RHEL-78362

python-requests: Certificate loading regression


    • Bug
    • Resolution: Won't Do
    • Blocker
    • CentOS Stream 9
    • python-requests
    • Yes
    • Important
    • rhel-pt-python
    • ssg_platform_tools
    • 1
    • CentOS Stream

      As reported in the OpenStack context [1][2], a regression introduced in the following package:

      python3-requests-2.25.1-9.el9.noarch

      causes failures during the bootstrap in a tls-e based environment.
      In particular, using [1] as an example, the following stack trace is produced:

      Could not load 'http': [X509] PEM lib (_ssl.c:4311)
      Could not load 'https': [X509] PEM lib (_ssl.c:4311)
      2025-02-06 13:56:07.685 1 CRITICAL manila [-] Unhandled error: ssl.SSLError: [X509] PEM lib (_ssl.c:4311)
      2025-02-06 13:56:07.685 1 ERROR manila Traceback (most recent call last):
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/bin/manila-manage", line 10, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     sys.exit(main())
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/cmd/manage.py", line 544, in main
      2025-02-06 13:56:07.685 1 ERROR manila     fn(*fn_args)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/cmd/manage.py", line 205, in sync
      2025-02-06 13:56:07.685 1 ERROR manila     return migration.upgrade(version)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/db/migration.py", line 28, in upgrade
      2025-02-06 13:56:07.685 1 ERROR manila     return IMPL.upgrade(version)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/utils.py", line 161, in __getattr__
      2025-02-06 13:56:07.685 1 ERROR manila     backend = self.__get_backend()
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/utils.py", line 156, in __get_backend
      2025-02-06 13:56:07.685 1 ERROR manila     self.__backend = __import__(name, None, None, fromlist)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/db/migrations/alembic/migration.py", line 22, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from manila.db.sqlalchemy import api as db_api
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/manila/db/sqlalchemy/api.py", line 61, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     osprofiler_sqlalchemy = importutils.try_import('osprofiler.sqlalchemy')
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/oslo_utils/importutils.py", line 103, in try_import
      2025-02-06 13:56:07.685 1 ERROR manila     return import_module(import_str)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/oslo_utils/importutils.py", line 73, in import_module
      2025-02-06 13:56:07.685 1 ERROR manila     __import__(import_str)
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/osprofiler/sqlalchemy.py", line 21, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from osprofiler import profiler
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/osprofiler/profiler.py", line 27, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from osprofiler import notifier
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/osprofiler/notifier.py", line 18, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from osprofiler.drivers import base
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/osprofiler/drivers/__init__.py", line 4, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from osprofiler.drivers import loginsight  # noqa
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/osprofiler/drivers/loginsight.py", line 26, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     import requests
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/requests/__init__.py", line 121, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from .api import request, get, head, post, patch, put, delete, options
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/requests/api.py", line 13, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from . import sessions
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 28, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     from .adapters import HTTPAdapter
      2025-02-06 13:56:07.685 1 ERROR manila   File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 60, in <module>
      2025-02-06 13:56:07.685 1 ERROR manila     _preloaded_ssl_context.load_verify_locations(
      2025-02-06 13:56:07.685 1 ERROR manila ssl.SSLError: [X509] PEM lib (_ssl.c:4311)
      2025-02-06 13:56:07.685 1 ERROR manila 

      The issue comes from the recent MR [3], associated with the RHEL CVE [4].
      As per the first comment in [4], a regression has been discovered upstream, and a patch to address the certificate load regression has been produced, but it's still in draft.

      The current workaround (as per [1]) is to downgrade the python-requests package to the previous build (python3-requests-2.5.1-8.el9), where the bootstrap still works properly.

      [1] https://github.com/openstack-k8s-operators/manila-operator/pull/386

      [2] https://issues.redhat.com/browse/OSPCIX-673

      [3] https://gitlab.com/redhat/centos-stream/rpms/python-requests/-/merge_requests/19#f344ab862856703d63b64c90c7cc5f114f23fb59

      [4] https://issues.redhat.com/browse/RHEL-37609
      [5] https://github.com/psf/requests/pull/6731
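
Added example (not part of the original report, and not code from python-requests): the trace above ends in `load_verify_locations` raising `ssl.SSLError` while `requests` is still being imported, so the same standard-library call is run here on a CA bundle path in isolation, telling a PEM parse failure apart from a missing file. `check_ca_bundle`, `BundleCheck` and the sample PEM are hypothetical names and constructed data; the report does not say which bundle path the package loads, so the path is an input.

```python
import os
import ssl
import sys
import tempfile
from typing import List, NamedTuple

# Constructed sample: PEM markers around a body that is not valid base64.
MALFORMED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "!!! constructed sample, not a certificate !!!\n"
    "-----END CERTIFICATE-----\n"
)


class BundleCheck(NamedTuple):
    path: str
    ok: bool
    detail: str


def check_ca_bundle(path: str) -> BundleCheck:
    """Run load_verify_locations on `path` in isolation (hypothetical helper)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except ssl.SSLError as exc:
        # OpenSSL opened the file but could not parse it as PEM certificates.
        return BundleCheck(path, False, f"ssl.SSLError: {exc}")
    except OSError as exc:
        # Missing or unreadable path; reported separately from a parse failure.
        return BundleCheck(path, False, f"{type(exc).__name__}: {exc}")
    return BundleCheck(path, True, f"loaded {len(ctx.get_ca_certs())} CA certificate(s)")


def demo() -> List[BundleCheck]:
    """Check a malformed bundle and a missing one, both constructed in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "malformed.pem")
        with open(bad, "w") as fh:
            fh.write(MALFORMED_PEM)
        return [check_ca_bundle(bad), check_ca_bundle(os.path.join(tmp, "absent.pem"))]


if __name__ == "__main__":
    # Pass real bundle paths as arguments; with none, run the constructed samples.
    results = [check_ca_bundle(p) for p in sys.argv[1:]] or demo()
    for r in results:
        print("OK  " if r.ok else "FAIL", r.path, "-", r.detail)
```

Running it inside the affected container against the bundle the service is configured with shows whether the file itself fails to parse, without going through `import requests`.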

              python-maint
              Francesco Pantano (fpantano@redhat.com)
              Roberto Alfieri
              python-maint
              Lukas Zachar