Bug 1920894

Summary: python2-urllib3: update 1.24.3 -> 1.26.2 for OCP breaks cloud-init ("Unable to get API token: None/latest/api/token")
Product: OpenShift Container Platform Reporter: Simon Krenger <skrenger>
Component: Service BrokerAssignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED ERRATA QA Contact: Cuiping HUO <chuo>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.11.0CC: agogala, aos-bugs, apevec, eterrell, fkrohn, huzhao, jesusr, jgreguske, ldu, lhh, linl, pviktori, ribarry, xiachen, xiliang, yacao, yuxisun
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-02 22:01:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1924613, 1944916    
Bug Blocks:    

Comment 13 Eduardo Otubo 2021-03-18 08:20:40 UTC 
Back to NEW since there's nothing currently being done to fix this issue from cloud-init side.
Comment 14 Huijuan Zhao 2021-03-29 15:28:35 UTC 
(In reply to Eduardo Otubo from comment #13)
> Back to NEW since there's nothing currently being done to fix this issue
> from cloud-init side.

Hi Jesus,

Not sure who and how we address this issue, but according to the reproduce steps, seems related with the compatibility of python2-urllib3 and cloud-init, could you take a look the issue from python2-urllib3 side? 

Thanks!
Comment 15 Jesus M. Rodriguez 2021-03-29 17:47:44 UTC 
@huzhao Yes, I'm going to address this this week. Seems related to the change I made to fix a CVE in python2-urllib3 https://bugzilla.redhat.com/show_bug.cgi?id=1924613
Comment 17 Jesus M. Rodriguez 2021-03-30 22:52:49 UTC 
I have done the following to address this bug:

* reverted back to python2-urllib3 1.24.3 [1] which was the most recent 3.11 release before bumping to 1.26.2.
* backported upstream patch to fix CVE-2020-26137 [2] which was why we updated to 1.26.2 in the first place
* bumped the Epoch of python2-urllib3 1.24.3 to 1 to force it to downgrade the 1.26.2 on existing servers
* created a bug [3] against python2-requests to support upgrading to newer urllib3.

[1] brew build for 1.24.3-2 https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=35834480
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1883800
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1944916
Comment 18 Huijuan Zhao 2021-05-24 08:22:22 UTC 
(In reply to Jesus M. Rodriguez from comment #17)
> I have done the following to address this bug:
> 
> * reverted back to python2-urllib3 1.24.3 [1] which was the most recent 3.11
> release before bumping to 1.26.2.
> * backported upstream patch to fix CVE-2020-26137 [2] which was why we
> updated to 1.26.2 in the first place
> * bumped the Epoch of python2-urllib3 1.24.3 to 1 to force it to downgrade
> the 1.26.2 on existing servers
> * created a bug [3] against python2-requests to support upgrading to newer
> urllib3.
> 
> [1] brew build for 1.24.3-2
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=35834480
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1883800
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1944916

Thanks Jesus!

Sorry reply late. I installed python2-urllib3-1.24.3-2.el7.noarch with cloud-init-19.4-7.el7_9.3.x86_64 in rhel-7.9, it works well, no error found.
Change component to python-urllib3 for better track, please feel free to correct me if not suitable.

Thanks!
Huijuan
Comment 19 Petr Viktorin (pviktori) 2021-06-02 12:27:02 UTC 
Python-maint does not maintain "rhel-7-server-ose-3.11-rpms". Changing the product to OpenStack.
Comment 21 Cuiping HUO 2021-07-20 01:34:45 UTC 
This bug depends on https://bugzilla.redhat.com/show_bug.cgi?id=1924613, and it is not ready yet.
Comment 22 Cuiping HUO 2021-07-21 08:58:52 UTC 
Verified. 
For the most recent 3.11.465 cluster, python2-urllib3 has been reverted back to python2-urllib3-1.24.3-2.el7.noarch

cluster version: v3.11.465 with python2-urllib3-1.24.3-2.el7.noarch

# subscription-manager register --username=xxx
Registering to: subscription.rhsm.redhat.com:443/subscription
Password: 
The system has been registered with ID: db369aea-1f15-480c-b9b9-9f2b65f7230e
The registered system name is: ip-172-18-9-52.ec2.internal

# subscription-manager repos --enable="rhel-7-server-ose-3.11-rpms"
Repository 'rhel-7-server-ose-3.11-rpms' is enabled for this system.


#yum update 
...
Installing:
 kernel                                        x86_64        3.10.0-1160.31.1.el7                 rhel-7-server-rpms                    50 M
 python2-chardet                               noarch        3.0.4-7.el7ost                       aos                                  186 k
     replacing  python-chardet.noarch 2.2.1-3.el7
 python2-requests                              noarch        2.19.1-4.el7ost                      aos                                  123 k
     replacing  python-requests.noarch 2.6.0-9.el7_8
 python2-urllib3                               noarch        1:1.24.3-2.el7                       aos                                  170 k
     replacing  python-urllib3.noarch 1.10.2-7.el7

# rpm -qa | grep urllib3
python2-urllib3-1.24.3-2.el7.noarch
Comment 25 errata-xmlrpc 2021-12-02 22:01:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 3.11.569 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4827