[openstack-dev] [all] Eventlet + SSL + Python 3 = broken monkey patching leading to completely broken glance-api
Thomas Goirand
zigo at debian.org
Fri May 18 13:01:37 UTC 2018
Hi,
It took me nearly a week to figure this out, as I'm not really an expert
in Eventlet, OpenSSL and all, but now I've pin-pointed a big problem.
My tests were around Glance, which I was trying to run over SSL and
Eventlet, though it seems a general issue with SSL + Python 3.
In the normal setup, when I do:
openstack image list
then I get:
Unable to establish connection to https://127.0.0.1:9292/v2/images:
('Connection aborted.', OSError(0, 'Error'))
(more detailed stack dump at the end of this message [1])
Though, with Eventlet 0.20.0, if in
/usr/lib/python3/dist-packages/eventlet/green/ssl.py line 352, I comment
out set_nonblocking(newsock) in the accept() function of the
GreenSSLSocket, then everything works.
Note that:
- This also happens with latest Eventlet 0.23.0
- There's no problem without SSL
- There's no commit on top of 0.23.0 relevant to the issue
The issue has been reported here 2 years ago:
https://github.com/eventlet/eventlet/issues/308
it's marked with "importance-bug" and "need-contributor", but nobody did
anything about it.
I also tried running with libapache2-mod-wsgi-py3, but then I'm hitting
another bug: https://bugs.launchpad.net/glance/+bug/1518431
what's going on is that glanceclient spit out a 411 error complaining
about content lenght. That issue is seen *only* when using Apache and
mod_wsgi.
So, I'm left with no solution here: Glance never works over SSL and
Python 3. Something's really wrong should be fixed. Please help!
This also pinpoints something: our CI is *not* covering the SSL case, or
mod_wsgi, when really, it should. We should be having tests with:
- mod_wsgi
- eventlet
- uwsgi
and all of the above with and without SSL, plus Python 2 and 3, plus
with file or swift backend. That's 24 possibility of problems, which we
should IMO all cover. We don't need to run all tests, but maybe just
make sure that at least the daemon works, which isn't the case at the
moment for most of these use cases. The only setup that works are:
- eventlet with or without SSL, using Python 2
- eventlet without SSL with Python 3
- apache with or without SSL without swift backend
As much as I understand, we're only testing with eventlet with Python 2
and 3 without SSL and file backend. That's 2 setups out of 24... Can
someone works on fixing this?
Cheers,
Thomas Goirand (zigo)
[1]
Unable to establish connection to https://127.0.0.1:9292/v2/images:
('Connection aborted.', OSError(0, 'Error'))
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line
601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line
346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line
852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326,
in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 329,
in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 385, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 760, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 996, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 641, in do_handshake
self._sslobj.do_handshake()
OSError: [Errno 0] Error
More information about the OpenStack-dev
mailing list