Bug 1553752 - Bump python-cryptography to >=2.1
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-cryptography
Version: 7.5
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: pre-dev-freeze
: 7.5
Assignee: Christian Heimes
QA Contact: Kaleem
Reported: 2018-03-09 13:18 UTC by Carlos Goncalves
Modified: 2018-12-14 13:48 UTC

Clone Of: 1553517
Last Closed: 2018-12-14 13:48:41 UTC
Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1556933 high CLOSED Bump python-cryptography to >=2.1 2020-10-14 00:28:05 UTC

Internal Links: 1556933

Description Carlos Goncalves 2018-03-09 13:18:18 UTC
+++ This bug was initially created as a clone of Bug #1553517 +++

Description of problem:

Octavia requires python2-cryptography!=2.0,>=1.9 [1] and is synced with global-requirements.txt [2]. CentOS7 provides python2-cryptography-1.7.2-1.el7 which is not good enough and throws exceptions on load balancer create in Octavia:

2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker   File "/usr/lib/python2.7/site-packages/octavia/certificates/common/pkcs12.py", line 35, in get_certificate
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker     return self.certificate.to_cryptography().public_bytes(
2018-03-08 23:45:46.453 24634 ERROR octavia.controller.worker.controller_worker AttributeError: 'X509' object has no attribute 'to_cryptography'

Could we promote python2-cryptography-2.1.4 from Fedora [3]? There might be some considerations to be made first, i.e. bump of openssl and pyopenssl versions?


[1] https://github.com/openstack/octavia/blob/master/requirements.txt#L47
[2] https://github.com/openstack/requirements/blob/master/global-requirements.txt#L28
[3] https://src.fedoraproject.org/rpms/python-cryptography/blob/master/f/python-cryptography.spec

Comment 1 Carlos Goncalves 2018-03-09 15:15:18 UTC
Retargeting product to RHEL7.

Comment 3 Carlos Goncalves 2018-03-15 11:01:31 UTC
python-cryptography>=1.9 is not good enough as recently discovered with a new gate using lower-constraints [1]. Octavia requires python-cryptography>=2.1.

Version bump being requested upstream for global-requirements.txt and lower-constraints.txt in [2].

Submitted new patch set for openstack-octavia.spec [3].

[1] https://review.openstack.org/#/c/553134/
[2] https://review.openstack.org/#/c/553136/
[3] https://review.rdoproject.org/r/#/c/12857
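The two constraints quoted in the description and in comment 3 can be checked against the package versions named in this report before a service starts, so that the mismatch shows up at deploy time and not as an AttributeError during load balancer creation. The following is an added example, not code from Octavia or from this bug; the function names are hypothetical and only plain numeric versions are handled (no pre-release or epoch parsing).

```python
import re

# Constraints quoted in this bug report.
OCTAVIA_ORIGINAL = "!=2.0,>=1.9"  # from the description
OCTAVIA_BUMPED = ">=2.1"          # from comment 3

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\S+)$")


def parse_release(version):
    """Turn '2.1.4' or an RPM-style '1.7.2-1.el7' into a tuple of ints."""
    upstream = version.split("-", 1)[0]  # drop the RPM release suffix
    if not re.match(r"^\d+(\.\d+)*$", upstream):
        raise ValueError("unsupported version: %r" % version)
    return tuple(int(part) for part in upstream.split("."))


def unmet_clauses(installed, spec):
    """Return the clauses of `spec` that `installed` fails to satisfy."""
    have = parse_release(installed)
    failed = []
    for clause in (c.strip() for c in spec.split(",")):
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError("unsupported clause: %r" % clause)
        want = parse_release(match.group(2))
        width = max(len(have), len(want))  # pad so that 2.0 == 2.0.0
        a = have + (0,) * (width - len(have))
        b = want + (0,) * (width - len(want))
        if not _OPS[match.group(1)](a, b):
            failed.append(clause)
    return failed


if __name__ == "__main__":
    # Versions below are the ones mentioned in this report.
    for version in ("1.7.2-1.el7", "1.9", "2.0", "2.1.4"):
        for spec in (OCTAVIA_ORIGINAL, OCTAVIA_BUMPED):
            print(version, spec, unmet_clauses(version, spec) or "ok")
```
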

Comment 4 Noam Manos 2018-04-03 09:10:25 UTC
(In reply to Carlos Goncalves from comment #3)
> python-cryptography>=1.9 is not good enough as recently discovered with a
> new gate using lower-constraints [1]. Octavia requires
> python-cryptography>=2.1.
> 
> Version bump being requested upstream for global-requirements.txt and
> lower-constraints.txt in [2].
> 
> Submitted new patch set for openstack-octavia.spec [3].
> 
> [1] https://review.openstack.org/#/c/553134/
> [2] https://review.openstack.org/#/c/553136/
> [3] https://review.rdoproject.org/r/#/c/12857

On puddle 2018-03-20.2 there are no "python-cryptography" or "python2-cryptography" packages at all, only "cryptography" version 1.7.2.

----

(overcloud) [stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed 
13   -p 2018-03-20.2
(overcloud) [stack@undercloud-0 ~]$ pip list | egrep *cryptography
cryptography                     1.7.2            
(overcloud) [stack@undercloud-0 ~]$ pip list | egrep *OpenSSL*
pyOpenSSL                        17.3.0           

----

Comment 5 Carlos Goncalves 2018-04-03 09:43:20 UTC
Noam, this bz is for RHEL7. You should be looking at rhbz #1556933 where python-cryptography>=2.1 is now being provided in OSP channels.

Additionally, do not use pip. Use yum. Your grep is not matching correctly; you should be doing something like "grep *cryptography*".

Comment 6 Carlos Goncalves 2018-04-03 11:21:42 UTC
The requirement of python-cryptography>=2.1 by OpenStack Octavia was met in rhbz#1556933 by shipping the bumped version via OSP channels.

