forgot about this. In fixing our POODLE bugs, I changed that argument from "sslv3" to "sslv23", which I now know means "do any protocol you know how to do, including TLS". I think we can forget about the crypto part of this bug, but I suppose we should fix the other issues you mentioned. Want to keep this bug open to fix those? Can you document what they were? Glad to hear the poodle fix also fixed this:) I will change the BZ to a general "Pulp does not work on F21 beta" bug. python-kombu 3.0.24 will fix this on fedora 21. We need to ensure all versions of qpid for various dists have the correct patch. Leaving bz as assigned until kombu is upgraded to 3.0.24 in our deps dir. fixed in pulp 2.6.0-0.2.beta >> rpm -qa pulp-server pulp-server-2.6.0-0.5.beta.fc21.noarch >> pulp-admin -u admin -p admin rpm repo list +----------------------------------------------------------------------+ RPM Repositories +----------------------------------------------------------------------+ Id: krevetka Display Name: krevetka Description: None Content Unit Counts: Id: rybka Display Name: rybka Description: None Content Unit Counts: Erratum: 4 Package Category: 1 Package Group: 2 Rpm: 32 >> pulp-admin -u admin -p admin rpm repo create --repo-id suslik Successfully created repository [suslik] >> pulp-admin -u admin -p admin rpm repo update --repo-id suslik --display-name="Suslik Grisha" Repository [suslik] successfully updated >> pulp-admin -u admin -p admin rpm repo list +----------------------------------------------------------------------+ RPM Repositories +----------------------------------------------------------------------+ Id: krevetka Display Name: krevetka Description: None Content Unit Counts: Id: rybka Display Name: rybka Description: None Content Unit Counts: Erratum: 4 Package Category: 1 Package Group: 2 Rpm: 32 Id: suslik Display Name: Suslik Grisha Description: None Content Unit Counts: Moved to https://pulp.plan.io/issues/476 |
The Pulp bindings explicitly configure an m2crypto SSL Context() object with 'sslv3'. My theory is that this is conflicting with Fedora 21+'s new crypto policies[0], which disallow certain cryptography operations by default. I've not dug into the problems deeply enought to be sure of this, but I do know that this context is causing this traceback in Fedora rawhide: 2014-07-24 15:51:35,871 - ERROR - Client-side exception occurred Traceback (most recent call last): File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/core.py", line 478, in run exit_code = Cli.run(self, args) File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run exit_code = command_or_section.execute(self.prompt, remaining_args) File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/extensions.py", line 224, in execute return self.method(*arg_list, **clean_kwargs) File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 342, in run self.display_repositories(**kwargs) File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 370, in display_repositories repo_list = self.get_repositories(query_params, **kwargs) File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 24, in get_repositories all_repos = self._all_repos(query_params, **kwargs) File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 66, in _all_repos self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/repository.py", line 34, in repositories return self.server.GET(path, query_parameters) File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 85, in GET return self._request('GET', path, queries) File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 135, in _request response_code, response_body = self.server_wrapper.request(method, url, body) File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 285, in request connection.request(method, url, body=body, headers=headers) File "/usr/lib64/python2.7/httplib.py", line 995, in request self._send_request(method, url, body, headers) File "/usr/lib64/python2.7/httplib.py", line 1029, in _send_request self.endheaders(body) File "/usr/lib64/python2.7/httplib.py", line 991, in endheaders self._send_output(message_body) File "/usr/lib64/python2.7/httplib.py", line 844, in _send_output self.send(msg) File "/usr/lib64/python2.7/httplib.py", line 806, in send self.connect() File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect sock.connect((self.host, self.port)) File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect ret = self.connect_ssl() File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl return m2.ssl_connect(self.ssl, self._timeout) SSLError: sslv3 alert handshake failure For connections that don't use a context at all, m2crypto is able to connect to the Pulp server correctly. I've also been able to eliminate the server by ensuring that curl and wget are able to accept the Pulp API without issue. [0] http://fedoraproject.org/wiki/Changes/CryptoPolicy