Bug 1553521

Summary: Bump python-cryptography to >=2.1 and pyOpenSSL >= 17.1.0
Product: [Community] RDO
Reporter: Carlos Goncalves <cgoncalves>
Component: openstack-octavia
Assignee: Carlos Goncalves <cgoncalves>
Status: CLOSED CURRENTRELEASE
QA Contact: Alexander Stafeyev <astafeye>
Severity: high
Priority: unspecified
Version: trunk
CC: amuller, apevec, bcafarel, cgoncalves, jschluet
Target Milestone: ---
Keywords: Rebase
Target Release: trunk
Hardware: Unspecified
OS: Unspecified
Last Closed: 2018-04-03 09:00:26 UTC
Type: Bug
Bug Depends On: 1553517    
Bug Blocks: 1553520, 1556933    

Description Carlos Goncalves 2018-03-09 01:36:04 UTC
Octavia requires python2-cryptography!=2.0,>=1.9 [1] and is synced with global-requirement.txt [2]. RHEL/CentOS7 provides python2-cryptography-1.7.2-1.el7 which is not good enough and throws exceptions on load balancer create in Octavia:

2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker   File "/usr/lib/python2.7/site-packages/octavia/certificates/common/pkcs12.py", line 35, in get_certificate
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker     return self.certificate.to_cryptography().public_bytes(
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker AttributeError: 'X509' object has no attribute 'to_cryptography'

Version-Release number of selected component (if applicable):


How reproducible: 100%

Steps to Reproduce:
1. openstack loadbalancer create lb2
2. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener2 --default-tls-container=http://<ommitted>:9311/v1/secrets/50a1b6e0-b53c-4b33-a06d-0544eaaf02f0 lb2

Comment 1 Carlos Goncalves 2018-03-09 01:38:18 UTC
Once python-cryptography is updated, we need to bump Requires: in https://github.com/rdo-packages/octavia-distgit/blob/rpm-master/openstack-octavia.spec#L113-L114

Comment 2 Alan Pevec 2018-03-09 14:24:01 UTC
Please file BZ against RHEL7 to rebase or backport the fix, we should not be overriding base OS packages.

Comment 3 Carlos Goncalves 2018-03-09 15:18:17 UTC
Retargeted bz#1553752 to RHEL7.

Comment 4 Carlos Goncalves 2018-03-15 10:58:40 UTC
python-cryptography>=1.9 is not good enough as recently discovered with a new gate using lower-constraints [1]. Octavia requires python-cryptography>=2.1.

Version bump being requested upstream for global-requirements.txt and lower-constraints.txt in [2].

Submitted new patch set for openstack-octavia.spec [3].

[1] https://review.openstack.org/#/c/553134/
[2] https://review.openstack.org/#/c/553136/
[3] https://review.rdoproject.org/r/#/c/12857

Comment 5 Carlos Goncalves 2018-03-15 13:09:31 UTC
Created lower-constraints.txt out of requirements.txt from octavia stable/queens, bumped jinja2 and python-barbicanclient versions. I then ran unit and functional tests.

- FAIL: http://paste.openstack.org/show/701685/ (python-cryptography==1.9)
- FAIL: http://paste.openstack.org/show/701695/ (python-cryptography==2.1)
- SUCCESS: http://paste.openstack.org/show/701690/ (python-cryptography==2.1 AND pyOpenSSL==17.1.0)

lower-constraints.txt for stable/queens verified to work with Octavia stable/queens:

# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
alembic==0.8.10 # MIT
cotyledon==1.3.0 # Apache-2.0
pecan==1.0.0 # BSD
pbr==2.0.0 # Apache-2.0
SQLAlchemy==1.0.10 # MIT
Babel==2.3.4 # BSD
futurist==1.2.0 # Apache-2.0
requests==2.14.2 # Apache-2.0
rfc3986==0.3.1 # Apache-2.0
keystoneauth1==3.3.0 # Apache-2.0
keystonemiddleware==4.17.0 # Apache-2.0
python-neutronclient==6.3.0 # Apache-2.0
WebOb==1.7.1 # MIT
six==1.10.0 # MIT
stevedore==1.20.0 # Apache-2.0
oslo.config==5.1.0 # Apache-2.0
oslo.context==2.19.2 # Apache-2.0
oslo.db==4.27.0 # Apache-2.0
oslo.i18n==3.15.3 # Apache-2.0
oslo.log==3.36.0 # Apache-2.0
oslo.messaging==5.29.0 # Apache-2.0
oslo.middleware==3.31.0 # Apache-2.0
oslo.policy==1.30.0 # Apache-2.0
oslo.reports==1.18.0 # Apache-2.0
oslo.utils==3.33.0 # Apache-2.0
pyasn1==0.1.8 # BSD
pyasn1-modules==0.0.6 # BSD
PyMySQL==0.7.6 # MIT License
python-barbicanclient==4.5.2 # Apache-2.0
python-glanceclient==2.8.0 # Apache-2.0
python-novaclient==9.1.0 # Apache-2.0
pyOpenSSL==16.2.0 # Apache-2.0
WSME==0.8.0 # MIT
Jinja2==2.10 # BSD License (3 clause)
taskflow==2.16.0 # Apache-2.0
diskimage-builder==1.1.2 # Apache-2.0
futures==3.0.0;python_version=='2.7' or python_version=='2.6' # BSD
castellan==0.16.0 # Apache-2.0

#for the amphora api
Flask==0.10 # BSD
netifaces==0.10.4 # MIT
ipaddress==1.0.16;python_version<'3.3' # PSF
cryptography==1.9 # BSD/Apache-2.0
pyroute2==0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2)
gunicorn==19.0.0 # MIT
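
An added example (not Octavia or RDO code): a check of a lower-constraints.txt style file against the minimums named in this bug's summary, cryptography 2.1 and pyOpenSSL 17.1.0. The function names and the sample text are assumptions made for illustration, and the comparison handles plain dotted numeric versions only.

```python
import re

# Floors taken from this bug's summary: cryptography >= 2.1, pyOpenSSL >= 17.1.0.
FLOORS = {"cryptography": "2.1", "pyopenssl": "17.1.0"}
PIN_RE = re.compile(r"^([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9.]*)")

def normalize(name):
    """Normalize a package name so 'pyOpenSSL' and 'pyopenssl' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(version, width=4):
    """Turn '2.1' into (2, 1, 0, 0) so that '2.1' equals '2.1.0'."""
    parts = [int(p) for p in version.split(".") if p]
    return tuple(parts + [0] * (width - len(parts)))

def parse_pins(text):
    """Return {normalized_name: version} for every 'name==version' line."""
    pins = {}
    for raw in text.splitlines():
        # Drop trailing comments and environment markers (';python_version...').
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = PIN_RE.match(line)
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    return pins

def floor_violations(text, floors=FLOORS):
    """List (name, pinned, floor) for pins that are missing or below a floor."""
    pins = parse_pins(text)
    problems = []
    for name, floor in sorted(floors.items()):
        pinned = pins.get(normalize(name))
        if pinned is None or version_key(pinned) < version_key(floor):
            problems.append((name, pinned, floor))
    return problems

# Constructed sample in the lower-constraints.txt format, not a file from the bug.
SAMPLE = """\
# comment line
pyOpenSSL==16.2.0 # Apache-2.0
ipaddress==1.0.16;python_version<'3.3' # PSF
cryptography==2.1 # BSD/Apache-2.0
"""

if __name__ == "__main__":
    for name, pinned, floor in floor_violations(SAMPLE):
        print("%s pinned at %s, needs >= %s" % (name, pinned, floor))
```

A pin that is absent from the file is reported with `None` as its pinned version, so a missing constraint is not mistaken for a satisfied one.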

Comment 6 Carlos Goncalves 2018-04-03 08:49:10 UTC
Only one patch remains in-review: https://review.rdoproject.org/r/#/c/12878/