Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20486

4.11 broken since the latest Python 3.6 update is incompatible with eventlet

    XMLWordPrintable

Details

    • Critical
    • Yes
    • 2
    • Metal Platform 243, Metal Platform 244
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      A recent security update to Python caused provisioning of hosts on the bare metal platform to fail. Until this issue is resolved, do not upgrade your {product-title} cluster to version 4.11.52 on the bare metal platform. If you do upgrade to this version and the issue is not fixed, you cannot scale nodes. (link:https://issues.redhat.com/browse/OCPBUGS-20486[*OCPBUGS-20486*])
      Show
      A recent security update to Python caused provisioning of hosts on the bare metal platform to fail. Until this issue is resolved, do not upgrade your {product-title} cluster to version 4.11.52 on the bare metal platform. If you do upgrade to this version and the issue is not fixed, you cannot scale nodes. (link: https://issues.redhat.com/browse/OCPBUGS-20486 [* OCPBUGS-20486 *])
    • Known Issue
    • Done

    Description

      The problem manifests as this traceback in the ironic-python-agent ramdisk:

      Traceback (most recent call last):
        File "/usr/lib64/python3.6/ssl.py", line 754, in __init__
          self.getpeername()
      OSError: [Errno 107] Transport endpoint is not connectedDuring handling of the above exception, another exception occurred:Traceback (most recent call last):
        File "/usr/bin/ironic-python-agent", line 10, in <module>
          sys.exit(run())
        File "/usr/lib/python3.6/site-packages/ironic_python_agent/cmd/agent.py", line 63, in run
          CONF.advertise_protocol).run()
        File "/usr/lib/python3.6/site-packages/ironic_python_agent/agent.py", line 498, in run
          self.serve_ipa_api()
        File "/usr/lib/python3.6/site-packages/ironic_python_agent/agent.py", line 383, in serve_ipa_api
          self.api.start(cert_file, key_file)
        File "/usr/lib/python3.6/site-packages/ironic_python_agent/api/app.py", line 141, in start
          self.service.start()
        File "/usr/lib/python3.6/site-packages/oslo_service/wsgi.py", line 173, in start
          self.dup_socket = sslutils.wrap(self.conf, self.dup_socket)
        File "/usr/lib/python3.6/site-packages/oslo_service/sslutils.py", line 104, in wrap
          return ssl.wrap_socket(sock, **ssl_kwargs)  # nosec
        File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 422, in wrap_socket
          return GreenSSLSocket(sock, *a, **kw)
        File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 117, in __init__
          ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
        File "/usr/lib64/python3.6/ssl.py", line 759, in __init__
          blocking = (self.gettimeout() != 0)
        File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 145, in gettimeout
          return self._timeout
      AttributeError: 'GreenSSLSocket' object has no attribute '_timeout'
      

      Version-Release number of selected component (if applicable):

      python3-3.6.8-47.el8_6.2

      How reproducible:

      always

      Steps to Reproduce:

      1. Provision a bare metal host or run IPI installer
      

      Actual results:

      Provisioning gets stuck on cleaning

      Expected results:

      Provisioning succeeds

      Additional info:

      Eventlet overrides gettimeout to use a private instance variable _timeout, but for some reason does not initialize it early enough. Normally, the Python's ssl module calls settimeout. But the fix for CVE 2023-40217 shuffles this code around, adding a new call to gettimeout before settimeout is called with the cached timeout value. This breaks the eventlet's TLS support.

      The fix should be rather simple IMO: just remove the condition on Python 2 from here: https://github.com/eventlet/eventlet/blob/master/eventlet/green/ssl.py#L108

      Attachments

        Issue Links

          Activity

            People

              rhn-engineering-dtantsur Dmitry Tantsur
              rhn-engineering-dtantsur Dmitry Tantsur
              Jad Haj Yahya Jad Haj Yahya
              Darragh Fitzmaurice Darragh Fitzmaurice
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: