tripleo

molecule jobs failing with AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

Bug #1995608 reported by Rabi Mishra
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Critical
Rabi Mishra
tripleo antelope-1

Bug Description

Looks like it's due to the lastest cryptography[1] with is causing the issue.

[1] https://github.com/pyca/cryptography/issues/7126

2022-11-03 11:34:13.930275 | centos-9-stream |
2022-11-03 11:34:13.930291 | centos-9-stream | TASK [test_deps : Install selinux python libs] *********************************
2022-11-03 11:34:13.930308 | centos-9-stream | An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
2022-11-03 11:34:13.930333 | centos-9-stream | fatal: [localhost]: FAILED! => changed=false
2022-11-03 11:34:13.930351 | centos-9-stream | module_stderr: |-
2022-11-03 11:34:13.930367 | centos-9-stream | Traceback (most recent call last):
2022-11-03 11:34:13.930383 | centos-9-stream | File "/home/zuul/.ansible/tmp/ansible-tmp-1667475253.1181245-38316-65011755564981/AnsiballZ_dnf.py", line 100, in <module>
2022-11-03 11:34:13.930414 | centos-9-stream | _ansiballz_main()
2022-11-03 11:34:13.930435 | centos-9-stream | File "/home/zuul/.ansible/tmp/ansible-tmp-1667475253.1181245-38316-65011755564981/AnsiballZ_dnf.py", line 92, in _ansiballz_main
2022-11-03 11:34:13.930452 | centos-9-stream | invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
2022-11-03 11:34:13.930468 | centos-9-stream | File "/home/zuul/.ansible/tmp/ansible-tmp-1667475253.1181245-38316-65011755564981/AnsiballZ_dnf.py", line 40, in invoke_module
2022-11-03 11:34:13.930484 | centos-9-stream | runpy.run_module(mod_name='ansible.modules.dnf', init_globals=dict(_module_fqn='ansible.modules.dnf', _modlib_path=modlib_path),
2022-11-03 11:34:13.930500 | centos-9-stream | File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
2022-11-03 11:34:13.930516 | centos-9-stream | return _run_module_code(code, init_globals, run_name, mod_spec)
2022-11-03 11:34:13.930532 | centos-9-stream | File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
2022-11-03 11:34:13.930548 | centos-9-stream | _run_code(code, mod_globals, init_globals,
2022-11-03 11:34:13.930564 | centos-9-stream | File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
2022-11-03 11:34:13.930579 | centos-9-stream | exec(code, run_globals)
2022-11-03 11:34:13.930596 | centos-9-stream | File "/tmp/ansible_ansible.legacy.dnf_payload_hal9n_vz/ansible_ansible.legacy.dnf_payload.zip/ansible/modules/dnf.py", line 328, in <module>
2022-11-03 11:34:13.930613 | centos-9-stream | File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
2022-11-03 11:34:13.930629 | centos-9-stream | File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
2022-11-03 11:34:13.930644 | centos-9-stream | File "<frozen importlib._bootstrap>", line 664, in _load_unlocked
2022-11-03 11:34:13.930660 | centos-9-stream | File "<frozen importlib._bootstrap>", line 627, in _load_backward_compatible
2022-11-03 11:34:13.930677 | centos-9-stream | File "<frozen zipimport>", line 259, in load_module
2022-11-03 11:34:13.930693 | centos-9-stream | File "/tmp/ansible_ansible.legacy.dnf_payload_hal9n_vz/ansible_ansible.legacy.dnf_payload.zip/ansible/module_utils/urls.py", line 115, in <module>
2022-11-03 11:34:13.930709 | centos-9-stream | File "/home/zuul/test-python/lib64/python3.9/site-packages/urllib3/contrib/pyopenssl.py", line 50, in <module>
2022-11-03 11:34:13.930725 | centos-9-stream | import OpenSSL.SSL
2022-11-03 11:34:13.930741 | centos-9-stream | File "/usr/lib/python3.9/site-packages/OpenSSL/__init__.py", line 8, in <module>
2022-11-03 11:34:13.930757 | centos-9-stream | from OpenSSL import crypto, SSL
2022-11-03 11:34:13.930773 | centos-9-stream | File "/usr/lib/python3.9/site-packages/OpenSSL/crypto.py", line 1556, in <module>
2022-11-03 11:34:13.930789 | centos-9-stream | class X509StoreFlags(object):
2022-11-03 11:34:13.930805 | centos-9-stream | File "/usr/lib/python3.9/site-packages/OpenSSL/crypto.py", line 1577, in X509StoreFlags
2022-11-03 11:34:13.930821 | centos-9-stream | CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
2022-11-03 11:34:13.930837 | centos-9-stream | AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
2022-11-03 11:34:13.930853 | centos-9-stream | module_stdout: ''
2022-11-03 11:34:13.930869 | centos-9-stream | msg: |-
2022-11-03 11:34:13.930885 | centos-9-stream | MODULE FAILURE
2022-11-03 11:34:13.930901 | centos-9-stream | See stdout/stderr for the exact error

