Ticket #45 (new defect)

Opened 5 years ago

Last modified 5 years ago

pyOpenSSL requirement?

Reported by: dwiggins Owned by: dwiggins
Priority: minor Milestone:
Component: local Version:
Severity: Keywords:
Cc: jonmills@renci.org Dependencies:

Description

(This was http://groups.geni.net/geni/ticket/1251; moving to this Trac instance.)

In line 62 of /usr/local/ops-monitoring/local/wsgi/localstore.wsgi, you call a function of pyOpenSSL called 'get_extension_count'.

However, in the version of pyOpenSSL that ships with any Enterprise Linux (6.4), this function does not exist. The version of pyOpenSSL we have is pyOpenSSL-0.10-2.el6.x86_64.

The result, in Apache logs, looks like:

[Wed May 21 21:14:06 2014] [info] [client 152.54.14.3] mod_wsgi (pid=15174, process='localstore', application=''): Loading WSGI script '/usr/local/ops-monitoring/local/wsgi/localstore.wsgi'.
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3] mod_wsgi (pid=15174): Exception occurred processing WSGI script '/usr/local/ops-monitoring/local/wsgi/localstore.wsgi'.
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3] Traceback (most recent call last):
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3]   File "/usr/local/ops-monitoring/local/wsgi/localstore.wsgi", line 112, in application
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3]     if authorized_certificate(cert):
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3]   File "/usr/local/ops-monitoring/local/wsgi/localstore.wsgi", line 62, in authorized_certificate
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3]   File "/usr/local/ops-monitoring/local/wsgi/localstore.wsgi", line 62, in authorized_certificate
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3]     for x in range(cert.get_extension_count()):
[Wed May 21 21:14:06 2014] [error] [client 152.54.14.3] AttributeError: get_extension_count
[Wed May 21 21:14:06 2014] [info] [client 152.54.14.3] Connection closed to child 0 with standard shutdown (server rci-hn.exogeni.net:443)

Change History

  Changed 5 years ago by dwiggins

The missing method is in pyOpenSSL 0.12. We should add something about this to local/README.
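A load-time check for the dependency discussed above, as an added example that is not part of the ticket or of the ops-monitoring code: it reports an outdated pyOpenSSL once, at script load, instead of as an AttributeError inside the certificate authorization path on every request. The function names, the stand-in classes and the wiring shown in the final comment are assumptions.

```python
import re

# Minimum version per the ticket comment ("The missing method is in pyOpenSSL 0.12").
MIN_VERSION = (0, 12)
# Method named in the traceback; the only API this check assumes the script needs.
REQUIRED_METHODS = ("get_extension_count",)


def parse_version(text):
    """'0.10' -> (0, 10). Tuples compare numerically, so 0.9 < 0.10 < 0.12."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError("unparseable version: %r" % (text,))
    return tuple(int(part) for part in match.group(0).split("."))


def x509_api_problems(x509_cls, version_text):
    """Return a list of human-readable problems; an empty list means usable."""
    problems = []
    if parse_version(version_text) < MIN_VERSION:
        problems.append("pyOpenSSL %s is older than required %s"
                        % (version_text, ".".join(str(n) for n in MIN_VERSION)))
    for name in REQUIRED_METHODS:
        if not callable(getattr(x509_cls, name, None)):
            problems.append("X509.%s() is not available" % name)
    return problems


def require_x509_api(x509_cls, version_text):
    """Call once at import time so a bad install fails at load, not per request."""
    problems = x509_api_problems(x509_cls, version_text)
    if problems:
        raise RuntimeError("certificate authorization disabled: " + "; ".join(problems))


# Constructed stand-ins for OpenSSL.crypto.X509 so the example runs without pyOpenSSL.
class OldX509(object):          # shaped like the 0.10 class in the ticket
    def get_subject(self):
        return None


class NewX509(OldX509):         # shaped like 0.12 and later
    def get_extension_count(self):
        return 0

# Assumed wiring in the real script:
#   import OpenSSL
#   require_x509_api(OpenSSL.crypto.X509, OpenSSL.__version__)
```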

  Changed 5 years ago by sblais

David,

This is the exact problem that we are seeing on ashur.
You can tell Jonathan to remove this rpm and install the latest version of pyOpenSSL via pip.

follow-up: ↓ 4   Changed 5 years ago by jonmills

David & Stephane:

You're new, so you may not yet be familiar with some of the ways that ExoGENI operates. We only have 1.5 sysadmins to run all these systems. We would quickly drown if we had to manage lots of one-offs and manual configuration. We insist that every file on an ExoGENI system be owned by an RPM, or be a config file pushed & managed by Puppet. We won't install software via pip, easy_install, CPAN, gem, or source tarball. When we deploy the ops-monitoring software for production use, it too will have to be packaged as an RPM. So in short, the pyOpenSSL RPM will have to stay.

in reply to: ↑ 3   Changed 5 years ago by dwiggins

Replying to jonmills:

If we included the correct version of pyOpenSSL in the release tarball and arranged for it to be used by ops-monitoring instead of the default pyOpenSSL, would that be acceptable? This doesn't address getting it into an RPM, but it's a start.

  Changed 5 years ago by jonmills

We're not thrilled with that solution. Sure it might work in this instance, but it's not a good practice in general. As Victor points out, the value of RPMs/DEBs is that their metadata validates a chain of system dependencies. So sure, you can include this one library in your tarball, and it will fulfill the dependencies of your application. But there's nothing to ensure that the rest of the system software fulfills the dependencies of the library you included.

  Changed 5 years ago by dwiggins

Note that the rpm spec file from Jonathan in ticket:50 handles this dependency.

  Changed 5 years ago by dwiggins

In the Internet2 call today we learned that sfa has trouble with pyOpenSSL 0.14. monitoring only needs 0.12, and that version was apparently OK with sfa, but I wanted to note the issue just in case.

  Changed 5 years ago by jonmills

I believe EG is using pyOpenSSL 0.13. Hopefully it is okay...

  Changed 5 years ago by dwiggins

  • priority changed from major to minor