Bug 1553752

Summary: Bump python-cryptography to >=2.1
Product: Red Hat Enterprise Linux 7
Reporter: Carlos Goncalves <cgoncalves>
Component: python-cryptography
Assignee: Christian Heimes <cheimes>
Status: CLOSED WONTFIX
QA Contact: Kaleem <ksiddiqu>
Severity: urgent
Priority: unspecified
Version: 7.5
CC: apevec, cgoncalves, jschluet, lhh, markmc, mkosek, nmanos, srevivo
Target Milestone: pre-dev-freeze
Keywords: Rebase
Target Release: 7.5
Hardware: Unspecified
OS: Unspecified
Clone Of: 1553517
Last Closed: 2018-12-14 13:48:41 UTC
Type: Bug

Description Carlos Goncalves 2018-03-09 13:18:18 UTC
+++ This bug was initially created as a clone of Bug #1553517 +++

Description of problem:

Octavia requires python2-cryptography!=2.0,>=1.9 [1] and is synced with global-requirement.txt [2]. CentOS7 provides python2-cryptography-1.7.2-1.el7 which is not good enough and throws exceptions on load balancer create in Octavia:

2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker   File "/usr/lib/python2.7/site-packages/octavia/certificates/common/pkcs12.py", line 35, in get_certificate
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker     return self.certificate.to_cryptography().public_bytes(
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker AttributeError: 'X509' object has no attribute 'to_cryptography'

Could we promote python2-cryptography-2.1.4 from Fedora [3]? There might be some considerations to be made first, i.e. bump of openssl and pyopenssl versions?


[1] https://github.com/openstack/octavia/blob/master/requirements.txt#L47
[2] https://github.com/openstack/requirements/blob/master/global-requirements.txt#L28
[3] https://src.fedoraproject.org/rpms/python-cryptography/blob/master/f/python-cryptography.spec

Comment 1 Carlos Goncalves 2018-03-09 15:15:18 UTC
Retargeting product to RHEL7.

Comment 3 Carlos Goncalves 2018-03-15 11:01:31 UTC
python-cryptography>=1.9 is not good enough as recently discovered with a new gate using lower-constraints [1]. Octavia requires python-cryptography>=2.1.

Version bump being requested upstream for global-requirements.txt and lower-constraints.txt in [2].

Submitted new patch set for openstack-octavia.spec [3].

[1] https://review.openstack.org/#/c/553134/
[2] https://review.openstack.org/#/c/553136/
[3] https://review.rdoproject.org/r/#/c/12857

Comment 4 Noam Manos 2018-04-03 09:10:25 UTC
(In reply to Carlos Goncalves from comment #3)
> python-cryptography>=1.9 is not good enough as recently discovered with a
> new gate using lower-constraints [1]. Octavia requires
> python-cryptography>=2.1.
> 
> Version bump being requested upstream for global-requirements.txt and
> lower-constraints.txt in [2].
> 
> Submitted new patch set for openstack-octavia.spec [3].
> 
> [1] https://review.openstack.org/#/c/553134/
> [2] https://review.openstack.org/#/c/553136/
> [3] https://review.rdoproject.org/r/#/c/12857

On puddle 2018-03-20.2 - There are no "python-cryptography" nor "python2-cryptography" packages at all, only "cryptography" version 1.7.2.

----

(overcloud) [stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed 
13   -p 2018-03-20.2
(overcloud) [stack@undercloud-0 ~]$ pip list | egrep *cryptography
cryptography                     1.7.2            
(overcloud) [stack@undercloud-0 ~]$ pip list | egrep *OpenSSL*
pyOpenSSL                        17.3.0           

----

Comment 5 Carlos Goncalves 2018-04-03 09:43:20 UTC
Noam, this bz is for RHEL7. You should be looking at rhbz #1556933 where python-cryptography>=2.1 is now being provided in OSP channels.

Additionally, do not use pip. Use yum. Your grep is not matching correctly; you should be doing something like "grep *cryptography*".

Comment 6 Carlos Goncalves 2018-04-03 11:21:42 UTC
The requirement of python-cryptography>=2.1 by OpenStack Octavia was met in rhbz#1556933 by shipping the bumped version via OSP channels.
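
The following is an added example, not part of the bug report and not Octavia code: a preflight check that evaluates an installed version against the requirement strings quoted in this thread, so a too-old package is reported up front instead of surfacing as an AttributeError during certificate handling. The function names are hypothetical, and the parser is a simplified assumption that handles numeric dotted releases only, not full PEP 440.

```python
import re

# Requirement strings as quoted in the bug thread.
REQ_DESCRIPTION = "cryptography!=2.0,>=1.9"
REQ_COMMENT_3 = "cryptography>=2.1"

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}

def parse_version(text):
    """Numeric dotted release -> tuple, so that 2.0 and 2.0.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_requirement(req):
    """Split 'name!=2.0,>=1.9' into ('name', [('!=', '2.0'), ('>=', '1.9')])."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(.*)$", req)
    if not m:
        raise ValueError("bad requirement: %r" % req)
    clauses = []
    for clause in [c for c in m.group(2).split(",") if c.strip()]:
        c = re.match(r"\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*$", clause)
        if not c:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((c.group(1), c.group(2)))
    return m.group(1).lower(), clauses

def failed_clauses(req, installed):
    """Return the clauses of req that the installed version does not satisfy."""
    name, clauses = parse_requirement(req)
    if name not in installed:
        return ["not installed"]
    have = parse_version(installed[name])
    return [op + ver for op, ver in clauses
            if not OPS[op](have, parse_version(ver))]

if __name__ == "__main__":
    # Constructed inventory using the versions named in the thread.
    for label, ver in (("CentOS 7", "1.7.2"), ("Fedora", "2.1.4")):
        for req in (REQ_DESCRIPTION, REQ_COMMENT_3):
            print(label, ver, req, failed_clauses(req, {"cryptography": ver}) or "ok")
```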