Bug 2072990 - python-s3transfer-0.1.13-1.el7_9.2.noarch causes urllib3 import before boto3 import to crash with ImportError: cannot import name PROTOCOL_TLS
Summary: python-s3transfer-0.1.13-1.el7_9.2.noarch causes urllib3 import before boto3 ...
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-s3transfer
Version: 7.9
Hardware: x86_64
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Oyvind Albrigtsen
QA Contact: Brandon Perkins
URL:
Whiteboard:
Depends On:
Blocks: 2073979
TreeView+ depends on / blocked
 
Reported: 2022-04-07 12:27 UTC by Jason Woods
Modified: 2022-06-22 03:23 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2050751 1 high CLOSED fence_aws fails to find credentials when only IMDSv2 is enabled (RHEL7) 2022-04-19 03:34:47 UTC
Red Hat Bugzilla 2073979 1 urgent VERIFIED Missing lib python docevents [rhel-7.9.z] 2022-06-19 14:19:27 UTC
Red Hat Issue Tracker RHELPLAN-118246 0 None None None 2022-04-07 12:39:33 UTC

Description Jason Woods 2022-04-07 12:27:51 UTC
Description of problem:

Since release of python-s3transfer-0.1.13-1.el7_9.2.noarch some utilities, such as certbot from EPEL, no longer function, as well as some internal applications.

Version-Release number of selected component (if applicable):

python-s3transfer-0.1.13-1.el7_9.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Update to python-s3transfer-0.1.13-1.el7_9.2.noarch
2. Run following:

$ python
>>> import boto3
>>> import urllib3
>>> urllib3.__file

3. Also run the following:

$ python
>>> import urllib3
>>> import boto3

Actual results:

1.

Python 2.7.5 (default, Nov 16 2020, 22:23:17)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> import urllib3
>>> urllib3.__file__
'/usr/lib/fence-agents/bundled/urllib3/__init__.pyc'
>>>

2.

Python 2.7.5 (default, Nov 16 2020, 22:23:17)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3
>>> urllib3.__file__
'/usr/lib/python2.7/site-packages/urllib3/__init__.pyc'
>>> import boto3
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/boto3/__init__.py", line 16, in <module>
    from boto3.session import Session
  File "/usr/lib/python2.7/site-packages/boto3/session.py", line 19, in <module>
    import botocore.session
  File "/usr/lib/fence-agents/bundled/botocore/session.py", line 29, in <module>
    import botocore.credentials
  File "/usr/lib/fence-agents/bundled/botocore/credentials.py", line 34, in <module>
    from botocore.config import Config
  File "/usr/lib/fence-agents/bundled/botocore/config.py", line 16, in <module>
    from botocore.endpoint import DEFAULT_TIMEOUT, MAX_POOL_CONNECTIONS
  File "/usr/lib/fence-agents/bundled/botocore/endpoint.py", line 22, in <module>
    from botocore.awsrequest import create_request_object
  File "/usr/lib/fence-agents/bundled/botocore/awsrequest.py", line 24, in <module>
    import botocore.utils
  File "/usr/lib/fence-agents/bundled/botocore/utils.py", line 32, in <module>
    import botocore.httpsession
  File "/usr/lib/fence-agents/bundled/botocore/httpsession.py", line 10, in <module>
    from urllib3.util.ssl_ import (
ImportError: cannot import name PROTOCOL_TLS
>>>

Expected results:

Previous version, python-s3transfer-0.1.13-1.el7.0.1.noarch, would return working, as follows. Note that the urllib3 is not replaced from fence-agents and is working.

1.

Python 2.7.5 (default, Nov 16 2020, 22:23:17)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> import urllib3
>>> urllib3.__file__
'/usr/lib/python2.7/site-packages/urllib3/__init__.pyc'
>>>

2.

Python 2.7.5 (default, Nov 16 2020, 22:23:17)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib3
>>> import boto3
>>>
>>>

Additional info:

Seems like new version has bundled new urllib3 of version 1.26.8 - much higher than the system one of 1.20.2 - but if the system one is already imported before boto3, which is case in my apps and certbot, then it ends up with 1.20.2 which seems to break boto3

Comment 3 Jason Woods 2022-04-07 12:48:07 UTC
Certbot logs which triggered along with my own failures:

# certbot
An unexpected error occurred:
ImportError: cannot import name PROTOCOL_TLS
Please see the logfile '/tmp/tmpxyrTML/log' for more details.
# cat /tmp/tmpxyrTML/log
2022-04-07 12:10:52,605:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1383, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 236, in find_all
    plugin_ep = cls._load_entry_point(entry_point, plugins, with_prefix=False)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 254, in _load_entry_point
    plugin_ep = PluginEntryPoint(entry_point, with_prefix)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/plugins/disco.py", line 56, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
  File "/usr/lib/python2.7/site-packages/certbot_dns_route53/authenticator.py", line 7, in <module>
    from certbot_dns_route53._internal import dns_route53
  File "/usr/lib/python2.7/site-packages/certbot_dns_route53/_internal/dns_route53.py", line 6, in <module>
    import boto3
  File "/usr/lib/python2.7/site-packages/boto3/__init__.py", line 16, in <module>
    from boto3.session import Session
  File "/usr/lib/python2.7/site-packages/boto3/session.py", line 19, in <module>
    import botocore.session
  File "/usr/lib/fence-agents/bundled/botocore/session.py", line 29, in <module>
    import botocore.credentials
  File "/usr/lib/fence-agents/bundled/botocore/credentials.py", line 34, in <module>
    from botocore.config import Config
  File "/usr/lib/fence-agents/bundled/botocore/config.py", line 16, in <module>
    from botocore.endpoint import DEFAULT_TIMEOUT, MAX_POOL_CONNECTIONS
  File "/usr/lib/fence-agents/bundled/botocore/endpoint.py", line 22, in <module>
    from botocore.awsrequest import create_request_object
  File "/usr/lib/fence-agents/bundled/botocore/awsrequest.py", line 24, in <module>
    import botocore.utils
  File "/usr/lib/fence-agents/bundled/botocore/utils.py", line 32, in <module>
    import botocore.httpsession
  File "/usr/lib/fence-agents/bundled/botocore/httpsession.py", line 10, in <module>
    from urllib3.util.ssl_ import (
ImportError: cannot import name PROTOCOL_TLS
2022-04-07 12:10:52,605:ERROR:certbot._internal.log:An unexpected error occurred:
2022-04-07 12:10:52,605:ERROR:certbot._internal.log:ImportError: cannot import name PROTOCOL_TLS

Comment 4 Jered Floyd 2022-04-19 03:50:28 UTC
Duplicating my comment from rhbz#2050751, this also breaks the package "awscli-1.14.28-5.el7_5.1.noarch":

# aws --version
Traceback (most recent call last):
  File "/bin/aws", line 19, in <module>
    import awscli.clidriver
  File "/usr/lib/python2.7/site-packages/awscli/clidriver.py", line 37, in <module>
    from awscli.help import ProviderHelpCommand
  File "/usr/lib/python2.7/site-packages/awscli/help.py", line 24, in <module>
    from botocore.docs.bcdoc import docevents
ImportError: cannot import name docevents


Note You need to log in before you can comment on or make changes to this bug.