From 97b2a51d6beee4fd58b93027d823d6fd90f5c11f Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Wed, 9 Nov 2022 11:58:37 -0800 Subject: [PATCH] Fix dbcounter install on Debian Bullseye The dbcounter install on Debian Bullseye is broken in a really fun way. The problem is that we end up mixing pypi openssl and distro cryptography under pip and those two versions of libraries are not compatible. The reason this happens is that debian's pip package debundles the pip deps. This splits them out into /usr/share/python-wheels and it will prefer distro versions of libraries over pypi installed versions of libraries. But if a pypi version is installed and a distro version is not then the pypi version is used. If the pypi version of library A does not work with distro version of library B then debundled pip breaks. This has happened with crypytography and pyOpenSSL. This happens because urllib3 (a debundled pip dep) appears to use pyopenssl conditionally. Novnc depends on python3-cryptography, and openstack depends on cryptogrpahy from pypi ensuring we get both a distro and a pypi version installed. However, pyOpenSSL is only pulled in from pypi via openstack deps. This leaves debundled urllib3 attempting to use pypi pyOpenSSL with distro cryptography and that combo isn't valid due to an interface change. To fix this we install python3-openssl ensuring that debundled pip will use distro pyOpenSSL with distro cryptography making everything happy again. But we only do this when we install novnc as novnc is what pulls in distro cryptography in the first place. We can't simply install python3-openssl on all debuntu platforms because this breaks Ubuntu Focal in the other direction. On Ubuntu focal distro pip uses distro pyOpenSSL when no pypi pyOpenSSl is installed (prior to keystone install) and is not compatible with pypi cryptography. Honestly, this whole intersection between distro and pypi installs of cryptography and pyOpenSSL could probably be made cleaner. One option would be for us to always install the constraints version of both packages from pypi and the distro pacakges very early in the devstack run. But that seems far more complicated so I'm not attempting that here. Change-Id: I0fc6a8e66e365ac49c6c7ceb4c71c68714b9f541 --- lib/nova | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/lib/nova b/lib/nova index 6de1d3382f..5c619bb762 100644 --- a/lib/nova +++ b/lib/nova @@ -885,8 +885,23 @@ function install_nova { # a websockets/html5 or flash powered VNC console for vm instances NOVNC_FROM_PACKAGE=$(trueorfalse False NOVNC_FROM_PACKAGE) if [ "$NOVNC_FROM_PACKAGE" = "True" ]; then + # Installing novnc on Debian bullseye breaks the global pip + # install. This happens because novnc pulls in distro cryptography + # which will be prefered by distro pip, but if anything has + # installed pyOpenSSL from pypi (keystone) that is not compatible + # with distro cryptography. Fix this by installing + # python3-openssl (pyOpenSSL) from the distro which pip will prefer + # on Debian. Ubuntu has inverse problems so we only do this for + # Debian. + local novnc_packages + novnc_packages="novnc" + GetOSVersion + if [[ "$os_VENDOR" = "Debian" ]] ; then + novnc_packages="$novnc_packages python3-openssl" + fi + NOVNC_WEB_DIR=/usr/share/novnc - install_package novnc + install_package $novnc_packages else NOVNC_WEB_DIR=$DEST/novnc git_clone $NOVNC_REPO $NOVNC_WEB_DIR $NOVNC_BRANCH