Rabi Mishra (rabi)
Changed in tripleo:
milestone: none → antelope-1
OpenStack Infra (hudson-openstack)
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/863508
Committed: https://opendev.org/openstack/tripleo-ansible/commit/0e0a80a8ab56b5bd6903a8b169d058b352843f2a
Submitter: "Zuul (22348)"
Branch: master

commit 0e0a80a8ab56b5bd6903a8b169d058b352843f2a
Author: rabi <email address hidden>
Date: Thu Nov 3 16:45:57 2022 +0530

    Fix molecule jobs broken with latest cryptography

    Pin cryptography to < 37.0.0[1].

    Also, changes tripleo_keystone_resources role to use
    centos:stream9 image.

    [1] https://github.com/pyca/cryptography/issues/7126

    Closes-Bug: #1995608
    Change-Id: I6852de27f68f4dcf2cac44a80b3a491db1996d9f

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/863462

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (stable/zed)

Change abandoned by "Rabi Mishra <email address hidden>" on branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/863462
Reason: squashed in another review to fix jobs

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/863463
Committed: https://opendev.org/openstack/tripleo-ansible/commit/8a8b6ead442e548ff404ec09f732cf10f50a3420
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 8a8b6ead442e548ff404ec09f732cf10f50a3420
Author: rabi <email address hidden>
Date: Tue Nov 1 23:16:22 2022 +0530

    Fix stable/zed molecule jobs

    This includes backport of two commits.

    [1] Pin openstack.cloud collection

    Install from git repo and pin[1] openstack.cloud collection
    to fix the molecule jobs.

    [1] https://opendev.org/openstack/tripleo-quickstart/src/branch/master/quickstart.sh#L155

    [2] Fix molecule jobs broken with latest cryptography

    Pin cryptography to < 37.0.0[1].

    Also, changes tripleo_keystone_resources role to use
    centos:stream9 image.

    [1] https://github.com/pyca/cryptography/issues/7126

    Closes-Bug: #1995608

    Change-Id: I0bf06f676902851e062f4ffc205801ce473b9a6e
    (cherry picked from commit 4dea939ba09e42c36860c86f15d2cbee2091b3ba
     and 0e0a80a8ab56b5bd6903a8b169d058b352843f2a)

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864009

Revision history for this message
Cédric Jeanneret (cjeanner) wrote :

It seems this issue is revived - I'm seeing this right now:

ERROR: Cannot install cryptography<37.0.0 because these package versions have conflicting dependencies.

The conflict is caused by:
    The user requested cryptography<37.0.0
    The user requested (constraint) cryptography===38.0.2

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

Example:
https://zuul.opendev.org/t/openstack/build/95b8755b46b24cfc9ca6300947a98006

I've pushed a patch that should remove the cryptography pinning - let's see how it goes.

Revision history for this message
Cédric Jeanneret (cjeanner) wrote :

ok - too soon to remove the pin:
https://zuul.opendev.org/t/openstack/build/a7a68e3766244d0a811ac020a4b89d45

we may just drop the upper-constraint from here:
https://github.com/openstack/tripleo-ansible/blob/master/tox.ini#L105

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (master)

Change abandoned by "Cedric Jeanneret <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864009
Reason: https://review.opendev.org/c/openstack/tripleo-ansible/+/864010 is better

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864044

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864010
Committed: https://opendev.org/openstack/tripleo-ansible/commit/c0bc395ab494ee18e77fba608cdd40762c7b8c51
Submitter: "Zuul (22348)"
Branch: master

commit c0bc395ab494ee18e77fba608cdd40762c7b8c51
Author: Cédric Jeanneret <email address hidden>
Date: Tue Nov 8 15:50:29 2022 +0100

    Move cryprography pin

    This moves the cryptography pin to ansible-requirements.txt
    which is used as a constraints file[1].

    [1] https://opendev.org/openstack/tripleo-ansible/src/branch/master/zuul.d/playbooks/pre.yml#L42

    Related-Bug: #1995608
    Change-Id: I646cd49b614a9f494e77f9893521d3c070900ed5

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864165

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864166

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-ansible (stable/train)

Change abandoned by "Grzegorz Grasza <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864044
Reason: Abandoning in favour of https://review.opendev.org/c/openstack/tripleo-ansible/+/864166

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/zed)

Related fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864172

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864183

Revision history for this message
Cédric Jeanneret (cjeanner) wrote :

So, in order to correct this issue once for all, we need to get a newer version of the pyOpenSSL package

Current version:
Name : python3-pyOpenSSL
Version : 20.0.1
Release : 2.el9s
Architecture : noarch
Size : 383 k
Source : pyOpenSSL-20.0.1-2.el9s.src.rpm
Repository : @System
From repo : delorean-master-testing
Summary : Python 3 wrapper module around the OpenSSL library
URL : https://pyopenssl.readthedocs.org/
License : ASL 2.0
Description : High-level wrapper around a subset of the OpenSSL library, includes among others
             : * SSL.Connection objects, wrapping the methods of Python's portable
             : sockets
             : * Callbacks written in Python
             : * Extensive error-handling mechanism, mirroring OpenSSL's error codes

Apparently, according the the lib changelog[1], we'll need to get 22.1.0 in order to use cryptography-38 and higher.
This is especially important to follow since the Upper-constraints from OpenStack now limits to *at least* cryptography-38, creating a conflict with our pinning...

[1] https://www.pyopenssl.org/en/latest/changelog.html#id1

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/864906

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864183
Committed: https://opendev.org/openstack/tripleo-ansible/commit/fec6066a9a9dad2f8dea334f9157890ec6584afe
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit fec6066a9a9dad2f8dea334f9157890ec6584afe
Author: rabi <email address hidden>
Date: Thu Nov 3 16:45:57 2022 +0530

    Fix molecule jobs broken with latest cryptography

    Pin cryptography to < 37.0.0[1].

    Also, changes tripleo_keystone_resources role to use
    centos:stream9 image.

    [1] https://github.com/pyca/cryptography/issues/7126

    Closes-Bug: #1995608
    Change-Id: I6852de27f68f4dcf2cac44a80b3a491db1996d9f
    (cherry picked from commit 0e0a80a8ab56b5bd6903a8b169d058b352843f2a)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864165
Committed: https://opendev.org/openstack/tripleo-ansible/commit/4106fef31f3061f290a7bf011f85fe36c367dec0
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 4106fef31f3061f290a7bf011f85fe36c367dec0
Author: Cédric Jeanneret <email address hidden>
Date: Tue Nov 8 15:50:29 2022 +0100

    Move cryprography pin

    This moves the cryptography pin to ansible-requirements.txt
    which is used as a constraints file[1].

    [1] https://opendev.org/openstack/tripleo-ansible/src/branch/master/zuul.d/playbooks/pre.yml#L42

    Related-Bug: #1995608
    Change-Id: I646cd49b614a9f494e77f9893521d3c070900ed5
    (cherry picked from commit c0bc395ab494ee18e77fba608cdd40762c7b8c51)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864172
Committed: https://opendev.org/openstack/tripleo-ansible/commit/dc51d894588f213fd2c8d48b793e748afbcc648e
Submitter: "Zuul (22348)"
Branch: stable/zed

commit dc51d894588f213fd2c8d48b793e748afbcc648e
Author: Cédric Jeanneret <email address hidden>
Date: Tue Nov 8 15:50:29 2022 +0100

    Move cryprography pin

    This moves the cryptography pin to ansible-requirements.txt
    which is used as a constraints file[1].

    [1] https://opendev.org/openstack/tripleo-ansible/src/branch/master/zuul.d/playbooks/pre.yml#L42

    Related-Bug: #1995608
    Change-Id: I646cd49b614a9f494e77f9893521d3c070900ed5
    (cherry picked from commit c0bc395ab494ee18e77fba608cdd40762c7b8c51)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864166
Committed: https://opendev.org/openstack/tripleo-ansible/commit/f82c62aefc8d90600e7111ae96bbce0653f23c22
Submitter: "Zuul (22348)"
Branch: stable/train

commit f82c62aefc8d90600e7111ae96bbce0653f23c22
Author: Cédric Jeanneret <email address hidden>
Date: Tue Nov 8 15:50:29 2022 +0100

    Move cryprography pin

    This moves the cryptography pin to ansible-requirements.txt
    which is used as a constraints file[1].

    [1] https://opendev.org/openstack/tripleo-ansible/src/branch/master/zuul.d/playbooks/pre.yml#L42

    Related-Bug: #1995608
    Change-Id: I646cd49b614a9f494e77f9893521d3c070900ed5
    (cherry picked from commit c0bc395ab494ee18e77fba608cdd40762c7b8c51)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/864906
Committed: https://opendev.org/openstack/tripleo-ansible/commit/c0fbc1b281acdb827bf1ade53f81d073953bfd58
Submitter: "Zuul (22348)"
Branch: master

commit c0fbc1b281acdb827bf1ade53f81d073953bfd58
Author: Cédric Jeanneret <email address hidden>
Date: Thu Nov 17 15:52:19 2022 +0100

    Remove cryptography pin

    If we ensure we're running with pyOpenSSL >= 22.1.0, we are all good
    with the python "cryptography" latest version.

    Closes-Bug: #1995608

    Change-Id: I168bb928e1a3943d243a61ddaa6fea32db7c9e5e

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/865239

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 6.0.0

This issue was fixed in the openstack/tripleo-ansible 6.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.