RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1553521 - Bump python-cryptography to >=2.1 and pyOpenSSL >= 17.1.0
Summary: Bump python-cryptography to >=2.1 and pyOpenSSL >= 17.1.0
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-octavia
Version: trunk
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: trunk
Assignee: Carlos Goncalves
QA Contact: Alexander Stafeyev
URL:
Whiteboard:
Depends On: 1553517
Blocks: 1553520 1556933
TreeView+ depends on / blocked
 
Reported: 2018-03-09 01:36 UTC by Carlos Goncalves
Modified: 2019-09-10 14:09 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2018-04-03 09:00:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
RDO 12857 0 None rpm-master: NEW openstack/octavia-distgit: Bump python2-cryptography to >= 1.9 (I3a0a9d51e8d82cbd72391f80d353dc39c668bcad) 2018-03-13 20:20:00 UTC
RDO 12874 0 None master: MERGED rdoinfo: Rebuild python-cryptography-vectors-2.1.4 from fedora (I273e5a413a99443fd33e4622cb031c516034043e) 2018-03-13 20:19:49 UTC
RDO 12875 0 None master: MERGED rdoinfo: Rebuild python-pyasn1crypto-0.23.0-2 from fedora (I7a1c370ddbd5d861b3b12079530655ad0337470b) 2018-03-13 20:19:39 UTC
RDO 12877 0 None rpm-master: NEW openstack/octavia-distgit: Bump pyOpenSSL to >= 17.1.0 (If3b2b76d8b7379b19b22b25d20f294aa3bbaec31) 2018-03-13 20:19:28 UTC
RDO 12878 0 None queens-rdo: NEW openstack/octavia-distgit: Bump pyOpenSSL to >= 17.1.0 (If3b2b76d8b7379b19b22b25d20f294aa3bbaec31) 2018-03-13 20:19:18 UTC

Description Carlos Goncalves 2018-03-09 01:36:04 UTC 
Octavia requires python2-cryptography!=2.0,>=1.9 [1] and is synced with global-requirement.txt [2]. RHEL/CentOS7 provides python2-cryptography-1.7.2-1.el7 which is not good enough and throws exceptions on load balancer create in Octavia:

2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker   File "/usr/lib/python2.7/site-packages/octavia/certificates/common/pkcs12.py", line 35, in get_certificate
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker     return self.certificate.to_cryptography().public_bytes(
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker AttributeError: 'X509' object has no attribute 'to_cryptography'

Version-Release number of selected component (if applicable):

openstack-octavia-api-2.0.0-1.el7.noarch
openstack-octavia-common-2.0.0-1.el7.noarch
openstack-octavia-health-manager-2.0.0-1.el7.noarch
openstack-octavia-housekeeping-2.0.0-1.el7.noarch
openstack-octavia-worker-2.0.0-1.el7.noarch
python2-octaviaclient-1.4.0-1.el7.noarch
python-octavia-2.0.0-1.el7.noarch

How reproducible: 100%


Steps to Reproduce:
1. openstack loadbalancer create lb2
2. openstack loadbalancer listener create --protocol-port 443 --protocol TERMINATED_HTTPS --name listener2 --default-tls-container=http://<ommitted>:9311/v1/secrets/50a1b6e0-b53c-4b33-a06d-0544eaaf02f0 lb2
Comment 1 Carlos Goncalves 2018-03-09 01:38:18 UTC 
Once python-cryptography is updated, we need to bump Requires: in https://github.com/rdo-packages/octavia-distgit/blob/rpm-master/openstack-octavia.spec#L113-L114
Comment 2 Alan Pevec 2018-03-09 14:24:01 UTC 
Please file BZ against RHEL7 to rebase or backport the fix, we should not be overriding base OS packages.
Comment 3 Carlos Goncalves 2018-03-09 15:18:17 UTC 
Retargeted bz#1553752 to RHEL7.
Comment 4 Carlos Goncalves 2018-03-15 10:58:40 UTC 
python-cryptography>=1.9 is not good enough as recently discovered with a new gate using lower-constraints [1]. Octavia requires python-cryptography>=2.1.

Version bump being requested upstream for global-requirements.txt and lower-constraints.txt in [2].

Submitted new patch set for openstack-octavia.spec [3].

[1] https://review.openstack.org/#/c/553134/
[2] https://review.openstack.org/#/c/553136/
[3] https://review.rdoproject.org/r/#/c/12857
Comment 5 Carlos Goncalves 2018-03-15 13:09:31 UTC 
Created lower-constraints.txt out of requirements.txt from octavia stable/queens, bumped jinja2 and python-barbicanclient versions. I then ran ran unit and functional tests.

Results:
- FAIL: http://paste.openstack.org/show/701685/ (python-cryptography==1.9)
- FAIL: http://paste.openstack.org/show/701695/ (python-cryptography==2.1)
- SUCCESS: http://paste.openstack.org/show/701690/ (python-cryptography==2.1 AND pyOpenSSL==17.1.0)



lower-constraints.txt for stable/queens verified to work with Octavia stable/queens:


# The order of packages is significant, because pip processes them in the order
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
alembic==0.8.10 # MIT
cotyledon==1.3.0 # Apache-2.0
pecan==1.0.0 # BSD
pbr==2.0.0 # Apache-2.0
SQLAlchemy==1.0.10 # MIT
Babel==2.3.4 # BSD
futurist==1.2.0 # Apache-2.0
requests==2.14.2 # Apache-2.0
rfc3986==0.3.1 # Apache-2.0
keystoneauth1==3.3.0 # Apache-2.0
keystonemiddleware==4.17.0 # Apache-2.0
python-neutronclient==6.3.0 # Apache-2.0
WebOb==1.7.1 # MIT
six==1.10.0 # MIT
stevedore==1.20.0 # Apache-2.0
oslo.config==5.1.0 # Apache-2.0
oslo.context==2.19.2 # Apache-2.0
oslo.db==4.27.0 # Apache-2.0
oslo.i18n==3.15.3 # Apache-2.0
oslo.log==3.36.0 # Apache-2.0
oslo.messaging==5.29.0 # Apache-2.0
oslo.middleware==3.31.0 # Apache-2.0
oslo.policy==1.30.0 # Apache-2.0
oslo.reports==1.18.0 # Apache-2.0
oslo.utils==3.33.0 # Apache-2.0
pyasn1==0.1.8 # BSD
pyasn1-modules==0.0.6 # BSD
PyMySQL==0.7.6 # MIT License
python-barbicanclient==4.5.2 # Apache-2.0
python-glanceclient==2.8.0 # Apache-2.0
python-novaclient==9.1.0 # Apache-2.0
pyOpenSSL==16.2.0 # Apache-2.0
WSME==0.8.0 # MIT
Jinja2==2.10 # BSD License (3 clause)
taskflow==2.16.0 # Apache-2.0
diskimage-builder==1.1.2 # Apache-2.0
futures==3.0.0;python_version=='2.7' or python_version=='2.6' # BSD
castellan==0.16.0 # Apache-2.0

#for the amphora api
Flask==0.10 # BSD
netifaces==0.10.4 # MIT
ipaddress==1.0.16;python_version<'3.3' # PSF
cryptography==1.9 # BSD/Apache-2.0
pyroute2==0.4.21;sys_platform!='win32' # Apache-2.0 (+ dual licensed GPL2)
gunicorn==19.0.0 # MIT
Comment 6 Carlos Goncalves 2018-04-03 08:49:10 UTC 
Only one patch remains in-review: https://review.rdoproject.org/r/#/c/12878/
Note You need to log in before you can comment on or make changes to this bug.