[all] Eventlet broken again with SSL, this time under Python 3.9

Dmitriy Rabotyagov noonedeadpunk at ya.ru
Sat Jan 30 09:47:40 UTC 2021


In the meanwhile we see that most of the services fail to interact with rabbitmq over self-signed SSL in case RDO packages are used even with Python 3.6.
We don't see this happening when installing things with pip packages though. Both rdo and pip version of eventlet we used was 0.30.0.

RDO started failing for us several days back with:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)

Not sure, maybe it's not related directly to eventlet, but sounds like it might be.


29.01.2021, 17:02, "Thomas Goirand" <zigo at debian.org>:
> On 1/29/21 2:53 PM, Sean Mooney wrote:
>>  On Fri, 2021-01-29 at 13:44 +0100, Thomas Goirand wrote:
>>>  On 1/29/21 1:19 PM, Sean Mooney wrote:
>>>>  On Thu, 2021-01-28 at 21:02 +0100, Thomas Goirand wrote:
>>>>>  Hi,
>>>>>
>>>>>  Swift proxy fails with Python 3.9 under Debian Unstable with Python 3.9:
>>>>>  http://paste.openstack.org/show/802063/
>>>>>
>>>>>  (that's when doing a simple "openstack container list")
>>>>>
>>>>>  I got the same problem with neutron-rpc-server:
>>>>>  http://paste.openstack.org/show/802071/
>>>>>
>>>>>  (this happens when neutron-rpc-server tries to tell Nova that my new VM
>>>>>  port is up)
>>>>  im surprised you got this far i was still expecting nova-compute to hang connecting to rabbit
>>>>  it did in decemebr has the 0.30.0 release of eventlet fixed that?
>>>
>>>  The Debian package for Eventlet 0.26.1-4 contains these patches:
>>>
>>>  https://github.com/eventlet/eventlet/commit/46fc185c8f92008c65aef2713fc1445bfc5f6fec
>>>  https://github.com/eventlet/eventlet/pull/664
>>>  https://github.com/eventlet/eventlet/pull/672
>>  https://github.com/eventlet/eventlet/pull/664 was not in the version i used in early decmber
>
> Indeed. Neither the other 2.
>
>>  so that is likely what allows nova to not hang.
>
> Yeah.
>
>>  the ssl issue i expect to still impact the vnc proxy but i might try it again and see.
>>
>>  i think all 3 of those are in 0.30.0
>
> Eventlet being a very touchy dependency of OpenStack, we very much
> prefer cherry-picking patches whenever possible. However, I tried
> 0.30.0, and it didn't solve the SSL problem (so I'm back to our patched
> 0.26.1 Debian release).
>
> Cheers,
>
> Thomas Goirand (zigo)


-- 
Kind Regards,
Dmitriy Rabotyagov



More information about the openstack-discuss mailing list