- Bug
- Resolution: Done-Errata
- Critical
- 4.11.z
- Critical
- Yes
- 2
- Metal Platform 243, Metal Platform 244
- 2
- Rejected
- False
- Known Issue
- Done
The problem manifests as this traceback in the ironic-python-agent ramdisk:
Traceback (most recent call last):
  File "/usr/lib64/python3.6/ssl.py", line 754, in __init__
    self.getpeername()
OSError: [Errno 107] Transport endpoint is not connected

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/ironic-python-agent", line 10, in <module>
    sys.exit(run())
  File "/usr/lib/python3.6/site-packages/ironic_python_agent/cmd/agent.py", line 63, in run
    CONF.advertise_protocol).run()
  File "/usr/lib/python3.6/site-packages/ironic_python_agent/agent.py", line 498, in run
    self.serve_ipa_api()
  File "/usr/lib/python3.6/site-packages/ironic_python_agent/agent.py", line 383, in serve_ipa_api
    self.api.start(cert_file, key_file)
  File "/usr/lib/python3.6/site-packages/ironic_python_agent/api/app.py", line 141, in start
    self.service.start()
  File "/usr/lib/python3.6/site-packages/oslo_service/wsgi.py", line 173, in start
    self.dup_socket = sslutils.wrap(self.conf, self.dup_socket)
  File "/usr/lib/python3.6/site-packages/oslo_service/sslutils.py", line 104, in wrap
    return ssl.wrap_socket(sock, **ssl_kwargs)  # nosec
  File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 422, in wrap_socket
    return GreenSSLSocket(sock, *a, **kw)
  File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 117, in __init__
    ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
  File "/usr/lib64/python3.6/ssl.py", line 759, in __init__
    blocking = (self.gettimeout() != 0)
  File "/usr/lib/python3.6/site-packages/eventlet/green/ssl.py", line 145, in gettimeout
    return self._timeout
AttributeError: 'GreenSSLSocket' object has no attribute '_timeout'
Version-Release number of selected component (if applicable):
python3-3.6.8-47.el8_6.2
How reproducible:
always
Steps to Reproduce:
1. Provision a bare metal host or run IPI installer
Actual results:
Provisioning gets stuck on cleaning
Expected results:
Provisioning succeeds
Additional info:
Eventlet overrides gettimeout to use a private instance variable _timeout, but for some reason does not initialize it early enough. Normally, Python's ssl module calls settimeout. But the fix for CVE-2023-40217 shuffles this code around, adding a new call to gettimeout before settimeout is called with the cached timeout value. This breaks eventlet's TLS support.
The fix should be rather simple IMO: just remove the condition on Python 2 from here: https://github.com/eventlet/eventlet/blob/master/eventlet/green/ssl.py#L108
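The initialization-order failure described above, reduced to a small model. This is an added example, not part of the original report and not code from Python's ssl module or eventlet; every class and function name in it is a hypothetical stand-in, and setting _timeout before delegating to the base constructor is an assumed remedy based on the report's "not early enough" remark.

```python
# Constructed model of the failure described in the report. The classes are
# hypothetical stand-ins, not the real ssl or eventlet code.

class RawSocket:
    """Stand-in for the plain socket layer, which keeps its own timeout."""
    def __init__(self):
        self._raw_timeout = None
    def gettimeout(self):
        return self._raw_timeout
    def settimeout(self, value):
        self._raw_timeout = value

class TLSSetterFirst(RawSocket):
    """Models the old ordering: settimeout() runs before any gettimeout()."""
    def __init__(self, timeout=None):
        super().__init__()
        self.settimeout(timeout)
        self.blocking = self.gettimeout() != 0

class TLSGetterFirst(RawSocket):
    """Models the reordered constructor: gettimeout() runs before settimeout()."""
    def __init__(self, timeout=None):
        super().__init__()
        self.blocking = self.gettimeout() != 0
        self.settimeout(timeout)

def make_green(base, init_early):
    """Build a subclass that keeps the timeout in a private _timeout attribute."""
    class Green(base):
        def __init__(self, timeout=None):
            if init_early:  # assumed remedy: set the attribute before delegating
                self._timeout = timeout
            super().__init__(timeout)
        def gettimeout(self):
            return self._timeout
        def settimeout(self, value):
            self._timeout = value
    return Green

def try_construct(cls):
    """Return 'ok' or the AttributeError message raised during construction."""
    try:
        cls(timeout=None)
        return "ok"
    except AttributeError as exc:
        return str(exc)

if __name__ == "__main__":
    for base in (TLSSetterFirst, TLSGetterFirst):
        for early in (False, True):
            print(base.__name__, "init_early=%s" % early, "->", try_construct(make_green(base, early)))
```

Only the combination of the getter-first base and the late-initializing subclass fails, which is why the subclass worked until the base constructor was reordered.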
- clones: OCPBUGS-21862 Verify that 4.12+ is not affected by the eventlet issue (Closed)
- depends on: OCPBUGS-21862 Verify that 4.12+ is not affected by the eventlet issue (Closed)
- links to: RHBA-2023:6272 OpenShift Container Platform 4.11.z bug fix update