Description of problem: Cannot cancel builds. Version-Release number of selected component (if applicable): koji-1.13.0-2.fc26.noarch How reproducible: Always Steps to Reproduce: 1. $ koji cancel 20596638 2. $ sudo dnf install python-krbV Actual results: ImportError: Please install python-krbV to use kerberos. ... Last metadata expiration check: 2:24:52 ago on Tue Jul 18 13:30:20 2017. Package python-krbV-1.0.90-13.fc26.x86_64 is already installed, skipping. Dependencies resolved. Nothing to do. Complete! Expected results: Cancel the build.
Simpler reproducer: $ koji hello ImportError: Please install python-krbV to use kerberos.
The code in https://pagure.io/koji/blob/master/f/koji/__init__.py#_2089 krb_login() has this: if principal is None and keytab is None and ccache is None: try: # Silently try GSSAPI first if self.gssapi_login(proxyuser=proxyuser): return True except: pass if not krbV: raise PythonImportError( "Please install python-krbV to use kerberos." ) Note that this has a bare except which you should never do, the exception there is: UnboundLocalError('local variable 'sinfo' referenced before assignment') Note that this happens only sometimes: $ koji hello नमस्कार, churchyard! You are using the hub at https://koji.fedoraproject.org/kojihub Authenticated via GSSAPI $ koji hello <class 'UnboundLocalError'> local variable 'sinfo' referenced before assignment ImportError: Please install python-krbV to use kerberos.
That's here: https://pagure.io/koji/blob/master/f/koji/__init__.py#_2214 Also, what really causes the issue is this (added tarcebacks print to some places to see those): Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2211, in gssapi_login sinfo = self._callMethod('sslLogin', [proxyuser], retry=False) File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2420, in _callMethod return self._sendCall(handler, headers, request) File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2333, in _sendCall return self._sendOneCall(handler, headers, request) File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2378, in _sendOneCall r = self.rsession.post(handler, **callopts) File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 535, in post return self.request('POST', url, data=data, json=json, **kwargs) requests_kerberos.exceptions.MutualAuthenticationError: Unable to authenticate <Response [200]> Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2102, in krb_login if self.gssapi_login(proxyuser=proxyuser): File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2220, in gssapi_login raise AuthError('unable to obtain a session') koji.AuthError: unable to obtain a session
Same for me. but I am can't start building package from scratch. [mikhail@localhost mutter]$ koji build --scratch f26 mutter-3.24.3-4.fc26.src.rpm ImportError: Please install python-krbV to use kerberos. [mikhail@localhost mutter]$ sudo dnf install python-krbV [sudo] password for mikhail: Last metadata expiration check: 1:32:52 ago on Чт 20 июл 2017 14:44:37. Package python-krbV-1.0.90-13.fc26.x86_64 is already installed, skipping. Dependencies resolved. Nothing to do. Complete!
Is there any maintainers here? How do you build packages from scratch if koji not worked?
(In reply to Mikhail from comment #5) > How do you build packages from scratch if koji not worked? I so far only needed to scratch build existing Fedora packages, I've used: fedpkg build --srpm --scratch And that worked for me.
If I build with koji as you suggest above, my builded package accidentally not push into the Fedora repository?
The --scratch option makes sure of that.
FYI: I'm working around this with running koji-1.13 with python2: $ python2 `which koji` cancel <task_id> It seems "python-krbV is unlikely to ever support python 3" (https://bugzilla.redhat.com/show_bug.cgi?id=1024834). So koji need to switch to an alternative of python-krbV to make it work under python3 with kerberos authentication.
FWIW, the recommended alternative to python-krbV is python-gssapi.
Note that Koji already uses "from requests_kerberos import HTTPKerberosAuth" and krbV is only used as a fallback if that fails, see comment #3.
*** Bug 1472106 has been marked as a duplicate of this bug. ***
Apparently also happens on Fedora 25. Upstream issue and fix for the bad error message (but not the actual problem): https://pagure.io/koji/issue/519
Yes, running with python2 as suggested in comment #9 workarounds the issue for me. On python3 with fix from https://pagure.io/koji/issue/519 I have been getting "AuthError: unable to obtain a session".
I've also ran into this issue on F26, I believe after resolving a packaging conflict involving krb5-libs when doing a dnf update. Reinstalling krb5-libs, koji packages and python-krbV did not resolve the problem. For some reason, re-authenticating with kinit and then running the koji command worked without needing to use the python2 workaround.
Same here.
it's even worse when dealing with secondary koji instance as the ppc-koji binary is a shell wrapper, one must use eg. python2 /usr/bin/koji --profile ppc cancel qt5-qtwebview-5.7.1-1.fc25 to kill a job ...
Mike, could you please respond?
The root problem here is that gssapi auth is failing. The masked error should have been fixed in commit 56b023b158ce9437469acc8d73db1cd9f65aad55, which was included in 1.14. If gssapi auth fails and krbV is not installed, you should see the underlying error now. The only way I can replicate an error is to destroy my fp.org krb ticket. If I do that, I get an AuthError message, which is reasonable. I expect that you guys are getting a different error. If forcing python2 helps, it is because it allows Koji to fall back to krbV, which really only dodges the issue of gssapi auth failing. Does anyone know what's causing the failure from comment 3?
Side note: if you want to force py2 in Koji 1.14, you can do so in your koji config on a per-profile basis. See: https://docs.pagure.org/koji/release_notes_1.14/#allow-profiles-to-request-a-specific-python-version Of course all that does is make the workaround easier, but it will at least help you with tools that invoke Koji themselves.
(In reply to Mike McLean from comment #19) > The only way I can replicate an error is to destroy my fp.org krb ticket. If > I do that, I get an AuthError message, which is reasonable. I expect that > you guys are getting a different error. [~]$ kinit churchyard Password for churchyard: [~]$ echo $? 0 [~]$ koji cancel 23464856 AuthError: unable to obtain a session
Some changes in a pending PR might help shed some light here. Can you try the following? # git clone https://github.com/mikem23/koji-playground.git # cd koji-playground/ # git checkout pagure/pr/708 # (kinit) # PYTHONPATH=. cli/koji -p koji --debug hello
503 Server Error: Service Temporarily Unavailable for url: https://koji.fedoraproject.org/kojihub I'll test once the infra move is finished.
Works! $ PYTHONPATH=. cli/koji -p koji --debug hello 2017-12-06 16:09:58,145 [DEBUG] koji: Opening new requests session 2017-12-06 16:09:58,145 [DEBUG] koji: Opening new requests session 2017-12-06 16:10:06,360 [DEBUG] koji: Opening new requests session 2017-12-06 16:10:06,361 [DEBUG] koji: gssapi auth failed: MutualAuthenticationError: Unable to authenticate <Response [200]> 2017-12-06 16:10:06,362 [DEBUG] koji: gssapi auth failed: AuthError: unable to obtain a session 2017-12-06 16:10:06,362 [DEBUG] koji: Using server principal: host/koji.fedoraproject.org successfully connected to hub hallo, churchyard! You are using the hub at https://koji.fedoraproject.org/kojihub Authenticated via Kerberos principal churchyard
(Except this runs apparently on Python 2 as well.)
[koji-playground (pagure/pr/708)]$ PYTHONPATH=. python3 cli/koji -p koji --debug hello Traceback (most recent call last): File "cli/koji", line 40, in <module> import koji File "/home/churchyard/Dokumenty/RedHat/koji-playground/koji/__init__.py", line 2134 except Exception, e: ^ SyntaxError: invalid syntax [koji-playground (pagure/pr/708)]$ # edit koji/__init__.py to fix the above [koji-playground (pagure/pr/708)]$ PYTHONPATH=. python3 cli/koji -p koji --debug hello 2017-12-06 16:13:09,559 [DEBUG] koji: Opening new requests session 2017-12-06 16:13:09,559 [DEBUG] koji: Opening new requests session 2017-12-06 16:13:12,806 [DEBUG] koji: Opening new requests session 2017-12-06 16:13:12,806 [DEBUG] koji: gssapi auth failed: requests_kerberos.exceptions.MutualAuthenticationError: Unable to authenticate <Response [200]> Traceback (most recent call last): File "cli/koji", line 310, in <module> rv = locals()[command].__call__(options, session, args) File ".../koji-playground/cli/koji_cli/commands.py", line 7038, in handle_moshimoshi activate_session(session, options) File ".../koji-playground/cli/koji_cli/lib.py", line 571, in activate_session session.krb_login(proxyuser=runas) File ".../koji-playground/koji/__init__.py", line 2132, in krb_login if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser): File ".../koji-playground/koji/__init__.py", line 2273, in gssapi_login raise AuthError('unable to obtain a session') koji.AuthError: unable to obtain a session
$ koji hello AuthError: unable to obtain a session Still valid.
I am also still having this issue on the latest builds. My koji is connected via Freeipa.
This may be a bug in requests-kerberos. I wonder if it is related to this: https://github.com/requests/requests-kerberos/issues/54 I still cannot reproduce this myself. Can anyone dig up further info? Perhaps server logs from failed logins?
If anyone hits this on the Fedora Koji, please come by in #fedora-admin and ping puiterwijk so I can track your requests live.