Fix dbcounter install on Debian Bullseye

The dbcounter install on Debian Bullseye is broken in a really fun way. The problem is that we end up mixing pypi openssl and distro cryptography under pip and those two versions of libraries are not compatible. The reason this happens is that debian's pip package debundles the pip deps. This splits them out into /usr/share/python-wheels and it will prefer distro versions of libraries over pypi installed versions of libraries. But if a pypi version is installed and a distro version is not then the pypi version is used. If the pypi version of library A does not work with distro version of library B then debundled pip breaks. This has happened with crypytography and pyOpenSSL. This happens because urllib3 (a debundled pip dep) appears to use pyopenssl conditionally. Novnc depends on python3-cryptography, and openstack depends on cryptogrpahy from pypi ensuring we get both a distro and a pypi version installed. However, pyOpenSSL is only pulled in from pypi via openstack deps. This leaves debundled urllib3 attempting to use pypi pyOpenSSL with distro cryptography and that combo isn't valid due to an interface change. To fix this we install python3-openssl ensuring that debundled pip will use distro pyOpenSSL with distro cryptography making everything happy again. But we only do this when we install novnc as novnc is what pulls in distro cryptography in the first place. We can't simply install python3-openssl on all debuntu platforms because this breaks Ubuntu Focal in the other direction. On Ubuntu focal distro pip uses distro pyOpenSSL when no pypi pyOpenSSl is installed (prior to keystone install) and is not compatible with pypi cryptography. Honestly, this whole intersection between distro and pypi installs of cryptography and pyOpenSSL could probably be made cleaner. One option would be for us to always install the constraints version of both packages from pypi and the distro pacakges very early in the devstack run. But that seems far more complicated so I'm not attempting that here. Change-Id: I0fc6a8e66e365ac49c6c7ceb4c71c68714b9f541
2022-11-09 11:58:37 -08:00 · 2022-11-09 11:58:37 -08:00 · 97b2a51d6b
parent 47a429777c
commit 97b2a51d6b
1 changed files with 16 additions and 1 deletions
--- a/lib/nova
+++ b/lib/nova
@ -885,8 +885,23 @@ function install_nova {
        # a websockets/html5 or flash powered VNC console for vm instances
        NOVNC_FROM_PACKAGE=$(trueorfalse False NOVNC_FROM_PACKAGE)
        if [ "$NOVNC_FROM_PACKAGE" = "True" ]; then
+            # Installing novnc on Debian bullseye breaks the global pip
+            # install. This happens because novnc pulls in distro cryptography
+            # which will be prefered by distro pip, but if anything has
+            # installed pyOpenSSL from pypi (keystone) that is not compatible
+            # with distro cryptography. Fix this by installing
+            # python3-openssl (pyOpenSSL) from the distro which pip will prefer
+            # on Debian. Ubuntu has inverse problems so we only do this for
+            # Debian.
+            local novnc_packages
+            novnc_packages="novnc"
+            GetOSVersion
+            if [[ "$os_VENDOR" = "Debian" ]] ; then
+                novnc_packages="$novnc_packages python3-openssl"
+            fi
+
            NOVNC_WEB_DIR=/usr/share/novnc
-            install_package novnc
+            install_package $novnc_packages
        else
            NOVNC_WEB_DIR=$DEST/novnc
            git_clone $NOVNC_REPO $NOVNC_WEB_DIR $NOVNC_BRANCH