Bug 1123515 - pulp does not run on Fedora 21 beta
Summary: pulp does not run on Fedora 21 beta
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: Master
Hardware: All
OS: Linux
Target Milestone: ---
: 2.6.0
Assignee: Chris Duryee
QA Contact: Irina Gulina
Depends On:
TreeView+ depends on / blocked
Reported: 2014-07-25 21:48 UTC by Randy Barlow
Modified: 2015-02-28 22:13 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-28 22:13:50 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Pulp Redmine 476 None None None Never

Description Randy Barlow 2014-07-25 21:48:19 UTC
The Pulp bindings explicitly configure an m2crypto SSL Context() object with 'sslv3'. My theory is that this is conflicting with Fedora 21+'s new crypto policies[0], which disallow certain cryptography operations by default. I've not dug into the problems deeply enought to be sure of this, but I do know that this context is causing this traceback in Fedora rawhide:

2014-07-24 15:51:35,871 - ERROR - Client-side exception occurred
Traceback (most recent call last):
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/core.py", line 478, in run 
    exit_code = Cli.run(self, args)
  File "/usr/lib/python2.7/site-packages/okaara/cli.py", line 974, in run 
    exit_code = command_or_section.execute(self.prompt, remaining_args)
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/extensions/extensions.py", line 224, in execute
    return self.method(*arg_list, **clean_kwargs)
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 342, in run 
  File "/home/rbarlow/devel/pulp/pulp/client_lib/pulp/client/commands/repo/cudl.py", line 370, in display_repositories
    repo_list = self.get_repositories(query_params, **kwargs)
  File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 24, in get_repositories
    all_repos = self._all_repos(query_params, **kwargs)
  File "/home/rbarlow/devel/pulp/pulp_rpm/extensions_admin/pulp_rpm/extensions/admin/repo_list.py", line 66, in _all_repos
    self.all_repos_cache = self.context.server.repo.repositories(query_params).response_body
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/repository.py", line 34, in repositories
    return self.server.GET(path, query_parameters)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 85, in GET 
    return self._request('GET', path, queries)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 135, in _request
    response_code, response_body = self.server_wrapper.request(method, url, body)
  File "/home/rbarlow/devel/pulp/pulp/bindings/pulp/bindings/server.py", line 285, in request
    connection.request(method, url, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 995, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1029, in _send_request
  File "/usr/lib64/python2.7/httplib.py", line 991, in endheaders
  File "/usr/lib64/python2.7/httplib.py", line 844, in _send_output
  File "/usr/lib64/python2.7/httplib.py", line 806, in send
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
    sock.connect((self.host, self.port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: sslv3 alert handshake failure

For connections that don't use a context at all, m2crypto is able to connect to the Pulp server correctly. I've also been able to eliminate the server by ensuring that curl and wget are able to accept the Pulp API without issue.

[0] http://fedoraproject.org/wiki/Changes/CryptoPolicy

Comment 1 Randy Barlow 2014-07-25 21:55:39 UTC
I just learned a bit about the supported values for the Context object's protocol argument:

[rbarlow@coconut ~]$ python
Python 2.7.5 (default, Feb 19 2014, 13:47:28) 
[GCC 4.8.2 20131212 (Red Hat 4.8.2-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> dir(ssl)
['CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'DER_cert_to_PEM_cert', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv2', 'PROTOCOL_SSLv23', 'PROTOCOL_SSLv3', 'PROTOCOL_TLSv1', 'RAND_add', 'RAND_egd', 'RAND_status', 'SSLError', 'SSLSocket', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', '_DEFAULT_CIPHERS', '_PROTOCOL_NAMES', '_SSLv2_IF_EXISTS', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_delegate_methods', '_fileobject', '_getnameinfo', '_ssl', 'base64', 'cert_time_to_seconds', 'errno', 'get_protocol_name', 'get_server_certificate', 'socket', 'socket_error', 'sslwrap_simple', 'textwrap', 'wrap_socket']
>>> print ssl._PROTOCOL_NAMES
{0: 'SSLv2', 1: 'SSLv3', 2: 'SSLv23', 3: 'TLSv1'}

This may or may not be useful in figuring out what is going on in rawhide.

Comment 2 Chris Duryee 2014-10-30 18:32:48 UTC
Moving back to NEW state for now. This is a good BZ to examine after the F21 beta is released.

Comment 3 Chris Duryee 2014-11-04 22:31:59 UTC
I hit an issue related to kombu with F21 beta but the bindings appear to work OK for me. Do I need to run with verify_ssl enabled? I get the correct error when verify_ssl is not set to False.

Comment 4 Randy Barlow 2014-11-05 01:08:49 UTC
Oh wow, I forgot about this. In fixing our POODLE bugs, I changed that argument from "sslv3" to "sslv23", which I now know means "do any protocol you know how to do, including TLS".

I think we can forget about the crypto part of this bug, but I suppose we should fix the other issues you mentioned. Want to keep this bug open to fix those? Can you document what they were?

Comment 5 Chris Duryee 2014-11-05 15:07:20 UTC
Glad to hear the poodle fix also fixed this:)

I will change the BZ to a general "Pulp does not work on F21 beta" bug.

Comment 6 Chris Duryee 2014-11-07 20:01:44 UTC
python-kombu 3.0.24 will fix this on fedora 21.

We need to ensure all versions of qpid for various dists have the correct patch. Leaving bz as assigned until kombu is upgraded to 3.0.24 in our deps dir.

Comment 7 Chris Duryee 2014-12-23 20:52:47 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 8 Irina Gulina 2015-02-02 18:37:59 UTC
>> rpm -qa pulp-server

>> pulp-admin -u admin -p admin rpm repo list
                            RPM Repositories

Id:                  krevetka
Display Name:        krevetka
Description:         None
Content Unit Counts: 

Id:                  rybka
Display Name:        rybka
Description:         None
Content Unit Counts: 
  Erratum:          4
  Package Category: 1
  Package Group:    2
  Rpm:              32

>> pulp-admin -u admin -p admin rpm repo create --repo-id suslik
Successfully created repository [suslik]

>> pulp-admin -u admin -p admin rpm repo update --repo-id suslik --display-name="Suslik Grisha"
Repository [suslik] successfully updated

>> pulp-admin -u admin -p admin rpm repo list
                            RPM Repositories

Id:                  krevetka
Display Name:        krevetka
Description:         None
Content Unit Counts: 

Id:                  rybka
Display Name:        rybka
Description:         None
Content Unit Counts: 
  Erratum:          4
  Package Category: 1
  Package Group:    2
  Rpm:              32

Id:                  suslik
Display Name:        Suslik Grisha
Description:         None
Content Unit Counts:

Comment 9 Brian Bouterse 2015-02-28 22:13:50 UTC
Moved to https://pulp.plan.io/issues/476

Note You need to log in before you can comment on or make changes to this bug.